Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
lwde 5 hours ago

But it's missing a tailscale funnel like feature, right? That's one of the main features that I use for some home assistant instances.

gnyman 4 hours ago | parent | next [-]

Please be aware that when you use tailscale funnel you announce to the whole world that your service exists (through certificate transparency), and you will get scanned immediately. If you don't believe me just put up a simple http server and watch the scanning request come in within seconds of running `tailscale funnel`.

Do not expose anything without authentication.

And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.

If you are aware of this, funnel works fine and is not insecure.

Tailscale IMHO failing in educating people about this danger. They do mention in on the docs, but I think it should be a big red warning when you start it, because people clearly does not realise this.

I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.

No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.

https://infosec.exchange/@gnyman/115571998182819369

ethangk 5 hours ago | parent | prev | next [-]

Out of curiosity, why? I use TS for all my homelab bits (including my HA instance), but connect to TS before opening the HA app. Is it just a case of making it easier/ possible to connect if you’re on another VPN? Are you not concerned with having something from your local network open to the internet?

5 hours ago | parent | next [-]
[deleted]
m_santos 4 hours ago | parent | prev | next [-]

Besides the use cases listed, we see this as an opportunity for homelabers and organizations to add authentication with access control to already exposed services.

Galanwe 5 hours ago | parent | prev [-]

I use funnels for things like Vaultwarden, that are secure enough to be exposed on internet, and would be cumbersome if behind the tailnet.

I use serve for everything else, just for the clean SSL termination for things that should stay within the telnet, like *arr stacks, immich, etc.

ethangk 5 hours ago | parent | next [-]

Ah neat, that makes sense. Thanks.

Do you have anything that’ll trigger a notification if there’s suspicious traffic on your local network? I may be overly paranoid about exposing things on my local network to the internet.

Galanwe 5 hours ago | parent [-]

Not really, but these stuff are in an isolated DMZ vlan, so theres not much to escalate to.

I fancy a bit upgrading to a smarter router like unify's with integrated firewall and stuff like like though.

edentrey 5 hours ago | parent | prev [-]

After a decade with KeePass, I’ve finally moved to Vaultwarden. I’ll admit, self-hosting such a critical service still feels a bit scary, but the seamless syncing across all my devices is a huge upgrade. To balance the risk, I keep it tucked safely behind Tailscale for that extra peace of mind.

m_santos 4 hours ago | parent | prev | next [-]

We are developing a similar feature and is scheduled to be available really soon. We've discussed some details in our public slack. Any feedback there will be helpful.

Galanwe 5 hours ago | parent | prev [-]

Agree, I use funnels and serves a lot as well. Very useful for homelabers.