undefined | Better HN

0 pointscatlifeonmars1mo ago0 comments

Read the docs more closely.

- TCP/80 is only required to answer let’s encrypt challenges for certificate issuance

- UDP is only required to enable DERP.

These are both optional.

It’s not surprising that there are additional ports required on top of Wireguard. 443 is likely for key distribution and management. If you don’t want PKI then you don’t need headscale; you can always distribute the keys yourself and just run plain wireguard

0 comments

h4kunamata1mo ago

>If you don’t want PKI then you don’t need headscale; you can always distribute the keys yourself and just run plain wireguard

It makes more sense to me, WireGuard + SPA (fkwnop aka replacement of port knocking that requires pre-shared key to even talk with, only that IP can access to it (IP Table), any scan tool seems it as closed)

Headscale/Tailscale only has value if you are behind a CGNAT, otherwise, it just adds extra management and complexities.

catlifeonmarsOP1mo ago

Well, it also lets you federate access and manages the keys for you. But yeah, if it’s a personal setup and you have good key rotation hygiene, I agree with you: it doesn’t add much value on top of wireguard. I’ll hazard a guess that you can just run your own DERP relay too for the CGNAT case.

j / k navigate · click thread line to collapse