Maybe because it doesn’t have anything in common with OP’s stated use case? Not to mention it’s the third time you’ve shifted the goalposts in this conversation.
I haven’t said, don’t say, and wouldn’t say that Tailscale is always the answer. Clearly it isn’t in the use cases you continue to dream up–so by all means, don’t use it, not that you need my approval for that. I think it’s a very good answer in cases where you want to share certain resources among a relatively-small group of people, which is how I understood OP’s question. And OP seems to think it’s at least worthy of consideration.
Wife and I use Tailscale, you literally do nothing once it’s installed and configured as it knows if you’re home or not. So, it starts the VPN automatically when you’re not home (or however you set it up), stops it if you’re home, etc. No need for split DNS, etc. There is no way I would EVER expose TrueNAS to the internet. If I needed to, then, time to do something else other than expose it.
So, my address book, calendar (both nextcloud), Emby, SSH, you name it, all run over Tailscale when not home, on trips, etc. It’s seamless, and fast.
There has been some excellent discussion in here, but I have to say I’m also throwing my hat in with Tailscale. I run the occasional game server and have Jellyfin running 24/7, and giving access to family and friends has been absolutely trivial.
I get that if you just want an equivalent service as, say, OneDrive sharing links for files, you’re going to be doing orders of magnitude more work for something that is never quite as good. 99 times out of 100, Tailscale or equivalent is also going to be more secure than any home-brewed solution.
I don’t know of any perfect solution for you, they all suffer in one way or another, but personally I’d always rather fall on the safer and less convenient side than vice versa.
What a great discussion and learning experience this turned out to be! Thanks to everyone for taking a moment to share their thoughts, I clocked in multiple hours following up on information shared in the comments.
Moving forward, I will give Tailscale a try at this stage. I think it will work well for the basic use cases and I expect no issues setting it up for the family members involved. Time will tell how reliably it works on people’s mobile phones in the background and whether it truly enables a set-and-forget solution for the apps I’d like to give access to.
In parallel, I am increasingly convinced that solutions along the lines of what @dasunsrule32 introduced are adequate and will set that as my aspirational goal. My current network hardware is not able to support such solutions so I will keep that in mind as the home network setup continues to evolve. Perhaps I can get a new router as a birthday present!
Better late than never. I’ve gone down this road before. I used cloudflare to proxy my public hosts along with nginx proxy manager to “reflect” them outside. NPM allows you to integrate authentication schemes as simple as usernames/passwords, or as complex as MFA with the username and pw so you’ve got three factors.
The glue that made it work was Authelia integrated with NPM. It’s because Nginx Proxy Manager has that advanced tab for each proxy host that allows Authelia to get hooks in. I’m pretty sure Authelia is an app available for Scale now, but at the time I just managed it with Portainer on a virtual machine (on Core).
Looks like everyone has decided on Tailscale and there are obviously better solutions available now than the hoop-jumping I did to make my stuff work. But the nice thing was, my apps were fairly safely exposed with real SSL certs (thanks to cloudflare) along with my choice of authentication schemes even for apps that didn’t support any kind of basic authentication.
If you read this far, great. More stuff to consider in different circumstances.
Thanks for chiming in, never too late as this is something I will be dealing with for a while still.
I am aware of Authelia and its integration options with NPM, and agree it can be powerful. My impression, though, was that it works for personal access control for people, but not so well for apps accessing resources from the TNS - can you confirm this and share your experience? What kind of apps were you accessing behind Authelia? For instance, I host my own Zotero library - AFAIK, Zotero clients do not support any kind of authentication infrastructure apart from a simple username and password saved in the app itself, so I don’t immediately recognize how I would extend that setup for extra security, apart from trying with a client certificate in the computer’s certificate store (not sure that would work either, it’s on my to-do list to try). Besides Zotero, how might Immich work with Authelia, as another example?
I can also share first impressions of Tailscale usage - definitely easy to set up, works well, but so far not quite set-and-forget as mobile phones tend to kill the Tailscale app after a while. Perhaps battery optimization, something else, I don’t know. I am sure there exists a solution for it, but as devices start multiplying, the effort to maintain becomes tangible… So I am still thinking the best solution is ultimately going to hinge on NPM receiving traffic via port forwarding, with additional security around it. I just need to work out the best and attainable scenarios for the “security” part and make sure I can implement it in my home network.
Just like other best practices, you separate your LAN from internet-facing hosts using a DMZ and a ruleset to allow the DMZ pinholed access to your database host or whatever on the inside. But that’s another box of worms.
Authelia is what I wanted to talk about, because working together with NPM, you get special options that shove Authelia in between a visitor and their destination host. It’s designed to authenticate even using MFA and OTP keys before letting the client reach the host’s web page/services. It wedges between them. Let’s say you’re using it with a standard web server, one that doesn’t authenticate. Your visitor goes to, for example, foo.com but instead of the site, they get Authelia butting in, asking for a username and password. If this is satisfied, the client is forwarded to the real site without any other input.
I had my machines, including Authelia (a Docker instance), DNS controlled and proxied in Cloudflare. A visitor would punch in the URL, it would resolve via Cloudflare DNS, they’d land on the Authelia page for whatever site it was, then contend with it. Cloudflare was pointed at my HTTP- and HTTPS-exposed NPM instance to perform the internal header matching so visitors got to the right site. This also had the benefit of edge Cloudflare HTTPS services that didn’t require any effort since their proxy hosts always presented as HTTPS.
This all started with an excellent tutorial heavily focused on Authelia since it’s the glue. Hope youtube links are allowed, this really puts it all together. https://youtu.be/4UKOh3ssQSU?si=XMqNmYQf5Z6S6cMD
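The “Authelia wedged between the visitor and the host” flow described in the two posts above (NPM’s Advanced tab giving Authelia its hooks, and the 401-to-portal redirect before the real site is reached) boils down to an nginx `auth_request` sub-request. Below is an added example of what goes in the NPM Advanced tab for one proxy host; it is not from the thread or the linked tutorial. Assumed names: Authelia is reachable from the NPM container at `http://authelia:9091` with its classic `/api/verify` endpoint, the Authelia portal is `https://auth.example.com`, and the protected (non-authenticating) app listens at `http://app:8080`.

```nginx
# Added example, not from the original post. Assumed hostnames:
#   authelia:9091      - Authelia container (verify endpoint)
#   auth.example.com   - Authelia login portal
#   app:8080           - the web app that has no auth of its own

# Internal sub-request: NPM asks Authelia "is this request allowed?" for
# every client request. Clients cannot call this location directly.
location /authelia {
    internal;
    set $upstream_authelia http://authelia:9091/api/verify;
    proxy_pass_request_body off;
    proxy_pass $upstream_authelia;
    proxy_set_header Content-Length "";

    # Authelia decides based on the ORIGINAL host, URI and method, so it can
    # apply per-domain/per-path policies (one_factor, two_factor, bypass).
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header Cookie $http_cookie;   # carries the Authelia session cookie

    # Keep the gate fail-closed and bounded: a timeout or 5xx from Authelia is
    # an error (nginx answers 500), never an "allowed".
    proxy_connect_timeout 5s;
    proxy_read_timeout 5s;
}

# Defining "location /" here replaces NPM's generated default location.
location / {
    set $upstream_app http://app:8080;

    # Only a 2xx from the sub-request lets the request through to the app.
    auth_request /authelia;
    auth_request_set $target_url $scheme://$http_host$request_uri;

    # Identity headers Authelia returns on success; harmless for apps that
    # ignore them, useful for apps that trust the proxy for single sign-on.
    auth_request_set $user   $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $name   $upstream_http_remote_name;
    auth_request_set $email  $upstream_http_remote_email;
    proxy_set_header Remote-User   $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Name   $name;
    proxy_set_header Remote-Email  $email;

    # No valid session -> 401 from Authelia -> redirect to the portal, which
    # sends the visitor back to $target_url after password (+ second factor).
    error_page 401 =302 https://auth.example.com/?rd=$target_url;

    proxy_pass $upstream_app;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

Two things to check before relying on it: the Authelia session cookie domain must cover both the portal and the protected host (both under `example.com` here), or the redirect loops; and the `Cookie` header must be passed to the sub-request, or every request looks unauthenticated. For the thick-client question raised earlier (apps that can only send a username and password), the same gate still applies; such a client will receive the 302 instead of the app’s response unless Authelia’s access-control policy for that path is set to `bypass`, which is the point at which the app’s own authentication becomes the only thing protecting it.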