This is the optimal way

Jeff Geerling would agree

Oh your latency must suck! Also, error correction would be a royal pain in the ass too huh?

@@kwithAnd there are Hawks out there that try to DoS you!

Kkk

To top this, we can self-host Tailscale server with Headscale open-source project.

@@nghiainthecloud yes headscale is great too if you don't mind the extra management effort.

Shhh. Don't talk about OCI always free tier. He has $43/mo VPS sponsors.

@@NetBandit70only our savior owl reads the comments.

​​@@NetBandit70OCI is $hit. My instances were destroyed 3 times without any reason.

I use RatHole on one of my OCI instance

Lol idgaf what you use but they give me credits so I use them

Big tru

Pro tip: Just don't use nginx proxymanager if you care about security. They don't have security policies and there have been really bad cases in the past where critical vulnerabilities have just been ignored. It's basically a one man org, which isn't necessarily bad, but there is also no one reviewing the PRs and the maintainer commits directly. Don't get fooled by the huge amount of stars, they don't mean anything.

Yeah. Exposing NPM makes me dubious of the setup

Same here nothing compares

for years i was abusing torrent trackers as a "stun server" for home vpn until zerotier.

Shucks. Were you using a VPS? Maybe their speeds aren’t good.

Make sure your tailscale is able to negotiate a direct connection without going through a relay.

@@GrishTechhow to do that

@@GrishTech it can’t behind cgnat

ill try this thanks@@GrishTech

You’re gonna have to trust somebody at some point if you’re publicly exposing stuff

I like the zero trust access controls, they are super convenient. Alternatively just use Tailscale alone with advertised routes and as an exit node if you don’t have public facing services and you don’t need Cloudflare at all

Yes Tailscale funnel works behind CGNAT; but for free, the ports are limited: 443 & 10000

As far as I know, you should be able to use nginx on your own network and use that to encrypt your services, similar to how he did it, just installing it on a raspberry pi or VM on your own network. Just make sure you are comfortable with port forwarding.

Yeah you’ll be limited by their bandwidth

There are security concerns anytime you open services to the outside world. Do you have a specific concern in mind?

There have been multiple CVEs and my understanding is that it took a considerable amount of time (> 1 year) to address them.

Was that not on the management page? I hope you do not open that to the internet.

nah its closed@

@@munroegarrett I've read the same thing so I am using HAProxy in pfsense instead. Also can use tailscale in pfsense. I am not bashing the devs of Nginx Proxy Manager as they have a very small number of maintainers and not alot of time to fix the issues.

I mean…you need somewhere to host the Tailscale client

​@@RaidOwljust use their Tailscale Funnel feature

You could also host a wireguard VPN or OpenVPN for more restrictive networks.

This way you're still opening things up to the internet, like with the normal reverse proxy, but you'll be hiding your IP from your DNS records. Adding a layer of privacy. With just Tailscale, you'd need to setup Tailscale on the server, and each client. It would be more secure, but not feasible for every use case. For me, this method fits my needs perfectly… can't believe I didn't already consider it.

Wireguard is secure enough to be exposed on the VPS

Tailscale is just a nice interface and uses Wireguard anyway plus I can just connect my personal machines to everything with the Tailscale client. Cloudflare tunnels are still great but with this you don’t have to worry about bandwidth limits (if you aren’t proxying via CF DNS).

@@RaidOwl Yeah I agree on this. Its something else than what everyone uses, nice to try something "new"! :)

Not today

If you can't expose 80 and 443, then you literally have to use a tunnel. Whether it's Tailscale or Cloud flare, that's up to you.

You can do it without Cloudflare dns. I just like their free proxy.

I return, The issue I have with NPM is it can't do TCP or UDP, it's only HTTP/S and Traefik is a mess.

The partnership period has ended :/ I’ll have to remove those links

@@RaidOwl ah ok no worries seems. Thanks again🙂

Maybe 🤷🏻‍♂️ try it and let me know

SSH would be a tcp tunnel, which isn't all that great in many situations. Also SSH is a user process, rather than a kernel process, so higher in the stack and maybe competing with other resources more. I've done both, SSH has it's place as temporary or roving needs may dictate (i.e. permit some non-business vendor entity a specific type of access), but you'd really prefer something that's "bolted on" lower in the kernel stack for infrastructure needs. You'll also need to build/write something to keep SSH running, and explore the timeout and keepalive options to get something that's more reliable and recoverable. It's doable, but you'd probably like something else better.

Depends on what you wanna do 🤷🏻‍♂️

Yes

Just safer and easier when everything comes in on 443. You can turn it off if you’re doing something that isn’t http/https traffic

Yeah I did show what the speeds looked like hosting on small LXC container on my server, much faster. The raspberry pi was basically like "hey look you can run tailscale on anything".

Rathole is only a reverse proxy like npm and can not connect a subnet via VPN like tailscale the hole point of the video is to bypass a cgnat

Cool Guys Never Act Tough

Can't Get Network Access. Thanks

So if you host a Wordpress site you are gonna approve every single public device that wants access?

Well it’s very unlikely that you’d use Tailscale or a tiny vps for anything that’s to be publicly accessible but you could try with split dns. If I want a family member to be able to access something I have running in my homelab I will invite them to Tailscale and use the ACL to give their device access to that one resource. If they try on another machine it will ask me for approval. Hosting the DNS yourself allows more magic to happen so much so that my family hasn’t even realised how much goes on in the background. They don’t even need Tailscale installed or connected once inside our LAN and if outside they connect to Tailscale and everything continues to work. 😊

Howdy! Yeah you can def do that! There are plenty of ways to go about this but I’ve always had good experiences with tailscale

@@RaidOwlTotally, but I think that your little "Hey Brett" interludes are always fun 🙂 And you left one here for the taking ;-)

You gonna have every person in the world install tailscale if you want to host a website?

What about tailscale funnel ? I know it has limitations still you can use it right ? any other cheaper solutions like I got the over all I got the over all I idea have been using it for months. Cant afford static ip which is 3$ a month My isp provides Needs to open ort for plex and torrenting cant on my static ip even if i am able to afford as it would be illegal need some otherway around like a cheap vps dmca ignored to do what you did or any other ideas ? Dont say seedbox.@@RaidOwl

@@RaidOwl Most people wouldn't host a public website from a home server.

Hetzner is not really useful for plex in this case as they are banning pledx server hosted on their ip, so mainly this is for huge traffic for file serve or a media server Hetzner kind of defeats the purpose lowand box vps seems way to go

holy crap your right. Thanks for mentioning