Unraid safe remote access

Unraid's admin panel was never designed to face the public internet. Operators who port-forward the web UI to 'access it from work' regularly end up in incident reports. The right pattern is VPN-style access — your phone/laptop connects to the home network, and Unraid stays internal where it belongs.

Best for: Unraid operators who need away-from-home access to admin or services and want to avoid the standard 'I exposed my NAS' mistakes.

What you should not expose

  • Unraid web UI (port 80 or 443): no MFA on the local admin account by default, no rate-limiting, and the UI runs as root. Direct internet exposure is the worst-case scenario.
  • SSH directly to the Unraid host: also runs as root, also no MFA in the default install. Even with key-only auth, the attack surface is wide.
  • SMB (port 445): exposes share contents and credentials, frequently targeted by ransomware worms (think WannaCry-style attacks).
  • Docker container ports for services with weak auth (Sonarr/Radarr default to no auth, Plex Web has admin-level access if you reuse credentials).

VPN-style remote access (recommended path)

  • Tailscale or WireGuard: install on the Unraid server (Community Applications has both), connect from your phone/laptop, and reach Unraid at its LAN IP as if you were home. Zero ports forwarded.
  • Tailscale specifically: handles NAT traversal without any router config, includes MFA on the Tailscale identity, and adds an access log. Free for personal use up to 100 devices.
  • Self-hosted WireGuard: more control, no third-party trust, but you handle the keys and the dynamic DNS for the home WAN IP yourself.
  • ZeroTier and Twingate are similar alternatives with comparable security models.

What is reasonable to expose (with care)

  • Plex Media Server's own remote access (not direct port forwarding): Plex's app authenticates against plex.tv accounts with MFA; the server-to-internet path is established via Plex's own infrastructure. This is materially safer than exposing the Unraid UI.
  • Nextcloud or a similar self-hosted service running in a Docker container behind a reverse proxy with proper TLS, HTTP basic auth in front, and per-user credentials separate from any admin account.
  • Even these need: container running as non-root, regular updates, MFA on application accounts, and a separate Unraid user with limited share access (not root).

Account and audit baseline

  • Set a strong password on the Unraid root account; do not reuse from other services.
  • If using Tailscale, enable MFA on your Tailscale identity (Google/Microsoft/Okta-backed); this is the actual gate to your home network.
  • Review Unraid > Users periodically; remove unused accounts and confirm each share's access list is intentional.
  • Enable Unraid notifications for failed login attempts and unsafe shutdowns; route them to email or a monitoring service you check.

Operator snapshot

Evidence first

First proof

List current port forwards at the router.

Screen to open

Router admin > Port Forwarding / Virtual Servers

Expected signal

Router admin > Port Forwarding shows every external port → internal IP:port mapping.

Stop boundary

Stop before keeping any forward to the Unraid admin port.

Layer path

1. Unraid's admin panel (web UI, SSH) runs as root with no MFA by default and was never designed to face the public internet — direct exposure is the worst-case scenario.
2. VPN-style access (Tailscale, WireGuard, ZeroTier, Twingate) lets remote clients reach Unraid at its LAN IP without forwarding any port at the router, and adds MFA at the VPN identity layer.
3. Some services can be reasonably exposed with care — Plex's own remote access (managed by plex.tv with MFA), Nextcloud behind a reverse proxy with TLS and app-level auth — but the same rules don't apply to Unraid's UI or SMB.
4. Credential reuse across Unraid root, Plex admin, router admin, and email turns any single account compromise into total network exposure.

Step-by-step runbook

Start here. Do each check in order, compare it to the expected result, and stop when the evidence explains the failure or the safe stop point applies.

1. Audit current exposure

Check: Router > Port Forwarding list (screenshot); the "Unraid Users audit" check below; Unraid Notifications history.

Expected result: You have a written list of every internet-facing path into the home network.

If not: Without this, you can't decide what's intentional vs accidental.

2. Set up the VPN-based remote access path

Check: Install Tailscale (or WireGuard) on Unraid via Community Applications. Authenticate Tailscale with an MFA-capable identity (Google/Microsoft/Okta). Install Tailscale on your phone and laptop.

Expected result: From cellular or any remote network, you can reach Unraid's web UI at its LAN IP without any port forwarding.

If not: If reachability fails, check Tailscale's admin console — both devices must be online in the same tailnet.

3. Remove dangerous port forwards

Check: After VPN reachability is verified, remove router forwards for ports 80, 443, 445, 22, and any forwards pointing at the Unraid web UI, SMB, or SSH.

Expected result: Port-forward list is now zero or contains only intentional services with reviewed auth (Plex direct, reverse-proxied apps).

If not: If you can't remove a forward because of a service you need, document the auth model for that service.

Safe stop: Stop before keeping any forward to the Unraid admin port.

4. Strengthen Unraid root and user accounts

Check: Set a unique strong password on Unraid root. Run the "Unraid Users audit" check below: remove unused accounts, set unique passwords on remaining users, confirm intentional share access for each.

Expected result: Every user has a unique strong password and a documented purpose.

If not: Credential reuse across services means one breach exposes everything.

5. Set up audit alerts and recurring review

Check: Configure Unraid Notifications to email or push for failed logins and unsafe shutdowns. Add a monthly calendar reminder to review Users, port-forward list, and Tailscale-connected devices.

Expected result: Failed-login alerts route to a channel you check; monthly review keeps state honest.

If not: Without alerts, quiet attacks go unnoticed.

Decision tree

If: Need admin access (web UI, SSH) from outside.

Then: Direct exposure is unacceptable.

Action: Install Tailscale or WireGuard on Unraid; connect from your remote device; reach the Unraid web UI at its LAN IP.

If: Need media streaming (Plex) from outside.

Then: Plex's own remote access is materially safer than exposing the Unraid UI.

Action: Configure Plex Remote Access (see /fix/plex-remote-access-not-working). Plex authenticates against plex.tv accounts with MFA; the server-to-internet path is established via Plex infrastructure.

If: Need file access (Nextcloud, file sync) from outside.

Then: Self-hosted file services can be exposed with care.

Action: Run the service in Docker behind a reverse proxy with TLS and app-level auth (basic auth or OAuth). Use a non-root Unraid user with limited share access for the service.

Safe stop: Stop if you can't articulate the auth layers or what happens if the service is compromised.

If: Need to reach a specific Docker service (Sonarr, Radarr, dashboards) from outside.

Then: These services default to no auth or weak auth.

Action: Either put them behind the same reverse proxy as Nextcloud, or access via VPN — never direct-forward their default ports.

If: Asked to share Unraid access with a friend or family member.

Then: Granting VPN access shares your entire home network.

Action: Prefer per-service shares (Plex sharing for media, Nextcloud user for files) over giving them VPN credentials.

Evidence table

Symptom: Forwarded port 80/443/445/22 to Unraid host.
Evidence to collect: Router > Port Forwarding list.
Likely layer: Direct admin/SMB/SSH exposure
Next action: Remove the forward immediately. Install Tailscale/WireGuard for the remote-admin use case.

Symptom: Forwarded ports 8080, 7878, 8989, etc. (default Sonarr/Radarr/etc. ports) to Unraid host.
Evidence to collect: Router port-forward list.
Likely layer: Weak-auth services exposed to internet
Next action: Remove the forwards; use VPN to reach those services, or put them behind a reverse proxy with auth.

Symptom: Same password used on Unraid root, Plex admin, router admin, and email.
Evidence to collect: Credential review (password manager audit).
Likely layer: Credential reuse
Next action: Generate unique passwords for each; store in password manager. Enable MFA where supported.

Symptom: Unraid Notifications: repeated failed-login attempts.
Evidence to collect: Notifications panel and/or syslog.
Likely layer: Active scanning or brute-force attempts
Next action: If admin port is exposed, remove the forward NOW. Investigate which source IPs and adjust firewall rules.

Commands and settings paths

Router port-forward audit

Router admin > Port Forwarding / Virtual Servers

Where: In the home router's admin UI.

Expected: Every forward is intentional and points at a service you've reviewed for auth and update cadence.

Failure means: Unknown forwards are exposure you haven't decided on.

Safe next step: Remove unknown entries; document intended ones.

Tailscale install + reach Unraid via tailnet

Community Applications > Tailscale > install. Authenticate Tailscale. From phone on cellular, open browser to http://<unraid-lan-ip>

Where: On Unraid server first (install), then on a remote device (verify).

Expected: Unraid web UI loads from cellular at the same LAN IP you use at home, with no port forwards configured.

Failure means: If the URL doesn't load, check both devices are on the same tailnet and Tailscale shows them as online.

Safe next step: Verify Tailscale identity has MFA enabled before removing any existing port forwards.

Unraid Users audit

Users page

Where: In the Unraid web UI.

Expected: Each user has a password, a documented purpose, and intentional share access.

Failure means: Old test users or blank-password users are exposure.

Safe next step: Remove or password-protect every account; document who has access.

Failed-login notification check

Notifications > Settings, plus syslog auth entries

Where: In the Unraid web UI and Tools > System Log.

Expected: Failed-login alerts are routed to a channel you actually check; syslog auth entries are reviewed periodically.

Failure means: Quiet failures of these alerts mean you'll miss active attacks.

Safe next step: Configure email or app notification; test by intentionally failing a login.
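
One way to do the periodic syslog review described above, as an added example that is not part of the original page: it counts failed SSH and web UI logins per source address and flags any source outside LAN and tailnet ranges, since a failure from a public address means a login prompt is reachable from the internet. The sample log lines are constructed, and the `webGUI: Unsuccessful login` line format is an assumption to check against your own System Log.

```python
import ipaddress
import re
from collections import Counter

# LAN, loopback and tailnet ranges (Tailscale hands out 100.64.0.0/10 addresses).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fe80::/10", "fc00::/7")]

# OpenSSH's failure line plus an ASSUMED web UI line; match yours to System Log.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")),
    ("webgui", re.compile(r"webGUI: Unsuccessful login user \S+ from (\S+)")),
]

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
May  7 02:14:09 Tower sshd[2211]: Failed password for root from 203.0.113.45 port 51234 ssh2
May  7 02:14:15 Tower sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 40022 ssh2
May  7 08:30:01 Tower webGUI: Unsuccessful login user root from 192.168.1.50
May  7 09:02:10 Tower webGUI: Unsuccessful login user root from 100.101.102.103
May  7 09:02:14 Tower webGUI: Unsuccessful login user root from 100.101.102.103
May  7 09:02:19 Tower webGUI: Unsuccessful login user root from 100.101.102.103
"""

def is_internal(source):
    try:
        return any(ipaddress.ip_address(source) in net for net in INTERNAL_NETS)
    except ValueError:
        return False  # unparseable source: treat as untrusted

def triage(log_text, threshold=3):
    """Return (service, source, failures, verdict) for every failing source."""
    counts = Counter()
    for line in log_text.splitlines():
        for service, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                counts[(service, match.group(1))] += 1
    findings = []
    for (service, source), n in sorted(counts.items()):
        # One failure from a public address already proves internet reachability.
        verdict = ("EXPOSED" if not is_internal(source) else
                   "INTERNAL_REPEATED" if n >= threshold else "INTERNAL_OK")
        findings.append((service, source, n, verdict))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

An `EXPOSED` verdict maps to the "remove the forward" action in the evidence table; `INTERNAL_REPEATED` points at a LAN or tailnet device worth checking.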

Hardware and platform boundary

Change only when

  • Move to a self-hosted WireGuard server only after Tailscale has been working reliably for months; the self-hosted path adds key management and dynamic-DNS work you don't need on day one.

Evidence that matters

  • Tailscale identity with MFA, Unraid root password uniqueness/strength, per-service auth on reverse-proxied containers, and notification routing matter.

Evidence that does not matter

  • Faster router or more VPN bandwidth does not improve security; the path is what matters.

Avoid

  • Avoid DMZ-ing the Unraid host, disabling Unraid's host firewall, or sharing Tailscale credentials.

Last reviewed

2026-05-07 · Reviewed by HomeTechOps. Reviewed for Unraid remote-access safety using VPN-style access patterns (Tailscale/WireGuard/ZeroTier), the don't-expose-admin-UI rule, account/credential audit, and the failed-login notification + monthly review baseline.
