Comment by lolinder
1 day ago
> Since my PKMS is hosted online to manage notes across devices, I have multiple layers of security to ensure my notes are kept private. {Screenshot of a login form}
The biggest life hack I can recommend for a self hoster is to set up a VPN on your local network and then just never expose your services on the public internet unless you're specifically trying to serve people outside your own household.
Before I did this I was constantly worried about the security implications of each app I thought about installing or creating. Now it's not even worth setting up auth on a lot of simple services I build because if someone is able to hit their endpoints I'm already in deep trouble for many other reasons.
Even better, set up Tailscale.
It's far easier to set up, is much more reliable (e.g. when devices are behind firewalls), and uses direct (encrypted) connections when possible.
You can get it to do what you want with just a few clicks. Things like exposing a IoT VLAN on your Tailnet or setting up an exit node to tunnel all internet traffic through your home are super easy. You can even share specific devices with friends, which is super useful. If you have anything particularly sensitive (e.g. a notes app that you wouldn't want your children / partner to have access to), you can limit access to specific users / devices on the TS side, without bothering with implementing auth.
I think there's even a way to look up the user and device based on their IP, which is one way to add painless authentication to your apps. There are reverse proxies that do it and inject the info as HTTP headers.
If you aren't comfortable with trusting them with control over your network, you can always host your own Headscale server.
What makes Tailscale more secure, or more reliable, than just a direct Wireguard tunnel?
Tailscale's complexity and features make sense when you have 200 nodes, or maybe 20 nodes at least. When you have 3-5 nodes, I think it's overkill, and a bunch of extra dependencies which may fail, and lock you out of your private nodes when you need it most.
The benefit of Tailscale is that it gives you “lots” of wireguard tunnels that work through NAT with near zero configuration and a central admin interface.
I use a personal plan and have multiple nodes. Desktop, laptop, tablet, phones, docker containers just for me and a couple of raspberry Pis on my families home networks.
Only once have I been “locked out” of a node and that was due to an expired key.
Sure, for just connecting one node to another with a known IP and accessible port it’s overkill, but for anything more complex it an awful lot of awesome for very little effort.
NAT busting, and no key management. What extra dependencies does Tailscale have?
8 replies →
> If you aren't comfortable with trusting them with control over your network
Wrt the possibility of Tailscale being compromised, there's the in-beta tailnet lock feature:
> Tailnet lock lets you verify that no node is added to your tailnet without being signed by trusted nodes in your tailnet. When tailnet lock is enabled, even if Tailscale infrastructure is malicious or hacked, attackers can't send or receive traffic in your tailnet. [1]
[1] https://tailscale.com/kb/1226/tailnet-lock
Thanks for the tip!
I've had the Device approval setting on, and wished there were more robust lock features, but not enough to want to run my own coordinator. So Tailnet lock seems like a good security upgrade.
The pricing page suggests this is only for the "enterprise" plan.
2 replies →
Or, for those who are paranoid about relying on a company, setting up headscake is relatively quick and painless too - currently using it to sync between devices across multiple cities.
headscale*
https://headscale.net/stable/
https://github.com/juanfont/headscale
Should I be paranoid? I never tried Tailscale, and the idea of trusting 3rd party with managing access to my network does give me chills. But IDK, honestly, maybe it's silly? Is it in all honesty less likely that I'll fuck things up setting my own Headscale server, than that Tailscale™ will (consciously or otherwise) fuck me up?
3 replies →
Tailscale is a VPN, how is it "better" than using a VPN?
Tailscale is more than just a VPN. It has a number of features and capabilities which make it more like a private overlay network that just seems to work wherever and whenever. Some of those features; WireGuard (the VPN bit), NAT punching, automatic key distribution, ACLs, split or full tunnel routing to internet resources, SSO. Just to name a few.
Unraid added native Tailscale support in 7.0, now you can just add an "app" (a docker container) and tick a checkbox and it'll appear in your tailnet directly.
