Why would one expose services when WireGuard exists?

Nocterminalist@alien.top · 11 months ago

Why would one expose services when WireGuard exists?

hi65435@alien.top · 11 months ago

Can you though? I used to do exactly these things and either on Android or iOS I had trouble installing a certificate. Well, in a way it’s not a a big issue anyway, probably it’s smart to go with public domains anyway (even for private resources)

ConfusionSecure487@alien.top · 11 months ago

I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

But I meant client certificates in this context. What I do:

Use a public domain, pointing A and AAAA *.domain.tld to an traefik lb/reverse proxy. I use it on Kubernetes.
use LE for that *.domain.tld, instead of direct domain certs to be more private (as all public CAs disclose the signed certs (https://crt.sh/))
create a own CA for Client authentication
set the own CA as trust anchor for clients in traefik for domains which require authentication
create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them). I use the pfx format, as this widely accepted by the browsers and systems. p12 should also work
Add the client certificate on the devices. But I don’t but the CA as trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.

hi65435@alien.top · 11 months ago

Ah ok that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS but some years ago. Apparently it’s possible to install custom certs there as well but it’s a little painful

edit: ok I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess

Personal Certificates can only be installed in Safari.
NO other browsers are supported.

https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS