Fond memories of using DDNS on old Netgear routers at home in the aughts and port forwarding services with some rudimentary firewall rules and tcpwrappers to try and lock down access.
Now I use a combination of Tailscale[1] for private services only to me and Tailscale Funnels[2], and Cloudflare Tunnels[3] for public service exposure.
This accomplishes the same thing I was doing with DDNS and my ISP IP, but in a much more secure and stable manner.
Do you have any recommendations for tutorials on setting this all up with docker?
How do you connect outside the network?
I am running DDNS to access my home services and it has been very error prone and frustrating. I moved some services back to the cloud because the bots were using all my DSL upload, so that we didn't have enough bandwidth to work even with Cloudflare firewalls.
I have an artisanal handcrafted docker-compose stack for them, so everything is containerized. It's on my todo to write a blog post about the setup.
There's an nginx reverse-proxy container in the stack that routes traffic to the individual service containers via the servername; eg nitter.tail.net goes to the nitter container, teddit.tail.net goes to the teddit container, etc.
The nginx proxy only listens on the Tailnet interface and only accepts connections from the Tailnet CIDR, therefore any device I have on my tailnet can access them. Letsencrypt is also set up so everything is over https.
This allows me to access them from my phone, laptop, whatever when connected using Tailscale.
Tailscale essentially let me completely remove any need for port forwarding on my router and still have global access. It's truly amazing.
I have a similar-ish setup, but using nomad as my executor, and traefik running on a public machine doing the routing.
Basically all the services on nomad listen on the tailnet, and traefik straddles the tailnet and the public internet. It then loads the service configurations from nomad and exposes them using let’s encrypt certificates.
Not the internal services. I have Letsencrypt set up for services on my tailnet using the Cloudflare DNS plugin for certbot so they're all over https.
Combined with only allowing connections to hosts from the Tailnet and https, forgoing passwords makes them easier to manage and use.
Granted most of these personal services are things like Audiobookshelf, Nitter, Plex, and Newsblur. While important to me, they're not exactly high value targets.
My internal Gitea is locked down more and has MFA enabled since I always see git as something to secure.
I don't use Tailscale Funnel as much, mostly on an ad hoc basis since tailscale serve is relatively lightweight if a host is already connected to a Tailnet.
WARP is primarily used for long running services I have, like GotoSocial or Lemmy that need public ingress over https for federation.
Reddit's rationale for the C&D was that "Offering this login option misleads and confuses consumers by implying Reddit’s endorsement, association or sponsorship of your application", which is
1. complete bullshit; and
2. hypocritical, given that it's possible to log into reddit with one's Google and/or Apple account
Generally, Reddit is uninterested in being an OAuth provider for anything other than a few bot-related tools. I don't necessarily disagree with their prognosis that being a public OAuth provider sometimes looks like endorsement or association, as it has been used in a lot of phishing attacks. But it's surprising they aren't interested in the prospect of more Reddit accounts.
I was looking at the login links at the top… it's interesting eh.
- Persona is dead.
- Twitter has been rebranded and its future is uncertain.
- Reddit took them down
Github and Google are both reliable oauth providers. Though the github oauth is linked to a personal account, not an org, which is all kinds of awful for reliability of the app.
Since I use 1Password, I've started to always retain backup login+PW methods for every website I use oauth for anyway. And if I do use oauth, it's ALWAYS gonna be using Google (which is reliable and I pay for) or nothing except for very specific scenarios where oauth perms are relevant. I think the federated auth dream is just entirely dead at this point.
Why is persona dead? I've never used them, their site appears to be online (still), though.
> I think the federated auth dream is just entirely dead at this point.
That you had to support individual auth providers, none of which were reliable, was a major issue. Had they been "oh here's my auth provider" and you stuck it into a site, that would have been grand. No need to have a bunch of "login with" providers up top.
That sort-of worked with OAuth 1.0, IIRC that protocol had issues which is why we had OAuth 2.0 which sorta worked (and I've never seen an easy impl, where you just "stand up" an oauth server and then clients easily use it). Back when you could use the likes of Yahoo to OAuth you around.
As much as I appreciate what they offer at no cost, I have experienced more downtime from their service than I would like. My Uptime Kuma dashboard reports a 99.98% 30-day uptime from their service (mainly small 1-2min down-times every couple of weeks), but I have experienced at least one 7ish hour period a few months back where no duckDNS queries were resolving for any domains I checked. And I never found any official source giving a reason or even acknowledging this outage. Again, free service, I do appreciate what they offer.
They probably don't want to have the extra headache of having made a promise of uptime in any way; if anyone uses a free service for stuff that can't go down, the fault is on them.
Can someone inform me as to why some random dynamic DNS service is trending on HN? I went to their site, read their FAQ, etc. Nothing about this service seems unique compared to the countless other dynamic DNS services out there.
A lot of the other free dynamic DNS services don't cut the mustard, or have vanished over the years. Some of them have weird rules like that your IP address has to be dynamic and change every once in a while, some of them have terrible software and don't have a clean API, some of them require you to check your email every month to click a renew button, and most of them don't have a web UI you can use to manually type in an IP address.
DuckDNS just kinda sits there and does its thing. So it may be interesting for a HN audience to know that a decent usable dynamic DNS service is still around.
(Side note: Earlier this year, Freenom has temporarily stopped giving away free domains due to an ongoing cybersquatting lawsuit from facebook. Very sad.)
- It's really free instead of "annoyingly free" that requires you to confirm every month that you are still using it.
- It lets you update with a simple HTTP request + token (e.g. "curl ..." command), no login protocol, nor any special login protocol that good luck if it's supported by your router or DVR.
- Simple copy-paste instructions for dozens of systems, instead of other DNSs that have no docs and whose only instructions are to make you install their adware/spyware app
- No ads. Just a simple donate button at the end of the admin page which I haven't visited in months/years
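The "simple HTTP request + token" update mentioned above, written out as an added example (this is my own script, not anything from the thread or from DuckDNS). It assumes the DuckDNS update endpoint and its query parameters (`domains`, `token`, `ip`) and the bare `OK`/`KO` reply as I know them from the DuckDNS install page, that `api.ipify.org` returns the caller's public address as plain text, and that `curl` and `dig` are installed; all three are assumptions to check against the site before relying on it. The script reads the token from the environment rather than the command line, refuses to publish anything that is not a dotted-quad IPv4 address, and only calls the update endpoint when the published record actually differs from the current address:

```shell
#!/bin/sh
# Added example: conditional DuckDNS updater for a cron job.
# Assumptions (not verified against the page): the DuckDNS endpoint
#   https://www.duckdns.org/update?domains=<sub>&token=<token>&ip=<ip>
# answers "OK" or "KO"; api.ipify.org returns a bare public IP.
# Run as:  DUCKDNS_SUBDOMAIN=myhost DUCKDNS_TOKEN=... sh ddns-update.sh run
set -eu

# Accept only a dotted-quad IPv4 address with no leading zeros, so a broken
# or hijacked "what is my IP" reply cannot push arbitrary text into the query.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
}

# Build the update URL from subdomain, token and address.
build_update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=%s' "$1" "$2" "$3"
}

# True when the current address differs from the published record, so a
# job running every few minutes does not hammer a free service needlessly.
needs_update() {
    [ "$1" != "$2" ]
}

main() {
    # Token and name come from the environment, never from argv or the script.
    sub="${DUCKDNS_SUBDOMAIN:?set DUCKDNS_SUBDOMAIN}"
    token="${DUCKDNS_TOKEN:?set DUCKDNS_TOKEN}"

    # Address as seen from outside the NAT (assumption: plain-text reply).
    current="$(curl -fsS https://api.ipify.org)"
    if ! is_ipv4 "$current"; then
        echo "refusing to publish non-IPv4 value: $current" >&2
        exit 1
    fi

    # What public DNS currently returns for the name (empty if unresolved).
    published="$(dig +short "${sub}.duckdns.org" A | head -n 1)"

    if needs_update "$current" "$published"; then
        reply="$(curl -fsS "$(build_update_url "$sub" "$token" "$current")")"
        if [ "$reply" != "OK" ]; then
            echo "DuckDNS rejected the update: $reply" >&2
            exit 1
        fi
        echo "updated ${sub}.duckdns.org: ${published:-<none>} -> ${current}"
    else
        echo "no change (${current})"
    fi
}

# Only perform the network calls when invoked with "run", so the functions
# above can be sourced and checked on their own.
case "${1:-}" in
    run) main ;;
esac
```

Note that `curl` still shows the token in its own argument list to other local users for the duration of the request; on a shared host, move the URL into a `curl -K` config file readable only by the job's user instead.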
No idea why it's trending, but it is not very random. It's probably the most popular DDNS out there right now. A lot of docker images have built in support or plugins to use it in conjunction with Let's Encrypt for HTTPS support.
Google's was actually a really good implementation that was pretty well supported (edgeOS and synology), too bad it's going away. Switched to namecheap and its implementation is OK but a bit crusty
I've been using them since I let my personal domain expire. The personal domain on Namecheap allowed for DynDNS updating, but I couldn't really justify the $10/y cost for no real gain.
I use DynDNS for a Wireguard VPN with WG Dashboard hosted behind my home firewall on a Proxmox CT (LXC). Works great for allowing me to tunnel traffic on untrusted Wifi, and of course, to hit LAN devices remotely. I'm lucky my home ISP (FIOS) doesn't cheap out and CGNAT me like so many seem to be doing now. In the past, I used to open 80/443 and self-host websites, but that's pretty silly nowadays.
It would be nice to be able to create an account that isn't linked to such large corporations. The future seems to be that these players will become gatekeepers, even for things that have nothing to do with them. Piss Google Off? Lose access to your DDNS account.
I use DuckDNS for letting Alexa and Google Assistant access my Home Assistant devices.
Not needing to click on a link to “renew” my host name every month is a huge plus.
The biggest issue however is that it doesn’t support CNAMEs so I can’t migrate to a Tailscale Funnel address without redoing the entire setup, since I have a VPS configured to reverse proxy Home Assistant from home, through Tailscale of course.
We can all have static IPs, but if you fragment the space too heavily (e.g. your home having an adjacent address as someone else on the other side of the country / world), no AS will want to carry your traffic. It's simply not feasible to carry traffic to tiny prefixes that big giant routers can't handle in a few TCAM entries. This is kinda why we have IP in the first place (instead of no L3 at all).
This is also similar to the old way the phone system used to work. If you move across the country now, you can keep your cell number no problem (and maybe even landline too?), but in the Bell monopoly days, you most certainly could not move out of an area code and keep your number, as the number itself reflected some sort of hierarchical structure of the network. There may have even been further restrictions on the number prefix (XXX in XXX-YYYY), but I don't know that for sure.
I don't mind having a dynamic IP that changes from time to time (for example every time I restart my router or reconnect). The real troublemaker is CGNAT.
Actually, I prefer having a dynamic IP as it makes blacklisting individual IPs useless.
The solution should be to use IPv6 everywhere via 4to6 and 6to4 protocols. Then IPv4 usage will become less important (as fewer people will want to maintain or use it), and ISPs will have an active incentive to switch (less network translation to maintain).
At that point, the main consumers of IPv4 will be old devices and legacy clients that for whatever reason can't support IPv6. Nobody will be paying for IPs otherwise, so ISPs can continue selling their business plans as normal, the rest of us can just use IPv6 and not worry about rent-seeking behavior from the exhausted IPv4 space.
I would guess, around 50-60% penetration, you will start to see real "only works with IPv6" behavior, and the trend will accelerate... it's already at 30% which is enough incentive to at least try to get on IPv6 now if possible...
For dial up, sure, but given most home internet connections are now always-on connections, dynamic IPs are just shuffling deck chairs on the Titanic (OK, that's not a great analogy). Unless the ISP's two options are static IP and CGNAT, then a dynamic, non-CGNAT IP is just rent-seeking.
This is pretty neat. There used to be free secondary (slave) DNS and it was good. Nowadays not so much and I'm still looking for some way to have secondary ns on a separate network because that's how it's supposed to work.
1. https://tailscale.com/
2. https://tailscale.com/kb/1223/tailscale-funnel/
3. https://developers.cloudflare.com/cloudflare-one/connections...