
Or just set up Tailscale, which takes about two minutes.


Wow, yeah Tailscale looks like it basically does everything you'd want for this: https://tailscale.com/blog/how-tailscale-works/

I didn't even realize this was possible: https://tailscale.com/blog/how-nat-traversal-works/

I had seen some of the people working there comment on twitter, but I don't think those blog posts were written when I last looked them up and I didn't understand what they were actually doing.

This looks like the answer for most people if you don't need to give public access to the stuff you're hosting.

If you do though, I'm still not sure what the thing to do is. If I wanted to host my blog from home instead of via github pages or digital ocean, what's the right way to do that? Is there a reason nobody does this?


When I was young I served my websites off my home network. Dynamic DNS would update my A record if my IP changed, but I managed to trick my ISP into effectively giving me a static IP. DMZ'd a host on my network and set up a firewall, and you're off to the races.

Nowadays I just pay for a $5 VPS somewhere -- my uptime is significantly better this way!


Do you use the $5 VPS as like a reverse proxy and you're still self-hosting at home? Or did you move your self-hosted applications to the VPS?

I am setting up a self-hosted lab and looking at (securely) setting up remote access. Was leaning towards OpenVPN as pfSense supported it, but have been considering a locked down VPS remote proxy too (at least for some services) and happy to hear thoughts.


[Tailscale founder] One thing you can do here is use tailscale to connect all your devices together, including that VPS, and then set up a reverse proxy on the VPS that forwards queries to your various devices over tailscale.
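The setup described in that comment, written out as an added example (not Tailscale's code or anything from the thread): a small Go reverse proxy meant to run on the public VPS, terminating TLS and forwarding each public hostname to a device reachable over the tailnet. The hostnames, the 100.x.y.z backend addresses and the cert/key file names are constructed placeholders; the map of allowed hosts is deliberately default-deny so the VPS does not become an open proxy into the tailnet.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// routes maps a public hostname to the device that serves it over the tailnet.
// Constructed placeholders: addresses in Tailscale's 100.64.0.0/10 range.
var routes = map[string]string{
	"blog.example.com":  "http://100.101.102.103:8080", // laptop running a dev server
	"files.example.com": "http://100.101.102.104:8000", // Raspberry Pi
}

// newTailnetProxy builds a handler that forwards requests for known public
// hostnames to the matching tailnet backend and rejects everything else.
func newTailnetProxy(routes map[string]string) (http.Handler, error) {
	proxies := make(map[string]*httputil.ReverseProxy, len(routes))
	for host, backend := range routes {
		target, err := url.Parse(backend)
		if err != nil {
			return nil, err
		}
		rp := httputil.NewSingleHostReverseProxy(target)
		// Short timeouts: a device that is offline should fail fast, not hang the VPS.
		rp.Transport = &http.Transport{
			DialContext:           (&net.Dialer{Timeout: 5 * time.Second}).DialContext,
			ResponseHeaderTimeout: 15 * time.Second,
		}
		rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
			log.Printf("upstream %s unreachable: %v", target.Host, err)
			http.Error(w, "upstream unavailable", http.StatusBadGateway)
		}
		proxies[strings.ToLower(host)] = rp
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := strings.ToLower(r.Host)
		if h, _, err := net.SplitHostPort(r.Host); err == nil {
			host = strings.ToLower(h)
		}
		rp, ok := proxies[host]
		if !ok {
			// Unknown Host header: refuse rather than guess a backend.
			http.Error(w, "unknown host", http.StatusNotFound)
			return
		}
		// Tell the backend how the client actually connected; overwrite any
		// client-supplied value so it cannot be spoofed. ReverseProxy itself
		// appends X-Forwarded-For from the client's RemoteAddr.
		proto := "http"
		if r.TLS != nil {
			proto = "https"
		}
		r.Header.Set("X-Forwarded-Proto", proto)
		rp.ServeHTTP(w, r)
	}), nil
}

func main() {
	handler, err := newTailnetProxy(routes)
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Addr:              ":443",
		Handler:           handler,
		ReadHeaderTimeout: 10 * time.Second,
	}
	// cert.pem / key.pem are assumed to come from your usual certificate
	// tooling on the VPS; the file names are placeholders.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```

Only the VPS needs a public certificate and the privileged port; the devices behind it keep serving plain HTTP on unprivileged ports and are never exposed directly, since the only path to them is the tailnet address the proxy was configured with.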


Tailscale runs on WireGuard and therefore requires elevated permissions on each client device. That shouldn't be required for simply proxying a local port.

Does Tailscale offer domain registration and TLS certs?

Also, is there any way to allow public access to certain ports on certain machines, i.e. if you wanted to run your personal blog on your RPi?


I mean I suppose it requires elevated permissions but frankly it doesn't require any more permissions than most software, so this feels like a weird point to pick on. You need elevated permissions to bind 80 and 443, etc., right?

You mentioned accessing your own devices from anywhere, and that's what I use Tailscale for. It was a dream to set up, and for my own services, I don't need TLS or custom domains, really. I have a few shortcuts on my phone that work everywhere; Tailscale IPs are static.

> Also, is there any way to allow public access to certain ports on certain machines, i.e. if you wanted to run your personal blog on your RPi?

This is sorta outside the scope of what Tailscale aims to solve, but one of the cool things you could do is just run a proxy somewhere publicly accessible and route requests to your RPi.


> I mean I suppose it requires elevated permissions but frankly it doesn't require any more permissions than most software, so this feels like a weird point to pick on. You need elevated permissions to bind 80 and 443, etc., right?

I think maybe you're misunderstanding what my goal is. If I have a local webserver running on my laptop on port 8080, I want to expose that via HTTPS on a public domain. The server that terminates the HTTPS connection needs root to run on port 443, but my laptop doesn't need root to start the upstream webserver on 8080, and it shouldn't need root to tunnel it to the public server either.


[Tailscale founder here] If you're using a mac, you can just install Tailscale from the app store, which does not require root (thanks to the "magic" of Apple's extension signing).

Another experiment we're doing is integrating a completely userspace network stack, which could someday be good for this: https://twitter.com/bradfitz/status/1301937179636068352


I don't use mac.

I haven't dug into the WireGuard spec yet, so this might be an ignorant question: Do you think it would be possible to create a client that can talk with WG servers normally, but on the local side it forwards to a specific port, rather than a network interface? That would avoid the root requirement. I'm guessing the answer is no since it sounds like you guys are working on integrating a custom non-WG solution.


I think there is a userspace version written in Go that shouldn't need root access.


Unless I'm mistaken, wireguard-go[0] only runs the WireGuard protocol code in userspace rather than the kernel. It still requires configuring network interfaces which requires root.

[0]: https://github.com/WireGuard/wireguard-go


My RPi 4 has been running Tailscale at home for some time, forwarding to my home network. Works great and very stable.

I think somebody even compiled Tailscale to run natively on my Synology NAS.
