Open marcelmindemann opened 1 year ago
Hi,
Yes, I agree with you, but in the meantime, you could filter some ports to allow access only from specific IPs: office & datacenters.
node_key is another history...
This issue is stale because it has been open for 180 days with no activity.
This shouldn't get stale botted.
This issue is stale because it has been open for 90 days with no activity.
Maybe you can use the taillock to lock your devices.
This issue is stale because it has been open for 90 days with no activity.
Anti-Stale comment
This issue is stale because it has been open for 90 days with no activity.
Bump
Not stale.
(Honestly, the stale bot is annoying.)
Stale bots are always annoying!
Hi, as an avid but paranoid self-hoster, I am considering hosting headscale on a cheap VPS in order to establish VPN connections between my devices. The distrust of the closed-source Tailscale coordination server has driven me in this direction. However, I realize that self-hosting headscale makes this thing a single point of failure for my network infrastructure. An authentication bypass vulnerability in headscale could allow an attacker to infiltrate my network easily.
As headscale grows in popularity, and even got endorsed by Tailscale multiple times, I wonder if a security audit would be a worthwhile undertaking? It would certainly provide a lot more trust when opening up my headscale process to the public internet. Alas, it's the only thing I cannot hide behind a VPN, for obvious chicken-and-egg reasons :)