- TCP/80 is only required to answer Let's Encrypt challenges for certificate issuance
- UDP is only required to enable DERP.
These are both optional.
It’s not surprising that there are additional ports required on top of WireGuard. 443 is likely for key distribution and management. If you don’t want PKI then you don’t need headscale; you can always distribute the keys yourself and just run plain WireGuard.
> If you don’t want PKI then you don’t need headscale; you can always distribute the keys yourself and just run plain WireGuard
It makes more sense to me: WireGuard + SPA (fwknop, a.k.a. a replacement for port knocking, which requires a pre-shared key to even talk to it; only that IP can access it (iptables), and any scan tool sees it as closed)
Headscale/Tailscale only has value if you are behind a CGNAT, otherwise, it just adds extra management and complexities.
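The single-packet-authorization idea in the comment above (the WireGuard port stays closed to everyone until an authenticated knock arrives, after which only the knocking IP is let through) can be shown in a small self-contained form. The following is an added illustration, not fwknop's wire format and not code from headscale or the thread's authors: one HMAC-authenticated datagram carrying a timestamp and a nonce, a verifier that checks the MAC in constant time before trusting any field, rejects stale and replayed knocks, and returns the firewall rule text it would add. The secret, IP and port values are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret for this example only; a real deployment reads a
# per-client key from a file or secret store rather than a literal.
DEMO_SECRET = b"example-shared-secret-not-for-production"
WINDOW_SECONDS = 30


def build_knock(secret, client_ip, now=None, nonce=None):
    """Client side: build one datagram of the form <json-payload>.<hex-tag>."""
    body = {
        "ip": client_ip,
        "ts": int(now if now is not None else time.time()),
        "nonce": (nonce or os.urandom(16)).hex(),
    }
    # Canonical serialisation so both ends compute the MAC over identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return payload + b"." + tag.hex().encode()


def verify_knock(secret, packet, seen_nonces, now=None, window=WINDOW_SECONDS):
    """Server side: return (accepted, reason, client_ip_or_None).

    seen_nonces is a dict nonce -> timestamp used as the replay cache; entries
    older than the window are pruned because such knocks are rejected as stale
    anyway.
    """
    now = now if now is not None else time.time()
    try:
        payload, tag_hex = packet.rsplit(b".", 1)
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Authenticate before parsing: nothing in the payload is trusted until
    # the MAC matches, and the comparison is constant-time.
    if not hmac.compare_digest(tag, expected):
        return False, "bad-mac", None
    body = json.loads(payload)
    if abs(now - body["ts"]) > window:
        return False, "stale", None
    for old_nonce, old_ts in list(seen_nonces.items()):
        if now - old_ts > window:
            del seen_nonces[old_nonce]
    if body["nonce"] in seen_nonces:
        return False, "replay", None
    seen_nonces[body["nonce"]] = body["ts"]
    return True, "ok", body["ip"]


def allow_rule(client_ip, wg_port=51820):
    """Rule text a daemon would apply for an accepted knock (not executed here)."""
    return f"iptables -I INPUT -p udp --dport {wg_port} -s {client_ip} -j ACCEPT"


if __name__ == "__main__":
    cache = {}
    knock = build_knock(DEMO_SECRET, "203.0.113.7")
    ok, why, ip = verify_knock(DEMO_SECRET, knock, cache)
    print(ok, why, allow_rule(ip) if ok else None)
    # Replaying the same datagram is refused; a tampered copy fails the MAC.
    print(verify_knock(DEMO_SECRET, knock, cache))
    print(verify_knock(DEMO_SECRET, knock.replace(b"113.7", b"113.8"), cache))
```

The design point is the ordering: the MAC is checked first, so an unauthenticated sender never reaches the JSON parser or the timestamp logic, and a passive capture is useless after the window expires or once its nonce has been seen. A real deployment would bind the accepted rule to a short lifetime and remove it again, which is what turns "closed to scanners" into more than a one-off.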
Well, it also lets you federate access and manages the keys for you. But yeah, if it’s a personal setup and you have good key rotation hygiene, I agree with you: it doesn’t add much value on top of WireGuard. I’ll hazard a guess that you can just run your own DERP relay too for the CGNAT case.