Today I'm diving into Mutual TLS to securely expose my homelab services! TLS is already ubiquitous in the modern era, providing strong symmetric encryption, ...
I haven’t watched the video yet, but it’s generally not worth the hassle of setting up mutual TLS if you’re already using a peer-to-peer VPN like Tailscale, as the VPN software is already doing mutual authentication.
Edit: A peer-to-peer VPN (or mesh VPN) is one where two systems that are connected to the VPN can directly communicate with each other, instead of needing to go through a central server as with something like OpenVPN. With Tailscale or Wireguard, the peers need each other’s public keys to communicate.
The whole point of mTLS is that you don't need to use a VPN to achieve that same security.
That’s not the same security. An observer will still know that you are connecting over HTTPS to a particular domain/IP, maybe they can also deduce that you are using mTLS, and all your other traffic is not protected by it at all. All the while with WireGuard, they can see that it’s WireGuard traffic, and where it goes, but anything inside is secret; plus if an app uses unencrypted traffic for some reason (SMB, DNS, custom and special protocols), WireGuard will hide and protect that too.
I get that, but a lot of people are already using a VPN to access their self-hosted system.
This is only true for the connection security. With mTLS you can also authenticate to the web application you’re trying to reach. So consider your use-case between VPN/mTLS.
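As an added illustration of that point (this is example configuration, not something from the video or from anyone in the thread): an nginx reverse proxy that only completes the TLS handshake for clients holding a certificate from a private CA, then hands the verified certificate subject to the backend so the web application can treat it as the logged-in identity. The hostname, file paths, backend port and header names are assumptions.

```nginx
# Added example: nginx terminating mTLS in front of a homelab web app.
# Hostname, paths, backend port and the X-Client-* header names are assumptions.
server {
    listen 443 ssl;
    server_name app.homelab.example;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # server cert (public or private CA)
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Private CA that issued the client certificates. Only certificates chaining
    # to this CA are accepted; a client without one is rejected during the
    # handshake and never reaches the application.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Lost or stolen client certificates are revoked by publishing a CRL from
    # the same CA; nginx then refuses them at the handshake as well.
    ssl_crl /etc/nginx/tls/client-ca.crl;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend, loopback only

        # The handshake already proved possession of the client's private key;
        # pass the verified subject DN to the app so it can map it to a user.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;   # "SUCCESS" when verified

        # proxy_set_header overwrites any X-Client-* header the client sent, but
        # this only holds if the backend is reachable exclusively through this
        # proxy (loopback or a firewalled network), never directly.
    }
}
```

With `ssl_verify_client on`, unauthenticated connections never reach the app; if you relax it to `optional` (for example to show a login page to browsers without a certificate), the backend must check that `X-Client-Verify` is `SUCCESS` before trusting `X-Client-DN`.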
Oh yeah that’s a great point I didn’t consider. Thanks.