Comment on Replacing Cloudflare Tunnels with Tailscale?
lemmyvore@feddit.nl 9 months ago
Is there a reason to expose your services to the whole internet? That’s what CF tunnels and Tailscale Funnel do.
I can’t really recommend either of them, Funnel forces you to use a .ts.net subdomain you can’t use your own domain. CF allows it but forces you to use their DNS service. Both CF and Tailscale play MITM with your HTTPS connection, meaning they decrypt and reencrypt it on the fly, meaning they are able to look at your unencrypted traffic.
If you really must expose your services publicly then get a cheap VPS, point your domain A and AAAA records at its public IPs, make a clear TCP tunnel from your server to the VPS, and forward connections to port 443 on the VPS public interface through the tunnel to the reverse HTTP proxy running on your server (with mandatory TLS encryption and Let’s Encrypt certificates for your domain).
This way you get an unbroken TLS connection all the way through, with nobody in the middle.
The tunnel that you use between your server and the VPS can work behind CGNAT because it’s outgoing, and it doesn’t necessarily need to be encrypted because it will only carry TLS connections anyway. Will be easier on the VPS CPU this way, too.
Both CF and Tailscale play MITM with your HTTPS connection
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
The Tailscale server on your node terminates the Transport Layer Security (TLS) and passes the request to the local service you’ve exposed through Funnel.
There’s still going to be a gap where traffic is unencrypted and under their software’s control. The gap takes place on your node rather then one of their servers but it still exists. You can’t avoid the TLS gap when you switch domain names mid-connection.
Whether having the gap on their node rather than on Tailscale’s server is more acceptable is up to OP to decide; but they have to understand that the gap exists. The solution I proposed doesn’t have a TLS gap.
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
Only if that nginx is advertising the .ts.net domain, and using the certificates for the .ts.net domain, which means you have to export and renew them manually via tailscale cert. If you let Tailscale manage them you will have a TLS gap.
Rather than a cheap VPS, what about hosting a reverse proxy on fly.io, something like this? github.com/AnimMouse/frp-flyapp
Should I install a reverse proxy on the VPS and link services on the local server, or should I install it directly on the local server?
Services and reverse proxy on your server. Tunnel host on the VPS.
Auli@lemmy.ca 9 months ago
According to tailscale they do not decrypt just relay.
zzzz@lemmy.world 9 months ago
Also, you can host your own server: headscale.net