I'd like to preface this by saying I actually dislike networking a great deal. I love playing with new things in my home lab; however, this means it's a necessary evil. I'm prone to typos, which makes setting up IP allocations and ports a somewhat fraught process, as I know I'm one misplaced finger away from breaking connectivity and having to troubleshoot while unable to connect to the network.
Then I realized Tailscale could be used to manage my Docker stack, or for subnetting, or connect to any of my devices with easily remembered names that populate a dashboard view, so I can see what's what. It feels like the future, when I'm used to complex firewall rules, port forwarding, and DNS records, and what's even better is that all my data is encrypted in transit.
I put Tailscale on my jailbroken Kindle because — why not?
Tailscale all the things!
Let's talk security
Leaving ports open is not a wise idea
When you need to reach a specific device on your home network from the internet side of things, one of the oldest options is to use port forwarding to tell your router to listen on those ports for incoming traffic and forward it to the game server, video conferencing software, or whatever else is using that port.
The problem is that opening a port is like leaving your back door open. Those ports are always open and are easily found by hackers or anyone else who might want to put malware on your network. If you've gone to the trouble of setting up a hardware firewall and other security software, port forwarding is like forgetting to arm your home alarm system; it completely negates your hard work.
And that's if you're even able to set it up, because many ISPs use CGNAT, which makes port forwarding all but impossible. That's actually a good thing, though, if you think about it, because it means you can't use insecure methods of getting traffic through your firewall. A better option is to use a VPN to make it appear as if your device is on your home network, so it can access resources without worrying about the firewall. And there's no easier way to do that than using Tailscale.
Security through obscurity and other internet security myths
If you exist, you're big enough to be a target
If you've been thinking that you're too small a target to worry about your online security, let's correct that notion right now. If you are alive, have a bank account, or use your computer for anything that requires a login, you are a target. That's not to fearmonger, it's a simple fact.
You don't have to be a large corporation to be worth money to hackers, and with how automated everything is nowadays, the cost of breaching your home network is negligible. And as a home user, you probably don't have a security team on hand to look at IDS/IPS or other network security software to identify breaches, whether successful or not.
That false confidence is what will get you. Every piece of data has a price, even if it's only pennies once it's sold in aggregate on the dark web. It's essential to have something securing your home network, and opening ports is like locking your front door but leaving a window open when you go out: it's a tempting target.
Port scanning and malware delivery is mostly automated these days
In the past, hackers had to spend time watching port scanners to find open ports leading to self-hosted services or holes through your router's firewall, and then manually go poke at them to see if there was anything worth following up on. Those days are gone; instead, they have automated scanners that scour the entire IP space to find open ports.
Don't believe me? Well, Shodan.io is constantly doing the same internet-wide port scanning, but on the side of cybersecurity professionals. At least, they're running the site that way, but how do you stop bad actors from using the same services? You can't, not easily, and this is only the most visible port scanning service.
The process of poking at that open port and getting past the firewall into your home network is also largely automated, and it's trivial for AI to identify your router hardware, pick known security exploits to try, and run through them to see if your hardware can be taken over. Sometimes, this is to make botnets like Mirai, which sleep until woken to send DDoS floods from hundreds or thousands of devices at once. Or it could be to sniff your network for unencrypted data that can be mined for passwords, banking details, or other things you'd rather keep secret.
The point is, opening ports through your firewall is not a smart thing to do anymore. The scanners will find you, it's just a question of how long it'll take, and then the automations will get inside your network and take over. Just as leaving UPnP enabled does, using port forwarding at home opens you up to issues, and it's better not to do it.
The more I use Tailscale, the more I realize how unsafe leaving ports open is
Tailscale is incredible not only for trivializing the issue of traversing NATs and firewalls, but also for making fairly complicated networking tasks simple. The more I use it, whether on devices, individual containers, or entire subnets, the more I love it. I don't love networking as a general rule; it's all too easy to mistype something and break the configuration, but with Tailscale, I don't have to worry about that.
In fact, I don't have to worry about much because everything is encrypted, and I've set up access control lists to limit access even further. All of this without having to open ports in my firewall, run UPnP, or use any of the insecure ways of opening my network to the wider internet.
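To show what "limiting access even further" looks like in practice, here is an added example of a Tailscale ACL policy (HuJSON, as the admin console accepts it). It is not the author's own policy; the `tag:docker` tag, the `group:family` membership and the email addresses are constructed placeholders. The commented-out rule at the top is Tailscale's default allow-everything policy; the rules below replace it with a least-privilege version.

```json
{
  // Constructed example policy, not from the original article.
  // Tailscale's default policy lets every node reach every port on
  // every other node. Commented out here because that is the weak setting:
  // "acls": [{ "action": "accept", "src": ["*"], "dst": ["*:*"] }],

  // Who may apply tag:docker to a node (e.g. the host running the Docker stack).
  "tagOwners": {
    "tag:docker": ["autogroup:admin"],
  },

  // Placeholder identities; replace with real tailnet users.
  "groups": {
    "group:family": ["alice@example.com", "bob@example.com"],
  },

  "acls": [
    // Family members may reach only the web front-ends on the Docker host.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["tag:docker:80,443"],
    },
    // Admins keep full access to everything (needed to manage the stack).
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["*:*"],
    },
    // Anything not matched above is denied: Tailscale ACLs are default-deny
    // once any rule is present, so there is no need for an explicit deny.
  ],

  // Tailscale SSH: only admins, only to the tagged Docker host, with a
  // re-authentication check so a stolen session does not grant shell access.
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:admin"],
      "dst": ["tag:docker"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],
}
```

Because every node still has to authenticate to the tailnet before any of these rules are evaluated, no inbound port on the home router is ever opened; the policy only narrows what already-authenticated peers can reach.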
