In the past two weeks I set up a new VPS, and I run a small experiment. I share the results for those who are curious.

Consider that this is a backup server only, meaning that there is no outgoing traffic unless a backup is actually to be recovered, or as we will see, because of sshd.

I initially left the standard “port 22 open to the world” for 4-5 days, I then moved sshd to a different port (still open to the whole world), and finally I closed everything and turned on tailscale. You find a visualization of the resulting egress traffic in the image. Different colors are different areas of the world. Ignore the orange spikes which were my own ssh connections to set up stuff.

Main points:

  • there were about 10 Mb of egress per day due just to sshd answering to scanners. Not to mention the cluttering of access logs.

  • moving to a non standard port is reasonably sufficient to avoid traffic and log cluttering even without IP restrictions

  • Tailscale causes a bit of traffic, negligible of course, but continuous.

  • MonkderZweite@feddit.ch
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    1 year ago

    I don’t get tailscale? In-kernel Wireguard is easy to setup. What does it add to this?

          • BinAmProkrastinieren@feddit.de
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I think I’ve been too ignorant about Tailscale, primarily about the fact that it actually does direct peer-to-peer connections which would indeed be a pain with just Wireguard and not always trivial. I’m starting to get why so many people here are recommending it so thanks for the answer, maybe I should consider using it myself. :)

        • drathvedro@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          Tailscale is built on top of wireguard. It just manages all the hassle of configuring it. In my case it was a godsend as I have like 10 devices all roaming and scattered across multiple countries. It’d be a massive headache to type down IPs and whatnot every time one changes networks.

          • BinAmProkrastinieren@feddit.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Thanks for enlightening me on that aspect, setting that up with just Wireguard would indeed be a pain or outright impissible without additional tools (e.g. for UDP hole-punching), maybe I should also consider it :)

    • stown@sedd.it
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      I believe it adds a third party server to help facilitate communication between clients.

    • Justice@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I think it’s just the ease of GUI for people. This isn’t to shit on anyone, btw. A lot of people don’t like dealing with the keys and IPs involved, few as there may be, with setting up wireguard.

      If someone else has a compelling difference or reason to use tailscale then I’d be happy to hear it. I tried it once and it worked fine enough. But wireguard works just as fine and takes the same time to setup if you already know what to do. Like wireguard seriously takes 2 minutes.

      • sasoiliev@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m not using Tailscale, but I’d imagine that if you wanted to form a private network that involves devices controlled by non-technical people, the GUI becomes less of a “don’t like to deal with keys/IPs” and more of a “can’t deal”.