undefined | Better HN

0 pointsdigiown2mo ago0 comments

Where will you host the wg endpoint to open up?

- Each device? This means setting up many peers on each of your devices

- Router/central server? That's a single point of failure, and often a performance bottleneck if you're on LAN. If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.

Not to mention DDNS can create significant downtime.

Tailscale fails over basically instantly, and is E2EE, unlike the hub setup.

0 comments

hamandcheese2mo ago

To establish a wg connection, only one node needs a public IP/port.

> Router/central server? That's a single point of failure

Your router is a SPOF regardless. If your router goes down you can't reach any nodes on your LAN, Tailscale or otherwise. So what is your point?

> If that's a router, the router may be compromised and eavesdrop on your connections, which you probably didn't secure as hard because it's on a VPN.

Secure your router. This is HN, not advice for your mom.

> Not to mention DDNS can create significant downtime.

Set your DNS ttl correctly and you should experience no more than a minute of downtime whenever your public IP changes.

digiownOP2mo ago

> one node needs a public IP/port

A lot of people are behind CGNAT or behind a non-configurable router, which is an abomination.

> Secure your router

A typical router cannot be secured against physical access, unlike your servers which can have disk encryption.

> Your router is a SPOF regardless

Tailscale will keep your connection over a downstream switch, for example. It will not go through the router if it doesn't have to. If you use it for other usecases like kdeconnect synchronizing clipboard between phone and laptop, that will also stay up independent of your home router.

j / k navigate · click thread line to collapse