• 0 Posts
  • 585 Comments
Joined 3 years ago
cake
Cake day: July 11th, 2023

help-circle




  • Yeah, I bind mount the config inside a config directory just below the compose file, and the state (databases, files, etc) to a seperate storage location that makes sense. The compose and config gets added to git and pushed to a forge, while the storage directories are backed up like normal (in my case, zfs snapshots pushed to another computer and then restic backs up those cold files to b2.













  • I absolutely agree, to the point where I thought you were agreeing with a different post I made. This is the way!

    There are lots of free or nearly free ways to host a static site with your domain, and basically walk away from it for years at a time just fine. I wouldn’t use Cloudflare just on principal for just static site hosting, but its fine I guess. All the software forges host pages for free, and a bunch of smaller outfits like Neocities. Even a static site on a VPS is nearly zero maintenance. When was the last time there was a CVE for remote code execution that would effect a Linux VPS hosting only a static webpage via Caddy or Ngnix and key-based SSH? (I don’t actually think there has been one).

    Absolutely, I use a VPN for self hosted services I can’t be bothered to secure properly and don’t need exposed to all that mess. Wireguard is amazing. I used OpenVPN for years and it was such a pain in the ass mobile. I remember when it first came out, I set it up and made a SIP VoIP call with my phone. I could toggle between WiFi and cellular networks without the audio even glitching, let alone a call dropping. That was honestly like black magic back then.


  • Sorry to have made you upset. I consider Cloudflare to be the “gatekeeper” here.

    I have seen all the walkthroughs and it looks like the worst of both worlds -false sense of security and more complexity and weird non-transferrable knowledge than first glance. I suggest they use a VPN to connect to anything you can’t secure easily, as there are lots of options, and far smaller attack surface than a Cloudflare “protected” (hint: its not protected from anything but the lazyest automated attacks) proxy.

    Note: I understand moderate sized businesses using Cloudflare because DDOS attacks for ransom are a thing and a days outage can cost a lot of money. But its a protection racket and I don’t blame victims.


  • At the moment, every time I want to access my server, I have to turn off my VPN so I can turn on tailscale.

    Yes, mobile devices typically cannot run two VPNs at once. There are two issues here, when at home and when out on other networks.

    At home, the solution is not to round-trip out to your VPN provider and then back into your network via the public Internet using your domain. Unfortunately. That creates a huge latency and bandwidth penalty when you are physically at home and unnecessary complexity.

    Instead, if you must use your VPN service while at home, you need to find the split tunnel settings to allow your phone to access the local network while connected to the VPN service. They usually hide that setting because it opens up the security of said services and allows some leaks, but it should be there.

    When out on other networks, it gets harder. If you get creative with networking, you could connect a computer to your commercial VPN service and have all your tailnet devices use it as an exit node, which has the nice benefit of paying the VPN service for “one device” and using as many as you want, but is dependent on your home network speed and a PITA to set up.

    Tailscale does integrate with one VPN provider so you can use one app for both tasks, but it may not be the provider you want. I don’t know If their direct competitors do the same, maybe shop around a bit. One VPN app for both use cases is what you want, not two different VPN apps.

    Finally, if none of the above works for you, then yes, you are back to accessing your self-hosted services via the public internet and your domain name while travelling and using your commercial VPN. You will have to secure the service, and that will take some learning to do safely. That will be a journey and not something you want to just throw together quickly. You might be able to restrict incoming connections to just your commercial VPN IP address range (in addition to all of the other proper config required) to further reduce the attack surface. Sorry, that is a bit of bad news.

    Edit: I have been seeing mTLS (client certificates) come up in selfhosting discussion more and more lately. If the particular service you are running has a walkthrough for that, including support for whatever client apps, it gets you almost to VPN level security. But most do not, and if they do, its alpha stage. However, keep an eye out for that in the self-hosting world as it may solve your issue in the future.


  • My understanding was tailscale is to connect different machines across the internet, but that a traditional VPN hides your information

    You got it! When you google VPN services, you get all these companies selling products for encrypting your internet traffic (90% snake oil IMHO). Main usecase nowadays seems to be making your browsing appear like you are in a different country. This is not what people are referring to in this thread by “VPN”, even though it is the exact same underlying technology.

    Tailscale is actually trying to simplify the original VPN idea, which is to create a secure private “network” over the internet, so your devices can securely talk to one another, no matter where they are physically (over the internet). When you are out on the road, your phone can see your home server just like they were on the same home network, and there’s no way for an attacker to see the traffic or get access to those machines. You might also read about Wireguard or Zerotier -same idea, the first is more rudimentary but is used by Tailscale for the actual encrypted traffic part, the second is their main compeditor (all three are legit good options depending on your priorities). Tailscale is pretty good at being easy to get going because it takes care of authentication, routing, and port forwarding for you. They even helpfully proxy your encrypted traffic if the machines fully cannot connect p2p with each other for whatever reason (slow, but can save your butt). The apps are pretty decent too. I used Tailscale for a long time then eventually self-hosted it once I knew what I was doing sufficiently. I still use their apps.