Headscale - Is it OK to use the default config (just editing the address/domain name)? Will that be secure enough? Also, which ports do I need to forward to my Raspberry Pi headscale server?

  • Jason2357@lemmy.ca · 11 up, 1 down · 6 days ago

    In addition to a reverse proxy with mandatory TLS and some IP filtering, I have headscale running on a subdomain (the subdomain DNS is a wildcard). The main domain is a different, static web page, so anyone scanning IPs for headscale won't see it's a headscale machine unless they can guess the subdomain. I figure that might be useful in case there's a zero-day that pops up. It just looks like a regular web server to drive-by script kiddies.

    • tack@feddit.org · 7 up · 5 days ago

      That will work as long as your TLS certificate is a wildcard cert (of the parent domain); otherwise your subdomains can be found via their certificate records. You probably know this, but it caught me out initially, so I figured I'd mention it.

      • Jason2357@lemmy.ca · 3 up · 5 days ago

        Absolutely! I should have said both the DNS and the certificate are subdomain wildcards. Thanks for clarifying.

  • A Mouse@midwest.social · 10 up · 6 days ago

    Look at either putting it behind a reverse proxy or using the built in Let’s Encrypt / ACME configuration.

    Suggested documentation:

    The config linked to in their documentation states

    # Address to listen to / bind to on the server
    #
    # For production:
    # listen_addr: 0.0.0.0:8080
    listen_addr: 127.0.0.1:8080
    
    # Address to listen to /metrics and /debug, you may want
    # to keep this endpoint private to your internal network
    metrics_listen_addr: 127.0.0.1:9090
    

    Port 8080 TCP is used for the connection; 9090 TCP is for metrics and is not suggested to port forward. If you use a reverse proxy, you do not need to port forward to either of those ports directly, and instead forward to the reverse proxy.
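    The thread's two recurring questions (which ports must reach the Pi, and which listeners must stay private) can be answered mechanically from the config file. The script below is an added example, not headscale's own code and not from any commenter: it reads the subset of headscale's config.yaml keys discussed above (listen_addr, metrics_listen_addr, tls_letsencrypt_hostname, tls_letsencrypt_listen, tls_letsencrypt_challenge_type, derp.server.enabled, derp.server.stun_listen_addr) and reports the port-forwarding list plus warnings for a plaintext public listener or a metrics endpoint bound to every interface. The three sample configs are constructed for the example; the host name headscale.example.com is a placeholder.

```python
"""Audit a headscale config.yaml for network exposure: which ports have to be
forwarded to the box, which listeners must stay private, and which settings
expose plaintext HTTP or the metrics endpoint.  Added example, not headscale's
own code; key names follow headscale's example config.yaml, and the sample
configs at the bottom are constructed for this example."""

NAMED_PORTS = {"http": 80, "https": 443}
WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]", ""}  # bind on every interface


def parse_yaml_subset(text: str) -> dict:
    """Tiny parser for the config subset used here: nested mappings by
    indentation, `key: value` scalars, comments.  No lists or anchors."""
    root: dict = {}
    stack = [(-1, root)]                      # (indent, mapping) path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:         # climb back out of children
            stack.pop()
        parent = stack[-1][1]
        if value:                             # scalar (quoted "" stays "")
            parent[key] = value.strip("\"'")
        else:                                 # start of a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def split_addr(addr: str) -> tuple:
    """'0.0.0.0:8080' -> ('0.0.0.0', 8080); ':http' -> ('', 80)."""
    host, _, port = addr.rpartition(":")
    return host, NAMED_PORTS.get(port) or int(port)


def audit(cfg: dict) -> dict:
    forward, private, warnings = [], [], []

    host, port = split_addr(cfg.get("listen_addr", "127.0.0.1:8080"))
    has_tls = bool(cfg.get("tls_letsencrypt_hostname") or cfg.get("tls_cert_path"))
    derp = cfg.get("derp", {}).get("server", {})
    derp_on = str(derp.get("enabled", "false")).lower() == "true"
    role = "headscale control plane" + (" and embedded DERP relay" if derp_on else "")
    if host in WILDCARD_HOSTS:
        forward.append(("tcp", port, role))
        if not has_tls:
            warnings.append(f"listen_addr {host}:{port} is exposed without TLS; terminate "
                            "TLS at a reverse proxy or set tls_letsencrypt_hostname")
    else:
        private.append(("tcp", port, role + " (loopback; reach it through a reverse proxy)"))

    mhost, mport = split_addr(cfg.get("metrics_listen_addr", "127.0.0.1:9090"))
    private.append(("tcp", mport, "/metrics and /debug, never forward"))
    if mhost in WILDCARD_HOSTS:
        warnings.append(f"metrics_listen_addr {mhost}:{mport} exposes /metrics and /debug "
                        "on every interface; bind it to 127.0.0.1")

    if cfg.get("tls_letsencrypt_hostname"):
        challenge = cfg.get("tls_letsencrypt_challenge_type", "HTTP-01")
        if challenge == "HTTP-01":
            _, aport = split_addr(cfg.get("tls_letsencrypt_listen", ":http"))
            forward.append(("tcp", aport, "ACME HTTP-01 challenge (issuance and renewal)"))
        else:
            warnings.append(f"challenge type {challenge} is not modelled by this audit")

    if derp_on:  # STUN is UDP and separate from the HTTPS listener
        _, sport = split_addr(derp.get("stun_listen_addr", "0.0.0.0:3478"))
        forward.append(("udp", sport, "STUN for the embedded DERP relay"))

    return {"forward": forward, "private": private, "warnings": warnings}


def ports_to_forward(config_text: str) -> list:
    """(proto, port) pairs the router must forward for this config text."""
    return [(p, n) for p, n, _ in audit(parse_yaml_subset(config_text))["forward"]]


# Constructed sample configs (not from any real deployment).
DEFAULT_CFG = """\
server_url: http://127.0.0.1:8080
listen_addr: 127.0.0.1:8080
metrics_listen_addr: 127.0.0.1:9090
tls_letsencrypt_hostname: ""
tls_cert_path: ""
derp:
  server:
    enabled: false
"""
PUBLIC_ACME_CFG = """\
server_url: https://headscale.example.com
listen_addr: 0.0.0.0:443
metrics_listen_addr: 127.0.0.1:9090
tls_letsencrypt_hostname: headscale.example.com
tls_letsencrypt_listen: ":http"   # HTTP-01 needs port 80 reachable
tls_letsencrypt_challenge_type: HTTP-01
derp:
  server:
    enabled: true
    stun_listen_addr: "0.0.0.0:3478"
"""
MISTAKE_CFG = """\
listen_addr: 0.0.0.0:8080          # plaintext, no TLS anywhere
metrics_listen_addr: 0.0.0.0:9090  # metrics on every interface
"""

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_CFG), ("public+acme+derp", PUBLIC_ACME_CFG),
                       ("mistake", MISTAKE_CFG)]:
        report = audit(parse_yaml_subset(text))
        print(f"== {name}")
        for proto, port, why in report["forward"]:
            print(f"  forward {proto}/{port}: {why}")
        for proto, port, why in report["private"]:
            print(f"  keep private {proto}/{port}: {why}")
        for w in report["warnings"]:
            print(f"  WARNING: {w}")
```

    Run it against your own config.yaml by replacing one of the sample strings with the file's contents. With the shipped default (loopback listeners, no ACME) nothing is forwardable at all, which is the reverse-proxy case: the proxy's 443 is what gets forwarded. With built-in ACME and the embedded DERP enabled, the list is 443/tcp, 80/tcp for HTTP-01 renewals, and 3478/udp for STUN; 9090 stays on loopback in every case.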

  • oyzmo@lemmy.world (OP) · 3 up · 6 days ago

    Thanks. Enabled the ACME service thingy in the config file. Took me some tries before I understood I had to add port 80:80 in the docker yaml in order for headscale to set up the certificate. I guess I need to keep forwarding both 8080 for Headscale and 80 for certificate renewal.

    Should I, or is there a reason to, set up fail2ban too?

  • oyzmo@lemmy.world (OP) · 2 up · 6 days ago

    Next one is the DERP server… but that may be out of reach with my knowledge 😅

    • Spore@lemmy.ml · 3 up · 5 days ago

      The headscale integrated one is mostly enough; you can choose to include the Tailscale official ones with their URL as well.