> Question: do you use a different tool which require no maintenance or cost to run?
Answer: ZeroTier -- on Mac, Linux (home & cloud), Windows, Android
I actually set up DNS entries resolving to private IPs as configured in ZeroTier so I didn't have to log in to dig them up, but my default DNS provider won't resolve them. I guess newer ZeroTier versions optionally have DNS covered these days but I haven't looked into it.
IIRC, I tried both ZeroTier and Tailscale but at the time Tailscale did not yet have a simple setup to run as an unattended Windows service (and still does not have the equivalent for Mac). Being able to access a machine without staying logged in was table stakes so I decided Tailscale needed more time to bake.
Downsides I'm aware of:
- Less attention to their encryption implementation than the current hotness (WireGuard).
- Did not work with minimal effort from the local public library.
- Mac Activity Monitor shows unexpectedly high amounts of traffic even though I use it very rarely; it's not clear what's going on within that network. As in, currently hundreds of MB that I can't think of any reason to have passed through.
- It's 50 hosts + 1 admin per network for free, unlimited networks (unless you set up your own "controller"/proxy).
Re: access control brought up in another comment contrasting exposing only SSH vs. VPN connections, ZeroTier includes some off-puttingly complex access control configuration mechanism I will probably never look into.
Hope this detailed anecdata helps someone, I'm glad to be in a position to try to give back to the community by sharing my experience. Any other ZeroTier gotchas would be appreciated in case I have to dodge something in the future. I debated setting it up as permanent "route-all-internet-access-back-through-home-internet" VPN on my phone but was scared off by the complexity of setting up routing/bridging on the endpoint at home.
I have also used ZeroTier for a few years now. Very useful. Unfortunately my current ISP uses NAT instead of giving their subscribers routable IP addresses. This means ZeroTier reverts to using an external relay when accessing my machine from outside, which is very slow and has very high latency from my country.
So in addition to ZeroTier, I use AutoSSH [1] to set up and maintain a persistent SSH tunnel on a high port on my VPS. It's a lot faster than ZeroTier's relay because the VPS is in a neighboring city instead of in another country. It's pretty reliable too, automatically reconnecting when the tunnel is down. I'm still using ZeroTier as a backup connection though.
Simply use `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain` to forward port 22222 on your VPS to your local machine. I also configured a supervisord instance to start it automatically on my machine so it's always running.
My issue with ZeroTier was their slow relay server, which is only used when NAT hole punching doesn't work. I got the impression that ZeroTier doesn't really seem interested in investing more in their relay servers (adding more locations and increasing capacity). Tailscale might have better relay servers but I haven't tested it yet; I plan to test them later when I get some free time.
The crypto part of ZeroTier is getting some love soon but we are taking our time to get it right and get peer review. Implementing ideas from WireGuard and Signal.
Also the pricing is for our controller SaaS. If you want to self host controllers you can for free. There is a free community developed control panel somewhere.
Please add webhooks for ZeroTier network endpoints coming online or going offline! I think some existing formal feature requests for this already exist?
Managing expectations re:v2 is not going well for me. I wasn't really aware WireGuard-ish crypto improvements were happening (hire the personalities™ freelance ASAP or at least for review), and timeline is basically a punchline at this point... I recommend just owning both (edit: start today!) as 'when it's finished' on the front page if you want to appeal to techs.
Managing expectations re:v2 has been a total failure on our part. We put far too many things in one basket. But the work is still happening.
Learning moment for us: don't give timelines and don't reveal too much. Just say "when it's finished." Only Elon Musk can use Elon Time(tm). :)
Edit: we also promised some things that are just brutally hard, like fully decentralizing the root backplane via full data set replication. We are still working on that but it proved tougher than we originally thought, especially in light of scaling needs and security concerns. Some interesting technology in development but still in private repos.
Our competition just builds SaaS with a single controller run by a single entity. That's easy. We make it hard on ourselves by trying to keep going on the decentralization and control your own security boundary mission. Part of why everything is getting centralized into silos is that that's just so easy to engineer.
It's nice to hear that someone cares about this. I feel like a lunatic howling at the moon. We think decentralization (actual decentralization) is a good thing, but it would be so easy to just run a cloud silo. Everything becomes totally straightforward and simple.
I also hate the way scammy cryptocurrency shonk has sucked all the air out of the room on this topic, especially since most of "web3" is not even decentralized. Most of it goes through a few companies' centralized hubs. Total hot air. I'm thinking about trying to coin a new term for actual decentralization.
You might be into howling at moonshots, but when it’s dark outside you need a true luminary to reflect any light back to the rest of us. Many thanks for your continued lunacy.
I use ZeroTier, but only with Linux boxes (also used on a Mac when I had one), so instead of DNS I use nss-mdns and avahi. It is enough to install and it just works - computers are available under $HOSTNAME.local.
I tried using Zerotier a few years ago for personal devices/homenet (~10ish devices) and it frequently dropped/disconnected to the point I uninstalled. The Windows client was buggy/quirky and would get into a weird state where I couldn't click on a network to connect/disconnect properly and the app would have to be closed and client restarted before it would work properly again.
I've since set up WireGuard and use nginx as a reverse proxy and haven't looked back. This has been rock solid, set and forget.
I want to love ZeroTier, but after wanting to contribute and reading some code I decided I'd rather use another VPN tech. Not saying it isn't good, but it was very incomprehensible and didn't look modern and nice, which the product should be.
I love Tailscale, but it’s not really designed for public tunnels. You can do it, but you typically need to provision some kind of proxy with a static IP (most likely cloud based) to handle your public stuff.
Tailscale must be properly configured on your client machine to access machines/ports on their respective private Tailscale network(s), setup of which typically requires administrative intervention. Without bridging to a public network, services exposed to the Tailscale network are not accessible publicly.
Tailscale does offer user-mode clients so it can be used similarly to SSH by those allowed to connect (I don't know how difficult user-mode Tailscale is without admin setup on various operating systems).
Not sure where you're getting the idea you need admin intervention for Tailscale. I've never needed to do anything beyond authenticate the machine with my account. Tailscale has NAT traversal built into it.
If your network firewall is preventing the tunneling process, then that's on you. And if it's not on you and it's a company decision then it's VERY unlikely they'd be okay with Cloudflare's publicly exposed ports.
The Tailscale devices you see are only accessible by other devices on the same Tailscale network.
S/he's talking about accessing those machines from OUTSIDE that network. That's what would require admin intervention. So for example if I have a webserver on my home LAN that has Tailscale installed and authenticated, then sure, I can access that webserver from any of my other Tailscale devices from anywhere. But if I want a friend to be able to access that webserver without first being authenticated to the Tailscale network... Do you see the problem, yet?
I clearly understand that problem. But I'm just going to assert it's not what you actually want. Nor is it related to accessing SSH, where you most definitely don't want to expose the port.
For starters, what you're describing is a load balancer. Those already exist and are trivial to set up.
I'm talking about the one-time initial setup of the Tailscale client software.
Can you download and run Tailscale on a Windows client without Administrative access to install the software (set up the virtual NIC)? An SSH client is just a user-space app.
I have explained why I stated that 'setup of [Tailscale] typically requires administrative intervention'.
I appreciate that your approach is the more secure standard practice, yet want to make others aware of the edge cases here on a site called Hacker News rather than something like StackOverflow, where 'this is the way' reigns supreme.
I mean if I wanted to host a public blog on my private infrastructure, Tailscale alone isn’t going to cut it. I would have to make an instance on a cloud provider to allow public ingress, and I would have to set up and configure Tailscale on it to allow it to punch a hole into my walled garden. If I just want plain VPN access to my instances from wherever, then that’s when Tailscale really shines.
A core offering of Cloudflare Tunnel is the ability to host web servers through tunnels. Tailscale requires you to run your own reverse proxy on a publicly-accessible node in order to accomplish this.
This is not my experience having recently set up web servers in a cloud virtual network with no inbound ports open. I can tailscale in and connect to web servers behind traefik configured to use the dns-01 challenge. The only way to access these webapps is through tailscale.
Sorry I meant specifically public web servers, ie hosting a website or sharing a Jellyfin server with your family without requiring them to have Tailscale accounts.
> Each port is also limited to a single machine, so you'd have to choose a different port for a different machine.
I would probably set up one gateway machine, and then from that machine log into other machines on the network; instead of exposing them all to the Internet. SSH allows you to chain logins thus:
ssh -A -t user@public-gateway ssh -A -t user2@server-behind-dmz
It's a lot less work to lock down one machine really tight enough to expose them to the public Internet than to do it on the entire network.
The big advantage of this (over ssh user@host1 ssh user@host2) is that the jump host only sees the encrypted inner connection – it doesn't get access to the client's SSH agent/keychain, nor to the target host (host2) or data transmitted over the connection.
Unfortunately it doesn't work if you're behind a NAT due to shitty ISP, like me. I use AutoSSH instead to expose my local machine's ssh port on a high port in the gateway machine: `autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -v -N -R 22222:localhost:22 user@my-vps-domain`
ServerAliveInterval 30 is important because my ISP often drops idle connections, often after not even 1 minute idle. I can probably tweak it to listen on a localhost-only port instead of exposing it to the internet.
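The "listen on a localhost-only port" tweak mentioned above, written out as a supervised autossh setup. This is an added example, not the commenter's own configuration: the VPS name, the port numbers and the supervisord paths are placeholders, and the `loopback_only` check reads `ss -ltn` output from stdin so it can be run on the VPS to confirm the tunnel port is not reachable from the internet.

```shell
#!/bin/sh
# Added example (not from the thread): a persistent reverse SSH tunnel with autossh,
# bound to the VPS loopback only and kept alive by supervisord.
# Placeholders: REMOTE_HOST, TUNNEL_PORT and the supervisord stanza name are assumed.

REMOTE_HOST="user@my-vps-domain"   # placeholder taken from the one-liner above
TUNNEL_PORT=22222                  # port on the VPS that maps back to local sshd
LOCAL_SSH_PORT=22

# Build the autossh command line. Differences from the one-liner above:
#  - the remote listener is pinned to 127.0.0.1, so only someone already logged in
#    to the VPS can reach the tunnel (no GatewayPorts exposure needed or wanted);
#  - ExitOnForwardFailure makes ssh exit when the -R bind fails (e.g. a stale
#    listener still holds the port), so autossh reconnects instead of keeping a
#    session open that forwards nothing.
tunnel_cmd() {
  printf 'autossh -M 0 -N -v -o ServerAliveInterval=30 -o ServerAliveCountMax=3 '
  printf -- '-o ExitOnForwardFailure=yes -R 127.0.0.1:%s:localhost:%s %s\n' \
    "$TUNNEL_PORT" "$LOCAL_SSH_PORT" "$REMOTE_HOST"
}

# supervisord program stanza (drop into /etc/supervisor/conf.d/ssh-tunnel.conf).
# AUTOSSH_GATETIME=0 tells autossh to keep retrying even if the very first
# connection attempt fails, e.g. when the laptop boots without network.
supervisord_stanza() {
  cat <<EOF
[program:ssh-tunnel]
command=$(tunnel_cmd)
user=$(id -un)
environment=AUTOSSH_GATETIME="0"
autostart=true
autorestart=true
startsecs=10
EOF
}

# Verification to run on the VPS:  ss -ltn | loopback_only 22222
# Succeeds only if the tunnel port is listening and every listener on that port
# is bound to a loopback address (127.0.0.1 or [::1]).
loopback_only() {
  port=$1
  seen=0
  while read -r _state _recvq _sendq local _rest; do
    case "$local" in
      *:"$port")
        seen=1
        case "$local" in
          127.0.0.1:*|"[::1]":*) ;;
          *) return 1 ;;   # bound to 0.0.0.0, [::] or a public address
        esac
        ;;
    esac
  done
  [ "$seen" -eq 1 ]
}
```

When the tunnel is bound to loopback, reaching the home machine is a two-hop `ssh -J user@my-vps-domain -p 22222 user@127.0.0.1` style login through the VPS, and the VPS firewall never needs to open port 22222 at all.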
What are you giving Cloudflare here? You're running a tunnel daemon and piping a network process to it. There's no exchange of for example your private SSH keys.
If anything this is letting people more easily self host their own version of 'BigCorp cartel' apps like mail, code hosting, etc.
Sure. Just make IPv6 work everywhere flawlessly, and then all of our devices can easily access all of our other devices, we can use whatever DNS scheme we want to return the IPv6 addresses to those devices, and then we won't need to punch through NAT firewalls and routers to reflect off corp-owned servers just to access machines trapped behind NAT firewalls! What could possibly go wrong?
Why is it always the free software people who are the most judgemental about what I do with my software and who I trust with my time and money? AWS and Microsoft never gave a shit about what other vendors I'm in bed with.
I like your GNU license, I do not like your GNU license people.
You can get a virtual server for $4/month. Installing proprietary software and registering with some service, that may "upgrade" to a premium tier anytime, is pretty off-putting.
My home firewall blocks all traffic except for incoming SSH from 3 IP addresses in the world. One of those is my virtual server.
If I'm in a hotel with my laptop I run the first command to set up an SSH tunnel to my "home" computer through the cloud virtual server. That listens on my laptop on port 8888 and forwards it through the cloud virtual server to my home computer's SSH daemon listening on port 22.
I do the same thing! I'm hoping that some day hotels won't send every wireguard packet they see straight to the bit bucket. Until then I'm really grateful for ssh.
If they upgrade to premium tier, set up your virtual server then. Your total cost, $0 for the duration it's free + $4 * the rest is still lower than $4 * lifetime, and the cost for switching is only going to be marginal.
I get the thought, you can build something now that is guaranteed to have a fixed cost, or you can risk going with a free product that might surprise you, causing you to rush to replace the solution with a tight deadline.
Just look at all the people panicking with the free Google Workspace shutdown.
I can use virtual server for many things (backup, vpn, webservices...) not just port forwarding.
Cost of my time for reading contract and learning new proprietary tool is not worth it for several years.
Cloudflare is arguably better from big tech. But cost of deployment some binary package on confidential server, keeping up with their marketing bs, etc is simply not worth it.
If I have to spend an hour or two setting up each solution, I could pay $4 a month many years before I'd feel like it was worth doing that twice. You're not wrong, but I would gladly pay the monthly to only have to set it up once.
You can build a physical server for $500 once. Relying on proprietary hardware and registering to some service, that may "upgrade" to premium tier anytime, is pretty off-putting.
not trying to be difficult, but $500 seems like an odd price tier to end up in. If I was going cheap, I'd do something between a rock64/raspberry pi and an Intel Nuc. If I was going powerful, it would be north of $1,500 for sure. That decision would probably be based on what I was running on it. If it's a VPN, the rock64 would be plenty. < $50
My home network has a dynamic IP. I'm using a home-baked dynamic DNS thingie, but a virtual server with a fixed IP could work too. Would update for the new IP much faster now that I think about it.
I have IPv6 at home with port 22 opened for one of my home server's IP's. But my work internet connection does not have IPv6 at all (lol) so I use one of my VPSes as a jump host.
Because in some countries, like .cz, it is pretty common that your home network is behind NAT, the ISP does not want to forward a port for you, and there is either no option to get a public IP or it costs $5 to $10/month and is a lengthy process to obtain (typical internet connection costs $20 to $30/month here).
Unfortunately the cloudflared software, while the source is available on GitHub, and there are pull requests open and accepted for it, is not under an open source license, and the license it is under does not allow modifications, so any modifications (including the aforementioned pull requests) are contrary to the license and thus copyright law and thus illegal. The issue I filed about this is still waiting for action since October 2021.
Hello from the Cloudflare team - thanks for the nudge. We're in the process of migrating away from the proprietary license to an Apache license. We'll update the GitHub issue too; should be wrapped up in the next couple of weeks but likely sooner.
PS: I note cloudflared uses some form of telemetry, although I have not looked at what data is transmitted and didn't try to remove it after seeing the above license.
PPS: I wish cloudflared were split up into client and server instead of one binary for both, it would be easier to audit and understand that way.
PPPS: I noted while auditing that cloudflared embeds its dependencies instead of depending on them and uses some golang libraries that are obsoleted.
Hearing this I'm not sure I want cloudflared inside my network at all.
It's already vast... and telemetry always seems to be the thin end of the wedge.
A minimal version, not maintained by the company, under a proper open source license with no bullshit and a vastly smaller attack surface would seem like an easy win...
(And even better if it supported more service providers than just Cloudflare... killing their lock-in.)
Thanks for pointing this out, as it does appear that even taking the source and applying a pull request oneself does break the license.
Just to clarify: many pull requests have been accepted and would thus from my perspective be covered by the license as having become part of the software.
Caveat: did not dig deeply enough to check if it's mostly Cloudflare employees developing publicly, etc.
Edit: worth mentioning here on HN customer support as well that 'opensource@cloudflare.com' is misconfigured.
No, pull requests are not illegal, at least when done on Github, because by posting code on Github (that you are allowed to post) you grant Github and its users certain rights:
> By setting your repositories to be viewed publicly, you agree to allow others to view and "fork" your repositories (this means that others may make their own copies of Content from your repositories in repositories they control).
Uh, so I just realized how we are discussing how developers submitting pull requests to this project with this license are basically demonstrating publicly performance art style that they've broken copyright law. Or we give the benefit of the doubt and assume they are not testing their changes at all.
In this specific case you might be correct but in the general case this is not true. The uploader agreeing to something does not affect the rights of other authors than the uploader.
Please explain? I've googled your sentiment and have found some links but not many answers. Breaking a contract is just as illegal (~ against the law) as breaking the law? This follows trivially from contract law being a part of law. More substantive: Both contracts and laws proscribe actions. One can find remedy for breaking either via the legal system. (Obviously the severity of punishment can differ several orders of magnitude.) Only if you limit 'illegal' to criminal law you might be right in some jurisdictions.
Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.
'Illegal' ~ 'against the law'. What is doing something against the law? Doing something the law states you are not allowed to do. So in practice under continental law (Napoleonic / Germanic) a law states "do X" or "leave Y" and doing the opposite is illegal. Then, if the law states "you must (under good faith) fulfill your contract" and you do not fulfill your contract ... that's illegal. A legally binding contract has the force of law for the signing parties.
> Contracts themselves are not articles of contract law. - This is true, but the concept of inheritance holds.
Of 'inheritance'? What does this mean? Are you trying to apply the rules of OOP to contract law, as if an individual contract were an instance of contract law...?
Yeah I was trying to make an argument the target audience might find persuasive. Inheritance is a nice concept when reasoning about (continental) contracts since a contract is only a contract if and only if it abides by contract law. That's a strict inheritance there. In truth, it's a bit more flexible: a contract could still be a contract if there are illegal provisions in the contract since at first only the illegal provisions will be scrapped by a judge.
> a contract is only a contract if and only if it abides by contract law
That's true, but I don't quite see how that makes a contract the law. Someone who doesn't turn up to work isn't doing something illegal by dint of breaking their employment contract. IME, 'illegal' generally refers to breaking the criminal law, whereas I wouldn't say this even breaks civil law, sensu stricto. https://malesculaw.com/is-breach-of-contract-a-tort/
I'm under the impression that this is against CloudFlare's ToS, otherwise I'd probably be doing it myself.
See section 2.8 "Limitation on Serving Non-HTML Content." of their subscriber agreement:
use of the Services for serving video or a disproportionate percentage of pictures, audio files, or other non-HTML content is prohibited, unless purchased separately as part of a Paid Service or expressly allowed under our Supplemental Terms for a specific Service.
Last I checked, SSH is non-html content. I even opened a support ticket with their support, specifically asking about SSH and other traffic and this is what I received:
So if no matter what service you use, Once you breach this rule it will be applied.
EDIT: Looks like the CloudFlare CTO has clarified things below that this usage does not in fact violate the ToS.
This seems to be the license for cloudflared. But when you use cloudflared to create a tunnel via cloudflare network, aren't you also bound to Cloudflare's ToS because the software itself is useless without using the service provided by Cloudflare?
Hold up. I follow this space closely (I maintain the list of tunneling tools linked in OP). Everybody I've communicated with has been operating under the assumption that section 2.8 applies to Cloudflare Tunnel. See for example my post on another thread yesterday [0]. Are you saying this isn't the case? Is it even possible to use Tunnel without going through the CDN?
Ah ok I misread your comment as implying the CDN ToS doesn't apply to Tunnel. It doesn't if you aren't using it (ie SSH), in which case only the Tunnel ToS applies, but otherwise both apply.
> By the end of this post, you'll be able to run: ssh $machine_name from anywhere ... a service by Cloudflare ... will filter traffic to your machines through Cloudflare's network, including authenticating you ... your machines won't directly be exposed to threat actors and "1337 haxors".
I set up something similar using ZeroTier "public" networks and the libzt Python userspace library.
My use-case was to allow Bitbucket hosted instances to connect to private instances in my infrastructure to push code to as part of the build pipeline. The way they are running Docker at Bitbucket, you can't run the normal ZeroTier processes (IIRC, it wasn't allowed to create a tun/tap device).
The zerotier public networks are networks that anyone can join given the network ID, without requiring an admin to authorize them.
I wrote a python-based "ztproxy" [1] which you can call from SSH as a ProxyCommand like: `ProxyCommand /usr/bin/python3 /path/to/ztproxy /tmp 1234567890abcdef 9994 10.3.2.1 22`. On top of that I had SSH public key authentication of both the remote host and the local user, so even if the network ID was exposed, it wouldn't have been wide open. I also had ZeroTier network level rules that only allowed the SSH traffic.
2. On server, ssh -R anythinghere:22:localhost:22 sishinstance
3. On client, ssh -J anythinghere sishinstance
The tunnel is kept internal to sish, meaning it isn’t exposed to the open internet. You need to auth first to sish (using SSH) and then auth with your server (using SSH) as well before you can gain access.
I have code that monitors Hacker News comments for mentions of various things (including cloudflare, my username). It runs once a minute and uses https://hn.algolia.com/ to find new comments. I actually saw this was on Hacker News via Twitter.
Genuine question; I’ve got a static IP (v4) to my only server that I run at home. Are there any real benefits I gain to using tools like this one (or Tailscale et al)?
Why would I use someone else's tool to just do the same thing I have autossh running (in a script that gets restarted if it dies) doing? You can do this if you own a server on the net, or with a free tier at AWS/GCE/Azure. I feel, not sure, "dirty"? pulling down some client that I am unsure exactly what it is doing from Cloudflare just to enable a reverse SSH tunnel.
Wireguard, with dynamically-updated DNS resolution to a residential IP is very solid for a free tier and has the key benefit of zero third-party (i.e. not controlled by you) dependencies, other than the IP provider and the DNS resolver, which is a commodities business with low switching costs. Cloudflare is very nice and will be around for a long time, but it's still a third party dependency.
As it boils down, the OP's solution is "free" as in money but not as in freedom for a certain set of requirements.
Basically, going with CF trades-off some freedom for the considerable/legitimate protection benefits of being under the "cloudflare umbrella". It's probably a good trade for this moment in time. But rational people can disagree about whether it's a good trade when you broaden the time horizon to 5, 10, etc. years.
Like all things, it depends on the requirements you're building for.
WireGuard is great and is not too difficult to set up on something like an RPi.
I have one running on my home network which lets me access my local network remotely, including access to my local media server. I have another one running at my parents' house for times when I need to RDS into their windows machines for troubleshooting, or if I need to tweak settings on their router. You can also configure your clients (phone, laptop) to forward all traffic through the tunnel, which then secures your connection for when you're over an untrusted/public wifi.
There was a Cloudflare article posted a couple of days ago, I'll post my comment which agrees with you, Wireguard and a cheap VPS are hard to beat: "Similar, I use a cheap AWS Lightsail VPS $3.50 (Lightsail has DDOS protection)-> Wireguard -> Apache Reverse Proxy mod -> my local services."
So easy to set up too with Docker. You can even generate a QR code to easily set up a mobile device. You do need a domain name, DDNS, or a static IP and the ability to port forward from the router.
Never heard of WireGuard, so I went to their website and for a half second I thought I cracked the screen on my new phone, because of their freaking background image....
But, it looks interesting. I'll have to check it out more.
Why not just run WireGuard on a Raspberry Pi, set up DDNS to send your home IP to a Dynamic DNS provider (if you're on a dynamic IP), and then SSH to your machines at home using keys (instead of passwords)?
Setting up a Pi and running the Wireguard install script is about half an hour of work.
I use a similar setup. The VPN is needed because it is the only port accessible outside my network. WireGuard is easy to set up right, and I already need it for accessing other stuff on my home network.
If I understand GP correctly, the goal is to SSH into an RPi on a home network. Since they mention DDNS, it's implied that they're connecting directly to their home router. What I'm saying is why not port forward directly to the RPi?
We have an SSH reverse-forwarding based solution. And unlike the Cloudflare solution you don't need to "give the keys of your house" (as someone here commented) to reach your private machines.
You can remotely open and close the tunnels through our web interface or our web API.
Plus, we have a web API-based automated deployment solution if you have many clients.
This seems to be a cool service, I was actually thinking of creating something similar (but was deterred by the hassle of setting up billing and user management apart from the interesting technical stuff). I sometimes get asked by someone not owning a server/account they can use for ssh -R 0.0.0.0:1234:localhost:22, who are behind NAT and need to publish some service on the internet.
Why is the traffic rather limited? You seem to be hosting it on Linode and they offer like $5/TB traffic, I think you could easily offer several times more traffic, at least with the bigger plans.
“Your server creates a forwarding ssh tunnel to one of our publicly visible forwarding servers” seems like a huge risk for somebody else to own these “forwarding servers”. Worse than giving keys to your house? I dunno.
Your internal computer is still protected by password and/or public/private key-pairs, so even when the tunnel is open nobody can enter your computer without having those.
It is _your_ computer that makes the connection to our servers, so you are in control of everything and there is literally nothing on our forwarding servers that would allow anybody to enter your computer.
It's much easier, much cheaper, and does not rely on a centralized cloud vendor. Here's how to do it in a few lines:
apt install tor
printf 'HiddenServiceDir /var/lib/tor/myserver\nHiddenServicePort 22 127.0.0.1:22\n' >> /etc/tor/torrc
systemctl restart tor
Now tor is generating the keypair for the server. It will take a few seconds: once that's done, read the onion address from /var/lib/tor/myserver/hostname and you can start using it from the client, either with explicit ssh proxy config or with the global client SSH config AutomapHostsOnResolve, which enables transparent mapping of .onion domains to local IPs that the tor daemon will tunnel right over to the onion.
Bonus point: you get automatic certificate verification as part of the onion name itself, and you can also restrict the tor server configuration to allow only specific public keys (those who don't have them will not even reach sshd).
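The two client-side pieces the comment above alludes to (the explicit ssh proxy config, and restricting the onion service to specific client keys), spelled out as an added example that is not part of the comment. It uses Tor's v3 onion client authorization: the server keeps one `descriptor:x25519:<pubkey>` file per allowed client under `<HiddenServiceDir>/authorized_clients/`, and the client keeps the matching private key in its `ClientOnionAuthDir`. `HS_DIR` is the HiddenServiceDir from the torrc snippet above; `CLIENT_AUTH_DIR` and the `nc -x` proxy command are assumptions (OpenBSD netcat syntax; ncat users would use `--proxy 127.0.0.1:9050 --proxy-type socks5` instead).

```shell
#!/bin/sh
# Added example (not from the comment above): v3 onion client authorization for an
# SSH onion service, plus the client-side ssh_config stanza. Requires openssl with
# x25519 support and coreutils base32.
HS_DIR=/var/lib/tor/myserver            # HiddenServiceDir from the torrc snippet above
CLIENT_AUTH_DIR=/var/lib/tor/onion_auth  # assumed; must match ClientOnionAuthDir on the client

# Generate an x25519 keypair and print the raw 32-byte keys as unpadded base32,
# which is the encoding Tor expects in .auth / .auth_private files.
# Output: line 1 = public key (for the server), line 2 = private key (for the client).
onion_auth_keypair() {
  pem=$(openssl genpkey -algorithm x25519 2>/dev/null) || return 1
  # The DER encodings end with the raw key material, so keep the last 32 bytes.
  pub=$(printf '%s\n' "$pem" | openssl pkey -pubout -outform DER 2>/dev/null | tail -c 32 | base32 | tr -d '=')
  priv=$(printf '%s\n' "$pem" | openssl pkey -outform DER 2>/dev/null | tail -c 32 | base32 | tr -d '=')
  printf '%s\n%s\n' "$pub" "$priv"
}

# Server side: contents of $HS_DIR/authorized_clients/<name>.auth
server_auth_line() { printf 'descriptor:x25519:%s\n' "$1"; }

# Client side: contents of $CLIENT_AUTH_DIR/<name>.auth_private
# ($1 = onion address with or without the .onion suffix, $2 = base32 private key)
client_auth_line() { printf '%s:descriptor:x25519:%s\n' "${1%.onion}" "$2"; }

# Write both files (run the server half on the onion host, the client half on the
# laptop). Tor refuses world-readable key material, hence the chmod.
install_server_auth() {   # $1 = client name, $2 = base32 public key
  mkdir -p "$HS_DIR/authorized_clients"
  server_auth_line "$2" > "$HS_DIR/authorized_clients/$1.auth"
  chmod 600 "$HS_DIR/authorized_clients/$1.auth"
}
install_client_auth() {   # $1 = client name, $2 = onion address, $3 = base32 private key
  mkdir -p "$CLIENT_AUTH_DIR"
  client_auth_line "$2" "$3" > "$CLIENT_AUTH_DIR/$1.auth_private"
  chmod 600 "$CLIENT_AUTH_DIR/$1.auth_private"
}

# Client ~/.ssh/config stanza: route every *.onion host through the local Tor
# SOCKS5 port instead of relying on AutomapHostsOnResolve.
ssh_config_stanza() {
  cat <<'EOF'
Host *.onion
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
    # The onion address already authenticates the server, but keeping host keys
    # pinned as usual costs nothing.
    StrictHostKeyChecking accept-new
EOF
}
```

Once a client key is installed and tor is reloaded on both ends, clients without a matching private key cannot even fetch the service descriptor, so they never reach sshd; the SSH key check on top of that is a second, independent gate.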
So will cloudflare be able to ssh into my machine from anywhere? I dunno I just use ssh to ssh into my machines works pretty well so far but I have only been using it for the past 20 years.
This sounds a lot like https://tunnelto.dev/, which I've used and generally like. I'm not knowledgeable enough to know what, if any, the differences are, though.
What solution is available for a smartphone with Android? I would like to set up an unused phone with Android and an SSH server (there are apps) to make it a standalone server connected to the internet only via LTE/GSM (using a SIM card). I learnt that it is impossible to connect to a device using an LTE connection. Its "public" IP is not so public; LTE providers have a lot of infrastructure configurations (NAT?) to not allow incoming connections initiated outside the phone. What is the best solution here? What are free for fair use (just ssh, maybe an httpd with a lightweight script page), what are paid solutions? Thanks!
And then some people will come to rely on it, and then some will eventually get blocked due to protection rules misfiring, but it's all free service so not much point in blaming the company. Gmail story waiting to repeat?
I'm using Deviceplane for this right now - it's designed for embedded linux machines but could be used on any linux distro. Is anyone else using Deviceplane still? It seems the project has gone dead, though the website and github pages are still up.
I like it because of the easy web interface, and ability to tag / organize machines. Authentication is really simple.
I used it for a while, but found it to be unreliable. Sometimes my Raspberry Pis became unavailable through the Nebula network. I had to ssh into the Raspberry from the home network and restart the Nebula service. This happened once a week or so on a Zero W, so I tried Tailscale. It was much easier to set up than Nebula and works better for me so far (3 months).
How do I achieve the following related task with minimal effort?
I have a domain and VPS. I want to expose a local dev server running on my laptop to something like mydomain.xyz/something temporarily. I want to host it myself and would prefer open-source tools.
SSH into the VPS from the laptop with port forwarding:
ssh -R 8000:localhost:80 mydomain.xyz
Now you should be able to access your local laptop on port 8000 of the VPS. There are a few easy steps you can add if you want to make it a bit more ergonomic or permanent. If you don't want to use an alternate port, you can just forward the port on the VPS with iptables.
You can directly expose the port to the internet, not only localhost, with ssh:
- put "GatewayPorts clientspecified" into /etc/ssh/sshd_config, restart sshd
- ssh -R 0.0.0.0:8000:localhost:80 (the first parameter is the address where the tunnel should listen -- you can also pass something like 192.168.0.123 and expose it only to LAN etc.)
It's then reachable on your_vps:8000.
If you need it on the "correct" port and you are already running some other webserver (so you need to share that port), you need to set up a reverse proxy based on hostname or URL. I personally use haproxy, but for example nginx can do it too.
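The two answers above describe one procedure: a reverse SSH tunnel to the VPS, the sshd `GatewayPorts` setting that decides where that tunnel actually listens, and a hostname-based reverse proxy in front of it. The POSIX shell script below is an added example, not code from either commenter: it builds the `ssh -R` command, reads the effective `GatewayPorts` value from sshd_config text (sshd honours the first uncommented occurrence; the default is `no`), works out the address the forwarded port will really bind to, and emits an nginx server block for the hostname. The sshd_config text, the hostname `dev.mydomain.xyz` and the nginx layout are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample sshd_config text (assumption, not from any real host).
SAMPLE_SSHD_CONFIG='Port 22
#GatewayPorts no
GatewayPorts clientspecified
AllowTcpForwarding yes'

# Build the remote-forward command: the first -R parameter is the address the
# tunnel should listen on at the VPS, then the VPS port, then the local target.
# -N: no remote shell, just hold the tunnel open.
build_ssh_forward() {
  bind_addr="$1"; remote_port="$2"; local_port="$3"; vps="$4"
  printf 'ssh -N -R %s:%s:localhost:%s %s\n' "$bind_addr" "$remote_port" "$local_port" "$vps"
}

# Effective GatewayPorts value: first uncommented directive wins, default "no".
gateway_ports_setting() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
    END { if (!found) print "no" }'
}

# Where sshd will really bind the forwarded port, given the setting and the
# address the client asked for:
#   no              -> loopback only, whatever the client requested (silent downgrade)
#   yes             -> wildcard address, whatever the client requested
#   clientspecified -> the address the client passed to -R
effective_bind() {
  setting="$1"; requested="$2"
  case "$setting" in
    no) echo loopback ;;
    yes) echo wildcard ;;
    clientspecified) echo "$requested" ;;
    *) echo "unknown GatewayPorts value: $setting" >&2; return 1 ;;
  esac
}

# Convenience: config text + requested address -> real listen address.
tunnel_listen_address() {
  effective_bind "$(gateway_ports_setting "$1")" "$2"
}

# nginx server block that routes one hostname to the tunnel port on loopback,
# so port 80 can be shared with other sites (assumed layout; haproxy works too).
nginx_vhost() {
  server_name="$1"; upstream_port="$2"
  cat <<EOF
server {
    listen 80;
    server_name $server_name;
    location / {
        proxy_pass http://127.0.0.1:$upstream_port;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# Usage: show the command, the real bind address, and the vhost.
build_ssh_forward 0.0.0.0 8000 80 mydomain.xyz
echo "listens on: $(tunnel_listen_address "$SAMPLE_SSHD_CONFIG" 0.0.0.0)"
echo "with default sshd_config: $(tunnel_listen_address 'Port 22' 0.0.0.0)"
nginx_vhost dev.mydomain.xyz 8000
```

The point of `tunnel_listen_address` is the check a practitioner wants before relying on either answer: with the stock `GatewayPorts no`, `ssh -R 0.0.0.0:8000:...` still binds to loopback and nothing is reachable from outside, while `yes` exposes every remote forward on all interfaces regardless of what the client asked for; `clientspecified` is the setting that makes the LAN-only `192.168.0.123` trick work. When the nginx vhost is in front, the tunnel can stay on loopback and only the proxy faces the internet.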
Hey mono-bob :), it really is cool, I only added it last night. I used to use utteranc.es, but now I use https://giscus.app. It's like utterances, but allows comment threads and reactions to the page (likes/emojis).
Tailscale (https://tailscale.com) is a great solution for this use-case. It's also just an absolutely excellent experience overall and I can't say enough nice things about it.
It can be used for the same, but serves kind of a different use case.
Tailscale scans your host for all open ports and opens a WireGuard connection between the installed machines. It's like every machine is on the same network, even if they are not. Way harder to have good access control compared to plain SSH. And you don't need extra SW for just SSH.
This article is specifically about using cloudflared to implement a tunnel without exposing anything to the public internet, which is definitionally extra software. Agreed however that Tailscale offers a much wider feature set—while also covering the basic "I want to access my machine from anywhere" use-case—at the cost of exposing an entire machine instead of a single port.
You mean, like just login to a server without going through layers of cloud providers? How would that work?
For real, I can't imagine running a straight port 22 ssh service on the modern internet, but I'm usually happy just moving it to an unprivileged port for obscurity on personal equipment (plus some other common sense hardening of course). For work stuff, I'd feel naked without some sort of VPN and it seems that's essentially what these services are.
I've seen servers get hit with so many ssh login attempts that it runs out of resources to respond, effectively DOSing ssh at least. Moving it to a high port usually cuts out all the chatter.
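The "chatter" in the comment above is visible in sshd's auth log as a stream of `Failed password` lines from a few sources. The POSIX shell script below is an added example, not the commenter's code: it counts failed password attempts per source IP over a handful of constructed log lines and reports the sources at or above a threshold, which is the same signal fail2ban-style tooling acts on. The log lines, hostnames and addresses are constructed (documentation ranges), not from any real server.

```shell
#!/bin/sh
# Constructed sample auth.log lines (assumption, not from any real host).
SAMPLE_AUTH_LOG='Mar  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:02 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:03 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:04 vps sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:05 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:06 vps sshd[1206]: Failed password for root from 198.51.100.9 port 40000 ssh2
Mar  1 10:00:07 vps sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:placeholder
Mar  1 10:00:08 vps sshd[1208]: Connection closed by authenticating user root 203.0.113.7 port 51005 [preauth]'

# Count "Failed password" lines per source IP. The IP is the field after
# "from", which works for both "for root from" and "for invalid user X from".
# Output: "<count> <ip>", highest count first.
failed_logins_by_ip() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Sources whose failure count is at or above the threshold (one IP per line).
noisy_sources() {
  log="$1"; threshold="$2"
  failed_logins_by_ip "$log" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage: full tally, then the sources that would trip a 5-failure rule.
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
echo "over threshold: $(noisy_sources "$SAMPLE_AUTH_LOG" 5)"
```

Run against the real `/var/log/auth.log` (or `journalctl -u ssh`) output in place of the sample text. Moving sshd to a high port mostly empties this tally because untargeted scanners only try 22; it does not remove the exposure, so key-only authentication (`PasswordAuthentication no`) is what makes the remaining attempts harmless, and the count above becomes a monitoring signal rather than a resource problem.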
Thanks, I was struggling to do this 2 weeks ago, since I use Cloudflare Tunnel for everything. Had to resort to another service. This will be super helpful.
I think tunneling is going to be the core of the real web3 over the next 10 years, and my current primary side project is banking on it.
Imagine if you could take an old Android phone, install a Nextcloud app, do a quick OAuth2 flow to set up a tunnel, and now you have 100GB of cloud storage, sync, calendar, etc all running from a desk drawer.
Port forwarding is too hard. DNS is too hard. IPv6 is going to take another 10-100 years and people will still have to figure out how to manage firewalls.
IMO web3 is going to come by lowering the barrier of entry to self-hosting.
I actually am familiar with takingnames.io and boring proxy! I found it the other day when I was searching for the easiest way to self-host my own side project. I think you've got something promising and I encourage you to keep working on it. Ultimately, for my use case I went with fly.io just because it was so damn easy to use.
I am hesitant to commit to a tunnel-based approach because where I live I get frequent power/internet outages. I feel that tunneling is something I would explore if my application grows to the point where I would need to rent space in a colocation.
I don't think tunneling is necessarily a great for hosting large-scale things or businesses that need to stay online 24/7. Self-hosted services for friends and family or maybe small communities seems like the best use case.
It's annoying but ok if your media server goes down once in a while.