top | item 46845613


sunshine-o | 1 month ago

For someone who wants to set up a private network between hosts/devices, I feel the dilemma is always:

1. Trust a third party like Tailscale by giving them the key to your kingdom, but everything is incredibly easy and secure.

2. Self-host, but you need at least one host with a fixed IP address and an open port on the Internet, which requires a set of security skills and constant monitoring. That includes headscale, self-hosted netbird, zerotier or a private yggdrasil mesh.


abcd_f | 1 month ago

You can conceal that open port with some form of port knocking. Though this does reinforce your "easy" point.

Also, if it's a UDP port, then using a protocol that expects the first client packet to be pre-authenticated and does not emit any response otherwise gets you pretty damn close to having this port closed.
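The behaviour abcd_f describes, a UDP listener that answers only a pre-authenticated first packet and stays silent for everything else, as an added example that is not from this thread or from any of the projects named in it. The packet layout (timestamp, nonce, HMAC-SHA256 tag), the constructed pre-shared key, and the 30-second freshness window are my assumptions, chosen to show the defender-side checks: constant-time tag comparison first, then freshness, then replay rejection, with no reply on any failure.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set

# Constructed demo pre-shared key (assumption); a real deployment provisions one per peer.
PSK = bytes.fromhex("6f0c5b9d2a1e4c7f8b3d9e0a1c2f4b6d8e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b")

# Assumed wire format of the first packet:
#   8 bytes  big-endian unix timestamp
#  16 bytes  random nonce
#  32 bytes  HMAC-SHA256(PSK, timestamp || nonce)
HEADER_LEN = 8 + 16
TAG_LEN = 32
PACKET_LEN = HEADER_LEN + TAG_LEN
MAX_SKEW_SECONDS = 30  # assumed tolerance for clock drift


def build_first_packet(psk: bytes, now: Optional[float] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: authenticate the very first datagram so the server can decide before replying."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16) if nonce is None else nonce
    header = struct.pack(">Q", ts) + nonce
    tag = hmac.new(psk, header, hashlib.sha256).digest()
    return header + tag


def accept_first_packet(packet: bytes, psk: bytes, seen_nonces: Set[bytes], now: Optional[float] = None) -> bool:
    """Server side: True only for a well-formed, authentic, fresh, never-seen first packet.

    Every False must translate into sending nothing back, so an unauthenticated
    sender cannot distinguish this listener from a closed port.
    """
    if len(packet) != PACKET_LEN:
        return False
    header, tag = packet[:HEADER_LEN], packet[HEADER_LEN:]
    expected = hmac.new(psk, header, hashlib.sha256).digest()
    # Constant-time comparison so the tag check itself does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return False
    (ts,) = struct.unpack(">Q", header[:8])
    nonce = header[8:HEADER_LEN]
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: a captured packet cannot be replayed later
    if nonce in seen_nonces:
        return False  # replay inside the window
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    # Loopback demo: garbage gets silence, an authenticated first packet gets a reply.
    import socket
    import threading

    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    port = server.getsockname()[1]
    seen: Set[bytes] = set()

    def serve() -> None:
        for _ in range(2):
            data, addr = server.recvfrom(4096)
            if accept_first_packet(data, PSK, seen):
                server.sendto(b"handshake-ok", addr)
            # else: deliberately no response at all

    threading.Thread(target=serve, daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(0.5)
    for label, pkt in (("garbage", b"hello?"), ("authenticated", build_first_packet(PSK))):
        client.sendto(pkt, ("127.0.0.1", port))
        try:
            print(label, "->", client.recv(4096))
        except socket.timeout:
            print(label, "-> no response (port looks closed)")
```

Note that the nonce set only needs to hold nonces from the last MAX_SKEW_SECONDS; anything older is already rejected by the freshness check, so the set can be pruned on that schedule.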

sunshine-o | 1 month ago

Thanks for the suggestion!

I looked into it but it seems that port knocking and Single Packet AuthZ literally open the firewall and expose the port when used.

Meaning it is great to reveal the SSH port when needed, do your business quickly and close it back when you are done. But my guess is those overlay networks need the port available all the time, so...

CommanderData | 1 month ago

When I look at these zero trust solutions, they need 80/443 for what seems to be some type of bootstrapping.

It would be better if it happened using the same approach WireGuard takes (UDP/stateless). Though I'm not sure if there's more than just bootstrap taking place, maybe constant routing updates etc.

PLG88 | 1 month ago

Why do you think that's against the principles of zero trust? WireGuard is a wire transport, it has no control plane... I think what you are alluding to is the centralised control plane which makes it possible to operate at scale (and much more).

PLG88 | 1 month ago

You could use a solution that allows you to have E2E with private sovereign keys on the endpoint, as well as bring your own IdP/PKI, so the provider does not have your keys. Would that be good enough?