Please be aware that when you use tailscale funnel you announce to the whole world that your service exists (through certificate transparency), and you will get scanned immediately. If you don't believe me just put up a simple http server and watch the scanning request come in within seconds of running `tailscale funnel`.

Do not expose anything without authentication.

And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.

If you are aware of this, funnel works fine and is not insecure.

Tailscale IMHO failing in educating people about this danger. They do mention in on the docs, but I think it should be a big red warning when you start it, because people clearly does not realise this.

I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.

No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.

https://infosec.exchange/@gnyman/115571998182819369

We are developing a similar feature and is scheduled to be available really soon. We've discussed some details in our public slack. Any feedback there will be helpful.

Out of curiosity, why? I use TS for all my homelab bits (including my HA instance), but connect to TS before opening the HA app. Is it just a case of making it easier/ possible to connect if you’re on another VPN? Are you not concerned with having something from your local network open to the internet?

Agree, I use funnels and serves a lot as well. Very useful for homelabers.