I also have an OpenVPN instance as a backup option, running behind sslh. The same port on my router (443) serves both a webserver hosting photos and that OpenVPN instance. This allows me to VPN into my home from most firewalled office networks.
Tailscale is fine if you're somewhat tech savvy, but it's annoying to show all your friends and family how to "correctly" access your web server. Too much friction. First download the Tailscale app, sign in, blah blah. Then you are also unnecessarily bogging down everyone's smartphone with a WireGuard VPN profile, which is…undesirable.
I like Tailscale and use it for some stuff. But for web servers that I want my whole family (and some friends) to easily access, a traditional setup makes much more sense. The tradeoff is (obviously) a higher security burden. I protect the web apps in my homelab with SSO (OIDC), among other things.
Keeping Tailscale as the only security layer would be foolish of course, but keeping the entry points hidden from the general internet is a useful additional layer, if you ask me.
As a matter of principle, I like to keep the number of open ports to a minimum. Be it SSH or VPN, it doesn't matter. I have been burned enough times.
Thinking through how I would achieve this introduced me to the concept of a DMZ. The DMZ places publicly accessible services in a highly locked down environment.
With OpenVPN it's hanging out there responding to everyone that asks nicely that yes, it's OpenVPN.
So anyone with a new exploit for OpenVPN just has to pull up Shodan and now they've got a nice list of targets that likely have access to more private networks.
WireGuard doesn't respond at all unless you've got the right keys.
Also, fwiw - we're approaching 11 years since it was announced, and 5 years since it was accepted into the Linux/BSD kernels.
I believe using UDP mode and a ta.key go a long way towards making OpenVPN invisible to port scans. Double check the docs for details.
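As an added example (not code from any commenter, sslh or the OpenVPN project), the script below makes two of the points in this thread concrete: how an sslh-style multiplexer can tell a TLS ClientHello, an SSH banner and an OpenVPN TCP reset apart from the first bytes on port 443, and why a plain OpenVPN server is fingerprintable over UDP: without `tls-auth`/`tls-crypt` it answers a 14-byte unauthenticated `P_CONTROL_HARD_RESET_CLIENT_V2` with a `P_CONTROL_HARD_RESET_SERVER_V2`, whereas a server with a `ta.key` (bad HMAC) or a WireGuard endpoint (no valid key) sends nothing back. The demultiplexing rules are my own simplified logic, not sslh's source; the sample packets are constructed for the example; `probe_udp` assumes a host and port you supply on the command line.

```python
"""Added example: OpenVPN reset probe and an sslh-style first-bytes demultiplexer."""
import socket
import struct
import sys
from typing import Optional, Tuple

# OpenVPN control-channel opcodes live in the top 5 bits of the first byte;
# the low 3 bits carry the key id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # tls-crypt-v2 clients
OPCODE_NAMES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}


def build_hard_reset_probe(session_id: bytes = b"\x01" + b"\x00" * 7, key_id: int = 0) -> bytes:
    """Plaintext client hard reset as sent when no tls-auth/tls-crypt key is configured:
    opcode|key_id (1) + session id (8) + ack-array length (1, zero) + packet id (4)."""
    if len(session_id) != 8 or not 0 <= key_id < 8:
        raise ValueError("session id must be 8 bytes, key id 0..7")
    first = (P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | key_id
    return bytes([first]) + session_id + b"\x00" + struct.pack("!I", 0)


def parse_opcode(data: bytes) -> Tuple[int, int]:
    """Return (opcode, key_id) from the first byte of an OpenVPN packet."""
    if not data:
        raise ValueError("empty packet")
    return data[0] >> 3, data[0] & 0x07


def classify_udp_reply(reply: Optional[bytes]) -> str:
    """'silent' means no answer: tls-auth drops unauthenticated resets, WireGuard never replies."""
    if not reply:
        return "silent"
    opcode, _ = parse_opcode(reply)
    if opcode == P_CONTROL_HARD_RESET_SERVER_V2:
        return "fingerprintable: " + OPCODE_NAMES[opcode]
    return "unexpected: " + OPCODE_NAMES.get(opcode, "opcode %d" % opcode)


def probe_udp(host: str, port: int = 1194, timeout: float = 2.0) -> str:
    """Send one unauthenticated hard reset and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_hard_reset_probe(), (host, port))
        try:
            reply, _ = sock.recvfrom(2048)
        except socket.timeout:
            reply = None
    return classify_udp_reply(reply)


def classify_first_bytes(data: bytes) -> str:
    """sslh-style decision on the first bytes of a TCP connection (simplified, own logic):
    SSH banner, TLS ClientHello record, or OpenVPN TCP framing (2-byte length + reset opcode)."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if len(data) >= 3:
        (plen,) = struct.unpack("!H", data[:2])
        opcode, _ = parse_opcode(data[2:])
        if plen == len(data) - 2 and opcode in (P_CONTROL_HARD_RESET_CLIENT_V2,
                                                 P_CONTROL_HARD_RESET_CLIENT_V3):
            return "openvpn"
    return "unknown"


# Constructed sample first-bytes, as a multiplexer on 443 would see them.
SAMPLES = {
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
    "openvpn": struct.pack("!H", 14) + build_hard_reset_probe(),
    "unknown": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for expected, data in SAMPLES.items():
        print("%-8s -> %s" % (expected, classify_first_bytes(data)))
    if len(sys.argv) > 1:
        print(probe_udp(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1194))
```

Run it with a host and UDP port to see the difference the `ta.key` comment is about: an OpenVPN server without `tls-auth` replies to the probe and reveals itself; one with `tls-auth`/`tls-crypt` stays silent, which from the scanner's side is indistinguishable from a closed or filtered port.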
age123456gpg•19h ago