zlacker

1. aaomid+(OP)[view] [source] 2025-01-05 14:14:35
Tbh I prefer not exposing any ports directly, and then throwing Tailscale on the network used by docker. This automatically protects everything behind a private network too.
replies(5): >>smarx0+v1 >>yx827h+45 >>Manouc+S6 >>diggan+17 >>bakugo+wm
2. smarx0+v1[view] [source] 2025-01-05 14:28:56
>>aaomid+(OP)
I would love to read a write-up on that! Are you doing something like https://tailscale.com/blog/docker-tailscale-guide ?
replies(1): >>aaomid+3D
3. yx827h+45[view] [source] 2025-01-05 14:59:09
>>aaomid+(OP)
I agree, Tailscale FTW! You didn't even need to integrate it with docker. Just add a subnet route and everything just works. It's a great product.
4. Manouc+S6[view] [source] 2025-01-05 15:13:29
>>aaomid+(OP)
Another option is using Cloudflare Tunnels (`cloudflared`), and stacking Cloudflare Access on top (for non-public services) to enforce authentication.
replies(1): >>aaomid+LC
5. diggan+17[view] [source] 2025-01-05 15:14:23
>>aaomid+(OP)
FOSS alternative is to throw up a $5 VPS on some trusted host, then use WireGuard (FOSS FTW) to do basically exactly the same, but cheaper, without giving away control and with better privacy.

There is a bunch of software that makes this easier than trivial too, one example: https://github.com/g1ibby/auto-vpn/

replies(1): >>eadmun+8H
6. bakugo+wm[view] [source] 2025-01-05 17:18:43
>>aaomid+(OP)
Important to note that, even if you use Tailscale, the firewall punching happens regardless, so you still have to make sure you either:

1. Have some external firewall outside of the Docker host blocking the port

2. Explicitly tell Docker to bind to the Tailscale IP only

replies(1): >>aaomid+WC
7. aaomid+LC[view] [source] [discussion] 2025-01-05 19:23:04
>>Manouc+S6
Just FYI, Cloudflare closes any idle connection that's been around longer than 10 seconds.
8. aaomid+WC[view] [source] [discussion] 2025-01-05 19:23:59
>>bakugo+wm
> the firewall punching happens regardless

Does it? I think it only happens if you specifically enumerate the ports. You do not need to enumerate the ports at all if you're using Tailscale as a container.

replies(1): >>bakugo+KF
9. aaomid+3D[view] [source] [discussion] 2025-01-05 19:24:36
>>smarx0+v1
Yep! That's very similar to what I do.

I have a Tailscale container and a Traefik container. Then I use labels on all my other containers to expose themselves on Traefik.

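The Tailscale-container-plus-Traefik layout described in this reply (and the "no ports enumerated" point made earlier in the thread), written out as an added Compose example. This is not the commenter's actual config; hostname, auth key, Host() rule and the `whoami` service are placeholders. Traefik runs in the Tailscale container's network namespace (`network_mode: service:tailscale`), so its listener exists only on the tailnet address; nothing in the file has a `ports:` entry, so no host port is ever published and Docker never touches the host firewall for these services.

```yaml
# Added example. Tailscale as a container, Traefik sharing its network
# namespace, app containers reachable only via Traefik labels.
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: homelab                        # placeholder tailnet hostname
    environment:
      - TS_AUTHKEY=tskey-auth-REPLACE-ME     # placeholder; prefer a short-lived, pre-authorized key
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - tailscale-state:/var/lib/tailscale   # persist node identity across restarts
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
    networks:
      - internal

  traefik:
    image: traefik:v3.0
    network_mode: service:tailscale          # binds :80 inside the tailscale netns only
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # opt-in per container via labels
      - --entrypoints.web.address=:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro  # read-only, but still full API access
    depends_on:
      - tailscale

  whoami:
    image: traefik/whoami                    # placeholder app; no ports: entry anywhere
    networks:
      - internal
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`homelab.example.ts.net`)"   # placeholder
      - "traefik.http.services.whoami.loadbalancer.server.port=80"

networks:
  internal:

volumes:
  tailscale-state:
```

After `docker compose up -d`, `docker ps` should show no `0.0.0.0:*` mappings at all, and `curl http://homelab.example.ts.net/` should work only from a device on the tailnet. The one thing to weigh is the Docker socket mount: Traefik's docker provider needs it to read labels, and even read-only it grants control of the daemon, so keep Traefik's image pinned and treat it as privileged.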
10. bakugo+KF[view] [source] [discussion] 2025-01-05 19:47:26
>>aaomid+WC
Oh, I didn't realize you meant running Tailscale in docker, my bad. Then yeah, that's safe.
11. eadmun+8H[view] [source] [discussion] 2025-01-05 19:57:49
>>diggan+17
Or you can use headscale (BSD) with the Tailscale client (BSD), which is still FOSS but also very very easy to use.