Tailscale Funnel enables port forwarding with Mullvad

Almost two years ago, the VPN provider Mullvad shut off all port forwarding. Could Tailscale Funnel be the solution to this dilemma?

TARNKAPPE.INFO
Managing AdGuard and Pi-hole from a smartphone

Managing AdGuard and Pi-hole from a smartphone. This is how you control your blocklists and DNS settings on the go, securely and conveniently with the apps!

TARNKAPPE.INFO

Tailscale funnel will tell the whole world about your service through the certificate transparency log.

I just discovered this after watching someone from a Russian IP identifying as "scanner.ducks.party" crawling my little test.

I don't think @tailscale makes it clear at all that anything exposed with tailscale funnel is announced to everyone listening thanks to certificate transparency.
A small warning when running tailscale funnel would be in place because I very much did not expect anyone to find my little funnel. And I doubt others do either.

@tannerprynn also noticed this already a while ago and did a bit of scanning to see what people are putting up. And it was mostly Plex and other hobbyist things. But I think nowadays Tailscale has moved into enterprise so I would guess there are a lot more "interesting" things being exposed.

https://infosec.exchange/@tannerprynn/110690241082273706

#tailscalefunnel #tailscale #psa #securebydefault

tannerprynn (@[email protected])

Tailscale has a feature called Tailscale Funnel that kind of does the opposite of everything else Tailscale does? It exposes nodes directly to the Internet. And all the hostnames are published in CT, so I scanned it #appsec #nmap #tls #tailscale https://tprynn.github.io/2023/07/10/tailscale-funnel-scanning.html

Infosec Exchange
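
An added example, not part of the posts above or any Tailscale tooling: a small audit that lists which hostnames of your own tailnet are already visible in certificate transparency and flags the ones you never meant to publish. It assumes CT search results exported as JSON with crt.sh-style `name_value` and `not_before` fields; the tailnet name, hostnames and dates are constructed.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (assumption; name_value
# may hold several newline-separated names). Tailnet and hosts are made up.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "pleroma.example-tailnet.ts.net", "not_before": "2023-07-01T10:00:00"},
    {"name_value": "test-box.example-tailnet.ts.net", "not_before": "2023-07-09T08:30:00"},
    {"name_value": "test-box.example-tailnet.ts.net", "not_before": "2023-04-10T08:30:00"},
    {"name_value": "Pleroma.example-tailnet.ts.net\nnas.example-tailnet.ts.net",
     "not_before": "2023-06-02T12:00:00"},
    {"name_value": "plex.other-tailnet.ts.net", "not_before": "2023-05-05T00:00:00"},
])


def names_in_ct(ct_json, tailnet_domain):
    """Map each logged hostname under tailnet_domain to its earliest not_before."""
    suffix = "." + tailnet_domain.lower().rstrip(".")
    first_seen = {}
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name.endswith(suffix):
                continue  # belongs to someone else's tailnet or domain
            seen = entry.get("not_before", "")
            # ISO 8601 timestamps in one format compare correctly as strings
            if name not in first_seen or seen < first_seen[name]:
                first_seen[name] = seen
    return first_seen


def unexpected_names(ct_json, tailnet_domain, intended_public):
    """Return logged hostnames that are not on the intended-public list."""
    intended = {h.lower() for h in intended_public}
    logged = names_in_ct(ct_json, tailnet_domain)
    return {n: t for n, t in sorted(logged.items()) if n not in intended}


if __name__ == "__main__":
    findings = unexpected_names(SAMPLE_CT_JSON, "example-tailnet.ts.net",
                                ["pleroma.example-tailnet.ts.net"])
    for name, seen in findings.items():
        print(f"{seen}  {name}  is public in CT but not on the intended list")
```

A name that shows up here stays in the log even after the service is taken down, so treat every listed host as permanently discoverable and rely on authentication, not obscurity.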

How did I do it?

A containerized pleroma, running in podman(-compose) on opensuse tumbleweed on the rpi4b (4gb ram) was a simple first step that ensured a sandboxed webserver with very few permissions in the host: https://github.com/angristan/docker-pleroma

I'm quite comfortable with linux, container technologies and webhosting, but I was hellbent on not opening ports on my home router/modem.

Enter tailscale funnel! Tailscale would let me both connect to my rpi from anywhere easily using the `tailscale ssh` system, and `funnel`, combined with `MagicDNS` allowed me to serve my activitypub server publicly (with some throughput limitations that I _hope_ I don't reach).

https://tailscale.com/kb/1223/tailscale-funnel/

Cool stuff! Easy to set up! Mostly safe for my home network!

#TailScaleFunnel
GitHub - angristan/docker-pleroma: Docker image for the Pleroma federated social network

@bdimcheff @w8emv

Yup, turned on Tailscale funnel, brought up Honk. Funnel came up very easily once I spent 5 minutes coming to grips with the "tailnet policy file". Like most good Tailscale stuff it's basically magic.

This instance is super temporary in that it has totally the wrong name, and I am not sure of the right name yet.

The honk mission is to work well if it's what you want.
This does not imply the goal is to be what you want.

Honk is super lightweight, especially compared to Mastodon. Single binary, low memory consumption. The terminology is just confusing enough - emus are in the funzone, for instance - to ensure that it will never get mass adoption.

[ #tailscale #TailscaleFunnel #honkiverse ]

Up and running.

honk 0.9.8
Raspberry Pi 4 (8 GB)
Tailscale Funnel (alpha)

This is a temporary setup, which may be taken offline at any time for any reason. (Famous last words.)

cc @tedu
cc @zev
cc @tailscale
cc @w8emv
cc @Raspberry_Pi

#honkiverse
#Tailscale #TailscaleFunnel