Is there a way to safely use the Remote Binding over the Internet? [Solved]

Guys, with all due respect, the OP already has a VPN setup which works for him. I feel welcome that you wish to continue the topic given the scarce amount of new messages on this forum.

I rather consider it a subject of extra friction which is impacted by the actual network setup. Each network is different, hence making hole punching succeed is a challenge. That's why making a run with TCP is the most reliable way.

Hence it is easier to manage the security of a single port and a single service than a bunch of random ports across random services. I run WireGuard myself, I did use SSH tunnels, and with even a bit of awareness it can be made good enough that none of the bots will crack it.

We are not talking here about user errors but about you advertising Tailscale. Making arguments about default passwords within the context of a VPN setup does not bring any value.

Hence for security reasons we agreed to have port 80 for HTTP services. :wink: I get that a VPN is a different sort of service since it gives you access to the network and not only a single application exposed by an HTTP server.

I appreciate your enthusiasm towards Tailscale, yet keep in mind it is a commercial product and not an open source project. As experience shows in multiple fields: if a service is free then you are the product. Even if Tailscale is based on WireGuard, which is open, it still has closed bits.
I don't think you would be so "hooray" if I brought another commercial service offered for free to OH users and started advertising it in multiple topics to everyone because of the smooth experience it gives.

Hence please enjoy Tailscale and keep calm.
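The "single port, single service" posture argued for in the post above, written out as an added example (this is not configuration from any participant in this thread or from the openHAB or WireGuard projects). It is an nftables ruleset for a Linux gateway that runs both WireGuard and openHAB: the only thing reachable from the internet is WireGuard's UDP port, and openHAB is served only to peers that already authenticated to the tunnel. The interface names (eth0, wg0), the WireGuard port (51820), the openHAB port (8080) and the tunnel range (10.8.0.0/24) are assumptions; adjust them to your own setup.

```nft
#!/usr/sbin/nft -f
# Added example, not from this thread: expose exactly one UDP port (WireGuard)
# to the internet and reach openHAB only through the tunnel.
# Interface names, ports and addresses below are assumptions.

flush ruleset

define WAN_IF  = "eth0"        # assumed internet-facing interface
define WG_IF   = "wg0"         # assumed WireGuard interface
define WG_PORT = 51820         # assumed WireGuard ListenPort (UDP)
define OH_PORT = 8080          # assumed openHAB HTTP port on this host
define WG_NET  = 10.8.0.0/24   # assumed tunnel address range (peers' AllowedIPs)

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Keep path MTU discovery and basic diagnostics working.
        meta l4proto { icmp, ipv6-icmp } accept

        # The single internet-facing service. WireGuard does not answer
        # packets that fail its handshake, so a scanner hitting this port
        # gets silence, the same as a closed port.
        iifname $WAN_IF udp dport $WG_PORT accept

        # openHAB and SSH only from addresses inside the tunnel. The source
        # check is belt and braces: WireGuard already discards packets whose
        # inner source address is outside the sending peer's AllowedIPs.
        iifname $WG_IF ip saddr $WG_NET tcp dport { $OH_PORT, 22 } accept

        # Everything else, including openHAB on $WAN_IF, is dropped by policy.
    }

    chain forward {
        # This host is not routing between networks; nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset` and an external scan of the WAN address: only UDP/51820 should show any behaviour, and even that should look closed. Two caveats: the `ip saddr` match is IPv4 only, so if you hand out IPv6 tunnel addresses add a matching `ip6 saddr` rule; and the ruleset does not help if openHAB is also reachable through a port forward on an upstream router, so the same one-port rule has to hold there too.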

If it was a service that takes something that is out of reach for most users to set up and use on their own and makes it so they can set it up and use it on their own then yes, I would welcome it and help promote it myself. I won’t apologize for trying to help users on this forum.

Raspberry Pi OS has closed bits too, should we not recommend it? Should we not build openHABian on it? InfluxDB, MySQL, Grafana and others have commercial versions. Should we not recommend their use?

You don't like Tailscale. That's fine. But I will continue to promote its use for those for whom setting up Wireguard or OpenVPN or some other purely open source option is out of reach. Better to use something that has closed bits than to put an unprotected openHAB on the internet directly.

Their business model is pretty much the same as any open-source-type company, including many commonly used by OH users today such as Grafana, InfluxDB, etc., as well as services many here use like CloudMQTT. They offer a free tier with limited capability, with paid plans for those with higher needs.

All of the Tailscale client software is open source with a BSD 3-clause license. The “closed bits” is the coordination server, for which there are people who have already written and released alternatives that are fully open source (e.g. GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server). There’s no vendor lock-in here.

Please don't use this comparison, because then you are spreading large misinformation. In every one of the above cases the situation is completely different. For Grafana, MySQL and InfluxDB you can run the whole thing on premises without letting them touch the outside network or share any statistical information.
In the case of CloudMQTT you have an online message broker which does not run an agent in your local network (you manage an agent connected to it). Moreover, none of these is managing your network traffic. Also, comparing an operating system which may include some proprietary drivers for specific hardware the user wishes to use is a stretch.

I don't have any problem with Tailscale. I just reminded you that each free service is paid for in some way. Ways which you might not know upfront. The professionals and infrastructure which work on their product have to be paid with real money and not gratitude. I saw multiple messages of yours advertising Tailscale and only now see headscale mentioned for the first time. You're making progress. :wink:
Here, in the privacy-concerned corner of the universe, it's worth keeping a balance.

OK, you don't like my comparisons. I don't see them as spreading misinformation. Your objection was that Tailscale is a company offering something for free with some proprietary bits and a paid tier. All the software I mentioned also offers something for free with some proprietary bits, with a paid tier where they make their money.

Maybe a more apt comparison would be Bitwarden.

At least in the US each company is required by law to disclose what information they collect and what they are allowed to do with it. Tailscale’s disclosure can be found at Privacy Policy · Tailscale

The relevant bits include:

We collect and use information only on behalf of our Customers, and do not use such information for any other purpose except as set out in this privacy policy or as required or permitted by applicable laws.

To create and administer your account: You do not have to create a Tailscale account to visit our website or download our client applications. However, you will be required to create an account in order to use the Tailscale Service. To create and administer your account, we will collect information such as your email address, as well as your first and last name. We will ask you to authenticate, using your email address, with your domain’s corresponding OAuth2 or SAML provider.

When you log into our product through these third-party sites, we may collect certain information associated with your account on the third party’s site (e.g., name, username, email address, profile picture, gender) in order to create and manage your account, or as part of the operation of the third party’s website, plug-in or application.

We collect information about our Customers’ use of the Tailscale Service, including information about each device used (such as the type of device hardware, hostname, all IP addresses, internal and private network routing information, operating system version, cryptographic public key, user agent (where applicable), the version of the Tailscale software installed, aggregate usage information (such as timestamps and connection logs between devices, as well as the sum of data transferred between devices by a given user), language settings, and the date and time the app accesses our servers). We use this information to provide, monitor, and manage the quality of our services, as well as to provide technical assistance. In some cases, The Tailscale Service uses this information to assist in establishing connections between pairs of devices.

We do not sell or disclose your personal information to third parties without your consent, except as set forth below or as required or permitted by law.

Service providers: Your personal information will be transferred (or otherwise made available) to certain third parties that provide services on our behalf. We use service providers to provide services such as hosting the website, operating certain of its features, processing payments, providing authentication services, data analysis to better understand and improve product and website usage, and providing advertising and marketing services. Our service providers are only provided with the information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers may be located in the U.S., Canada or other foreign jurisdictions.

Legal and compliance: We and our Canadian, U.S. and other foreign service providers may provide your personal information in response to a search warrant or other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law or detecting, suppressing or preventing fraud, or as otherwise may be required or permitted by applicable Canadian, U.S. or other law or legal process, which may include lawful access by U.S. or foreign courts, law enforcement or other government authorities. Your personal information may also be disclosed where necessary for the establishment, exercise or defence of legal claims and to investigate or prevent actual or suspected loss or harm to persons or property.

Sale of business: We may transfer any information we have about you as an asset in connection with a proposed or completed merger, acquisition or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Tailscale Inc. or as part of a corporate reorganization or other change in corporate control.

tl;dr: they collect what they need to make the service work and monitor the health and status of the system. They share just what is required by their service providers to do their job or where required to by law. And of course if they are bought, the data goes to the new company.

This is not a company that makes money off of selling information about its customers. They make money because if you are trying to use it for anything more than a home network you will need to pay for a plan.

Believe it or not I really did do my homework on this. I’m not just blindly promoting them. I looked at who they are, where they came from, the company’s history, how it works technically, the licenses, privacy policy, and more.

I’ve also set up and used OpenVPN configured by hand, Wireguard configured by hand, PIVPN, various OpenVPN wizards on various firewalls and gateways.

Tailscale is the first where I was able to send an email to my dad with three simple steps to install it and get connected that he was able to follow. This is the same person who I constantly have to answer “I saved a file, where did it go?” questions. And so I promote it to users for whom setting up a VPN using these other methods is too hard for them or too daunting.

Of course not. Why would I? If a user has the ability to install and set up headscale they would have the ability to set up Wireguard or OpenVPN in the first place and wouldn't need Tailscale. And if they wanted Tailscale but did not want to use their "closed bits", they can do the same search in DuckDuckGo that I did after reading in Tailscale's own documentation that it's possible to code your own coordination service.

I’ve never said everyone should use Tailscale. I didn’t recommend the OP switch to Tailscale. I’ve always said people who are unwilling or unable to deal with the complexities of setting up a VPN on their own should look at Tailscale. And I stand by that recommendation. And I will keep making that recommendation.

I believe you can distinguish the situation where the client code is open source and the server code is not. By pulling MySQL, Tailscale etc. into the same category you mix up the compared tools. In the case of MySQL you have a client and a server which are fully open source. You can run both as you wish. With Tailscale you have only the client code.
Not that I expect anyone to release all their code because of my or somebody else's wish, but that makes quite a big difference in what people can audit. A difference which you should be aware of.

Anyhow, I guess we have put everyone to sleep, so it's about time to wrap up the whole discussion and let the OP do his own thing.

gosh… I thought it was just me who noticed

@BigGeorgeTx: can you mark my first response as a solution for your question?
I am so stupid that I can't find how to do that / where to click!

Only the original poster or a moderator can do that I think.