Hiker, software engineer (primarily C++, Java, and Python), Minecraft modder, hunter (of the Hunt Showdown variety), biker, adoptive Akronite, and general doer of assorted things.
AFAIK, Windows firewall is perfectly fine, usable in commercial spaces, etc. You’re probably going to be getting into more “hobbyist” firewalls even if you do find one … and a firewall isn’t something you particularly want that with. You want something that’s well designed and well maintained.
(I say this as a guy that has run Linux on basically everything for … over a decade)
If you’re going to use Windows … just use Windows firewall. There’s no real reason that I can think of anyways to replace that one component with something FOSS.
Something with 1-click installs like TrueNAS can help quite a bit. It’s still something that requires active involvement from the operator to do well though. If you’re self hosting, it’s like DIY construction, if something falls down … you can’t sue your contractor/nobody’s going to make you whole again except yourself.
There’s also the networking side of things. I just wrote up some thoughts on that as well… https://alexandrite.app/social.packetloss.gg/comment/1821545
Things like ZeroTier/TailScale/Nebula can make this monumentally more approachable and safer. It’s still far from for everyone though.
Yes, WireGuard was designed to fix a lot of these issues. It does change the equation quite a bit. I agree with you on that (I kind of hinted at it but didn’t spell that out I suppose).
That said, WireGuard AFAIK still only works well with static IPs/becomes a PITA once dynamic IPs are in play. I think some of that is mitigated if the device being connected to has a static IP (even if the device being connected from doesn’t). However, that doesn’t cover a lot of self hosting use cases.
Tailscale/ZeroTier/Nebula etc do transfer some control (Nebula can actually be used with fully internal control and ZeroTier can also be used that way as well though you’re going to have to put more work in with ZeroTier … I don’t know about TailScale’s offering here).
Though doing things yourself also (in most cases) means transferring some level of control to a cloud/traditional server hosting provider anyways (e.g, AWS, DigitalOcean, NFO, etc).
Using something like ZeroTier can cutout a cloud provider/VPS entirely in favor of a professionally managed SAS for a lot of folks.
A lot of this just depends on who you trust – yourself or the team running the service(s) you’re relying on – more and how much time you have to practically devote to maintenance. There’s not a “one size fits all answer” but … I think most people are better off doing SAS to form an internal mesh network and running whatever services they’re interested in running inside of that network. It’s a nice tradeoff.
You can still setup device firewalls, SSH key-only authorization, fail2ban, and things of that ilk as a precaution in case their networks do get compromised. These are all things you should do if you’re self hosting … but hobbyist/novices will probably stumble through them/get it wrong, which IMO is more okay in the SAS case because you’ve got a professional security team keeping an eye on things.
The company Tailscale is a giant target and has a much higher risk in getting compromised than my VPN or even accessible services.
One must be careful about this mindset. A bunch of smart lightbulbs that are individually operated aren’t a particularly appealing target either. However, in aggregate… If someone can write a script that abuses security flaws in them or their default configuration … even though you’re not part of a big centralized target, you are part of a class that can be targeted automatically at scale.
Self hosting only yields better security when you are willing to take steps to adequately secure your self hosted services and implement a disaster recovery strategy.
The thing about something like TailScale or ZeroTier or Nebula is that it’s dynamic. These all behave similar to a multiplayer game … a use case every residential firewall should “just get.”
The ports that are “opened” can change regularly, they’re not some standard port that can just be checked to see if it’s open (typically).
Compare that to the average novice opening port 51822 for wireguard or 22 for SSH and you start to see the difference. With those ports, you’ve got a pretty good idea what’s on the other side and it might even be willing to talk to you and give you error messages or TCP ACK packets to confirm it’s there (e.g. SSH).
This advice is as you can probably imagine more relevant to things like OpenVPN that are notoriously hard to correctly configure or application protocols like SSH or HTTP.
With these mesh VPNs you also don’t have to worry about your home dynamic IP changing and breaking your connection at inopportune times… And that’s a huge benefit (IMO). It’s also very easy to tie in new devices to the network.
