Hi!

I often read suggestions to use something like Tailscale to create a tunnel between a home server and a VPS because it is allegedly safer than opening a port for WireGuard (WG) or Nginx on my router and connecting to my home network that way.

However, if my VPS is compromised, wouldn’t the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?

  • Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    0
    ·
    6 months ago

    The thing about something like TailScale or ZeroTier or Nebula is that it’s dynamic. These all behave similar to a multiplayer game … a use case every residential firewall should “just get.”

    The ports that are “opened” can change regularly, they’re not some standard port that can just be checked to see if it’s open (typically).

    Compare that to the average novice opening port 51822 for wireguard or 22 for SSH and you start to see the difference. With those ports, you’ve got a pretty good idea what’s on the other side and it might even be willing to talk to you and give you error messages or TCP ACK packets to confirm it’s there (e.g. SSH).

    This advice is as you can probably imagine more relevant to things like OpenVPN that are notoriously hard to correctly configure or application protocols like SSH or HTTP.

    With these mesh VPNs you also don’t have to worry about your home dynamic IP changing and breaking your connection at inopportune times… And that’s a huge benefit (IMO). It’s also very easy to tie in new devices to the network.

    A lot of it is about outsourcing labor to programs that know how to set up a VPN and make management of it easy. That ties into security because … a LOT of security issues boil down to misconfiguration.

    • Netrunner@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 months ago

      Wireguard doesn’t send anything back if the key is not correct.

      Because of this, Tailscale port swapping is inconsequential vs wireguard here.

      Tailscale transfers trust of your VPN subnet to a third party, which is a real security concern.

      I agree SSH service will be attacked if they are plainly exposed, out of date and allow login challenges.

      Also agree that under or misconfiguration is a massive cause for security issues.