
68 points xlmnxp | 1 comments
eastabrooka ◴[] No.45666781[source]
It's 2025, just use Tailscale.
replies(1): >>45666830 #
lucideer ◴[] No.45666830[source]
If you're running a homelab, the likelihood that you're interested in removing cloud-dependencies from your stack is above average. If that's the case, Tailscale is out.

Tailscale is just an added unnecessary external dependency layer (& security attack surface) on top of vanilla Wireguard. And in 2025 it's easier to run vanilla Wireguard than it's ever been.

replies(4): >>45666870 #>>45667234 #>>45670582 #>>45672775 #
bakugo ◴[] No.45670582[source]
Normally I'd agree with the philosophy, but I don't really see how you can say this about vanilla Wireguard in particular considering how involved it is, especially if you have more than 2 devices that you want to connect together.

Not only do you need to manually manage the keys for each device and make sure they're present in every other device's configuration, but plain Wireguard also cannot punch through NATs and firewalls without any open ports like Tailscale can, as far as I know.

Combine that with the fact that networking issues can be some of the hardest to diagnose and fix, and something like Tailscale becomes a no-brainer. If you prefer using plain Wireguard instead, that's fine, and I still use it too for some more specific use cases, but trying to argue that Tailscale is entirely unnecessary is just wrong.

replies(2): >>45673797 #>>45679682 #
Capricorn2481 ◴[] No.45679682[source]
> but plain Wireguard also cannot punch through NATs and firewalls without any open ports like Tailscale can, as far as I know

I could be wrong, but I think Tailscale just does what you can do on Wireguard, which is `PersistentKeepAlive`. It lets a wireguard client periodically ping another to keep the NAT mapping open.

replies(1): >>45684399 #
1. bakugo ◴[] No.45684399[source]
What that does is allow existing outgoing connections through a NAT to remain open long-term; it doesn't actually help with establishing an initial connection if both sides are behind a NAT or closed firewall.

Tailscale handles this, and can establish a direct connection between two machines without either of them needing an open port listening for new connections.

There's an article on their website that explains how they do it: https://tailscale.com/blog/how-nat-traversal-works
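
An added illustration of the distinction drawn in the last comment, not code from any commenter, WireGuard or Tailscale: a toy stateful-NAT model in Python showing that a periodic keepalive holds an existing mapping open but cannot create one when both peers sit behind NAT. The 30-second mapping timeout, the 25-second keepalive interval, all names, and the rule that peer B sends nothing until it has received a packet from A are assumptions of the model.

```python
# Toy model (constructed for illustration): a stateful NAT admits inbound UDP only
# from a remote the inside host has sent to within `timeout` seconds.
class Nat:
    def __init__(self, timeout=30):
        self.timeout = timeout
        self.last_out = {}              # remote name -> time of last outbound packet

    def outbound(self, remote, now):
        self.last_out[remote] = now     # create or refresh the mapping

    def allows_inbound(self, remote, now):
        sent = self.last_out.get(remote)
        return sent is not None and now - sent <= self.timeout


def server_can_reach_client(idle_seconds, keepalive=None):
    """Client behind NAT contacts a server with an open port at t=0.
    True if a server packet sent after `idle_seconds` still passes the client's NAT."""
    nat = Nat()
    nat.outbound("server", 0)                       # initial outgoing handshake
    if keepalive:
        for t in range(keepalive, idle_seconds + 1, keepalive):
            nat.outbound("server", t)               # keepalive refreshes the mapping
    return nat.allows_inbound("server", idle_seconds)


def handshake_completes(a_nat, b_nat, keepalive=25, duration=120):
    """A has an address for B; B (model assumption) only replies to packets it receives.
    A retries every `keepalive` seconds. A nat of None means an open, reachable port."""
    for t in range(0, duration + 1, keepalive):
        if a_nat:
            a_nat.outbound("B", t)                  # A -> B opens A's own mapping
        if b_nat and not b_nat.allows_inbound("A", t):
            continue                                # dropped at B's NAT; B never sees it
        if a_nat is None or a_nat.allows_inbound("B", t):
            return True                             # B's reply gets back in through A's NAT
    return False


if __name__ == "__main__":
    print("idle 300s, no keepalive  :", server_can_reach_client(300))
    print("idle 300s, keepalive 25s :", server_can_reach_client(300, keepalive=25))
    print("A behind NAT, B open port:", handshake_completes(Nat(), None))
    print("both behind NAT          :", handshake_completes(Nat(), Nat()))
```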