Use tailscale for host nodes, use tailscale docker container in a compose stack with an app that you sidecar to. That way that app is on your tailnet as if it is its own computer. Use tailscale serve for reverse proxying support of the apps. Then, setup a vps node (I use linodes $5 node) with tailscale and configure that to be your DMZ into your tailnet.
For DMZ, use Caddy, UFW, and fail2ban. Also take advantage of ACLs in the Tailscale admin console to only have the VPS able to route traffic to specific apps you want to expose. My current project is to work in Authelia into this setup so a user logs into one exposed app and is able to traverse to other exposed apps through header / token authentication.
Oh also, segment the tailnet using different authentication keys. Each host node should have its own key, all the apps on a host node should have a shared key, and all public facing clients should have a common shared key. That way in case of compromise you can revoke the affected keys without bringing down your network.
dan@upvote.au 1 week ago
Don’t. Use a VPN like Tailscale or Wireguard. Tailscale uses the Wireguard protocol but it’s very easy to configure, and will automatically set up a peer-to-peer mesh network for you (each node on the VPN can reach any other node, without needing a central server)
randint@lemmy.frozeninferno.xyz 1 week ago
Offtopic, but do you think it’s better to use HTTPS for non-public web services that must be accessed through ssh?
dan@upvote.au 1 week ago
I usually use HTTPS. A lot of web features only work over HTTPS.
randint@lemmy.frozeninferno.xyz 6 days ago
Thank you! I’ll try that out.
possiblylinux127@lemmy.zip 1 week ago
One thing to note: the NAT traversal doesn’t always work especially for symmetric NAT. If you want reliable p2p connections I would setup IPv6
dan@upvote.au 1 week ago
I think Tailscale has some methods for hole punching with double NAT (including CGNAT) and symmetric NAT, but it doesn’t work in 100% of cases. tailscale.com/blog/how-nat-traversal-works
IPv6 is definitely a good solution since then you don’t have to deal with NAT at all. IPv6 is pretty easily doable in the USA (at long as you’re not using Starlink) but can be harder in other countries that don’t have as robust IPv6 infrastructure.