„Inspired“ from https://lemmy.world/post/287146 and many related questions (also on reddit before).

Why don‘t people like opening Port 443 on their Homerouter? An open Port itself is not a vulnerability because nothing is listening on it, therefore there cannot be any connection established. When forwarding Port 443 From Router to e.g. The Homeservers LoadBalancer / Proxy, this Proxy is the final resolver anyways.

So why doing the more complex and more error prone Route via the VPS / Tailscale / CloudFlare?

I did that some years ago too, but just because i did not have an static IPv4 at home. But speeds were awful and i switched to Routerport + DynDNS and now everything is super performant.

    • jalim@jalim.xyz
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      This doesn’t really apply if you’re port forwarding to a specific device. In that case you know that you have told your firewall to forward port 80 & 443 (for example) to your web server and you know what ports that has open. I would not be using UPNP on the other hand as that seems dangerous especially in the IOT era.

    • Edo78@feddit.it
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      and, even if you scan them, how do you know that a port knocker isn’t there waiting to the secret knock?

    • nif@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Opening a port on consumer routers does not mean that all devices are open. Normally you forward a port to a host+port in the local network. In most cases some server which you control. All other devices are not affected by opening a port.

  • donnnnnb@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    It’s typically against the terms of service to open ports less than 1024 (well known ports) of most ISP’s for personal internet. That, and there are bots that probe for insecure and misconfigured stuff constantly. Spin up a VPS and take a look at the SSH logs. What if a zero day vulnerability occurs? Are you going to be able to react quick enough to prevent someone from doing damage?

    Cloudflare is nice because you no longer need to update your DNS A records, plus it caches data, automatically enables SSL, and absorbs bot traffic for you. Have also tried the Wireguard + VPS route, but that gets expensive because most charge ingress and egress.