+1 for Tailscale. Stupid simple to set up, free for non-business users, and it just works.
Even without the agent running, which is super cool
I’m another vote for Tailscale here. I use it myself to share my media hoard with my brother’s family and my mom and to admin their networks and servers remotely. It’s simple to set up and simple to use for the basic features like SSH. Some of the more advanced features like subnet routing have a small learning curve, but they’re easy enough to figure out if you invest a little time.
Tailscale + VSCode is an amazing combo. If you install Tailscale SSH on your VM with `sudo tailscale up --ssh` you can then use the TS extension for Tailscale as a file explorer for all of your VMs at once, along with a terminal.
Tailscale involves a 3rd party and you gotta trust Tailscale, and also removes the “home” from homeserver a bit IMHO.
WireGuard on a random 5-digit port, with the router forwarding only UDP packets for that specific port, should be very safe. Bonus if it runs in an unprivileged container.
Should I also disable port 22 if the password auth is disabled? I’m debating between something like a WireGuard-easy docker container or Tailscale.
Letting anyone on the internet hit my port 22 sounds like I’m asking for a breach, but idk.
If you don’t mean behind a VPN I’d have to disagree, as RegreSSHion CVE-2024-6387 is a perfect example of why it’s a bad idea. You can certainly get by with locking down to specific IP addresses, but if you’re having to deal with dynamic users, that’s a real pain. Another option that the OP could consider is port knocking.
I already use rsa keys for ssh, but I need to disable SSH passwords. I’ll make sure I do that ASAP. I totally don’t use a waterfall for my root…
You have a guide on how to set this up?
I recently switched to tailscale. It is a great service. You can share access to any of your devices with other tailscale accounts.
I shared SSH access to a web server via tailscale that a friend and myself maintain and it was ezpz.
Yeah Tailscale is amazing
Should I put it on the main machine or can I throw it in a docker container?
and also removes the “home” from homeserver a bit IMHO
If this was /r/selfhosted I could see this being a valid complaint but this is /r/HomeServer. All VPN traffic in Tailscale is peer to peer.
Tailscale servers are primarily used for NAT Traversal so that clients can talk to each other without ports needing to be forwarded.
While that’s technically all true, the OP was also asking about port forwarding 22, so Tailscale is a worlds better situation in terms of security but still at an achievable level for someone new to networking.
Don’t let perfect be the enemy of good. Make incremental, understandable changes.
Then go with Headscale
This is how I’ve got it. One forwarded UDP port, with wireguard behind it.
If you had to have SSH directly rather than a VPN protocol, fwknopd isn’t a bad way to hide it.
Your SSH server needs a port. I don’t know if your homeserver is directly attached to the internet or a NAT/firewall is in between. You can set up your port forwarding so that the outside port is e.g. 6789 and the target port on your homeserver is still port 22; in that case, don’t disable port 22. Your firewall in your NAT should block port 22 tho.
Change the listening address from 0.0.0.0 to the server address. Then set up your firewall to reflect this, so that you have to be connected to WireGuard or Tailscale to get SSH.
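An added example (not from this thread or from any commenter) of a defender's check for the two points raised above, the question about disabling password auth and the advice to move sshd off 0.0.0.0: a POSIX shell audit of an sshd_config. The two sample configs and the address 100.64.0.5 (a placeholder in the CGNAT range Tailscale hands out) are constructed for the demo.

```shell
#!/bin/sh
# Audit an sshd_config for a wildcard ListenAddress (0.0.0.0 / ::) and for
# PasswordAuthentication left on. Returns 0 only if both checks pass.
# Sample configs and the VPN address 100.64.0.5 below are constructed/placeholders.

# first_value FILE KEYWORD: first value of KEYWORD (comments stripped, lowercased).
# sshd honours the first occurrence of a single-valued keyword, so stop there.
first_value() {
    awk -v k="$2" '{ sub(/#.*/, "") }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE -> 0 if sshd binds to a specific address and password
# auth is off, 1 otherwise; prints one FAIL line per finding.
audit_sshd_config() {
    cfg="$1"; rc=0
    pw=$(first_value "$cfg" passwordauthentication)
    # OpenSSH defaults PasswordAuthentication to yes when the keyword is absent.
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}', set it to no"
        rc=1
    fi
    # ListenAddress may repeat; no ListenAddress at all also means "every interface".
    listens=$(awk '{ sub(/#.*/, "") } tolower($1) == "listenaddress" { print $2 }' "$cfg")
    [ -n "$listens" ] || { echo "FAIL: no ListenAddress, sshd binds to all interfaces"; rc=1; }
    for a in $listens; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|'[::]'|'[::]:'*)
                echo "FAIL: ListenAddress $a binds to every interface"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample configs: a default-style one and a hardened one.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
cat >"$BAD_CFG" <<'EOF'
Port 22
ListenAddress 0.0.0.0
PasswordAuthentication yes
EOF
cat >"$GOOD_CFG" <<'EOF'
Port 22
ListenAddress 100.64.0.5
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== default-style config =="; audit_sshd_config "$BAD_CFG" || echo "-> needs work"
echo "== hardened config ==";      audit_sshd_config "$GOOD_CFG" && echo "-> OK"
```

Point `audit_sshd_config` at `/etc/ssh/sshd_config` (or a drop-in under `sshd_config.d/`) to check a real host; the hardened sample only helps if the firewall also drops port 22 on the WAN side as the comments above describe.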