zlacker

[return to "CLI agents make self-hosting on a home server easier and fun"]
1. simonw+g6 2026-01-11 22:01:25
>>websku+(OP)
This post lists inexpensive home servers, Tailscale and Claude Code as the big unlocks.

I actually think Tailscale may be an even bigger deal here than sysadmin help from Claude Code et al.

The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.

Tailscale dramatically reduces this risk, because I can so easily configure it so my own devices can talk to my home server from anywhere in the world without the risk of exposing any ports on it directly to the internet.

Being able to hit my home server directly from my iPhone via a tailnet no matter where in the world my iPhone might be is really cool.

2. drnick+ab 2026-01-11 22:25:31
>>simonw+g6
I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

I am not sure why people are so afraid of exposing ports. I have dozens of ports open on my server including SMTP, IMAP(S), HTTP(S), various game servers and don't see a problem with that. I can't rule out a vulnerability somewhere but services are containerized and/or run as separate UNIX users. It's the way the Internet is meant to work.

3. buran7+1o 2026-01-11 23:48:01
>>drnick+ab
> I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

Ideal if you have the resources (time, money, expertise). There are different levels of qualifications, convenience, and trust that shape what people can and will deploy. This defines where you draw the line - at owning every binary of every service you use, at compiling the binaries yourself, at checking the code that you compile.

> I am not sure why people are so afraid of exposing ports

It's simple, you increase your attack surface, and the effort and expertise needed to mitigate that.

> It's the way the Internet is meant to work.

Along with no passwords or security. There's no prescribed way for how to use the internet. If you're serving one person or household rather than the whole internet, then why expose more than you need out of some misguided principle about the internet? Principle of least privilege, it's how security is meant to work.

4. lmm+os 2026-01-12 00:21:10
>>buran7+1o
> It's simple, you increase your attack surface, and the effort and expertise needed to mitigate that.

Sure, but opening up one port is a much smaller surface than exposing yourself to a whole cloud hosting company.

5. apppli+Dv 2026-01-12 00:47:07
>>lmm+os
Ah… I really could not disagree more with that statement. I know we don’t want to trust BigCorp and whatnot, but a single exposed port and an incomplete understanding of what you’re doing is really all it takes to be compromised.
6. heavys+Db1 2026-01-12 06:40:12
>>apppli+Dv
Someone would need your 256-bit key to do anything to an exposed Wireguard port.
7. eqvino+pr1 2026-01-12 09:00:39
>>heavys+Db1
In theory.

In the same theory, someone would need your EC SSH key to do anything with an exposed SSH port.

Practice is a separate question.

8. bjt123+uU1 2026-01-12 12:43:42
>>eqvino+pr1
SSH is TCP though and the outside world can initiate a handshake, the point being that wireguard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.
9. eqvino+MU4 2026-01-13 10:24:35
>>bjt123+uU1
Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP ratelimiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)

10. apstls+8r7 2026-01-13 22:03:04
>>eqvino+MU4
That's why you discard ICMP errors.
11. eqvino+Un8 2026-01-14 05:09:16
>>apstls+8r7
If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)
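As an added illustration (not any commenter's configuration) of the point made in the last two comments: an nftables input chain that defaults to silently dropping, so a UDP probe of a closed port never reaches the socket layer and no ICMP port unreachable is ever generated, while the ICMP types path MTU discovery depends on are still let through. The WireGuard port 51820 is an assumption (it is only WireGuard's conventional default).

```nftables
#!/usr/sbin/nft -f
# Added example, not a commenter's ruleset. Assumes WireGuard listens on UDP 51820.
flush ruleset

table inet filter {
    chain input {
        # policy drop: anything not matched below is discarded without a
        # reply. A 'reject' policy would instead emit the very ICMP
        # port-unreachable error that lets a scanner map closed UDP ports.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # WireGuard discards unauthenticated datagrams itself, so once closed
        # ports also produce no ICMP error the two cases look identical.
        udp dport 51820 accept

        # Keep PMTUD working: accept only the "fragmentation needed" (IPv4)
        # and "packet too big" (IPv6) errors instead of blanket-dropping ICMP.
        icmp type destination-unreachable icmp code frag-needed accept
        icmpv6 type packet-too-big accept

        # IPv6 does not function without neighbour discovery; extend this set
        # (e.g. MLD) if the host needs it.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Echo requests are harmless and useful for diagnostics.
        icmp type echo-request accept
        icmpv6 type echo-request accept
    }
}
```

Everything else inbound, TCP included, is dropped by the policy rather than rejected, which also answers the question of why one would firewall ICMP but not TCP.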
