genuine, security newbie, question. What's the worst case scenario that can happen on using this type of solution from a security standpoint? I do get it the authentication would be compromised. Probably some internal ports would be exposed publicly too.. what else?

Good question. I think absolute worse case scenario the tunnel and VPS is compromised and someone is able to gain access to the private network. We advise people in the docs to always consider this a possibility and secure Newt and what is has access to. A slightly worse case is there is a bypass in the forward auth and someone can get access to the webpage of a private service without passing the user/pass auth etc.

We are always looking for security experts to review the code and to pen test the application. Please hammer it and let us know at security@fossorial.io if there are any issues!