For the most part I like Tailscale, but there's weirdness on Android with their app + Private DNS.
This is also my big frustration. I've set it to an Adguard instance that's also on tailscale and the app keeps getting into a faulty state. I've been looking into hosting the Adguard instance on the open web and securing it another way but bit short on time lately.
or zerotier
+1. I have Wireguard set up on all my mobile devices and configured to automatically start when connecting to any wifi that isn't mine, so I can take my devices anywhere and I'm still on my home LAN. It works seamlessly and flawlessly.
I self-host a lot of services, and without Wireguard (or equivalent), remote access just wouldn't be realistic.
How did you automate it to start on networks which are not yours?
This is like the only piece of the puzzle for me.
Set the AllowedIPs wireguard setting (and/or the route, if you can set that separately) to one larger than your home network (i.e., if your home network is 192.168.1.0/24, use 192.168.0.0/23). Then, block wireguard packets from the internal network on your router. Then the tunnel will always be running; it just won't be used when you're at home because there's a more specific route
1 reply →
To answer my own question, looks like there's WG Tunnel[0] on android which does what I need.
[0]: https://play.google.com/store/apps/details?id=com.zaneschepk...
For the Tailscale app on Apple platforms it’s called VPN On Demand. Here's how you can configure it.
https://tailscale.com/kb/1291/ios-vpn-on-demand
2 replies →
All my regular mobile devices are Apple, so whoever said that has it right. I also have a Linux laptop but NetworkManager support for Wireguard was broken last I checked, and at the time I didn't care enough to set it up by hand.
This is a built-in feature of the Wireguard app on iOS, not sure about other platforms.
1 reply →
I have wg into home and wg into an aws instance. All my mobile and laptops can reach them.
On Android devices? If so: how? :)
I don't use it with wireguard, but Zerotier works just fine on Android.
4 replies →
Tailscale is actually great for this if you configure an exit node on a device in your home.
It doesn't need to be an exit node unless you want to direct all traffic through that node, like a traditional VPN.
The beauty of Tailscale is that it will only direct traffic to a node that is meant for that node, everything else goes via the internet.
The downside is that if you’re on a two-week vacation and your home network/server goes down on day two, there’s probably nothing you can do until you get home. If it’s hosted online, you can count on that 99.99…% uptime and SSH access no matter what.
I think what they meant is that if it's hosted online / home-network, only allow access to all services through a VPN. Wireguard is relatively easy to setup, and you can configure all your services to only be available through wireguard.
Ever since ssh almost got backdoor-ed, the only thing "exposed" on my servers is Wireguard, which is UDP based and therefore harder to know if it's running. SSH also goes over wireguard.
> ... Wireguard, which is UDP based and therefore harder to know if it's running.
Isn't it basically impossible to know if it's running unless you have an authorize key? I thought it didn't respond at all unless you ping a valid entry key off it.
1 reply →
Although not perfect, I added a couple features to help ensure uptime:
* LAN components are on a UPS, helps keep continuity between power blips and breaker flips
* Dynamic DNS, cron runs a script 4x per day to ensure a DNS name points to my IP, even if issued a new one by the ISP
* Rebooting everything occasionally to ensure the network and services come back up on their own and I didn't make a mistake with some config that loads at boot, etc.
I run Tailscale on an Apple TV which is on a UPS. The thing uses very little power so the UPS lasts a long, long time.
1 reply →
Ssh exposed on a non-standard port, with root disabled, using key-based auth should be pretty non-controversial.
The security through obscurity (non-standard port, no root) are both kinda silly but why not.
That said, with awesome services like TailScale, it's pretty hard to get locked out of your network. TailScale is so so good at "just working".
> The security through obscurity (non-standard port, no root) are both kinda silly but why not
I think these are decent controls when layered with others. The effectiveness differs depending on your threat models, of course, but at the very least it helps reduce the noise seen from most automated scans reducing the effort involved in monitoring your assets.
