| 21 Aug 2021 |
matthewcroughan - nix.zone | give me access to machines without a vpn | 02:35:03 |
matthewcroughan - nix.zone | the way the internet was supposed to be | 02:35:17 |
matthewcroughan - nix.zone | but 6in4 means I have to go through hurricane electric, which I don't want to do on youtube, and youtube isn't ssh, so yeah :D | 02:35:39 |
6aa4fd | you should really use a VPN, these admin tools are not properly hardened | 02:35:46 |
matthewcroughan - nix.zone | admin tools? | 02:35:57 |
matthewcroughan - nix.zone | what one are you referring to? | 02:36:04 |
matthewcroughan - nix.zone | * what one are you referring to? | 02:36:06 |
6aa4fd | the stuff on the machines you want access to | 02:36:16 |
matthewcroughan - nix.zone | The machines I'm accessing are just NixOS machines in Wales, meanwhile I'm in Liverpool. | 02:36:43 |
6aa4fd | SOP for any machine is basically locally initiated connections and VPN is all that should go through the firewall | 02:37:01 |
matthewcroughan - nix.zone | The NixOS machines in Wales have access to ipv6 natively thanks to BT. Whereas in Liverpool, the ISPs aren't IPv6 enabled. | 02:37:05 |
matthewcroughan - nix.zone | So, I just did 6in4 on my openwrt router at home, and voila, I can ssh into that machine without a VPN. | 02:37:18 |
matthewcroughan - nix.zone | * So, I just did 6in4 on my openwrt router at home, and voila, I can ssh into that machine in Wales without a VPN. | 02:37:22 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "SOP for any machine is basically locally initiated connections and VPN is all that should go through the firewall": NixOS runs its own firewall, and it's quite decent by default. | 02:37:44 |
matthewcroughan - nix.zone | NAT isn't security, either. | 02:37:58 |
6aa4fd | yeah I'm saying you shouldn't be punching holes in it | 02:38:05 |
matthewcroughan - nix.zone | In reply to @6aa4fd:tchncs.de "yeah I'm saying you shouldn't be punching holes in it": I'm not punching holes through it, the only thing open is ssh. | 02:38:19 |
6aa4fd | NAT is not security, but stateful, TCP-aware firewalls are | 02:38:24 |
matthewcroughan - nix.zone | Maybe you misunderstand what I'm doing? There's no hole punching happening. | 02:38:53 |
matthewcroughan - nix.zone | At least I can't see how I'm punching holes through anything. | 02:39:11 |
matthewcroughan - nix.zone | Are you telling me to turn off ipv6? | 02:39:15 |
matthewcroughan - nix.zone | * Are you telling me to turn off ipv6 for security reasons? | 02:39:29 |
6aa4fd | no I'm saying I wouldn't open a port for ssh | 02:39:39 |
matthewcroughan - nix.zone | Oh. In my view that is definitely overly paranoid. | 02:39:54 |
matthewcroughan - nix.zone | But that is only my view. | 02:39:59 |
6aa4fd | especially not both ssh and VPN, it all adds to your attack surface | 02:39:59 |
matthewcroughan - nix.zone | You have to open something. When you use a VPN you are also exposing some sort of port. | 02:40:20 |
matthewcroughan - nix.zone | You simply prefer the VPN binary and its ports and networking. I prefer OpenSSH. | 02:40:35 |
matthewcroughan - nix.zone | But both are binaries, both use networking, both require a single open port. | 02:40:51 |
matthewcroughan - nix.zone | Don't get me wrong, I like Wireguard and Tailscale, but those are only run on machines I fully control. | 02:41:25 |