i’m assuming because of the “web server hosting photos”. Probably Immich if i had to guess?
tailscale is fine if you’re somewhat tech savvy, but it’s annoying to show all your friends and family how to “correctly” access your web server. Too much friction. First download the tailscale app, sign in, blah blah. Then you also are unnecessarily bogging down everyone’s smartphone with a wire guard VPN profile which is…undesirable.
I like tailscale and use it for some stuff. But for web servers that i want my whole family (and some friends) to easily access, a traditional setup makes much more sense. The tradeoff is (obviously) a higher security burden. I protect the web apps in my homelab with SSO (OIDC), among other things.
I prefer to gatekeep "entry points" with Tailscale. A server can have HTTP/S exposed to the world, but its SSH can stay behind Tailscale to enable defense in depth.
Keeping Tailscale as the only security layer will be foolish of course, but keeping the entry points hidden from general internet is a useful additional layer, if you ask me.
As a matter of principle, I like keep the number of open ports to a minimum. Let it be SSH or VPN, it doesn't matter. I have been burned enough times.
I've applied the same principal to my network. Though, I do have plans to re-open some additional ports beyond just SSH / VPN.
Thinking through how I would achieve this introduced me to the concept of a DMZ-zone. The DMZ places publicly accessible services in a highly locked down environment.
DMZ is a very old concept, and applying it is easy when everything is in a single room, connected to a single network, and everything can be isolated there.
When the network is distributed on multiple sites, things get exponentially harder if you don't own a dark fiber from site to site and have essentially a single network.
I personally manage enough servers to scratch that itch, so I yearn for simplicity. If Tailscale gives me that isolation for free (which it does), I'd rather use that for my toy network rather than an elaborate multi-site DMZ setup.
tailscale is fine if you’re somewhat tech savvy, but it’s annoying to show all your friends and family how to “correctly” access your web server. Too much friction. First download the tailscale app, sign in, blah blah. Then you also are unnecessarily bogging down everyone’s smartphone with a wire guard VPN profile which is…undesirable.
I like tailscale and use it for some stuff. But for web servers that i want my whole family (and some friends) to easily access, a traditional setup makes much more sense. The tradeoff is (obviously) a higher security burden. I protect the web apps in my homelab with SSO (OIDC), among other things.