Safe to expose repository server to internet?

Hi, I’m trying to decide how to handle backups from my laptop when I’m on the go. The options are

  1. Install the repository server on a cloud VPS
  2. Install the repository server on a raspberry pi at home.

For connection I can either
a) Expose the repository server to the internet or
b) connect via wireguard VPN.

I guess 1) + a) would be fastest, but I’m not sure if this is safe.
In the docs it says

Repository Server should be started on a dedicated server in LAN…

which sounds like exposing the server to the internet is not the recommended usage. In this forum topic someone asked a similar question, but the answers mostly centered around append-only / ACLs.

It would be great if someone knowledgeable who has read or written parts of the repository server code could make a recommendation as to the resilience of the server against attacks when exposed to the internet. I’m not looking for a 100% guarantee, more of “I am competent in server hardening and have looked at large parts of the code and I would feel comfortable exposing it to the internet for my own personal data”.

Thank you!


I did not write the server code, but how about sidestepping the issue and using some WebDAV or SSH server storage (which you can get for a few € or even for free) instead of a dedicated Kopia service? This is what I do (backup to Nextcloud) and it works perfectly.
This way, no Kopia-related code will ever handle login or security procedures; this is left to the tried and tested Apache/nginx/openssh teams.

I would do it via Tailscale. It’s basically an easier-to-set-up WireGuard.

Hosting it behind Caddy with mTLS is another option I’m considering. This way you would get protection from Caddy and convenience from not installing a tun adapter on the client. Will post when I get around to testing it :)
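The Caddy-with-mTLS setup described in the post above, written out as an added example. This is not the poster's configuration and not code from the Kopia project; it assumes a public hostname `backup.example.com`, a Kopia repository server listening on plain HTTP at `127.0.0.1:51515` on the same host (never bound to a public interface), and a private CA certificate at `/etc/caddy/client-ca.pem` that you issued the laptop's client certificate from. The weak setting is left in as a comment beside the corrected one, because the difference between them is exactly whether unauthenticated traffic ever reaches Kopia.

```caddyfile
# Added example, not from the thread or the Kopia project.
# Assumed: public name backup.example.com, Kopia repository server on
# 127.0.0.1:51515 (plain HTTP, loopback only), private CA certificate
# at /etc/caddy/client-ca.pem.
backup.example.com {
    tls {
        # Weak: "request" asks the client for a certificate but still
        # completes the handshake without one, so Kopia's own login is
        # the only thing between the internet and the server.
        #   client_auth {
        #       mode request
        #   }
        #
        # Corrected: the handshake is refused unless the client presents
        # a certificate signed by our private CA. Scanners and password
        # guessers never get as far as the Kopia HTTP listener.
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/client-ca.pem
        }
    }

    # Caddy terminates TLS and forwards to the loopback-bound Kopia
    # server; Kopia itself is not reachable from outside this host.
    reverse_proxy 127.0.0.1:51515
}
```

Caddy still obtains the server certificate for the hostname automatically; the `client_auth` block only adds the client side of the check. Two things to verify before trusting it: `curl --cert client.pem --key client-key.pem https://backup.example.com/` should reach Kopia, while the same request without `--cert` must fail at the TLS handshake rather than return a Kopia login page; and your Kopia client needs a way to present that client certificate (or a local forwarding proxy that does so), which the thread does not cover.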

Would Cloudflare’s Tunnel work for this as well?
