• @[email protected]
    3 · 11 months ago

    Very good points all around.

    So far, I have WireGuard set up, and activate it when I need access.

    This year I have considered Cloudflare tunnels to enable them only to issue SSL certificates (instead of signing my own like I did last year). But not sure if it is worth it or if I should just keep signing myself.

    (Cert is mainly to avoid SSL warnings on iOS and browsers, so far I am the only one using what I host)

    Might also be nice to not have to configure each device to use a different dns server (my own), but not sure the benefit is worth having that dns record “out there” and Cloudflare “in here”.

    • Chewy
      2 · 11 months ago

      The DNS-01 challenge [1] allows for issuing SSL certificates without a publicly routable IP address. It needs API support from your DNS provider to automate it, but e.g. lego [2] supports many services.

      I personally leave my WireGuard VPN always on, but as it’s only routing the local subnet with my services, it doesn’t even appear in my battery statistics.

      [1] https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

      [2] https://github.com/go-acme/lego
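How the DNS-01 challenge mentioned above proves control of a name without any inbound connection, as an added example that is not from the thread, lego, or Let's Encrypt: the ACME client derives a TXT value from the challenge token and its account key's RFC 7638 thumbprint, and the CA only has to resolve that record. The JWK, token, domain and the in-memory "zone" are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the client publishes at _acme-challenge.<domain> (RFC 8555 section 8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validate_dns01(domain: str, token: str, jwk: dict, txt_lookup) -> bool:
    """The CA's side: resolve the TXT record set and look for the expected digest."""
    expected = dns01_txt_value(token, jwk)
    return expected in txt_lookup(f"_acme-challenge.{domain}")


# Constructed sample account key (not a real RSA modulus) and a constructed token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
SAMPLE_TOKEN = "constructed-challenge-token-from-the-ca"

# Constructed stand-in for the DNS zone; a real client writes this via the provider's API.
FAKE_ZONE: dict[str, list[str]] = {}


def publish(domain: str, value: str) -> None:
    FAKE_ZONE.setdefault(f"_acme-challenge.{domain}", []).append(value)


def fake_txt_lookup(name: str) -> list[str]:
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("TXT _acme-challenge.home.example =", value)
    publish("home.example", value)
    print("validated:", validate_dns01("home.example", SAMPLE_TOKEN, SAMPLE_JWK, fake_txt_lookup))
```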

      • @[email protected]
        2 · 11 months ago

        Thank you for the info and the links. That seems like a more sensible approach. Hope to try it out after the work week is done.