Disabling root provides more than security-through-obscurity if your sudo config requires a password to elevate: it essentially means you need both your SSH private key and your password to gain root.
Fail2ban or rate-limiting SSH into a block table are useful layers to have as well.
Another option is port knocking. Super easy to set up and with 4 knocks it provides 64 bits of randomness.
These solutions are composable. Just run it on a VPS over a VPN.
But what if your home hypervisor goes down?
4 replies →
That’s a good point.
You can also enjoy your vacation instead :)
You can also set up DNS records pointing to your home server's VPN IP, which, with Tailscale, I've found to be pretty static and then a reverse proxy on your home server. So I have my home network apps running on app1.my-domiain.com app2.my-domain.com, app3.my-domain.com etc, which only work when I'm connected to the VPN.
The downsides are that I need to be connected to the VPN at home to use the domain and I currently don't have SSL set up on the domains, so browsers complain when I connect to them. The second problem I could fix, but I'm not sure if there's a solution for the first.
You can fix them both in one. In your local network you host a local DNS, in my case I’m using pihole. It has records which point to the local IP of a reverse proxy. With this setup you can have SSL for your domain names on your local network.
To make it then work outside your local network, in tailscale settings you use “split dns” to set your DNS to be the IP of your pihole in the tailnet for your domain. Now when you try hit your local domains you should receive the same local IPs that you do at home. Then in the tailscale route settings of your machine hosting the reverse proxy you make it advertise the subnet of those local IPs. Now when you receive the local IPs your devices using the tailscale VPN should go to your home server with SSL and no external DNS.
Hope that’s somewhat clear enough
There is a solution for the first. I have setup my home server torun Tailscale _and_ be a router to 192.168.2.x network (you can set this up in the Tailscale UI). I have server.mydomain.com to resolve to 192.168.2.x address and this way I can access it from the outside via Tailscale and from inside without the need to turn on Tailscale. I have https setup via DNS-01 challenge as well and updated automatically.
The internet is not a friendly place, so a VPN is a great idea.
With modern tools like Wireguard, you can even set it up relatively easy, either as Wireguard alone or as Tailscale (or ZeroTier, though that's not Wireguard).
Wireguard (and Tailscale) allows you to setup the tunnel so that only local (RFC1918 ie) traffic is routed over it, meaning it won't eat up your battery like when just routing all traffic over it.
I have Wireguard setup like that. It enables on any Wi-Fi network that isn't mine, as well as cellular, and the battery impact is less than 2% over a day.
For single page web apps I use pagecrypt [0] and just publish the html file (with inline scripts and styles) as public files.
[0] https://pagecrypt.maxlaumeister.com
Any idea on how to segment a VPN between friends? I have a few critical servers on my VPN I only want one or two devices to access, but no other devices. Mostly so that in case a rogue device enters or a friend gets hacked, there's no access to my sensitive services.
In my case I simply create two wireguard tunnels (one called "vpn", the other called "guest") and use firewall rules to block all traffic from the "guest" tunnel to all service except the one that should be "public" (in my case a minecraft server).
I think you could technically do it with a single tunnel by using firewall rules that refer to the IP address of the single peer but it's less convenient.
NOTE: I also added a dedicated dnsmasq instance only for the "guest" tunnel so that they have DNS working and can use hostnames instead of IP address.
This setup is trivial with both OpenWrt and OpnSense, but it should be doable also with manual setup
You can do this on tailscale with their ACL. It is super flexible for nailing down exactly which users/devices can talk to what on your network.
I do this too yes. It's a great extra level of security though probably not too smart to rely on as the only one.
It's true you're already screwed if they get past the VPN and I also don't set up Auth for stuff that doesn't have any private details. But don't count on just the VPN for sensitive stuff. Like password manager.
