I use Headscale, an open source implementation of Tailscale control server. And it doesn't have funnel functionality implemented out of the box, but I use a custom Traefik proxy manager Web UI in which I can expose ports on different Tailnet nodes.

In order to avoid exposing something unnecessarily in the certificate transparency logs, I use a single wildcard certificate, so all the subdomains are not listed anywhere automatically.

I use the same approach for services hosted in the internal subdomain, because I don't want everyone to know what exactly I'm running in my homelab.

Yeah, I have mixed feelings about CT (certificate transparency) for this reason. Folks are just consuming the firehose and scanning.

And in this case, if the thing you're funnel'ing is on your residential connection, it basically amounts to you summoning a DDoS.

One (obvious?) tip I'd offer is to put your stuff on high non-standard ports if you can. It'll reduce the amount of connections you get dramatically.

All the dev servers I've used over the past 10 years come with warnings that they're not security hardened, so I'd be wary of using `tailscale funnel` even though it is awesome to share like that so easily.

Wait, so bots watch for new records added to this HTTPS cert public ledger, then immediately start attacking?

To me that sounds like enabling HTTPS is actually a risk here…

I don't see why people don't just run their own CAs more for private stuff.

If exposed for others I think the wildcard cert is also what I did, but most tutorials have you issuing certs via ACME for internal or local-only things which doesn't even need to happen.

I personally run my own CA and even setup an ACME server and internal DNS. Nobody knows what I am doing there.