• 0 Posts
  • 6 Comments
Joined 3 years ago
cake
Cake day: July 31st, 2023

help-circle
  • After installing tailscale with my Headscale server, I just left it as is. Maybe people in the comments can chime in but if you expose only your VPN server or broker (Headscale), you kinda narrowed down your attack vectors and a VPN itself is really solid. From my basic knowledge, it’s the server and client which are the bottleneck at that point, but there’s only so much you can do and if you continuously update both and maybe stay on stable / ltsc branches, you kinda did everything.

    I guess there’s something to say about the encryption algorithms used. What I remember from back in the day is everything elliptic curves that’s common is quite good so if you see “ECDSA” / “ECDH” you should be fine. RSA unfortunately is not that great anymore.




  • That’s the whole point of a domain. Your IP changes every now and again you need people to know where to reach you. You give them a domain, and you configure the name records so that the domain always points to the right IP address.

    Your options:

    • dynamic IP - you keep your setup as is and just periodically tell them the new IP you’re on. Annoying and exposed
    • static IP - you buy a static IP (from your ISP) and share it with your friends once. A little bit less annoying and still exposed
    • you use a VPN like hamachi or radmin - your friends install the software, they look for you IP in there, you’re done - very secure but also very annoying
    • you buy a domain - you have to configure an IP updater like ddclient or similar, then you jellyfin should be reachable - least annoying for your friends but also slightly less secure

    Domain is the cleanest option.

    I am telling you how annoying it is because that’s how likely your friends are to adopt it and how secure it is because depending on your country you are doing something illegal and you really don’t want anyone to find out and you gotta keep it updated more often if you don’t want people to exploit it. There’s an endless supply of very smart people out there who use known bugs to target public services.

    Edit: I forgot DDNS, see below comments.


  • Duplicati is at it’s base just a fancy ui for backups as opposed to custom bash scripts.

    It does support s3 storage, SFTP, ftp, and a bunch of other stuff so this might actually be on point for your off-site backup design.

    Of course off-site backups are superior. If my home burns down I’m fked. I do use different hdds though, so at least there’s some security isolation in that. Also if one of them breaks, the other one doesn’t necessarily.


  • I have different vms which all write to an smb mount.

    Then I have another VM that runs duplicati and mounts that smb share, but also another one just for the backups. And only this duplicati container has access to the backup share, which isolates my backups for security reasons. The only thing still involved and able to read and manipulate my data is the router which can see all the traffic.

    Now idk if this is the best setup, but it feels secure to me and it works for me. Maybe more experienced people can chime in to agree or disagree.