undefined | Better HN

0 pointssteerablesafe4y ago0 comments

Any reason you don't use some kind of VPN solution for that instead?

0 comments

8 comments · 2 top-level

ycuser24y ago· 6 in thread

Hidden services are very easy to configure (the basic config, if you want to be as anonym as possible you have to do more). Install tor, add a few lines to config, done. And: You don't have to change your firewall settings at all. Nothing is exposed to the clearnet.

You can also make your service be accessible only to certain clients which have a certificate. I consider this very secure.

conradev4y ago

Only recently has there been an easy to setup and secure alternative with the same properties – Tailscale

It is centralized, yes, but it is way, way faster if you care about latency

https://tailscale.com/

(you can also self-host it with the open source “headscale” project)

rattlesnakedave4y ago

+1 for tailscale, it is an absolute joy to use.

heavyset_go4y ago

> You can also make your service be accessible only to certain clients which have a certificate. I consider this very secure.

Are you talking about this? https://community.torproject.org/onion-services/advanced/cli...

ycuser24y ago

Yes, client authentification it is called.

1 more reply

steerablesafeOP4y ago

I guess I can understand that from an ease of configuration standpoint. Having said that I had no trouble with setting up zerotier VPN, which is also very easy to configure.

Karrot_Kream4y ago

I do the same but you still need to be careful when running Zerotier to listen only on IP addresses that the ZT link is assigned. I run a private mailserver and I've made sure that there are no sockets listening on any non-ZT externally routable IP address. (I guess for good measure I could have nftables drop traffic coming in on those ports on my WAN link.) But with Tor you just point it to a service listening on 127.0.0.1 or [::1] and you're in business. For me ZT is fine, but for folks who want to muck around a bit less, I can see the appeal of Tor.

goodpoint4y ago

Not only it's easier to configure, but it provides better security. The onion address works as a server certificate.

1) You don't have to pay or trust a VPN provider

2) It works on dynamic IP addresses and without relying on DNS

3) It exposes only one TCP service

j / k navigate · click thread line to collapse