A lot of it is about outsourcing labor to programs that know how to set up a VPN and make management of it easy. That ties into security because … a LOT of security issues boil down to misconfiguration.
Interesting; well it’s good info/good to know it exist … though, I’m probably going to stick to explicit listing. I like to be able to look at my DNS records and know what connects to what.
I’ve never used wildcard DNS, I’m not even sure that Namecheap DNS supports wildcard. But I’ve also never been in a situation where there’s a dominate single machine I want my DNS to resolve to.
After searching … I’m not entirely sure I would use wildcard DNS https://serverfault.com/a/483625
My preferred strategy is actually alias records and then one primary address record the alias records point to so if I change IPs I can move the machine. I forgot about that last night.
Wow the responses here are really off at the moment. I’m going to try and help.
So, what you’re going to want to do is add all the subdomain A records you need to you DNS (sounds like you’re using cloudflare for that, not required, but that should be fine).
Those DNS records are all going to be the same IP record, that’s fine.
What you need to do after that, so that you don’t have to enter ports is a bit more complicated. For web servers, some kind of reverse proxy like nginx, haproxy, apache, etc is what you need. The term you’re looking for is “virtual host”.
A virtual host setup is basically one where a reverse proxy looks at the domain name that was used to access the server over HTTP and then uses that to decide what server running on the machine you actually talk to.
It’s HTTP that actually is passing along the domain name you used, so if the service isn’t HTTP you may or may not be able to do anything depending on the underlying protocol.
So to recap:
It’s more like encrypted Evernote.
It’s a bit murkier, SimpleLogin remains an independent product that you can now login to with a proton account. They also added some of SimpleLogin’s features into Proton.
I wouldn’t be surprised if they do a similar thing where you can login to standard notes itself with a Proton account but they also start integrating pieces of the app more closely into the Proton suite.
They can also lobby more effectively for privacy respecting legislation and privacy rights. I don’t like lobbying, but so long as it’s around, it would be nice to have a big privacy company that’s as invested in that as the average privacy enthusiast.
The phrase Jack of all trades master of none really only applies to people. A company can just hire more people when it has more products.
Google’s issue is not that they’re “big” it’s that they’ve failed to truly innovate and invest in anything in years. The current leadership kills anything that isn’t an instant money maker despite the majority of the company’s profitable products taking years to become profitable. They’re also in a weird spot because their “magic” was always free services in exchange for advertising money and that’s a model that’s come under attack and been replicated to death by competitors.
Gotcha, I wasn’t sure if you were aware of an additional concerning development or it was just this 🙂
Ah, so it’s just a weird default you can still override in a poorly documented manner… That’s, maybe okay.
What are you referring to about them doing recently?
But does the self hostable option have a licensing system/cap?
The pricing page implies the self hostable option is limited to 25 seats.
They’re very commercial oriented. I don’t think you can host a free server with them with more than 25 people without paying out big $$$.
Yup, I also used to be up there. I’m pretty sure I’d get obliterated now if I went back and tried to play. I still play time to time with my buddy Cow Fu.
It was one of my first shooters and definitely has a first love kind of status for me.
I’ve largely moved on to Hunt Showdown which… While definitely not a continuous high speed slaughter fest, definitely has its own similarly intense moments and genuine weapon variety.
ZeroTier is also an option in the same vein as TailScale.
You will share your IP with something like TailScale or ZeroTier.
Reverse proxies can be good but with gaming … there’s only so much you can do because of the custom protocols. Most of that stuff isn’t going to care about the DNS. You’re also introducing additional latency if you use a VPS as a “middle man.”
I think you need to consider who you’re going to be giving access to and what threats you’re trying to protect against.
My advice would be to set up ZeroTier on all the machines that are going to play together and set it up so it only allows connections between clients and the server (there’s a guide for this in their documentation). Then give the gaming machine a ZeroTier IP you put in your DNS.
Most games use different ports so there really isn’t a need for lots of DNS names. However, you could assign multiple ZeroTier IPs to the same machine and give each game server its own DNS and its own IP.
I’m surprised, I was pretty sure anything with Battleye flat out rejected virtualization.
I thought Destiny used Battleye but I must be mistaken on one of these points.