zlacker

> It's simple, you increase your attack surface, and the effort and expertise needed to mitigate that.

Sure, but opening up one port is a much smaller surface than exposing yourself to a whole cloud hosting company.

>>lmm+(OP)
Ah… I really could not disagree more with that statement. I know we don’t want to trust BigCorp and whatnot, but a single exposed port and an incomplete understanding of what you’re doing is really all it takes to be compromised.

>>apppli+f3
Even if you understand what you are doing, you are still exposed to every single security bug in all of the services you host. Most of these self hosted tools have not been through 1% of the security testing big tech services have.

>>apppli+f3
This felt like it didn’t do your aim justice, “$X and an incomplete understanding of what you’re doing is all it takes to be compromised” applies to many $X, including Tailscale.

>>apppli+f3
Using a BigCorp service also has risks. You are exposed to many of their vulnerabilities, that’s why our information ends up in data leaks.

>>apppli+f3
Same applies to Tailscale. A Tailscale client, coordination plane vulnerability, or incomplete understanding of their trust model is also all it takes. You are adding attack surface, not removing it.

If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.

If you are exposing a handful of hardened services on infrastructure you control, Tailscale adds complexity for no gain. If you are connecting machines across networks you do not control, or want zero-config access to internal services, then I can see its appeal.

>>apppli+f3
Someone would need your 256-bit key to do anything to an exposed Wireguard port.

>>Schema+B5
Now you are exposed to every security bug in Tailscale's client, DERP relays, and coordination plane, plus you have added a trust dependency on infrastructure you do not control. The attack surface did not shrink, it shifted.

>>lmm+(OP)
Headscale is a thing

>>heavys+fJ
In theory.

In the same theory, someone would need your EC SSH key to do anything with an exposed SSH port.

Practice is a separate question.

>>xnickb+EV
Headscale is only really useful if you need to manage multiple users and/or networks. If you only have one network you want to have access to and a small number of users/devices it only increases the attack surface over having one wireguard listening because it has more moving parts.

>>prmous+241
I think the most important thing about Tailscale is how accessible it is. Is there a GUI for Wireguard that lets me configure my whole private network as easily as Tailscale does?

>>prmous+241
I set it up to open the port for few secs via port knocking. Plus another script that runs on the server that opens connections to my home ip addr doing reverse lookup to a domain my router updates via dyndns so devices at my home don’t need to port knock to connect.

>>johnis+eJ
There was a time when people were allowed to drive cars unlicensed.

These days, that seems insane.

As the traffic grew, as speeds increased, licensing became necessary.

I think, these days, we're almost into that category. I don't say this happily. But having unrestricted access seems like an era coming to an end.

I realise this seems unworkable. But so was the idea of a driver's license. Sometimes society and safety comes first.

I'm willing to bet that in under a decade, something akin to this will happen.

>>eqvino+1Z
SSH is TCP though and the outside world can initiate a handshake, the point being that wireguard silently discards unauthenticated traffic - there's no way they can know the port is open for listening.

>>Schema+B5
How would another service be impacted by an open UDP port on a server that the service is not using?

>>eqvino+1Z
Not even remotely comparable.

Wireguard is explicitly designed to not allow unauthenticated users to do anything, whereas SSH is explicitly designed to allow unauthenticated users to do a whole lot of things.

>>b112+Ak1
Can you be more concrete what do you predict?

>>b112+Ak1
I'll take this to mean that you think arbitrary access to a computer's capabilities will require licensure, in which case I think this is a bad metaphor.

The point of a driver's license is that driving a ton of steel around at >50mph presents risk of harm to others.

Not knowing how to use a computer - driving it "poorly" - does not risk harm to others. Why does it merit restriction, based on the topic of this post?

>>mpalme+fI1
Your unpatched Wordpress install is someone else’s botnet host, forming part of the “distributed” in DDoS, which harms others.

It’s why Cloudflare exists, which in itself is another form of harm, in centralising a decentralised network.

>>oarsin+kK1
The argument is self-defeating:

1. "Unpatched servers become botnet hosts" - true, but Tailscale does not prevent this. A compromised machine on your tailnet is still compromised. The botnet argument applies regardless of how you access your server.

2. Following this logic, you would need to license all internet-connected devices: phones, smart TVs, IoT. They get pwned and join botnets constantly. Are we licensing grandma's router?

3. The Cloudflare point undermines the argument: "botnets cause centralization (Cloudflare), which is harm", so the solution is... licensing, which would centralize infrastructure further? That is the same outcome being called harmful.

4. Corporate servers get compromised constantly. Should only "licensed" corporations run services? They already are, and they are not doing better.

Back to the topic: I have no clue what you think Tailscale is, but it does increase security, only convenience.

>>Schema+B5
For every remote exploit and cloud-wide outage that has happened over the past 20 years my sshd that is exposed to the internet on port 22 has had zero of either. There were a couple of major OpenSSH bugs but my auto updater took care of that before I saw it on the news.

