• 0 Posts
  • 11 Comments
Joined 1 year ago
cake
Cake day: October 13th, 2023

help-circle
  • As far as i understood tailscale funnel its just a TCP-tunnel.
    So you handle TLS on your own system, which makes sure tailscale cannot really interfere.

    If you already trust them this far, might aswell do the same with a VPS and gain much more flexibility and independence (you can easily switch VPS provider, you cannot really switch tailscale funnel provider, you vendor-locked yourself in that regard)

    I’d connect the VPS and your home system via VPN (you can probably also use tailscale for this) and then you can use a tcp-tunnel (e.g. haproxy), or straight up forward the whole traffic via firewall-rules (a bit more tricky, but more flexible… though not that easy with tailscale… probably best to use TCP-tunnel with PROXY-Protocol).
    This way you can use all ports, all protocols, incoming and outgoing traffic with the IP-Address of the VPS.

    Tailscale might even already have something that can configure this for you… but i dont really know tailscale, so idk…

    And as you terminate TLS on your home-system, traffic flowing through the VPS is always encrypted.

    If you want to go overboard, you can block attackers on the server before it even hits your home-system (i think crowdsec can do it, the detector runs on your home-system and detects attacks and can issue bans which blocks the attacker on the VPS)

    And yes, its a bit paranoid… but its your choice.
    My internet connection here isnt good enough to do major stuff like what i am doing (handling media, backups and other data) so i rent some dedicated machines (okay, i guess a bit more secure than a VPS, but in the end its not 100% in your control either)


  • Nyfure@kbin.socialtoSelfhosted@lemmy.worldI love Home Assistant, but...
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    9 months ago

    Many systems dont support subpaths as it can cause some really weird problems.
    As you use tailscale funnels, you really want incoming traffic from the internet. I am not sure thats a good idea for e.g. homeassistant that is limited in access anyways.
    Might aswell use tailscale and access the system over VPN.

    And for anything serious i wouldnt use something like funnel anyways. Rent a VPS and use that as your reverse-proxy, you can then also do some caching or host some services there. Much simpler to deal with and full support for such things as you then have an actual public IPv4/IPv6 address to use.
    Heck, dont even have to pay for it with the Oracle Always-Free system.









  • If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
    If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).

    I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
    But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.