To open or NOT open ports (Port opening vs Tailscale), secure remote access

Started by muffin44, June 24, 2025, 06:36:40 PM

Hi,

so I thought about these scenarios (opening ports vs Tailscale) for a long time and I am still unsure what suits me better. For a long time I used Cloudflare tunnels and it was very convenient, but now I am more privacy conscious and want to ditch Cloudflare because of their ability to see/read the data at their side (= data is unencrypted).

Now I am thinking of either using Tailscale where I don't have to open any ports or going the oldschool way: Opening port 443 or 80.
Back in the old days many people and blog posts suggested the latter one (probably because there were no other solutions back then) or just use a VPN.

The most negative point for me using Tailscale is that the VPN client has to be activated the whole time on my phone. I am using other VPNs too and have to disable the connection and connect to another VPN. Also I dislike the key symbol in the status bar when VPN is active :D.
Second negative point is that Tailscale gets metadata and maybe in future they decide to restrict things more, who knows?

On the second scenario with the opened port I plan to do the following:
- open port 443
- activate GeoIP block on OPNsense to only allow my home country to connect
- set up Caddy reverse proxy on OPNsense and use mTLS with my own certificate. Users who don't have the mTLS cert get blocked.
- use Authelia on my server, where I put it in a separate VLAN for safety
- use CrowdSec
- put Docker machines in a separate VLAN (risky ones like Vaultwarden also in a separate one)

So if we take these 2 scenarios: Is it now ok to open port 443 or to just use Tailscale? I am asking because somehow everywhere nowadays it is not suggested to open ports anymore. Is it really this bad?

P.s. I don't want to pay for extra services like an extra VPS or something.

Thank you and I am excited to hear what you guys think and how you handle the secure remote access.
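The reverse-proxy part of the plan above (port 443 terminated by Caddy on OPNsense, a client certificate required before any HTTP is processed, Authelia in front of the applications) written out as an added example Caddyfile. It is not code from the thread or from the Caddy/Authelia projects: the hostnames, VLAN addresses, the client-CA file path and the Authelia upstream are placeholders, and the syntax assumes Caddy 2.7 or newer (the `trust_pool` form of `client_auth`) and Authelia's `/api/authz/forward-auth` endpoint.

```caddyfile
# Constructed example: Caddy on OPNsense as the only service behind port 443.
# Everything below that is not a Caddy keyword is a placeholder.

# Reusable snippet: reject the TLS handshake unless the client presents a
# certificate signed by the private CA in client-ca.pem. A request without a
# valid client cert never reaches Authelia or the application.
(mtls) {
	tls {
		client_auth {
			mode require_and_verify
			trust_pool file /usr/local/etc/caddy/client-ca.pem
		}
	}
}

# Authelia itself (placed in its own VLAN, 10.0.30.0/24 here) is also behind mTLS,
# so the login page is not reachable without the client certificate either.
auth.example.com {
	import mtls
	reverse_proxy 10.0.30.10:9091
}

# An application in the "risky" Docker VLAN (10.0.40.0/24 here), e.g. Vaultwarden.
vault.example.com {
	import mtls

	# Second factor: every request is first checked against Authelia. Only a
	# 2xx answer from Authelia lets the request continue to reverse_proxy;
	# anything else is returned to the client (normally a redirect to the login).
	forward_auth 10.0.30.10:9091 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}

	reverse_proxy 10.0.40.20:80
}
```

A quick check that the layering works as intended: `curl --cert client.pem --key client.key https://vault.example.com/` should reach Authelia's login redirect, while the same request without `--cert`/`--key` must fail during the TLS handshake and leave no request line in Authelia's or the application's logs. The GeoIP rule and CrowdSec sit in front of this on the firewall and are not part of the Caddyfile.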

Why not set up WireGuard on your OPNsense and connect directly to that?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

moin Patrick :D,

right now I am using the WireGuard VPN of the FRITZ!Box sometimes. But the problem with the VPN switching stays. So it's a little bit annoying for me to have the VPN activated and to switch from one VPN to the other. Of course it's more privacy friendly because of the omission of metadata. But another concern is that if someone grabs the WireGuard conf he can also easily connect to it (without entering any password or so). I don't like the idea. So I think I would rather use Tailscale.

My question is: Would my setup with the open port (+mTLS, Authelia, CrowdSec) be ok or should I go another path? Are there any users who went this way?

If it's strictly web applications or can be turned into a web application like e.g. with Guacamole for RDP I would sleep well with an SSL terminating reverse proxy and 2FA via e.g. Authelia or Keycloak.

I stopped using CrowdSec because the free lists are essentially useless.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

thanks, do you think the use of Suricata makes sense in the scenario of opening the port (+Caddy, mTLS, Authelia)?

I don't believe in IDS but that's me 🙂
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)