Hey there,
Have been running few nodes and always struggling to understand what's the best/secure/private/anonymous option to connect remotely to the node to perform some maintenance.
As ssh is not always available, have been exploring connecting to nodes remotely (outside the local network) with a Tor browser and also using the IP provided by TailScale
Any feedback on these two will be much appreciated or in case other options ara available please share your solution(s) below
Thanks in advance
I like WireGuard since I like to control the whole stack.
I rent a nanode on Linode (now Akamai) for $5 per month which acts as my VPN Gateway.
The hardest part is to configure that VPN Gateway but if you are interested, I can explain how to do it and share my config.
I wanted to do a blog post on my website about how to setup WireGuard to connect all your devices together anyway. Would even be my first blog post then :)
reply
Wireguard is good !
reply
A guide on how to set up Wireguard will be great and highly appreciated!
reply
Check out StaticWire (https://github.com/AndySchroder/StaticWire). It's a wireguard tunnel rental service that I've created that provides dedicated public static IPv4 addresses that's lightning enabled. You can skip all the fuss about dealing with a VPS and setting up and managing the wireguard server. Currently StaticWire has a simple command line interface to coordinate the rental of the tunnel, but I'm working on a web interface as well.
reply
You could use Tailscale just fine (ssh or full remote desktop). What you can do is to limit the access to that, only from specific IP(s) and users. For example you could use a specific VPN IP always to access your node. That way you limit drastically all possible intrusions. And if you travel a lot (so you will have a dynamic IP), using that VPN helps you also for many things.
But the general rule is to limit the times you were doing these remote maintenance.
reply
VPS Nginx rev proxy with let’s encrypt certificate routing to my local backend where the backend ports are ssh remote forwarded to the the VPS. Used that to expose 8080 ports (lnd rest).
reply
I used to do this, then I discovered Tailscale and switched everything over to it. It’s so easy to setup that it completely blew my mind.
reply
are you connecting via ssh throught tor? I think that's the best option.
reply
𝐇𝗼𝐰𝐝𝐲 𝐝𝗼 ? 🀠 πŸ‘‹
reply
I did a wireguard on a router level, it was easier to setup with my router so it now gives me access to the entire network and I can ssh or enter Thunderhub on my phone from anywhere. worth the effort imo.
reply
TailScale or Cloudflare tunnel, whatever works the best is a working premise
reply
Wireguard or OpenVPN are your best solutions.
reply
No public IPv4 needed, it is free of charge, but a bit slow of course.
reply
Running a own reverse proxy server, using https & fail2ban, login in your applications.
reply
Depending on use case this can be a good option but is considered fairly risky. Every application exposed is additional surface area for attack. If the services don't need to be exposed to the public than it is safer to not expose them. Tailscale/Wireguard/other-VPN will expose 1 thing (the VPN) and the rest of the services are safely behind the VPN.
reply
If you want more secure/private/anonymous option, I would suggest OpenZiti. Its an open source project I work on which allows anyone to embed zero trust networking and SDN principles into almost anything for any use case. Most important, it removes the need for inbound firewall ports, VPNs, public DNS and more. Think Tailscale but focused on connecting services rather than devices/hosts, with some concepts of Tor built into it.
I use https://www.netmaker.io - a mesh network built upon WireGuard, and It's open-source with self-hosted solution!
Here's a video that made me go for Netmaker: https://www.youtube.com/watch?v=X-BYDYoM_3w