Ramblings of an aging IT geek
networking

the day i deleted every port forward and felt better

Replacing a router full of port forwards and a fragile DDNS setup with Tailscale, and why a flat WireGuard mesh quietly solved problems I had stopped noticing.

For years my home network had a small graveyard of port forwards. 32400 for Plex, something high and arbitrary for SSH that I told myself was security through obscurity, a couple I had genuinely forgotten the purpose of and was afraid to remove. Bolted onto that was a dynamic DNS client, a CGNAT workaround I no longer fully understood, and the low background hum of knowing my router was advertising open ports to the entire internet.

I have deleted all of it. Tailscale now does the job, and I should have made the switch a long time ago.

What it replaced

The pitch is simple: every device gets a stable IP on a private mesh, the connections are WireGuard underneath, and the coordination of who-can-talk-to-whom happens through a control plane rather than through holes in my firewall. Nothing is exposed to the public internet any more. My phone can reach the homelab from a coffee shop, but a port scanner from the outside sees a router with nothing to say.

tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
tailscale status

That subnet router line is the part that sold me. I do not have to install the client on every last device. One node advertises the LAN subnet, the rest of the mesh can reach the printer and the NAS through it, and the things that cannot run a client are no worse off than before.

The bits that surprised me

A few things I did not expect to enjoy:

  • MagicDNS means I refer to machines by name rather than memorising an IP plan I designed at midnight and never wrote down.
  • The ACLs are a single JSON file, version controlled, so "who can reach the database host" is a reviewable change rather than a router setting I would forget I made.
  • It worked through CGNAT without me doing anything clever, which is the whole reason I started looking. NAT traversal that just happens feels close to magic when you have spent evenings fighting it.
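To show what that reviewable ACL file and the subnet router approval look like together, here is a constructed policy of my own (not the author's actual tailnet policy): it auto-approves the advertised 192.168.1.0/24 route only from a node tagged as the subnet router, limits the LAN to the printer and NAS ports, and restricts the database host to admins. The user, tags and port numbers are assumptions; the key names and autogroups are the ones Tailscale's policy file uses.

```jsonc
{
  // Constructed example policy (HuJSON, so comments are allowed).
  // "alice@example.com", the tags and the ports below are assumptions.
  "groups": {
    "group:admins": ["alice@example.com"]
  },
  "tagOwners": {
    // Only admins may apply these tags when a node joins with --advertise-tags.
    "tag:subnet-router": ["group:admins"],
    "tag:db":            ["group:admins"]
  },
  "autoApprovers": {
    // A route advertised with --advertise-routes is approved automatically
    // only when the advertising node carries tag:subnet-router. A route
    // advertised by any other node stays pending in the admin console,
    // so a compromised laptop cannot quietly become a gateway to the LAN.
    "routes": {
      "192.168.1.0/24": ["tag:subnet-router"]
    }
  },
  // There is no implicit allow: a connection not matched here is denied.
  "acls": [
    {
      // Everyone on the tailnet reaches the LAN behind the subnet router,
      // but only the printer (IPP, raw print) and NAS (SMB) ports,
      // not every port on every device on 192.168.1.0/24.
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["192.168.1.0/24:445,631,9100"]
    },
    {
      // Who can reach the database host is now a diff in this file:
      // admins only, and only on the listening port.
      "action": "accept",
      "src":    ["group:admins"],
      "dst":    ["tag:db:5432"]
    }
  ],
  "ssh": [
    {
      // Tailscale SSH replaces the old high-numbered port forward. "check"
      // forces a fresh identity-provider re-authentication before the session.
      "action": "check",
      "src":    ["group:admins"],
      "dst":    ["tag:db", "tag:subnet-router"],
      "users":  ["autogroup:nonroot", "root"]
    }
  ]
}
```

With this in place, `tailscale up --advertise-routes=192.168.1.0/24` on a node that was started with `--advertise-tags=tag:subnet-router` comes up approved, while the same flag on an untagged node shows the route as unapproved in `tailscale status` until someone signs off on it.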

I am not blind to the trade. I now depend on a coordination server I do not run, and that is a real consideration for a setup whose entire point was self-reliance. Tailscale can run against a self-hosted Headscale control plane if that bothers me enough, and one day it might. For now the convenience is worth the asterisk.

But the honest measure is this: I no longer think about my router's WAN side at all. The port forwards are gone, the DDNS client is gone, the nagging worry is gone. The network got simpler and safer at the same time, which almost never happens, and when it does you should take the win and stop poking it.