port knocking in front of headscale server?
Why
The API server and STUN-like coordination usually need to happen on a public server.
For tailscale's own, they have it public.
Headscale could probably get away with having the coordination server itself have the host firewall (e.g., iptables) use a port knocking daemon. The cloud firewall would still be open on those port knocking ports.
Description
Is it possible to have a port knocking client on a device alongside the tailscale client?
Is it possible to have headscale operate behind port knocking?
What would need to change for that to be the case?
This limits the ability of an attacker to try exploiting RCE without knowing the port knocking code. Or even knowing the headscale coordination server is there.
e.g., survivability onion: don't be there, don't be visible, don't be hit
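To make the proposal concrete, here is an added example (not headscale's or tailscale's code) of the host-side half: the knock daemon state machine the issue imagines sitting in the host firewall in front of the coordination server, replayed over constructed firewall log lines. The knock ports, the coordination port, the timings and the addresses are all assumptions; the client-side knock that the maintainers point out is missing from the tailscale client is exactly what is not shown here.

```python
# Added example, not headscale's or tailscale's code: a knock daemon state machine
# for the host firewall in front of a headscale coordination server, replayed over
# constructed firewall log lines. Ports, timings and addresses are assumptions.
import re
from dataclasses import dataclass
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret knock sequence
COORD_PORT = 8080                    # assumed headscale listen port
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the sequence
OPEN_FOR = 30.0                      # seconds the coordination port stays open per source
LOG_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>[\d.]+) dpt=(?P<dpt>\d+)")
@dataclass
class KnockState:
    progress: int = 0        # knocks of the sequence matched so far
    started: float = 0.0     # time of the first knock in this attempt
    open_until: float = 0.0  # coordination port accepted from this source until then
def filter_packets(log_lines):
    """Return (src, dpt, verdict) per packet; only knocked-in sources reach COORD_PORT."""
    states, verdicts = {}, []
    for line in log_lines:
        m = LOG_RE.search(line)  # constructed log format, assumed well formed
        t, src, dpt = float(m["t"]), m["src"], int(m["dpt"])
        st = states.setdefault(src, KnockState())
        if dpt == COORD_PORT:
            verdicts.append((src, dpt, "ACCEPT" if t < st.open_until else "DROP"))
            continue
        if dpt in KNOCK_SEQUENCE:
            if st.progress == 0 or t - st.started > KNOCK_WINDOW:
                st.progress, st.started = 0, t        # fresh attempt
            if dpt == KNOCK_SEQUENCE[st.progress]:
                st.progress += 1
                if st.progress == len(KNOCK_SEQUENCE):  # full sequence: open the door
                    st.open_until, st.progress = t + OPEN_FOR, 0
            else:
                # wrong knock resets; a repeated first knock starts a new attempt
                st.progress, st.started = (1, t) if dpt == KNOCK_SEQUENCE[0] else (0, t)
        # knocks and everything else are silently dropped: the server stays invisible
        verdicts.append((src, dpt, "DROP"))
    return verdicts
CONSTRUCTED_LOG = [  # constructed sample, not real traffic
    "t=0.0 src=203.0.113.5 dpt=8080",    # cold hit on the coordination port -> DROP
    "t=1.0 src=198.51.100.7 dpt=7000",   # correct sequence from a legitimate source
    "t=1.5 src=198.51.100.7 dpt=8000",
    "t=2.0 src=198.51.100.7 dpt=9000",
    "t=2.5 src=198.51.100.7 dpt=8080",   # -> ACCEPT
    "t=3.0 src=203.0.113.5 dpt=7000",    # out-of-order knocks -> no opening
    "t=3.5 src=203.0.113.5 dpt=9000",
    "t=4.0 src=203.0.113.5 dpt=8080",    # -> DROP
    "t=40.0 src=198.51.100.7 dpt=8080",  # opening expired -> DROP
]
```

Note that the cloud firewall in front of this host would still have to pass the knock ports and the coordination port, so the "don't be visible" property only holds for the host's own packet filter.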
I don't think this is possible, as you would need to implement port-knocking features in the tailscale client. This project doesn't implement the client, and therefore I think this feature would first need to be implemented there. This will only be the case if tailscale is going to implement this feature for their customers.
I don't see the headscale folks implementing this by themselves.
Furthermore, I rather see it as an edge case, which is not realistic to be implemented. As usual, PRs are welcome. I hope this will give a bit of an explanation to your concerns.
This issue is stale because it has been open for 90 days with no activity.
I would mark this out of scope and close it as won't implement.
Yes, as mentioned, I think this is going to be too complicated for us to do. A requirement for headscale will continue to be that it is accessible from the public internet.