Can I run an internet-facing Resolve Project server securely


philtimm

  • Posts: 141
  • Joined: Tue Oct 09, 2018 1:10 pm
  • Location: Bristol, UK
  • Real Name: Philip Timm

Can I run an internet-facing Resolve Project server securely

Posted: Tue May 13, 2025 8:48 pm

TL;DR
This is a LONG, nerdy post, culminating in just one question, which is this:

Can I run a shared, internet-facing Blackmagic Resolve Project Server securely?

If so, how? Please tell!

If you are considering doing something similar, or are as big a nerd as I am, read on!
_____________________________________________________________


I am trying to set up a zero-cost Resolve collaboration system, accessible over the internet, sharing both projects and media.
(Yes, I know I could get a BMD Cloud project share for just £€$5/month, but I'm more interested in doing it for free, just to see if I can! This is for fun - and the technical challenge - not profit!)


Here's the deal:

I am running 2 Windows machines on a LAN, "Server" (Windows 10) and "Editor" (Windows 11). (I have a remote tester who is running a macOS machine.)

I have a static IP address on my internet facing router.

(I also have a ddns service so access is more friendly for remote editors, but that's not overly relevant, given the static IP address.)

I am running the Resolve Project Server on my first PC, "Server".

I have shared a media folder on a RAID tower set up with specific user permissions also on "Server", to be accessed via samba.

I have successfully set up the PostgreSQL server and have connected to it from my local LAN-connected "Editor" machine.

On "SERVER" the Windows Firewall has the standard "DaVinci Resolve..." inbound rules set up. I have added additional inbound rules opening up the following ports in the firewall:

5432 - PostgreSQL
445 - Samba

In postgresql.conf it already has listen_addresses = '*'

In pg_hba.conf, I have #commented everything else out and added "host all all 0.0.0.0/0 scram-sha-256".
I can now connect to "Server" from my "Editor", and my tester can successfully connect to the project server from within Resolve.

But this is all using the default, required username/password combo of postgres/DaVinci which is ridiculously insecure.

I would like to use pgAdmin to change the "postgres" user password from the default "DaVinci" to something more secure, but this breaks the DaVinci Resolve Project Server app. Is there anything I can do about that? At one point (see the YouTube link, below) Resolve (v12.5) allowed you to set whatever database password you wanted but, somewhere down the line, that changed.

-=#* THE QUESTION *#=-

Could I make it more secure by setting up a VPN tunnel on the "Server"? I've got an open source VPN server up and running, but that's another layer of complexity that I don't want to deal with until I've got it working without it. Or SSL? I've no idea what that is, but I'm clearly willing to learn!

If you've made it this far, you get a gold star! Well done, and thanks for your time!

Information sources:
viewtopic.php?f=21&t=165647
viewtopic.php?f=32&t=72146
HP Z8 G4 Workstation (dual Xeon Silver 4116)
160GB 2400MHz RAM
Nvidia RTX A5000 24GB GPU
512GB NVMe sys drive
4TB NVMe RAID0 scratch drive
24TB G-Drive Shuttle XL RAID5 storage (Thunderbolt2)

Win 11 (Version 23H2)
Resolve Studio v19.1.3

Username

  • Posts: 607
  • Joined: Tue Jun 25, 2019 2:33 am
  • Real Name: Petter Flink

Re: Can I run an internet-facing Resolve Project server secu

Posted: Wed May 14, 2025 12:24 am

Hi.

Never ever expose an internal resource or service to the public.

As you mention - VPN is the solution.
But strong enough authentication, like MFA or passkeys, is what you should look at.
With that said, performance can be tricky and there are different kinds of VPNs.
One option is Tailscale, which is a WireGuard-based service.
Grew up with a Nikon FM
Resolve & Fusion Studio 19
MBP M1 16GB/1TB
MM M1 16GB/512GB TB4 1TB & 2TB
MM i7 16GB/1TB & PowerColor Vega 56 8GB

Mel Matsuoka

  • Posts: 1438
  • Joined: Wed Aug 22, 2012 9:54 am
  • Location: Buffalo, NY

Can I run an internet-facing Resolve Project server securely

Posted: Wed May 14, 2025 4:52 am

Holy mother of god please do not do this. Especially if you’re going to expose the default Postgres and SMB ports to the internet, which is like tossing bloody seal carcasses into shark-infested waters. I know that relocating well-known ports to other random port numbers is a classic example of misguided “security through obscurity”, but in this case it would literally be better than nothing.

Instead you should set up a good VPN server like WireGuard, which allows for secure, key-based authentication to your network, with the added bonus of being completely invisible to portscans. Don’t port forward stuff unless you have no better option, especially if they’re highly targeted services like Postgres and Samba.

Tailscale (which is based on WireGuard under the hood) might also be an interesting option as well. It’s really easy to set up and is very secure (I use it to be able to view my security cameras—which I’ve blocked from accessing the internet—whenever I’m away from my network).

But even if you manage to set a VPN up, your secondary concern would be performance and latency. I seem to remember Peter or Rohit mentioning on here many years back that trying to run a shared Resolve collaboration server over the internet would be a very bad idea due to latency issues alone.
Blog: https://PostProductive.tv
YouTube: https://www.youtube.com/@postproductive
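
An added example, not part of any post in this thread: a small audit of pg_hba.conf text that compares the world-open rule quoted in the question with a variant that admits only a VPN tunnel subnet and loopback. The 10.8.0.0/24 subnet, the ALLOWED list and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed samples: the rule quoted in the question, then a tunnel-only variant.
# 10.8.0.0/24 is an assumed VPN subnet (hypothetical, not from the thread).
EXPOSED = "host all all 0.0.0.0/0 scram-sha-256\n"
VPN_ONLY = ("hostssl all all 10.8.0.0/24  scram-sha-256\n"
            "host    all all 127.0.0.1/32 scram-sha-256\n")
ALLOWED = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "127.0.0.0/8", "::1/128")]
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_rules(text):
    """Yield (type, source, method) for each network rule in pg_hba.conf text.
    Simplified: quoted fields and include directives are not handled."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue
        kind, addr, rest = fields[0], fields[3], fields[4:]
        try:
            if "/" in addr:
                net = ipaddress.ip_network(addr, strict=False)
            else:  # "address netmask" two-column form
                net = ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False)
                rest = rest[1:]
        except ValueError:
            net = addr  # keyword (all, samehost, samenet) or a hostname
        if rest:
            yield kind, net, rest[0]

def within_allowed(net):
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED)

def audit(text):
    """Return (finding, detail) pairs; an empty list means tunnel/loopback only."""
    findings = []
    for kind, net, method in parse_rules(text):
        if isinstance(net, str) or not within_allowed(net):
            findings.append(("source-not-restricted", str(net)))
        elif kind in ("host", "hostnossl") and not net.is_loopback:
            findings.append(("tls-not-required", str(net)))
        if method in ("trust", "password"):
            findings.append(("weak-auth-method", method))
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("vpn-only", VPN_ONLY)):
        print(name, audit(conf) or "no findings")
```

Keywords and hostnames in the address column are reported as unrestricted because the script cannot resolve them to a network offline.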

philtimm

  • Posts: 141
  • Joined: Tue Oct 09, 2018 1:10 pm
  • Location: Bristol, UK
  • Real Name: Philip Timm

Re: Can I run an internet-facing Resolve Project server secu

Posted: Wed May 14, 2025 11:39 am

Thank you Mel, and Petter Flink, for your replies!

I'd crossposted the same question elsewhere and everybody said the same thing! So I've yanked out the ethernet cables to the server for now, and am in the process of researching WireGuard, Tailscale, and ZeroTier solutions!

CUBuffskier

  • Posts: 212
  • Joined: Tue Apr 09, 2019 10:39 pm
  • Location: NYC
  • Real Name: Chadwick Shoults

Re: Can I run an internet-facing Resolve Project server secu

Posted: Thu May 15, 2025 4:11 pm

If you have or get a Ubiquiti router - WireGuard is built into the Dream Machines now - very easy to set up.
Chadwick
CreativeVideoTips.com
Finishing Editor & Resolve Trainer

Jim Simon

  • Posts: 36111
  • Joined: Fri Dec 23, 2016 1:47 am

Re: Can I run an internet-facing Resolve Project server secu

Posted: Fri May 16, 2025 2:47 pm

philtimm wrote: I am trying to set up a zero-cost Resolve collaboration system
:o

You should probably just pay the $5. ;)
My Biases:

You NEED training.
You NEED a desktop.
You NEED a calibrated (non-computer) display.
