undefined | Better HN

0 pointsh4kunamata3mo ago0 comments

>If you don’t want PKI then you don’t need headscale; you can always distribute the keys yourself and just run plain wireguard

It makes more sense to me, WireGuard + SPA (fkwnop aka replacement of port knocking that requires pre-shared key to even talk with, only that IP can access to it (IP Table), any scan tool seems it as closed)

Headscale/Tailscale only has value if you are behind a CGNAT, otherwise, it just adds extra management and complexities.

0 comments

catlifeonmars3mo ago

Well, it also lets you federate access and manages the keys for you. But yeah, if it’s a personal setup and you have good key rotation hygiene, I agree with you: it doesn’t add much value on top of wireguard. I’ll hazard a guess that you can just run your own DERP relay too for the CGNAT case.

j / k navigate · click thread line to collapse

0 comments

catlifeonmars3mo ago

j / k navigate · click thread line to collapse