Comment on Safely exposing services to the Internet
ClownStatue@piefed.social 1 day ago
I used swag, dockerproxy, and cloudflare in the past. That allowed me to run things without exposing ports on my home router.
I recently moved to Pangolin cloud. Still not exposing any ports on my home server. Also repositioned my VPS to use pangolin as well. Haven’t hashed out the details, but the idea will be to allow port 443 on public IP, and anything else over tailnet.
Moral of the story: look very hard for ways to do what you want to do without having to expose ports on your router. Unless you want your hobby to become your second job. I enjoy self hosting. I don’t enjoy being paranoid about some script kiddie pummeling my setup with some AI-generated attacks while I’m asleep.
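The arrangement described above (port 443 reachable publicly, everything else only over the tailnet) is easy to state and easy to drift away from as containers come and go. The script below is an added example, not code from the commenter or from Pangolin or Tailscale: it audits a host's listening sockets and flags any bound on all interfaces other than the allowed public port. The `ss -Hltn` sample is constructed, not captured from a real host; the tailnet range 100.64.0.0/10 is the CGNAT block Tailscale assigns from; the function names and the "443 only" allow-list are assumptions for the example.

```python
import ipaddress

# Tailscale hands out node addresses from the CGNAT block 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `ss -Hltn` output (header suppressed). It is not
# captured from any real host; it stands in for what a self-hosted box
# might show: a reverse proxy on 443, an app bound to loopback, a service
# bound to the tailnet address, and two wildcard binds (22 and 3000).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 100.64.0.5:9090 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 [::]:3000 [::]:*
LISTEN 0 4096 [::1]:5432 [::]:*
"""


def classify(local):
    """Map an ss local address (host:port) to a scope and an integer port.

    Scopes: 'loopback' (127.x / ::1), 'tailnet' (100.64.0.0/10),
    'wildcard' (0.0.0.0, ::, or *), 'other' (a specific non-tailnet
    address, e.g. a LAN or public interface IP).
    """
    host, _, port = local.rpartition(":")
    host = host.strip("[]")          # ss writes IPv6 as [addr]:port
    if host in ("*", ""):
        return "wildcard", int(port)
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard", int(port)
    if ip.is_loopback:
        return "loopback", int(port)
    if ip.version == 4 and ip in TAILNET:
        return "tailnet", int(port)
    return "other", int(port)


def audit_listeners(ss_output, allowed_public=frozenset({443})):
    """Return sorted (port, scope, ok) tuples for every LISTEN line.

    ok is True when the socket is only reachable via loopback or the
    tailnet, or when its port is on the public allow-list. A bind to a
    specific non-tailnet address ('other') is treated as exposed too: on
    a VPS that address is the public one. On a home LAN server it may be
    fine, so read those findings with the interface in mind.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        scope, port = classify(fields[3])
        ok = scope in ("loopback", "tailnet") or port in allowed_public
        findings.append((port, scope, ok))
    return sorted(findings)


def exposed_ports(ss_output, allowed_public=frozenset({443})):
    """Just the ports that violate the '443 public, rest over tailnet' rule."""
    return [p for p, _, ok in audit_listeners(ss_output, allowed_public) if not ok]


if __name__ == "__main__":
    for port, scope, ok in audit_listeners(SAMPLE_SS):
        print(f"{port:>5}  {scope:<8}  {'ok' if ok else 'EXPOSED'}")
```

Run it against live data with `ss -Hltn | python3 audit.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`. A wildcard bind is not the same as Internet reachability (a router with no port forward, or a host firewall, may still block it), but it is the surface that an open port-forward or a misconfigured firewall would hand to the script kiddie mentioned above, which is why the check lists binds rather than trusting the firewall.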
Australis13@fedia.io 1 day ago
Yeah, I don't like the thought of worrying about vulnerabilities either, hence my asking this question!
I haven't heard of Pangolin cloud before -- I'm assuming this is a competitor to tailscale. Are you self-hosting it or using one of their paid plans, and if you're self-hosting, how hard was it to set up?
ClownStatue@piefed.social 1 day ago
Pangolin handles proxying (it runs traefik under the hood) and cloudflare-like protection (crowdsec). I did self-host it, but the free tier does what I need.
It does set up a wireguard tunnel between itself and the Newt resources you set up. That’s hard for proxy traffic. I have Tailscale set up for any other traffic between my resources.
I asked a similar question as you a few months ago (I think in this community), and one of the responses kind of put the fear in me. I went forward anyway, and never really did anything with my VPS. I’m still setting this new arrangement up, but so far really happy with it.
Australis13@fedia.io 1 day ago
Thanks. I think I'll need to do a bit more reading - I have no experience with any of the wireguard technologies (my VPN experience is with OpenVPN and enterprise-grade networking hardware that uses IPsec tunnels), but Pangolin's abilities do sound useful.
I guess I need to work out if something like tailscale (as per one of the other comments) set up on just the small group I want to share with will do the job, or whether I really need to expose services to the Internet and hence would benefit from a VPS with something like Pangolin.
ClownStatue@piefed.social 17 hours ago
If you’re not going the VPS route it’s even easier. Pangolin handles the wireguard tunnel for you with a docker container running newt. Very straightforward.
My goals have been:
There’s plenty of YT stuff out there for Pangolin, but I haven’t seen a lot for their cloud service. Personally, I prefer it to self-hosting it. Similar to tailscale, the free tier meets my needs, and their security team is (hopefully) more competent and better staffed than… me.
Of course, you get what you pay for, but I see this as a similar position as Tailscale & Cloudflare. With my free account, I’m piggy-backing off the security infrastructure of their enterprise offerings. Obviously I don’t get all the fine-grained controls of those tiers, but like the other two companies, they have a reputation to uphold, and from that perspective a breach is a breach. Even if it only affects free tier users, it makes them look bad.