zlacker

Tailscale is a great solution for this problem. I too run homeserver with Nextcloud and other stuff, but protected behind Tailscale (Wireguard) VPN. I can't even imagine exposing something like my family's personal data over internet, no matter how convenient it is.

But I sympathize with OP. He is not a developer and it is sad that whatever software engineers produce is vulnerable to script kiddies. Exposing database or any server with a good password should not be exploitable in any way. C and C++ has been failing us for decades yet we continue to use such unsafe stacks.

>>Algebr+(OP)
> C and C++ has been failing us for decades yet we continue to use such unsafe stacks.

I'm not sure — what do C and C++ have to do with this?

>>mattri+b1
They are not memory safe by design. See: https://xeiaso.net/blog/series/no-way-to-prevent-this/

Of course all languages can produce insecure binaries, but C/C++ buffer overflows and similar vulnerabilities are likely what AlgebraFox refers to.

>>Algebr+(OP)
Thanks, I've got a homelab/server with a few layers of protection right now, but had been wanting to just move to a vpn based approach - this looks really nice and turnkey, though I dislike the requirement of using a 3P IDP. Still, promising. Cheers.

>>timcam+U1
> They are not memory safe by design

I'm aware of that, but the C/C++ thing seemed more like a rant, hence my question.

I've searched up the malware and it doesn't seem to use memory exploitation. Rust is not going to magically protect you against any security issue caused by cloud misconfiguration.

>>Algebr+(OP)
C and C++ is not accountable for all evil of the world. Yes I know, some Rust evangelists want to tell us that, but most servers get owned through configuration mistakes.

>>Algebr+(OP)
What do you need Tailscale for? Why isn't Wireguard enough?

>>mattri+u2
What is the point you're trying to make here? Are you waiting for some malware that exploits a buffer overrun to infect you before conceding that C/C++ is a terrible choice for memory-safe code?

>>Algebr+(OP)
I just switched to Tailscale for my home server just before the holidays and it has been absolutely amazing. As someone who knows very little about networking, it was pretty painless to set up. Can’t really speak to the security of the whole system, but I tried my best to follow best practices according to their docs.

>>rane+k4
I think it’s easier to manage, plus you get ACL functionality. You can use Headscale for the control server and tailscale clients.

>>rane+k4
There's nothing wrong with wireguard at all if you already have the hosting service available. The core value add for Tailscale is that they provide/host the service coordinating your wireguard network.

If I'm not mistaken, there's a self-hosted alternative that let's you run the core of Tailscale's service yourself if you're interested in managing wireguard.

>>lopken+L4
It just seems totally unrelated to this post.

>>rane+k4
The author mentioned closing their VPN port so people would stop trying to break in, but this also cut off the author's access.

Tailscale allows you to connect to your home network without opening a port to allow incoming connections.

>>Algebr+(OP)
There are a lot of vulnerability categories. Memory unsafety is the origin of some of them, but not all.

You could write a similar rant about any development stack and all your rants would be 100% unrelated with your point: never expose a home-hosted service to the internet unless you seriously know your shit.

>>_heimd+55
I believe you are referring to Headscale https://github.com/juanfont/headscale

>>Algebr+(OP)
If you make a product that is so locked down by default that folks need to jump through 10 hoops before anything works then your support forums will be full of people whining that it doesn't work and everybody goes to the competition that is more plug and play.

Realize why Windows still dominates Linux on the average PC desktop? This is why.

>>_heimd+55
What kind of "hosting service" are you referring to? Just run wireguard on the home server, or your router, and that's it. No more infra required.

>>bennyt+Vm
I meant to say hosted service there, I.e. running a wireguard server to negotiate the VPN connections.

The main reason I haven't jumped into hosting wireguard rather than using Tailscale is mainly because I reach for Tailscale to avoid exposing my home server to the public internet.

>>mattri+u2
I think it was a rant, but still related to the post. Its point is that we need to minimize the attack surface of our infrastructure, even at home. People tend to expose services unintentionally, but what's so bad about that? After all, they are password protected.

Well, even when these exposed services are not built to cause harm or provide admin privileges, like all software they tend to not be memory secure. This gives a lucky attacker a way in from just exposing a single port on the network. I can see where comments on memory unsafe languages fit in here, although vulnerabilities such as XSS also apply no matter what language we build software with.

>>_heimd+BF
What could be the issue with exposing WireGuard at a random port to the public internet?

It works over UDP so it doesn't even send any acknowledgement or error response to unauthenticated or non-handshake packets.

>>rane+oY
There may not be an issue at all, I'm just gun shy about opening any ports publicly. I don't do networking often and have never focused on it enough to feel confident in my setup and maintenance.

>>Algebr+(OP)
c and c++ are not failing us and are not unsafe.

>>WaxPro+X1
You might like ZeroTier[0]. Similar solution to Tailscale but supports email registration.

[0]: https://www.zerotier.com/