King, simply neg your collaborators into using overleaf

SSH lets you remotely control a computer It runs on port 22 If you forward port 22 to your computer, you will allow anyone on the internet to SSH to your computer

You can do that pretty safely by disabling root login and disabling password logins - only using keys to SSH in.

You can join the _borg botnet by enabling root login, setting a simple password (maybe even password as recommended!), and waiting.

King, all you must do is set up root ssh access with a short password and port forward port 22 to it. Super easy, super quick!

For extra spice, I’d recommend also hitting your hard drives with a hammer once or twice a day. They just don’t like vibrations; you’ve gotta weed out the weak ones. Only the strong data will survive.

The only thing that can get hacked is something that responds on the World Wide Web.

So you limit the scope of what talks to the WWW:

Wireguard VPN will not respond unless the magic keys are correct, it’s ideal security and obscurity. Put everything you can behind it.

For things I want on the WWW without a VPN, I split out two options otherwise.

1. Caddy checking mTLS certificates that basically allows a device access without extra steps - relying on Caddy to be strong and mTLS to be strong.

2. Authentik’s proxy check, I think Authelia has this too, but to access a site you hit an Authentik login first.

For both of those, you rely on those services not having 0-day hacks. More likely for these services to stay ahead of the game and/or fix quick than something that doesn’t exist just to do authentication. I run them in containers that are run by independent users and are read-only with capabilities limited, in a VM.

I’d say the Caddy route is more secure than Authentik, but it needs more effort to setup the certificate stuff. Authentik route needs a web browser to log in with. Obviously the WG VPN is primo.

Edit: also tailscale is just managed wireguard, so it has the same benefits as a wireguard vpn with the catch a company has access to your network also now. But really simplifies setup……

Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?

If you feel up for answering, what is your use case for wanting to manage your own mTLS?

Thanks for writing this up, really highlights the effective differences.

So for the internal delegation I’d SLAAC it and let things “just work” or DHCPv6 if I cared to specify IPv6s (which I will need to to have a static IPv6 address for a server to be reached at). Thanks again!

Thanks for taking the time to go into detail on this, it helps because I just haven’t been able to put acronyms to actionable meaning from just reading blogs and posts.

How do things outside the LAN talk to things inside the LAN that have ULA addresses (which I’m assuming are equivalent of 10.0.0.0/16 idea)? Will devices that are given ULA addresses be NAT’d just like IPv4 or will they not be able to talk to the outside world on IPv6?

Edit: I am getting more what you said; you answered this: the ULA addresses will not be able to talk to the outside world on IPv6 so those devices will be IPv4-only to websites that use IPv6 too. Follow-on Q would then be, is kludging NAT for IPv6 not a better solution versus ULA addresses? Or is the clear answer just use IPv6 as intended and let the devices handle their privacy with IPv6 privacy extensions?

Mobile devices are largely IPv6-only now, messing with VPN to home. The IPv6-to-4 conversion seems to be shoddy for my mobile carrier.

Not here for what it represents, just want it to work.

I haven’t run into NAT issues that I’ve noticed, would IPv6 avoid issues with cgnat that people complain about? (If/when it happens in the future)

I see people say “not worth it” but never expound on what exactly makes it not worth it?

Most I get is a vibe (using a metaphor) “python-like judging where people prefer to do it in a ‘pythonic’ way” but of course that’s silly. There must be more to it, but I never seen interoperability issues called out