Headscale - Is it ok to use the default config (just editing the address/domain name)? Will that be secure enough? Also, which ports do I need to forward to my Raspberry Pi headscale server?
In addition to a reverse proxy with mandatory TLS and some IP filtering, I have headscale running on a subdomain (the subdomain DNS is a wildcard). The main domain is a different, static web page, so anyone scanning IPs for headscale won't see it's a headscale machine unless they can guess the subdomain. I figure that might be useful in case there's a zero day that pops up. It just looks like a regular web server to drive-by script kiddies.
That will work as long as your TLS certificate is a wildcard cert (of the parent domain), otherwise your subdomains can be found via their certificate records. You probably know this, but it caught me out initially, so I figured I'll mention it.
Absolutely! I should have said both the DNS and the certificate are subdomain wildcards. Thanks for clarifying.
Thanks. Enabled the ACME service thingy in the config file. Took me some tries before I understood I had to add port 80:80 to the docker YAML in order for headscale to set up the certificate. I guess I need to keep forwarding both 8080 for headscale and 80 for certificate renewal.
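As an added example (not code from the posters above or from the headscale project), here are the two fragments the post describes: the Let's Encrypt keys in headscale's `config.yaml` and the port mappings in a Docker Compose file. The hostname `headscale.example.com`, the bind-mount paths and the image tag are placeholders to be replaced with your own values.

```yaml
# --- /etc/headscale/config.yaml (relevant keys only) ---
# Public URL clients are told to use; must match the certificate hostname.
server_url: https://headscale.example.com      # placeholder hostname
# Bind on all interfaces inside the container so the port mapping below reaches it.
listen_addr: 0.0.0.0:8080

# Built-in ACME (Let's Encrypt). Leave tls_cert_path/tls_key_path empty
# when using this, otherwise headscale refuses to start with both set.
tls_letsencrypt_hostname: headscale.example.com  # placeholder hostname
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
# HTTP-01 means Let's Encrypt connects to port 80 on this host to validate,
# which is why port 80 has to be reachable from the internet, not only 8080.
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
tls_cert_path: ""
tls_key_path: ""

# --- docker-compose.yml ---
services:
  headscale:
    image: headscale/headscale:latest   # pin a specific version in practice
    container_name: headscale
    volumes:
      - ./config:/etc/headscale          # placeholder host path holding config.yaml
      - ./data:/var/lib/headscale        # placeholder host path for db and ACME cache
    ports:
      - "8080:8080"   # headscale API / coordination (TLS, from the ACME cert)
      - "80:80"       # HTTP-01 challenge listener for issuance and renewal
    command: serve
    restart: unless-stopped
```

Both mapped ports also have to be forwarded on the router to the Raspberry Pi: 8080 for clients and 80 for the ACME validation, which recurs at every renewal, so the 80 forward cannot be removed after the first certificate is issued. If a reverse proxy already terminates TLS in front of headscale (as in the earlier reply), it owns port 80 and 443 instead and the `tls_letsencrypt_*` keys stay unset.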
Should I, or is there a reason to, set up fail2ban too?
Next one is the DERP server… but that may be out of reach with my knowledge 😅
The headscale integrated one is mostly enough; you can choose to include the Tailscale official ones with their URL as well.