Post AUWhQtLXcj1cNKso2C by crawshaw@inuh.net
Post #AUWcRrPzmK3Eujbou0 by jgoerzen@floss.social
       2023-04-10T03:07:24Z
       
       0 likes, 0 repeats
       
       There are few #Internet options where I live.  Fiber is 2 years out.  I may need to use an ISP that uses #CGNAT, which means no open ports at all.  I see that #Tailscale and #Zerotier both use #STUN (or something like it) to solve this problem.  Are there any pure Open Source tools that can do this?  #Yggdrasil is great, but is TCP based, so can't do direct P2P with blocked ports (it can communicate, but via a public or private intermediary.)  Perhaps #Debian packages?  #askfedi
       
Post #AUWcRsPg4zOK02T52u by jgoerzen@floss.social
       2023-04-10T14:52:37Z
       
       0 likes, 0 repeats
       
Update: Looks like some candidates include: #Tinc (sort of the OG mesh network VPN, which I didn't realize can do NAT traversal), #Tailscale (fully Open Source if the #Headscale frontend is used), #Nebula, #Netmaker (not entirely clear but I THINK this is also open source).  Thanks for the suggestions everyone!
       
Post #AUWcRszpuYJZoBNxPE by bogosian@infosec.exchange
       2023-04-10T16:08:49Z
       
       0 likes, 0 repeats
       
       @jgoerzen Tailscale is magic.
       
Post #AUWcRtlh2cb0CbmB04 by jgoerzen@floss.social
       2023-04-11T00:05:50Z
       
       0 likes, 0 repeats
       
       @bogosian Hi @tailscale folks!  I have a question about the threat model for #Tailscale.  If somebody compromises either your control plane, or my account/identity provider, what is the potential damage?  I gather an intruder would not be able to sniff my traffic, but they might be able to add additional machines to my network and thus penetrate the network that way, correct?  Are there best practices to mitigate that risk?  Thanks!
       
Post #AUWcRuLqsBWG0kh3MO by crawshaw@inuh.net
       2023-04-11T00:07:04Z
       
       0 likes, 0 repeats
       
       @jgoerzen @bogosian @tailscale Good question! Check out tailnet lock: https://tailscale.com/blog/tailnet-lock/
       
Post #AUWhCrvc6EwNvH4KTQ by jgoerzen@floss.social
       2023-04-11T01:00:24Z
       
       0 likes, 0 repeats
       
@crawshaw @bogosian @tailscale Very helpful, thank you.  That looks like a nice design. I guess with that, all the risk that's left would be someone messing with ACLs and such?  That could probably be mitigated with local firewalls too, I suppose.  And that would imply simply allowing more traffic from a machine that's already trusted, so not a terribly huge hole.  Am I on the right track?
       
Post #AUWhQtLXcj1cNKso2C by crawshaw@inuh.net
       2023-04-11T01:02:59Z
       
       0 likes, 0 repeats
       
       @jgoerzen @bogosian @tailscale that’s a good analysis
       
Post #AUYp8CG0HHtNTOoDse by jgoerzen@floss.social
       2023-04-12T01:38:39Z
       
       0 likes, 0 repeats
       
       @crawshaw @bogosian @tailscale How long does it take to get through the waitlist for tailnet lock, BTW?  I've joined 🙂