Yeah, definitely don't do turn off auth for things that matter, if only because I'm not perfectly disciplined at keeping my guests off my main network. I'm talking about tiny services that do one thing—ollama, tts/stt, and similar. Stuff where the worst case scenario is someone using up some processor cycles, not data leaks.
I built a home server project that manages many of the rough edges around deployment of self-hosted apps. It includes DDNS, router+firewall, headscale, automatic setup of apps, and automatic deployment of subdomains and TLS certs for each app.
Apps are blocked to the public by default but accessible using a Tailscale client.
It's built on top of NixOS and completely configurable through a single module.
Still in heavy development but I've replaced an entire rack in my closet with an Intel NUC.
https://homefree.host
Good point. I also use my PKMS as a CMS for my blog. Might just split out the services and go this route.
This is what Tailscale is great at.
welcome to the world when not TailScale, not a private WireGuard, not aL2TP, OpenVPN works. No, SSTP doesn't too. HTTPS works. Even on the devices you don't or can't control.
So you've managed to unlearn the last decade of security learnings in regards to zero-trust and similar concepts?
I'm not running a business, I'm running a home. The threat models are totally different and I adjust my security posture accordingly.
Besides, I don't bother with auth for simple services, not stuff that actually hosts data. If someone unauthorized is inside my network they're not going to be interested in using my TTS/STT service or in finding out the last barcode I scanned or in using my tiny consumer GPU to generate tokens on an LLM—there are way worse things they could be doing at that point than fiddling with the many tiny services I have set up.
Also: I couldn't set up so many silly, inconsequential services if I didn't have a VPN. With my setup, every new idea I have can be a quick service on my network accessible by me anywhere in the world. If I had to expose each of these things to the internet I wouldn't bother running them at all lest they have an exploit that ends up being an entrypoint into my network.
You need to understand your own risk tolerance and, more importantly, effort/resource threshold. Zero-trust is great if you have the resources to put to it, and companies should do it. But individuals trying to manage multiple companies worth of services, alone, on their own network? There's going to be corners cut.
That's a comically uncharitable extrapolation on what was said.
self hosting is entirely different than enterprise security practices. You're a little out of touch with reality if you don't realize this.
I'm being serious - please educate us, how do you think that we can do better in a homelab setting? How do you apply zero-trust principles in homelab environment with reasonable effort and without relying on 3rd party services?
Your "life hack" is not a good advice. There's plenty of well-written explanations for why perimeter based security doesn't work. What is strange is that you've started in the right place: by being "constantly worried about security implications of each app". Unfortunately it's annoying and time consuming, but that's the right way to keep your data private. And if that's too much hassle, it means it's worth it to pay others to do it.
When I'm thinking about a hypothetical situation when I need to save the world by hacking into a hypothetical villain, my best hope will be him using your approach to security.
Any serious approach to security begins with a reasonable and clearly defined threat model, and my threat model for my home network doesn't currently include a team of superheros targeting my file backups in an effort to save the world. But I'll definitely keep your advice in mind when I do decide to start executing on my evil plots.
For now my threat model consists of script kiddies and abusive corporations. Self-hosting gets me away from the corporations and keeping my stuff off of the public internet keeps me away from script kiddies.
> There's plenty of well-written explanations for why perimeter based security doesn't work
It certainly helps when your attack surface consists of numerous web apps of unknown quality.
Drive-by RCEs (e.g. log4j) then suddenly become much less of a headache when none of it is reachable by the world at large.
Exactly how you do that, whether via an authenticating reverse proxy or VPN doesn’t really matter.
Could you provide an example of one of the well written explanations?
just go and look at any of the vendors selling “zero trust” solutions. They all have white papers available about how a) perimeter security is “dead” and b) how their specific flavor of zero trust is the One True zero trust and the only thing you can trust to protect your data.
You will without exception need to provide an email address to access these white papers, so their inside sales team can ensure you fully understand the importance of trusting their zero trust, and not trusting anyone else’s.
I’m not kidding - even a little.
2 replies →