> Question: do you use a different tool which requires no maintenance or cost to run?
Answer: ZeroTier -- on Mac, Linux (home & cloud), Windows, Android
I actually set up DNS entries resolving to private IPs as configured in ZeroTier so I didn't have to log in to dig them up, but my default DNS provider won't resolve them. I guess newer ZeroTier versions optionally have DNS covered these days but I haven't looked into it.
IIRC, I tried both ZeroTier and Tailscale but at the time Tailscale did not yet have a simple setup to run as an unattended Windows service (and still does not have the equivalent for Mac). Being able to access a machine without staying logged in was table stakes so I decided Tailscale needed more time to bake.
Downsides I'm aware of:
- Less attention to their encryption implementation than the current hotness (WireGuard).
- Did not work with minimal effort from the local public library.
- Mac Activity Monitor shows unexpectedly high amounts of traffic even though I use it very rarely; it's not clear what's going on within that network. As in, currently hundreds of MBs that I can't think of any reason would have passed through.
- It's 50 hosts + 1 admin per network for free, unlimited networks (unless you set up your own "controller"/proxy).
Re: access control brought up in another comment contrasting exposing only SSH vs. VPN connections, ZeroTier includes some off-puttingly complex access control configuration mechanism I will probably never look into.
Hope this detailed anecdata helps someone, I'm glad to be in a position to try to give back to the community by sharing my experience. Any other ZeroTier gotchas would be appreciated in case I have to dodge something in the future. I debated setting it up as permanent "route-all-internet-access-back-through-home-internet" VPN on my phone but was scared off by the complexity of setting up routing/bridging on the endpoint at home.
I have also been using ZeroTier for a few years now. Very useful. Unfortunately my current ISP uses NAT instead of giving their subscribers routable IP addresses. This means ZeroTier reverts to using an external relay when accessing my machine from outside, which is very slow and has very high latency from my country.
So in addition to ZeroTier, I use AutoSSH [1] to set up and maintain a persistent ssh tunnel on a high port on my VPS. It's a lot faster than ZeroTier's relay because the VPS is in a neighboring city instead of in another country. It's pretty reliable too, automatically reconnecting when the tunnel is down. I'm still using ZeroTier as a backup connection though.
Simply use `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain` to forward port 22222 on your VPS into your local machine. I also configured a supervisord instance to automatically start it on my machine so it'll always be running.
The crypto part of ZeroTier is getting some love soon but we are taking our time to get it right and get peer review. Implementing ideas from WireGuard and Signal.
Also the pricing is for our controller SaaS. If you want to self host controllers you can for free. There is a free community-developed control panel somewhere.
Please add webhooks for ZeroTier network endpoints coming online or going offline! I think some existing formal feature requests for this already exist?
Managing expectations re:v2 is not going well for me. I wasn't really aware WireGuard-ish crypto improvements were happening (hire the personalities™ freelance ASAP or at least for review), and timeline is basically a punchline at this point... I recommend just owning both (edit: start today!) as 'when it's finished' on the front page if you want to appeal to techs.
I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.
I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.
I've since set up WireGuard and use nginx as a reverse proxy and haven't looked back. This has been rock solid, set and forget.
I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.
I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.
> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.
I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:
`ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz`
It's a lot less work to lock down one machine tight enough to expose it to the public Internet than to do it for the entire network.
The big advantage of this (over `ssh user@host1 ssh user@host2`) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.
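The jump-host pattern from the two comments above (the `-A -t` chain and the ProxyJump comparison), as an added example that is not code from the thread: a client ssh_config that reaches an internal host through the gateway with ProxyJump, agent forwarding off so the gateway never holds the client's agent socket, plus the authorized_keys options that limit the jump account on the gateway to that one TCP forward. Host names, users, addresses, key paths and the key itself are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Host names, users, addresses and
# key paths are assumptions.
#
# `ssh -A -t gateway ssh target` starts a second ssh client *on the gateway*:
# it sees the inner session in the clear and can use the forwarded agent for
# as long as you are connected. With ProxyJump the gateway only relays TCP and
# the inner session is encrypted end to end between laptop and target.

write_jump_config() {
  # $1 = directory for the client config (normally ~/.ssh)
  cat > "$1/config" <<'EOF'
# The only machine exposed to the Internet.
Host gateway
    HostName gateway.example.com
    User user
    IdentityFile ~/.ssh/id_ed25519_gateway
    IdentitiesOnly yes
    ForwardAgent no

# Behind the gateway; never exposed directly. `ssh internal` is the same as
# `ssh -J user@gateway.example.com user2@10.0.0.5`. A separate key per hop
# means the gateway key never unlocks the internal host.
Host internal
    HostName 10.0.0.5
    User user2
    ProxyJump gateway
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ForwardAgent no
EOF
  chmod 600 "$1/config"
}

# On the gateway the jump account needs no shell: this authorized_keys entry
# (placeholder key) forbids pty, commands, agent/X11 forwarding, and allows
# only the single TCP forward that ProxyJump needs, to the internal sshd.
gateway_authorized_keys_line() {
  printf '%s %s\n' \
    'restrict,port-forwarding,permitopen="10.0.0.5:22"' \
    'ssh-ed25519 AAAA...PLACEHOLDER laptop'
}
```

`ssh -G internal` prints the options ssh would actually use for that host, which is the quickest way to confirm `ProxyJump` and `ForwardAgent no` took effect before connecting.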
Unfortunately it doesn't work if you're behind a NAT due to a shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port on the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`
ServerAliveInterval 30 is important because my ISP often drops idle connections, often after not even 1 minute idle. I can probably tweak it to listen on a localhost-only port instead of exposing it to the internet.
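The persistent autossh reverse tunnel from this comment and the earlier one that uses the same command, as an added example that is not code from the thread: a systemd unit that keeps the tunnel up (an alternative to the supervisord setup mentioned), with the remote listener bound to the VPS loopback so port 22222 is reachable only after logging in to the VPS, and an authorized_keys line on the VPS that limits the tunnel key to exactly that forward. `my-vps-domain` and port 22222 come from the comments; the `tunnel` user, key path and key are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. my-vps-domain and 22222 come from
# the comments above; the `tunnel` user, key path and key are assumptions.

# Unit for the NATed home machine. Differences from the bare autossh line:
#  - ExitOnForwardFailure=yes: if the VPS still holds a stale 22222 listener
#    from a dead session, ssh exits instead of idling, and systemd restarts it
#  - AUTOSSH_GATETIME=0: keep retrying when the first attempt fails (boot
#    before the network is up); otherwise autossh gives up on an early failure
#  - -R 127.0.0.1:22222:...: bind the listener to loopback on the VPS so the
#    home sshd is never on a public port
#  - StrictHostKeyChecking=yes: the VPS key must already be in known_hosts
write_autossh_unit() {
  # $1 = directory for the unit file (normally /etc/systemd/system)
  cat > "$1/autossh-home.service" <<'EOF'
[Unit]
Description=Persistent reverse SSH tunnel to my-vps-domain
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \
    -o ServerAliveInterval=30 \
    -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes \
    -o StrictHostKeyChecking=yes \
    -i /home/tunnel/.ssh/id_ed25519_tunnel \
    -R 127.0.0.1:22222:localhost:22 \
    tunnel@my-vps-domain
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# authorized_keys entry for the tunnel user on the VPS: no pty, no commands,
# no agent/X11 forwarding; the only remote forward it may open is 22222 on
# loopback, and the only outbound forward (used by -J below) is that same
# port. Key material is a placeholder.
vps_authorized_keys_line() {
  printf '%s %s\n' \
    'restrict,port-forwarding,permitlisten="127.0.0.1:22222",permitopen="127.0.0.1:22222"' \
    'ssh-ed25519 AAAA...PLACEHOLDER home-tunnel'
}

# From the laptop, hop through the VPS to the loopback listener:
#   ssh -J tunnel@my-vps-domain -p 22222 user@127.0.0.1
```

Enable it with `systemctl enable --now autossh-home.service`; `journalctl -u autossh-home` shows the reconnects that supervisord would otherwise have been restarting blindly.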
What are you giving Cloudflare here? You're running a tunnel daemon and piping a network process to it. There's no exchange of, for example, your private SSH keys.
If anything this is letting people more easily self host their own version of 'BigCorp cartel' apps like mail, code hosting, etc.
Sure. Just make IPv6 work everywhere flawlessly, and then all of our devices can easily access all of our other devices, we can use whatever DNS scheme we want to return the IPv6 addresses to those devices, and then we won't need to punch through NAT firewalls and routers to reflect off corp-owned servers just to access machines trapped behind NAT firewalls! What could possibly go wrong?
Why is it always the free software people who are the most judgemental about what I do with my software and who I trust with my time and money? AWS and Microsoft never gave a shit about what other vendors I'm in bed with.
I like your GNU license, I do not like your GNU license people.
You can get a virtual server for $4/month. Installing proprietary software and registering with some service, that may "upgrade" to a premium tier anytime, is pretty off-putting.
My home firewall blocks all traffic except for incoming SSH from 3 IP addresses in the world. One of those is my virtual server.
If I'm in a hotel with my laptop I run the first command to set up an SSH tunnel to my "home" computer through the cloud virtual server. That listens on my laptop to port 8888 and forwards it through the cloud virtual server to my home computer's SSH daemon listening on port 22
I do the same thing! I'm hoping that some day hotels won't send every wireguard packet they see straight to the bit bucket. Until then I'm really grateful for ssh.
If they upgrade to premium tier, set up your virtual server then. Your total cost, $0 for the duration it's free + $4 * the rest is still lower than $4 * lifetime, and the cost for switching is only going to be marginal.
I get the thought, you can build something now that is guaranteed to have a fixed cost, or you can risk going with a free product that might surprise you, causing you to rush to replace the solution with a tight deadline.
Just look at all the people panicking with the free Google Workspace shutdown.
I can use a virtual server for many things (backup, VPN, web services...), not just port forwarding.
The cost of my time for reading the contract and learning a new proprietary tool is not worth it for several years.
Cloudflare is arguably better than big tech. But the cost of deploying some binary package on a confidential server, keeping up with their marketing bs, etc. is simply not worth it.
If I have to spend an hour or two setting up each solution, I could pay $4 a month many years before I'd feel like it was worth doing that twice. You're not wrong, but I would gladly pay the monthly to only have to set it up once.
You can build a physical server for $500 once. Relying on proprietary hardware and registering with some service, that may "upgrade" to a premium tier anytime, is pretty off-putting.
not trying to be difficult, but $500 seems like an odd price tier to end up in. If I was going cheap, I'd do something between a rock64/raspberry pi and an Intel Nuc. If I was going powerful, it would be north of $1,500 for sure. That decision would probably be based on what I was running on it. If it's a VPN, the rock64 would be plenty. < $50
My home network has a dynamic IP. I'm using a home-baked dynamic DNS thingie, but a virtual server with a fixed IP could work too. Would update for the new IP much faster now that I think about it.
I have IPv6 at home with port 22 opened for one of my home server's IPs. But my work internet connection does not have IPv6 at all (lol) so I use one of my VPSes as a jump host.
Because in some countries, like .cz, it is pretty common that your home network is behind NAT, the ISP does not want to forward a port for you, and there is either no option to get a public IP or it costs $5 to $10/month and is a lengthy process to obtain (typical internet connection costs $20 to $30/month here).
Unfortunately the cloudflared software, while the source is available on GitHub, and there are pull requests open and accepted for it, is not under an open source license, and the license it is under does not allow modifications, so any modifications (including the aforementioned pull requests) are contrary to the license and thus copyright law and thus illegal. The issue I filed about this is still waiting for action since October 2021.
Hello from the Cloudflare team - thanks for the nudge. We're in the process of migrating away from the proprietary license to an Apache license. We'll update the GitHub issue too; should be wrapped up in the next couple of weeks but likely sooner.
PS: I note cloudflared uses some form of telemetry, although I have not looked at what data is transmitted and didn't try to remove it after seeing the above license.
PPS: I wish cloudflared were split up into client and server instead of one binary for both, it would be easier to audit and understand that way.
PPPS: I noted while auditing that cloudflared embeds its dependencies instead of depending on them and uses some golang libraries that are obsoleted.
hearing this I'm not sure I want cloudflared inside my network at all
it's already vast... and telemetry always seems to be the thin end of the wedge
a minimal version, not maintained by the company, under a proper open source license with no bullshit and a vastly smaller attack surface would seem like an easy win...
(and even better if it supported more service providers than just cloudflare... killing their lock-in)
Thanks for pointing this out, as it does appear that even taking the source and applying a pull request oneself breaks the license.
Just to clarify: many pull requests have been accepted and would thus from my perspective be covered by the license as having become part of the software.
Caveat: did not dig deeply enough to check if it's mostly Cloudflare employees developing publicly, etc.
Edit: worth mentioning here on HN customer support as well that 'opensource@cloudflare.com' is misconfigured.
No, pull requests are not illegal, at least when done on Github, because by posting code on Github (that you are allowed to post) you grant Github and its users certain rights:
> By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
In this specific case you might be correct but in the general case this is not true. The uploader agreeing to something does not affect the rights of other authors than the uploader.
Please explain? I've googled your sentiment and have found some links but not many answers. Breaking a contract is just as illegal (~ against the law) as breaking the law? This follows trivially from contract law being a part of law. More substantive: Both contracts and laws proscribe actions. One can find remedy for breaking either via the legal system. (Obviously the severity of punishment can differ several orders of magnitude.) Only if you limit 'illegal' to criminal law you might be right in some jurisdictions.
I'm under the impression that this is against CloudFlare's ToS, otherwise I'd probably be doing it myself.
See section 2.8 "Limitation on Serving Non-HTML Content." of their subscriber agreement:
use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.
Last I checked, SSH is non-html content. I even opened a support ticket with their support, specifically asking about SSH and other traffic and this is what I received:
So no matter what service you use, once you breach this rule it will be applied.
EDIT: Looks like the CloudFlare CTO has clarified things below that this usage does not in fact violate the ToS.
This seems to be the license for cloudflared. But when you use cloudflared to create a tunnel via cloudflare network, aren't you also bound to Cloudflare's ToS because the software itself is useless without using the service provided by Cloudflare?
> By the end of this post, you'll be able to run: ssh $machine_name from anywhere ... a service by Cloudflare ... will filter traffic to your machines through Cloudflare's network, including authenticating you ... your machines won't directly be exposed to threat actors and "1337 haxors".
I set up something similar using ZeroTier "public" networks and the libzt Python userspace library.
My use-case was to allow bitbucket hosted instances to connect to private instances in my infrastructure to push code to as part of the build pipeline. The way they are running Docker at bitbucket, you can't run the normal zerotier processes (IIRC, it wasn't allowed to create a tun/tap device).
The zerotier public networks are networks that anyone can join given the network ID, without requiring an admin to authorize them.
I wrote a python-based "ztproxy" [1] which you can call from SSH as a ProxyCommand like: `ProxyCommand /usr/bin/python3 /path/to/ztproxy /tmp 1234567890abcdef 9994 10.3.2.1 22`. On top of that I had SSH public key authentication of both the remote host and the local user, so even if the network ID was exposed, it wouldn't have been wide open. I also had ZeroTier network level rules that only allowed the SSH traffic.
2. On server, `ssh -R anythinghere:22:localhost:22 sishinstance`
3. On client, `ssh -J anythinghere sishinstance`
The tunnel is kept internal to sish, meaning it isn’t exposed to the open internet. You need to auth first to sish (using SSH) and then auth with your server (using SSH) as well before you can gain access.
I have code that monitors Hacker News comments for mentions of various things (including cloudflare, my username). It runs once a minute and uses https://hn.algolia.com/ to find new comments. I actually saw this was on Hacker News via Twitter.
Why would I use someone else's tool to just do the same thing I have autossh running (in a script that gets restarted if it dies) doing? You can do this if you own a server on the net, or with a free tier at AWS/GCE/Azure. I feel, not sure, "dirty"? pulling down some client that I am unsure exactly what it is doing from cloudflare just to enable a reverse ssh tunnel.
Wireguard, with dynamically-updated DNS resolution to a residential IP is very solid for a free tier and has the key benefit of zero third-party (i.e. not controlled by you) dependencies, other than the IP provider and the DNS resolver, which is a commodities business with low switching costs. Cloudflare is very nice and will be around for a long time, but it's still a third party dependency.
As it boils down, the OP's solution is "free" as in money but not as in freedom for a certain set of requirements.
Basically, going with CF trades-off some freedom for the considerable/legitimate protection benefits of being under the "cloudflare umbrella". It's probably a good trade for this moment in time. But rational people can disagree about whether it's a good trade when you broaden the time horizon to 5, 10, etc. years.
Like all things, it depends on the requirements you're building for.
WireGuard is great and is not too difficult to setup on something like a RPi.
I have one running on my home network which lets me access my local network remotely, including access to my local media server. I have another one running at my parents' house for times when I need to RDS into their windows machines for troubleshooting, or if I need to tweak settings on their router. You can also configure your clients (phone, laptop) to forward all traffic through the tunnel, which then secures your connection for when you're over an untrusted/public wifi.
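The WireGuard layout described in the comment above (a home box that exposes the LAN, with phone and laptop peers that can optionally send all their traffic through it), as an added example that is not code from the thread. Addresses, the LAN prefix, the LAN interface, the DDNS endpoint and the keys are placeholders; real keys come from `wg genkey | tee privatekey | wg pubkey`.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses, LAN prefix, interface
# name, endpoint and keys are placeholders.

# Server (e.g. a Raspberry Pi at home). UDP 51820 is the only port forwarded
# on the home router. It masquerades peer traffic onto the LAN (and, for
# full-tunnel peers, onto the Internet) so LAN hosts answer without routes.
write_wg_server() {
  # $1 = directory for wg0.conf (normally /etc/wireguard)
  cat > "$1/wg0.conf" <<'EOF'
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
# eth0 is the Pi's LAN interface (assumption)
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# On the server, AllowedIPs is also a source filter: a peer may only send
# packets from its own tunnel address, whatever its config claims.
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32
EOF
  chmod 600 "$1/wg0.conf"
}

# Phone profile. On the client, AllowedIPs is the routing table for the
# tunnel, so it selects the mode:
#   split: only the tunnel subnet and the home LAN go through the Pi
#   full:  everything goes through the Pi (public wifi). ::/0 is included
#          on purpose: with a v4-only server it blackholes IPv6 instead of
#          letting it leak around the tunnel.
# $1 = output directory, $2 = "split" or "full"
write_wg_phone() {
  if [ "$2" = full ]; then
    allowed='0.0.0.0/0, ::/0'
  else
    allowed='10.8.0.0/24, 192.168.1.0/24'
  fi
  cat > "$1/phone.conf" <<EOF
[Interface]
Address = 10.8.0.2/32
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER
# Resolve through the home LAN while connected (assumed LAN resolver).
DNS = 192.168.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
# DDNS name or static IP of the home connection (placeholder).
Endpoint = home.example.com:51820
AllowedIPs = $allowed
# The phone sits behind carrier NAT: keep the mapping alive so the
# server's replies still get through after idle periods.
PersistentKeepalive = 25
EOF
  chmod 600 "$1/phone.conf"
}
```

`qrencode -t ansiutf8 < phone.conf` renders the profile as the QR code the WireGuard mobile app scans, which is the "generate a QR code" step another comment mentions.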
There was a Cloudflare article posted a couple of days ago, I'll post my comment which agrees with you, Wireguard and a cheap VPS are hard to beat: "Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my local services."
So easy to set up too with docker. You can even generate a QR code to easily set up a mobile device. You do need a domain name, DDNS, or a static IP and the ability to port forward from the router
Never heard of WireGuard, so I went to their website and for a half second I thought I had cracked the screen on my new phone, because of their freaking background image....
But, it looks interesting. I'll have to check it out more.
Why not just run Wireguard on a raspberry pi, set up DDNS to send your home IP to a Dynamic DNS provider (if you're on a dynamic IP), and then SSH to your machines at home using keys (instead of passwords)?
Setting up a Pi and running the Wireguard install script is about half an hour of work.
I use a similar setup. The VPN is needed because it is the only port accessible outside my network. Wireguard is easy to setup right, and I already need it for accessing other stuff on my home network.
We have an ssh reverse-forwarding based solution. And unlike the Cloudflare solution you don't need to "give the keys of your house" (as someone here commented) to reach your private machines.
You can remotely open and close the tunnels through our web interface or our web API.
Plus, we have web API-based automated deployment solution if you have many clients.
This seems to be a cool service, I was actually thinking of creating something similar (but was deterred by the hassle of setting up billing and user management apart from the interesting technical stuff). I sometimes get asked by someone not owning a server/account they can use for `ssh -R 0.0.0.0:1234:localhost:22`, who are behind NAT and need to publish some service on the internet.
Why is the traffic rather limited? You seem to be hosting it on Linode and they offer like $5/TB traffic, I think you could easily offer several times more traffic, at least with the bigger plans.
“Your server creates a forwarding ssh tunnel to one of our publicly visible forwarding servers” seems like a huge risk for somebody else to own these “forwarding servers”. Worse than giving keys to your house? I dunno.
Your internal computer is still protected by password and/or public/private key-pairs, so even when the tunnel is open nobody can enter your computer without having those.
It is _your_ computer that makes connection to our servers, so you are in control of everything and there is literally nothing on our forwarding servers that would allow anybody to enter your computer.
It's much easier, much cheaper, and does not rely on a centralized cloud vendor. Here's how to do it in a few lines:
apt install tor
# one directive per line; HiddenServiceDir must be owned by the tor user, mode 0700
printf 'HiddenServiceDir /var/lib/tor/myserver\nHiddenServicePort 22 127.0.0.1:22\n' >> /etc/tor/torrc
systemctl restart tor
Now tor is generating the keypair for the server. It will take a few seconds: once that's done, read the onion address from /var/lib/tor/myserver/hostname and you can start using it from the client, either with explicit ssh proxy config or with the global client SSH config AutomapHostsOnResolve, which enables transparently mapping .onion domains to local IPs that the tor daemon will tunnel right over to the onion.
Bonus point: you get automatic certificate verification as part of the onion name itself, and you can also restrict the tor server configuration to allow only specific public keys (those who don't have them will not even reach sshd).
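The onion-service setup in the comment above, as an added example that is not code from the thread: the server-side torrc lines, a v3 client-authorization key pair (the "only specific public keys" restriction mentioned) made with openssl in the base32 encoding Tor expects, the matching `.auth` files on both sides, and a client ssh_config that sends `*.onion` hosts through the local Tor SOCKS port. Paths, the client name and the SOCKS port are assumptions; the onion address that goes into the client auth file is whatever the service's `hostname` file contains after Tor first starts.

```shell
#!/bin/sh
# Added example, not code from the thread. Directory paths and names are
# assumptions; Tor's defaults are /etc/tor/torrc and SOCKS on 127.0.0.1:9050.

# --- server side ------------------------------------------------------------
# Onion service mapping virtual port 22 to the local sshd. HiddenServiceDir
# must be owned by the tor user and mode 0700 or tor refuses to start.
write_onion_torrc() {
  # $1 = directory holding torrc, $2 = HiddenServiceDir
  printf 'HiddenServiceDir %s\nHiddenServicePort 22 127.0.0.1:22\n' "$2" >> "$1/torrc"
}

# x25519 key pair in the encoding Tor's v3 client authorization uses:
# the raw 32-byte key, base32, padding stripped (52 characters).
# Writes $1.prv and $1.pub; the PEM is deleted afterwards.
tor_x25519_key() {
  openssl genpkey -algorithm x25519 -out "$1.pem" 2>/dev/null
  openssl pkey -in "$1.pem" -outform DER 2>/dev/null | tail -c 32 | base32 | tr -d '=\n' > "$1.prv"
  openssl pkey -in "$1.pem" -pubout -outform DER 2>/dev/null | tail -c 32 | base32 | tr -d '=\n' > "$1.pub"
  rm -f "$1.pem"
}

# Server: one <name>.auth per allowed client under <HiddenServiceDir>/authorized_clients/.
# A client without a matching private key cannot even decrypt the service
# descriptor, so it never gets a connection to sshd. Restart tor after adding.
write_authorized_client() {
  # $1 = HiddenServiceDir, $2 = client name, $3 = base32 public key
  mkdir -p "$1/authorized_clients"
  printf 'descriptor:x25519:%s\n' "$3" > "$1/authorized_clients/$2.auth"
}

# --- client side ------------------------------------------------------------
# The client torrc needs `ClientOnionAuthDir <dir>`; each *.auth_private file
# there holds <56-char onion address without .onion>:descriptor:x25519:<base32 private key>
write_client_onion_auth() {
  # $1 = ClientOnionAuthDir, $2 = onion address (no suffix), $3 = base32 private key
  mkdir -p "$1"
  printf '%s:descriptor:x25519:%s\n' "$2" "$3" > "$1/$2.auth_private"
  chmod 600 "$1/$2.auth_private"
}

# ssh client config: route *.onion through the local Tor SOCKS5 port using
# the OpenBSD netcat flags (-x proxy -X 5; Debian's netcat-openbsd has them).
# The onion name authenticates the Tor endpoint; sshd's own host key is still
# checked on top of that, so the first connection prompts as usual.
write_onion_ssh_config() {
  # $1 = directory for the client config (normally ~/.ssh)
  cat >> "$1/config" <<'EOF'
Host *.onion
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
    ServerAliveInterval 30
EOF
}
```

After `systemctl restart tor` on both ends, `ssh user@$(cat /var/lib/tor/myserver/hostname)` from the client goes straight through the SOCKS proxy; a client whose key is not in `authorized_clients/` gets a Tor-level failure before any SSH banner is exchanged.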
So will cloudflare be able to ssh into my machine from anywhere? I dunno I just use ssh to ssh into my machines works pretty well so far but I have only been using it for the past 20 years.
This sounds a lot like https://tunnelto.dev/, which I've used and generally like. I'm not knowledgeable enough to know what, if any, the differences are, though.
What solution is available for a smartphone with Android? I would like to set up an unused phone with the Android system and an SSH server (there are apps) to make it a standalone server connected to the internet only via LTE/GSM (using a SIM card). I learnt that it is impossible to connect to a device using an LTE connection. Its "public" IP is not so public; LTE providers have a lot of infrastructure configurations (NAT?) to not allow incoming connections initiated outside the phone. What is the best solution here? What are free for fair use (just ssh, maybe a httpd with a lightweight script page), what are paid solutions? Thanks!
And then some people will come to rely on it, and then some will eventually get blocked due to protection rules misfiring, but it's all free service so not much point in blaming the company. Gmail story waiting to repeat?
I'm using Deviceplane for this right now - it's designed for embedded linux machines but could be used on any linux distro. Is anyone else using Deviceplane still? It seems the project has gone dead, though the website and github pages are still up.
I like it because of the easy web interface, and ability to tag / organize machines. Authentication is really simple.
I used it for a while, but found it to be unreliable. Sometimes my Raspberry Pis became unavailable through the nebula network. I had to ssh into the Raspberry from the home network and restart the nebula service. This happened once a week or so on the Zero W, so I tried Tailscale. It was much easier to set up than Nebula and works better for me so far (3 months).
How do I achieve the following related task with minimal effort?
I have a domain and VPS. I want to expose a local dev server running on my laptop to something like mydomain.xyz/something temporarily. I want to host it myself and would prefer open-source tools.
SSH into the VPS from the laptop with port-forwarding:
`ssh -R 8000:localhost:80 mydomain.xyz`
Now you should be able to access your local laptop on port 8000 of the VPS. There are a few easy steps you can add if you want to make it a bit more ergonomic or permanent. If you don't want to use an alternate port, you can just forward the port on the VPS with iptables.
You can directly expose the port to the internet, not only localhost, with ssh:
- put "GatewayPorts clientspecified" into /etc/ssh/sshd_config, restart sshd
- `ssh -R 0.0.0.0:8000:localhost:80` (the first parameter is the address where the tunnel should listen -- you can also pass something like 192.168.0.123 and expose it only to LAN etc.)
It's then reachable on your_vps:8000.
If you need it on the "correct" port and you are already running some other webserver (so you need to share that port), you need to set up a reverse proxy based on hostname or URL. I personally use haproxy, but for example nginx can do it too.
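The "expose a laptop dev server at mydomain.xyz/something" recipe from the replies above, as an added example that is not code from the thread: the reverse forward bound to the VPS loopback (so it needs no GatewayPorts change and port 8000 is never public) and the nginx server block that publishes it under a path, which is the hostname/URL-based reverse proxy the last reply refers to. `mydomain.xyz` and port 8000 come from the replies; the user name and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. mydomain.xyz and port 8000 come from
# the replies above; the user name and certificate paths are assumptions.

# Laptop side: an ssh_config entry instead of retyping the -R flags. The
# remote listener is bound to 127.0.0.1 on the VPS, so only local processes
# (nginx) reach it; sshd's default GatewayPorts=no needs no change and :8000
# is never public. ExitOnForwardFailure makes ssh exit if 8000 is already
# taken on the VPS rather than connecting with no tunnel.
# Start it with:  ssh -N devtunnel
write_tunnel_ssh_config() {
  # $1 = directory for the client config (normally ~/.ssh)
  cat >> "$1/config" <<'EOF'
Host devtunnel
    HostName mydomain.xyz
    User user
    RemoteForward 127.0.0.1:8000 localhost:80
    ExitOnForwardFailure yes
    ServerAliveInterval 30
EOF
}

# VPS side: nginx terminates TLS for mydomain.xyz and proxies only the
# /something/ prefix into the tunnel; the rest of the site is untouched.
write_nginx_vhost() {
  # $1 = directory for the site file (normally /etc/nginx/sites-enabled)
  cat > "$1/mydomain.xyz.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name mydomain.xyz;
    ssl_certificate     /etc/letsencrypt/live/mydomain.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.xyz/privkey.pem;

    # The trailing slash on proxy_pass strips the /something/ prefix, so the
    # dev server sees "/" as it does locally; drop it if the app expects the prefix.
    location /something/ {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # It is a dev server on a laptop: keep crawlers off, and restrict who
        # can reach it (allow <your ip>; deny all;) unless it really must be public.
        add_header X-Robots-Tag "noindex" always;
    }
}
EOF
}
```

When the laptop disconnects, nginx answers 502 for /something/ and nothing else on the VPS changes; `nginx -t` validates the file before `systemctl reload nginx`.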
Hey mono-bob :), it really is cool, I only added it last night. I used to use utteranc.es, but now I use https://giscus.app. It's like utterances, but allows comment threads and reactions to the page (likes/emojis).
Tailscale (https://tailscale.com) is a great solution for this use-case. It's also just an absolutely excellent experience overall and I can't say enough nice things about it.
Can be used for the same, but serves kind of a different use case.
Tailscale scans your host for all open ports and opens a WireGuard connection between the installed machines. Like every machine is on the same network, even if they are not. Way harder to have good access control compared to plain SSH. And you don't need extra SW for just SSH.
This article is specifically about using cloudflared to implement a tunnel without exposing anything to the public internet, which is definitionally extra software. Agreed however that Tailscale offers a much wider feature set—while also covering the basic "I want to access my machine from anywhere" use-case—at the cost of exposing an entire machine instead of a single port.
You mean, like just login to a server without going through layers of cloud providers? How would that work?
For real, I can't imagine running a straight port 22 ssh service on the modern internet, but I'm usually happy just moving it to an unprivileged port for obscurity on personal equipment (plus some other common sense hardening of course). For work stuff, I'd feel naked without some sort of VPN and it seems that's essentially what these services are.
Thanks, I was struggling to do this 2 weeks ago, since I use cloudflare tunnel for everything. Had to resort to another service. This will be super helpful.
I think tunneling is going to be the core of the real web3 over the next 10 years, and my current primary side project is banking on it.
Imagine if you could take an old Android phone, install a Nextcloud app, do a quick OAuth2 flow to set up a tunnel, and now you have 100GB of cloud storage, sync, calendar, etc all running from a desk drawer.
Port forwarding is too hard. DNS is too hard. IPv6 is going to take another 10-100 years and people will still have to figure out how to manage firewalls.
IMO web3 is going to come by lowering the barrier of entry to self-hosting.
I actually am familiar with takingnames.io and boring proxy! I found it the other day when I was searching for the easiest way to self-host my own side project. I think you've got something promising and I encourage you to keep working on it. Ultimately, for my use case I went with fly.io just because it was so damn easy to use.
I am hesitant to commit to a tunnel-based approach because where I live I get frequent power/internet outages. I feel that tunneling is something I would explore if my application grows to the point where I would need to rent space in a colocation.
[1] https://linux.die.net/man/1/autossh
Have you tried using Tailscale? It does something similar to ZeroTier and I would be interested to know if their NAT workaround is better than ZT in your use case.
What about mosh?
Absolutely love ZeroTier!
I updated re:free, thanks.
Their appear to be two (Node.js/GPL3) control panels: https://github.com/key-networks/ztncui and https://github.com/dec0dOS/zero-ui
6 replies →
I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.
I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.
I've since set up wireguard and use nginx for reverse proxy and haven't looked back. This has been rock solid, set and forget.
> Question: do you use a different tool which require no maintenance or cost to run?
I run Wireguard, Tailscale and Yggdrasil on my home network.
Same, zerotier on everything. Router, laptops, servers, phone. It makes things very easy to connect without public addresses.
I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.
Which router supports ZeroTier? Or are you using a custom router firmware?
Another ZeroTier user. Runs on a few devices flawlessly.
If you like this, you’re gonna love Tailscale https://tailscale.com/
I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.
what do you mean by public channels? if I was trying to ssh into my machines it works wonderfully for dns resolution.
> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.
I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:
It's a lot less work to lock down one machine tightly enough to expose it to the public Internet than to do it for the entire network.
Use -J or ProxyJump in .ssh/config for a modern equivalent
Yes, please only use this!
The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.
I guess my bash aliases are a bit old-fashioned :P
That's how we do it where I work. We have a bastion server we SSH into to access other systems in the network.
Pretty easy to setup SSH to use it to hop through with just one command.
https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump
Unfortunately it doesn't work if you're behind a NAT due to shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`
ServerAliveInterval 30 is important because my ISP often drops idle connections, often when not even 1 minute idle. Can probably tweak it to listen on a localhost-only port instead of exposing them to the internet.
I use this alias in my .ssh/config to connect through a gateway machine:
I can't remember what these flags actually do but they seem to get the job done
ProxyJump is slightly preferred in modern SSH. Does what you're doing, but with simpler syntax. Take a look.
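The bastion/ProxyJump pattern discussed in this sub-thread, as an added example that is not any commenter's code: a small ssh_config resolver that prints the hop chain ssh -J would use for a host, honouring the two rules that bite people in practice (first matching Host block wins per keyword; a jump host's own block supplies its ProxyJump, so hops chain). All host names in the sample config are constructed.

```shell
#!/bin/sh
# Added example, not code from any commenter: resolve the ProxyJump hop chain
# that ssh would use for a host from an ssh_config file. Two ssh_config rules
# matter here: for each keyword the FIRST matching Host block wins (later blocks
# cannot override an earlier ProxyJump), and a jump host's own Host block is
# consulted for its ProxyJump, so hops chain. Host patterns support * and ?
# globs and a leading ! negation; Match blocks and "Key=value" syntax are not
# handled. All host names in the sample config are constructed.

# Print the ProxyJump value that applies to host $2 in config file $1 (empty if none).
proxyjump_for() {
  awk -v target="$2" '
    function glob_match(pat, s,   re) {
      re = pat
      gsub(/\./, "\\\\.", re)            # hostnames: only "." needs escaping
      gsub(/\*/, ".*", re)
      gsub(/\?/, ".", re)
      return s ~ ("^" re "$")
    }
    # Does the current "Host pat1 pat2 ..." line match the target?
    function block_matches(   i, hit) {
      hit = 0
      for (i = 2; i <= NF; i++) {
        if (substr($i, 1, 1) == "!") {
          if (glob_match(substr($i, 2), target)) return 0   # negation excludes
        } else if (glob_match($i, target)) hit = 1
      }
      return hit
    }
    BEGIN { active = 1 }                      # lines before any Host apply to all hosts
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "host"  { active = block_matches(); next }
    tolower($1) == "match" { active = 0; next }
    active && tolower($1) == "proxyjump" && !found { found = 1; print $2 }
  ' "$1"
}

# Print the full chain in ssh -J order (outermost hop first), e.g. "bastion,inner".
# Fails on a ProxyJump cycle instead of looping forever.
jump_chain() {
  cfg=$1; host=$2; chain=""; seen=" "
  while :; do
    jump=$(proxyjump_for "$cfg" "$host")
    [ -n "$jump" ] || break
    case "$seen" in *" $jump "*) echo "ProxyJump cycle at $jump" >&2; return 1 ;; esac
    seen="$seen$jump "
    chain=$jump${chain:+,$chain}
    # A value may be "user@host:port" or a comma list; only the first hop's own
    # config is consulted for a further ProxyJump, as ssh does.
    host=${jump%%,*}; host=${host#*@}; host=${host%%:*}
  done
  printf '%s\n' "$chain"
}

# Constructed sample config; prints the path of the temporary file it wrote.
sample_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Host bastion.example.org
    User jump
Host web*
    ProxyJump inner
Host inner
    HostName 10.0.0.5
    ProxyJump ops@bastion.example.org:2222
Host web01
    ProxyJump should-not-win
Host * !bastion.example.org
    ProxyJump bastion.example.org
EOF
  printf '%s\n' "$f"
}

cfg=$(sample_config)
echo "web01 -> $(jump_chain "$cfg" web01)"   # ops@bastion.example.org:2222,inner
echo "db01  -> $(jump_chain "$cfg" db01)"    # bastion.example.org
rm -f "$cfg"
```

The `should-not-win` block shows why a late, more specific Host entry silently does nothing once an earlier wildcard block has set ProxyJump; `ssh -G web01` prints the same resolved value on a real system.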
Can we stop posting stuff that makes even more people give the keys of their house to the BigCorp cartel?
What are you giving Cloudflare here? You're running a tunnel daemon and piping a network process to it. There's no exchange of for example your private SSH keys.
If anything this is letting people more easily self host their own version of 'BigCorp cartel' apps like mail, code hosting, etc.
Most people here work for BigCorp cartel or aspire to do so
That's unfair! Many of us also own stock in them.
I'd take a big pay cut to work for a co-op, green energy focused or other social/ecological good company. I just don't wanna work for a startup.
Hacker News hasn't been very "hacker" in a long time. Still a decent place for tech news.
Sure. Just make IPv6 work everywhere flawlessly, and then all of our devices can easily access all of our other devices, we can use whatever DNS scheme we want to return the IPv6 addresses to those devices, and then we won't need to punch through NAT firewalls and routers to reflect off corp-owned servers just to access machines trapped behind NAT firewalls! What could possibly go wrong?
the cf tunnel key was separate from your sshd key, there is no leak here. It's just a way of port forwarding over a CDN network.
This configured system, unlike the rest of the way CloudFlare works with http, is actually end to end encrypted.
Maybe an improvement:
s/http/https/
-or-
s/http/SSL/
since http is technically often referring to unencrypted port 80 transport.
Why is it always the free software people who are the most judgemental about what I do with my software and who I trust with my time and money? AWS and Microsoft never gave a shit about what other vendors I'm in bed with.
I like your GNU license, I do not like your GNU license people.
The crazy thing is the OSS people have been right about the invasion of privacy and money grab of the modern internet.
The free software people care about your privacy, AWS and Microsoft don't.
They're not forcing you to do anything, just giving you advice.
You can get a virtual server for $4/month. Installing proprietary software and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.
My virtual server is $1.67 a month (buyvm.net)
My home firewall blocks all traffic except for incoming SSH from 3 IP addresses in the world. One of those is my virtual server.
If I'm in a hotel with my laptop I run the first command to set up an SSH tunnel to my "home" computer through the cloud virtual server. That listens on my laptop to port 8888 and forwards it through the cloud virtual server to my home computer's SSH daemon listening on port 22
ssh -X -f -C -L 8888:home.mydomain.com:22 -N user@cloud.mydomain.com
ssh -p 8888 user@localhost
I do the same thing! I'm hoping that some day hotels won't send every wireguard packet they see straight to the bit bucket. Until then I'm really grateful for ssh.
If they upgrade to premium tier, set up your virtual server then. Your total cost, $0 for the duration it's free + $4 * the rest is still lower than $4 * lifetime, and the cost for switching is only going to be marginal.
I get the thought, you can build something now that is guaranteed to have a fixed cost, or you can risk going with a free product that might surprise you, causing you to rush to replace the solution with a tight deadline.
Just look at all the people panicking with the free Google Workspace shutdown.
I can use virtual server for many things (backup, vpn, webservices...) not just port forwarding.
Cost of my time for reading contract and learning new proprietary tool is not worth it for several years.
Cloudflare is arguably better than big tech. But the cost of deploying some binary package on a confidential server, keeping up with their marketing bs, etc is simply not worth it.
If I have to spend an hour or two setting up each solution, I could pay $4 a month many years before I'd feel like it was worth doing that twice. You're not wrong, but I would gladly pay the monthly to only have to set it up once.
You can build a physical server for $500 once. Relying on proprietary hardware and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.
not trying to be difficult, but $500 seems like an odd price tier to end up in. If I was going cheap, I'd do something between a rock64/raspberry pi and an Intel Nuc. If I was going powerful, it would be north of $1,500 for sure. That decision would probably be based on what I was running on it. If it's a VPN, the rock64 would be plenty. < $50
you can get them for even less: https://lowendbox.com/
You can also get a domain name for $4/year and completely own your content, but nobody does that either.
Why use a virtual server if you want to connect to your home network?
My home network has a dynamic IP. I'm using a home-baked dynamic DNS thingie, but a virtual server with a fixed IP could work too. Would update for the new IP much faster now that I think about it.
I have IPv6 at home with port 22 opened for one of my home server's IPs. But my work internet connection does not have IPv6 at all (lol) so I use one of my VPSes as a jump host.
Because in some countries, like .cz, it is pretty common that your home network is behind NAT, the ISP does not want to forward a port for you, and there is either no option to get a public IP or it costs $5 to $10/month and is a lengthy process to obtain (typical internet connection costs $20 to $30/month here).
Unfortunately the cloudflared software, while the source is available on GitHub, and there are pull requests open and accepted for it, is not under an open source license, and the license it is under does not allow modifications, so any modifications (including the aforementioned pull requests) are contrary to the license and thus copyright law and thus illegal. The issue I filed about this is still waiting for action since October 2021.
https://github.com/cloudflare/cloudflared/issues/464
Hello from the Cloudflare team - thanks for the nudge. We're in the process of migrating away from the proprietary license to an Apache license. We'll update the GitHub issue too; should be wrapped up in the next couple of weeks but likely sooner.
Could you also provide an update on this issue about the Cloudflare open source contact address?
https://github.com/cloudflare/.github/issues/13
Excellent, thanks for the update. Apache isn't what I would have chosen but is reasonable enough.
As someone who watches this space closely and recommends Cloudflare Tunnel regularly, this is fantastic news.
Do you know if it will be feasible to add Cloudflare tunneling to 3rd party Golang apps?
everyone believes that statement because?
PS: I note cloudflared uses some form of telemetry, although I have not looked at what data is transmitted and didn't try to remove it after seeing the above license.
PPS: I wish cloudflared were split up into client and server instead of one binary for both, it would be easier to audit and understand that way.
PPPS: I noted while auditing that cloudflared embeds its dependencies instead of depending on them and uses some golang libraries that are obsoleted.
hearing this I'm not sure I want cloudflared inside my network at all
it's already vast... and telemetry always seems to be the thin end of the wedge
a minimal version, not maintained by the company, under a proper open source license with no bullshit and a vastly smaller attack surface would seem like an easy win...
(and even better if it supported more service providers than just cloudflare... killing their lock-in)
Thanks for pointing this out as it does appear even taking the source and applying a pull request oneself does break the license.
Just to clarify: many pull requests have been accepted and would thus from my perspective be covered by the license as having become part of the software.
Caveat: did not dig deeply enough to check if it's mostly Cloudflare employees developing publicly, etc.
Edit: worth mentioning here on HN customer support as well that 'opensource@cloudflare.com' is misconfigured.
No, pull requests are not illegal, at least when done on Github, because by posting code on Github (that you are allowed to post) you grant Github and its users certain rights:
https://docs.github.com/en/github/site-policy/github-terms-o...
> By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
That license doesn't allow modifications, which is what pull requests are. The forking thing is only about making copies, not modifications.
In this specific case you might be correct but in the general case this is not true. The uploader agreeing to something does not affect the rights of other authors than the uploader.
Breaking a contract is not illegal. Seems to be a common misconception.
Please explain? I've googled your sentiment and have found some links but not many answers. Breaking a contract is just as illegal (~ against the law) as breaking the law? This follows trivially from contract law being a part of law. More substantive: Both contracts and laws proscribe actions. One can find remedy for breaking either via the legal system. (Obviously the severity of punishment can differ several orders of magnitude.) Only if you limit 'illegal' to criminal law you might be right in some jurisdictions.
It's copyright law that is being broken here that makes it illegal, not breaking the license/contract.
I think the misconception is between civil law and criminal law.
In civil law countries it is. Also you can be sued for it.
you may be interested in zSSH then. apache v2.
https://github.com/openziti-incubator
enables ssh without exposing sshd ports to the networks.
disclosure: founder of company who builds products on OpenZiti open source
I'm under the impression that this is against CloudFlare's ToS, otherwise I'd probably be doing it myself.
See section 2.8 "Limitation on Serving Non-HTML Content." of their subscriber agreement:
use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.
Last I checked, SSH is non-HTML content. I even opened a support ticket with their support, specifically asking about SSH and other traffic and this is what I received: So if no matter what service you use, Once you breach this rule it will be applied.
EDIT: Looks like the CloudFlare CTO has clarified things below that this usage does not in fact violate the ToS.
That's for Cloudflare's CDN/reverse-proxy service.
This is the correct one for Cloudflare Tunnel: https://developers.cloudflare.com/cloudflare-one/connections...
This seems to be the license for cloudflared. But when you use cloudflared to create a tunnel via cloudflare network, aren't you also bound to Cloudflare's ToS because the software itself is useless without using the service provided by Cloudflare?
It's not clear to me what is allowed. Would I risk a termination if I used the service to proxy ~500 GB per month of video content?
(I'm looking for a way to get around bad traffic shaping I get in the afternoon between two locations streaming live TV.)
It was strange reading this comment on Hacker News..
You will also find comments from CloudFlare folks here which suggests this use-case is sanctified.
> By the end of this post, you'll be able to run: ssh $machine_name from anywhere ... a service by Cloudflare ... will filter traffic to your machines through Cloudflare's network, including authenticating you ... your machines won't directly be exposed to threat actors and "1337 haxors".
Won't they be exposed to CloudFlare?
CloudFlare CEO has personally said:
https://www.bizjournals.com/sanjose/news/2013/09/12/cloudfla...
that the company may be required to hand over data to the NSA, and would not be able to tell clients/users about it.
I use an SSH key to connect, so I assumed the traffic itself is end-to-end encrypted. However, I would like to be surer of this.
I set up something similar using ZeroTier "public" networks and the libzt Python userspace library.
My use-case was to allow bitbucket hosted instances to connect to private instances in my infrastructure to push code to as part of the build pipeline. The way they are running Docker at bitbucket, you can't run the normal zerotier processes (IIRC, it wasn't allowed to create a tun/tap device).
The zerotier public networks are networks that anyone can join given the network ID, without requiring an admin to authorize them.
I wrote a python-based "ztproxy" [1] which you can call from SSH as a ProxyCommand like: `ProxyCommand /usr/bin/python3 /path/to/ztproxy /tmp 1234567890abcdef 9994 10.3.2.1 22`. On top of that I had SSH public key authentication of both the remote host and the local user, so even if the network ID was exposed, it wouldn't have been wide open. I also had ZeroTier network level rules that only allowed the SSH traffic.
[1]: https://github.com/linsomniac/ztproxy
If you are all about self hosting, here’s my method (disclosure, I made this tool):
1. Run https://github.com/antoniomika/sish on any free tier instance or fly
2. On server, ssh -R anythinghere:22:localhost:22 sishinstance
3. On client, ssh -J anythinghere sishinstance
The tunnel is kept internal to sish, meaning it isn’t exposed to the open internet. You need to auth first to sish (using SSH) and then auth with your server (using SSH) as well before you can gain access.
Can also use our auditable terminal so no need for an SSH client: https://blog.cloudflare.com/ssh-raspberry-pi-400-cloudflare-...
Thank you for the link.
Do you have a Cloudflare on first page of HN alert?
And will Cloudflare Tunnel stay free and included for free accounts?
I have code that monitors Hacker News comments for mentions of various things (including cloudflare, my username). It runs once a minute and uses https://hn.algolia.com/ to find new comments. I actually saw this was on Hacker New via Twitter.
https://blog.cloudflare.com/tunnel-for-everyone/
Why would I use someone else's tool to just do the same thing I have autossh running (in a script that gets restarted if it dies) doing? You can do this if you own a server on the net, or with a free tier at AWS/GCE/Azure. I feel, not sure, "dirty"? pulling down some client that I am unsure exactly what it is doing from cloudflare just to enable a reverse ssh tunnel.
Personally I’m happier to use wireguard to access my network. I don’t know when I’d ever want a pure SSH tunnelling solution.
Wireguard, with dynamically-updated DNS resolution to a residential IP is very solid for a free tier and has the key benefit of zero third-party (i.e. not controlled by you) dependencies, other than the IP provider and the DNS resolver, which is a commodities business with low switching costs. Cloudflare is very nice and will be around for a long time, but it's still a third party dependency.
As it boils down, the OP's solution is "free" as in money but not as in freedom for a certain set of requirements.
Basically, going with CF trades-off some freedom for the considerable/legitimate protection benefits of being under the "cloudflare umbrella". It's probably a good trade for this moment in time. But rational people can disagree about whether it's a good trade when you broaden the time horizon to 5, 10, etc. years.
Like all things, it depends on the requirements you're building for.
WireGuard is great and is not too difficult to set up on something like a RPi. I have one running on my home network which lets me access my local network remotely, including access to my local media server. I have another one running at my parents' house for times when I need to RDS into their windows machines for troubleshooting, or if I need to tweak settings on their router. You can also configure your clients (phone, laptop) to forward all traffic through the tunnel, which then secures your connection for when you're over an untrusted/public wifi.
There was a Cloudflare article posted a couple of days ago, I'll post my comment which agrees with you, Wireguard and a cheap VPS are hard to beat: "Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my local services."
So easy to set up too with docker. You can even generate a QR code to easily set up a mobile device. You do need a domain name, DDNS, or a static IP and the ability to port forward from the router
Cloudflare Tunnel uses Wireguard under the hood.
I believe they use WireGuard internally but the client connections are terminated over HTTP/2 frames, with QUIC support in the works.
https://blog.cloudflare.com/getting-cloudflare-tunnels-to-co...
Never heard of Wireguard, so I went to their website and for a half second I thought I cracked the screen on my new phone, because of their freaking background image....
But, it looks interesting. I'll have to check it out more.
Why not just run Wireguard on a raspberry pi, set up DDNS to send your home IP to a Dynamic DNS provider (if you're on a dynamic IP), and then SSH to your machines at home using keys (instead of passwords)?
Setting up a Pi and running the Wireguard install script is about half an hour of work.
If you're using ddns why do you need WireGuard at all?
I use a similar setup. The VPN is needed because it is the only port accessible outside my network. Wireguard is easy to setup right, and I already need it for accessing other stuff on my home network.
Wireguard needs an endpoint
shameless self-promotion: https://sshreach.me
We have an ssh reverse-forwarding based solution. And unlike the Cloudflare solution you don't need to "give the keys of your house" (as someone here commented) to reach your private machines.
You can remotely open and close the tunnels through our web interface or our web API.
Plus, we have a web API-based automated deployment solution if you have many clients.
This seems to be a cool service, I was actually thinking of creating something similar (but was deterred by the hassle of setting up billing and user management apart from the interesting technical stuff). I sometimes get asked by someone not owning a server/account they can use for ssh -R 0.0.0.0:1234:localhost:22, who are behind NAT and need to publish some service on the internet.
Why is the traffic rather limited? You seem to be hosting it on Linode and they offer like $5/TB traffic, I think you could easily offer several times more traffic, at least with the bigger plans.
“Your server creates a forwarding ssh tunnel to one of our publicly visible forwarding servers” seems like a huge risk for somebody else to own these “forwarding servers”. Worse than giving keys to your house? I dunno.
Your internal computer is still protected by password and/or public/private key-pairs, so even when the tunnel is open nobody can enter your computer without having those.
It is _your_ computer that makes connection to our servers, so you are in control of everything and there is literally nothing on our forwarding servers that would allow anybody to enter your computer.
You can also do this using the Tor network, by setting up onion services.
It's much easier, much cheaper, and does not rely on a centralized cloud vendor. Here's how to do it in a few lines:
Now tor is generating the keypair for the server. It will take a few seconds: once that's done, read the onion address from /var/lib/tor/myserver/hostname and you can start using it from the client, either with explicit ssh proxy config or with global client SSH config AutomapHostsOnResolve which enables to transparently map .onion domains to local IPs that the tor daemon will tunnel right over to the onion.
Bonus point: you get automatic certificate verification as part of the onion name itself, and you can also restrict the tor server configuration to allow only specific public keys (those who don't have them will not even reach sshd).
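The onion-service setup described above, as an added example that is not the commenter's configuration: a check script that reads a torrc, finds the service publishing port 22, and reports whether client authorization is actually enforced, since the "only specific public keys reach sshd" property depends on at least one `*.auth` file being present. Paths, hostname and key material below are constructed.

```shell
#!/bin/sh
# Added example, not the commenter's configuration: verify an SSH onion
# service before relying on it. Reads a torrc, pairs each HiddenServicePort
# with the HiddenServiceDir above it, and for the service publishing the
# given virtual port reports the generated .onion hostname, the target tor
# forwards to (should be loopback), and whether v3 client authorization is
# enforced: tor requires at least one *.auth file in
# HiddenServiceDir/authorized_clients for that; with none, anyone who learns
# the onion address reaches sshd. Paths and key material below are constructed.

# Print "DIR VIRTPORT TARGET" for every HiddenServicePort in torrc $1.
# A HiddenServicePort without an explicit target means 127.0.0.1:VIRTPORT.
onion_services() {
  awk 'tolower($1) == "hiddenservicedir"  { dir = $2; sub(/\/$/, "", dir) }
       tolower($1) == "hiddenserviceport" { print dir, $2, ($3 == "" ? "127.0.0.1:" $2 : $3) }' "$1"
}

# Status line "HOSTNAME TARGET RESTRICTED|OPEN" for the service on virtual port $2.
# Exits 1 when torrc $1 publishes no such port.
onion_ssh_status() {
  onion_services "$1" | (
    while read -r dir port target; do
      [ "$port" = "$2" ] || continue
      host=$(cat "$dir/hostname" 2>/dev/null || echo "(hostname-not-generated-yet)")
      auth=OPEN
      for f in "$dir"/authorized_clients/*.auth; do
        [ -f "$f" ] && { auth=RESTRICTED; break; }
      done
      printf '%s %s %s\n' "$host" "$target" "$auth"
      exit 0
    done
    exit 1
  )
}

# Constructed layout standing in for /etc/tor/torrc and /var/lib/tor/myserver
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/myserver/authorized_clients"
printf 'constructedaddressxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion\n' >"$demo_dir/myserver/hostname"
cat >"$demo_dir/torrc" <<EOF
HiddenServiceDir $demo_dir/myserver/
HiddenServicePort 22 127.0.0.1:22
EOF
onion_ssh_status "$demo_dir/torrc" 22        # ... OPEN: no client keys yet
# An .auth file holds one client's x25519 public key (placeholder, not a real key)
printf 'descriptor:x25519:PLACEHOLDER_CLIENT_PUBKEY\n' >"$demo_dir/myserver/authorized_clients/laptop.auth"
onion_ssh_status "$demo_dir/torrc" 22        # ... RESTRICTED
rm -rf "$demo_dir"
```

On the client side the matching private key goes in tor's ClientOnionAuthDir, and ssh reaches the service through tor's SOCKS port, e.g. `ProxyCommand nc -x 127.0.0.1:9050 %h %p` with OpenBSD netcat.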
So will cloudflare be able to ssh into my machine from anywhere? I dunno I just use ssh to ssh into my machines works pretty well so far but I have only been using it for the past 20 years.
This sounds a lot like https://tunnelto.dev/, which I've used and generally like. I'm not knowledgeable enough to know what, if any, the differences are, though.
What solution is available for smartphone with Android? I would like to setup unused phone with Android system and SSH server (there are apps) to make it a standalone server connected with internet only via LTE/GSM (using simcard). I learnt that it is impossible to connect to a device using LTE connection. Its "public" IP is not so public, LTE providers have a lot of infrastructure configurations (NAT?) to not allow incoming connections initiated outside the phone. What is the best solution here? What are free for fair use (just ssh, maybe a httpd with lightweight script page), what are paid solutions. Thanks!
And then some people will come to rely on it, and then some will eventually get blocked due to protection rules misfiring, but it's all free service so not much point in blaming the company. Gmail story waiting to repeat?
I've been using tmate for quite a while and it works great, minimal setup needed.
Can anyone shed some light on the pros/cons of each?
I'm using Deviceplane for this right now - it's designed for embedded linux machines but could be used on any linux distro. Is anyone else using Deviceplane still? It seems the project has gone dead, though the website and github pages are still up.
I like it because of the easy web interface, and ability to tag / organize machines. Authentication is really simple.
https://deviceplane.com/
No one uses Nebula [1] developed by Slack?
> Nebula is a mutually authenticated peer-to-peer software defined network based on the Noise Protocol Framework.
It's self-hosted and I think it's a great alternative to ZeroTier, or Tailscale.
I believe it's been powering Slack's overlay network for ~5+ years.
[1]: https://github.com/slackhq/nebula
I used it for a while, but found it to be unreliable. Sometimes my Raspberry Pi’s became unavailable through the nebula network. I had to ssh into the Raspberry from home network and restart the nebula service. This happened once a week or so on Zero W, so I tried Tailscale. It was much easier to set up than Nebula and works better for me so far (3 months).
YMMV, of course.
How do I achieve the following related task with minimal effort?
I have a domain and VPS. I want to expose a local dev server running on my laptop to something like mydomain.xyz/something temporarily. I want to host it myself and would prefer open-source tools.
SSH into the VPS from the laptop with port-forwarding:
ssh -R 8000:localhost:80 mydomain.xyz
Now you should be able to access your local laptop on port 8000 of the VPS. There are a few easy steps you can add if you want to make it a bit more ergonomic or permanent. If you don't want to use an alternate port, you can just forward the port on the VPS with iptables.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8000
If you want the link to be more permanent, I'd suggest using wireguard instead of ssh. That's a little more effort, but not ridiculous.
You can directly expose the port to the internet, not only localhost, with ssh:
- put "GatewayPorts clientspecified" into /etc/ssh/sshd_config, restart sshd
- ssh -R 0.0.0.0:8000:localhost:80 (the first parameter is the address where the tunnel should listen -- you can also pass something like 192.168.0.123 and expose it only to LAN etc.)
It's then reachable on your_vps:8000.
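The localhost-only vs. client-specified bind distinction in this thread (the `-R 22222:localhost:22` tunnel above and `GatewayPorts clientspecified` here), as an added example that is not any commenter's code: a check you run on the VPS to see which forwarded ports are actually reachable beyond loopback. The `ss -ltnH` snapshot is constructed.

```shell
#!/bin/sh
# Added example, not from any commenter: check where the server end of a
# reverse tunnel (ssh -R / autossh -R) actually listens. With sshd's default
# GatewayPorts=no the listener is bound to 127.0.0.1 on the VPS and only ssh
# logins on the VPS can reach it; with GatewayPorts=clientspecified the client
# picks the bind address (-R 0.0.0.0:8000:...) and the forwarded service is
# reachable from the whole internet. Sample `ss -ltnH` output is constructed.

# Effective GatewayPorts in sshd_config $1: first uncommented occurrence wins,
# "no" when absent. (Match blocks can override this; not handled here.)
gateway_ports_setting() {
  awk 'tolower($1) == "gatewayports" && !done { print tolower($2); done = 1 }
       END { if (!done) print "no" }' "$1"
}

# Read `ss -ltnH` lines on stdin. For each port given as an argument, print
# "PORT ADDRESS" when it is bound to a non-loopback address. Exit 1 if any is.
exposed_tunnel_ports() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      addr = $4; port = $4                 # Local Address:Port is field 4
      sub(/.*:/, "", port)                 # text after the last colon
      sub(/:[^:]*$/, "", addr)             # everything before it ([::] stays bracketed)
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "[::1]") next
      exposed++
      print port, addr
    }
    END { exit exposed ? 1 : 0 }
  '
}

# Constructed snapshot: 22222 is a correctly bound localhost-only tunnel, 8000 and
# 8001 were opened with client-specified bind addresses, 9000 is IPv6 loopback.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:22222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:9000 [::]:*
LISTEN 0 128 192.168.0.123:8001 0.0.0.0:*'

# Real use on the VPS:  ss -ltnH | exposed_tunnel_ports 22222 8000
printf '%s\n' "$SAMPLE_SS" | exposed_tunnel_ports 22222 8000 8001 9000 \
  && echo "all tunnel ports loopback-only" || echo "^ exposed beyond loopback"
```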
If you need it on the "correct" port and you are already running some other webserver (so you need to share that port), you need to set up a reverse proxy based on hostname or URL. I personally use haproxy, but for example nginx can do it too.
Minimal effort is use Cloudflare Tunnel (it supports more than SSH, including HTTPS). For self-hosted alternatives check the list linked in OP.
Look up SirTunnel and Boringproxy on GitHub
Or just use a Tor Onion Service.
I knew cloudflared could support https but never knew it works with other protocols as well.
TIL `ProxyCommand cloudflared access ssh --hostname %h`
I assume in this way we can even host Minecraft servers (or any binary TCP protocol service) with cloudflared?
I am utilizing a Tor hidden service to access LAN services from the internet.
It is free, runs on my hardware (Raspi Zero) and I do not have to open ports.
With client authentication, only clients with a certain key can access the service.
Wow, that commenting system is so nice. I was looking for something like that! Amazing :)
Edit: it seems https://utteranc.es/ is used.
Hey mono-bob :), it really is cool, I only added it last night. I used to use utteranc.es, but now I use https://giscus.app. It's like utterances, but allows comment threads and reactions to the page (likes/emojis).
Correct link: https://utteranc.es/
Have you seen http://cactus.chat?
Nice! Thanks for the tip
Aaaand rate limited.
> Question: do you use a different tool which require no maintenance or cost to run?
Tailscale - does everything outlined here, free for 20 devices plus a full subnet router.
Potentially a dumb question but is it a bad idea to just use port forward 22 and use a (free) dns service? Can then ssh with a key as normal no?
Tailscale (https://tailscale.com) is a great solution for this use-case. It's also just an absolutely excellent experience overall and I can't say enough nice things about it.
Can be used for the same, but serve kind of a different usecase.
Tailscale scans your host for all open ports and opens a WireGuard connection between the installed machines. Like every machine is on the same network, even if they are not. Way harder to have good access control compared to plain SSH. And you don't need extra SW for just SSH.
This article is specifically about using cloudflared to implement a tunnel without exposing anything to the public internet, which is definitionally extra software. Agreed however that Tailscale offers a much wider feature set—while also covering the basic "I want to access my machine from anywhere" use-case—at the cost of exposing an entire machine instead of a single port.
Their documentation is excellent too. Also worth mentioning the open-source derivative: https://github.com/juanfont/headscale
wasn't that the idea of ssh to begin with?
You mean, like just login to a server without going through layers of cloud providers? How would that work?
For real, I can't imagine running a straight port 22 ssh service on the modern internet, but I'm usually happy just moving it to an unprivileged port for obscurity on personal equipment (plus some other common sense hardening of course). For work stuff, I'd feel naked without some sort of VPN and it seems that's essentially what these services are.
With passwords disabled and just using key authentication, is there a big risk of just doing a straight port 22 ssh?
Genuine question, my knowledge of server security is low-to-middle.
Thanks, I was struggling to do this 2 weeks ago, since I use cloudflare tunnel for everything. Had to resort to another service. This will be super helpful.
I feel like CF is conducting a guerrilla marketing campaign on HN. I've seen so many posts about tunnel in the past few weeks.
I think tunneling is going to be the core of the real web3 over the next 10 years, and my current primary side project is banking on it.
Imagine if you could take an old Android phone, install a Nextcloud app, do a quick OAuth2 flow to set up a tunnel, and now you have 100GB of cloud storage, sync, calendar, etc all running from a desk drawer.
Port forwarding is too hard. DNS is too hard. IPv6 is going to take another 10-100 years and people will still have to figure out how to manage firewalls.
IMO web3 is going to come by lowering the barrier of entry to self-hosting.
I actually am familiar with takingnames.io and boring proxy! I found it the other day when I was searching for the easiest way to self-host my own side project. I think you've got something promising and I encourage you to keep working on it. Ultimately, for my use case I went with fly.io just because it was so damn easy to use.
I am hesitant to commit to a tunnel-based approach because where I live I get frequent power/internet outages. I feel that tunneling is something I would explore if my application grows to the point where I would need to rent space in a colocation.
goteleport.com is OSS, does this with certificates, not keys, and has a free community edition. No contracts to break.
IPv6 tunnels also help