Today I'm diving into Mutual TLS to securely expose my homelab services! TLS is already ubiquitous in the modern era, providing strong symmetric encryption, ...
I haven’t watched the video yet, but it’s generally not worth the hassle of setting up mutual TLS if you’re already using a peer-to-peer VPN like Tailscale, as the VPN software is already doing mutual authentication.
This is only true for the connection security. With mTLS you can also authenticate to the webapplication you’re trying to reach. So consider your use-case between vpn/mtls.
that’s not that same security. an observer will still know that you are connecting over HTTPS to a particular doman/IP, maybe they can also deduce that you are using mTLS, and all your other traffic is not protected by it at all. all the while with wireguard, they can see that it’s wireguard traffic, and where it goes, but anything inside is secret, plus if an app uses unencrypted traffic for some reason (smb, dns, custom and special protocols), wireguard will hide and protect that too.
I haven’t watched the video yet, but it’s generally not worth the hassle of setting up mutual TLS if you’re already using a peer-to-peer VPN like Tailscale, as the VPN software is already doing mutual authentication.
This is only true for the connection security. With mTLS you can also authenticate to the webapplication you’re trying to reach. So consider your use-case between vpn/mtls.
Oh yeah that’s a great point I didn’t consider. Thanks.
The whole point of mTLS is that you dont need to use a VPN to achieve that same security.
I get that, but a lot of people are already using a VPN to access their self-hosted system.
that’s not that same security. an observer will still know that you are connecting over HTTPS to a particular doman/IP, maybe they can also deduce that you are using mTLS, and all your other traffic is not protected by it at all. all the while with wireguard, they can see that it’s wireguard traffic, and where it goes, but anything inside is secret, plus if an app uses unencrypted traffic for some reason (smb, dns, custom and special protocols), wireguard will hide and protect that too.