You can trust BugCorp all you want but there are more sshd processes out there than tailnets and the scrutiny is on OpenSSH. We are not comparing sshd to say WordPress here. Maybe when you don’t over engineer a solution you don’t need to spend 100x the resources auditing it…

>>b112+Ak1
If I threw my license away tomorrow, what would be insane about me driving without a license?

Are you saying "unlicensed" where you mean "untrained?"

>>sejje+V12
The point of massive fines, and in some cases jailtime for driving without a license is control.

If someone breaks regs, you want to be able to levy fines or jail. If they do it a lot, you want an inability to drive at all.

It's about regulating poor drivers. And yes, initially vetting a driver too.

>>oarsin+kK1
I would detest living in a world where regulators assign liability in this way, it sounds completely ridiculous. On a level with "speech is violence".

>>b112+xr2
I don't really know any adults who don't drive, and nobody ever told me they weren't capable.

I don't think it's about driving ability, besides the initial vetting.

>>johnis+KM1
I meant: does not increase security.

>>sejje+Zw2
I am ~30 years old and I do not drive. In fact, I cannot drive.

>>johnis+KM1
The comment I was replying to was claiming that using your computer 'poorly' does not harm others. I was simply refuting that. Having spent the last two decades null routing customer servers when they decide to join an attack, this isn't theoretical.

As an aside, I dislike tailscale, and use wireguard directly.

Back to the topic: Your connected device can harm others if used poorly. I am not proposing licensing requirements.

>>IgorPa+P12
If you only expose SSH then you're fine, but if you're deploying a bunch of WebApps you might not want them accessible on the internet.

The few things I self host I keep out in the open. etcd, Kubernetes, Postgres, pgAdmin, Grafana and Keycloak but I can see why someone would want to hide inside a private network.

>>lillec+HH2
Yeah any web app that is meant to be private is not something I allow to be accessible from the outside world. Easy enough to do this with ssh tunnels OR Wireguard, both of which I trust a lot more than anything that got VC funding. Plus that way any downtime is my own doing and in my control to fix.

>>sejje+Zw2
From the perspective of those writing the regs, speeding, running lights, driving carelessly or dangerously (all fines or crimes here) are indeed indicators of safe driving or not.

Understand, I am not advocating this. I said I did not like it. Neirher of those statements have anything totk do with whether I think it will come to pass, or not.

>>johnis+lJ
I run the tailscale client in it's own LXC on Proxmox. Which connects to nginx proxy manager also in it's own LXC, which then connects to Nextcloud configured with all the normal features (Passkeys, HTTPS, etc). The Nextcloud VM uses full disk encryption as well.

Any one of those components might be exploitable, but to get my data you'd have to exploit all of them.

>>Schema+At3
You do not need to exploit each layer because you traverse them. Tailnet access (compromised device, account, Tailscale itself) gets you to nginx. Then you only need to exploit Nextcloud.

LXC isolation protects Proxmox from container escapes, not services from each other over the network. Full disk encryption protects against physical theft, not network attacks while running.

And if Nextcloud has passkeys, HTTPS, and proper auth, what is Tailscale adding exactly? What is the point of this setup over the alternative? What threat does this stop that "hardened Nextcloud, exposed directly" does not? It is complexity theater. Looks like defense in depth, but the "layers" are network hops, not security boundaries.

>>lmm+(OP)
You could also use ZeroTier and get similar capabilities without a third-party being a blocker.

>>sejje+Zw2
Most inadequate drivers don't think they're inadequate, which is part of the problem. Unless your acquaintances are exclusively PMC you most likely know several adults who've lost their licenses because they are not adequately safe drivers, and if your acquaintances are exclusively PMC you most likely know several adults who are not adequately safe drivers and should've lost their licenses but knew the legal tricks to avoid it.

>>mycall+zS3
or netbird

>>bjt123+6s1
Uh, you know you can scan UDP ports just fine, right? Hosts reply with an ICMP destination unreachable / port unreachable (3/3 in IPv4, 1/4 in IPv6) if the port is closed. Discarding packets won't send that ICMP error.

It's slow to scan due to ICMP ratelimiting, but you can parallelize.

(Sure, you can disable / firewall drop that ICMP error… but then you can do the same thing with TCP RSTs.)

>>JasonA+9t1
> SSH is explicitly designed to allow unauthenticated users to do a whole lot of things

I'm sorry, what?

>>eqvino+os4
That's why you discard ICMP errors.

>>apstls+KY6
If anything, that's why you discard ICMP port unreachable, which I assume you meant.

If you're blanket dropping all ICMP errors, you're breaking PMTUD. There's a special place reserved in hell for that.

(And if you're firewalling your ICMP, why aren't you firewalling TCP?)

>>johnis+aA3
And, Proxmox makes it worse in this case as most people won't know or understand that proxmox's netoworking is fundamentally wrong: its configured with consistent interface naming set the wrong way.

>>woleiu+sZ3
Interesting product here, thanks although I prefer the p2p transport layer (VL1) plus an Ethernet emulation layer (VL2) for bridging and multicast support.