• dan@upvote.au
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    3
    ·
    edit-2
    3 days ago

    I haven’t watched the video yet, but it’s generally not worth the hassle of setting up mutual TLS if you’re already using a peer-to-peer VPN like Tailscale, as the VPN software is already doing mutual authentication.

    Edit: A peer-to-peer VPN (or mesh VPN) is one where two systems that are connected to the VPN can directly communicate with each other, instead of needing to go through a central server as with something like OpenVPN. With Tailscale or Wireguard, the peers need each other’s public keys to communicate.

      • WhyJiffie@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 days ago

        that’s not that same security. an observer will still know that you are connecting over HTTPS to a particular doman/IP, maybe they can also deduce that you are using mTLS, and all your other traffic is not protected by it at all. all the while with wireguard, they can see that it’s wireguard traffic, and where it goes, but anything inside is secret, plus if an app uses unencrypted traffic for some reason (smb, dns, custom and special protocols), wireguard will hide and protect that too.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 days ago

        I get that, but a lot of people are already using a VPN to access their self-hosted system.

    • Antithetical@lemmy.deedium.nl
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      3 days ago

      This is only true for the connection security. With mTLS you can also authenticate to the webapplication you’re trying to reach. So consider your use-case between von/mtls.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 days ago

        Oh yeah that’s a great point I didn’t consider. Thanks.