Brainstorming: untrusted, guest, or non-standard networks

Hi,

I would like some input regarding my current usage of YunoHost, and to see if it can give some ideas to others, or if I can get some feedback.

The problem

I have multiple YNH instances, including one on an RPi that follows me through my often-changing homes.
I have recently experienced two cases where I could not trust my network or alter its settings.

  • First case: in a temporary flat-share, I set up my RPi with YNH and my shared drives… only to realize the next morning that my Samba shares were open to anyone in the house.
  • Second case: my current flat, where I cannot open ports 80 and 443 because they are locked at the ISP level.

I think those issues also cover what is currently happening with Free sharing the same IPv4 address among multiple clients (see Freebox - let's encrypt ne fonctionne plus).

A solution

You will tell me “use a VPN!”, and I would agree. But I find it cumbersome to rely on a main server that I would have to keep somewhere safe and stable. I had been looking for alternatives, which led me to package ZeroTier for YNH; it basically creates a virtual Ethernet network between devices.

All my YNH instances are now connected to this private network. It has helped me solve both issues mentioned above:

  • Samba shares now only allow connections from the ZeroTier network interface.
  • I can access my HTTP-locked RPi, bypassing the ISP constraints, through its ZeroTier IP address.

What do you think of this setup? What would you have done better/different?
I have found a couple of problems so far:

Emails

I think with this kind of setup, they are not fixable. I can rely on my regular-connected YNH instances, so it’s OK for my use case.

DNS

I am trying to figure out a way to have friendlier access to my devices, by dedicating a subdomain (e.g. zt.domain.tld) to the internal addresses (like rpi.zt.domain.tld pointing to my RPi’s ZeroTier address). But I am not sure where the best place to put this DNS record is. Should it be:

  • at the domain provider level, leaking my internal network addresses to the public?
  • in each device’s /etc/hosts file? It’s easy to set up, though a bit manual, except for phones…
  • dedicating one device as a DNS server, which would not remove the manual work but fixes the phone problem.

This last one is working so far. I am trying to set up Let's Encrypt certificates, but the HTTP challenge is not possible. I think the DNS challenge should work; however, YNH does not handle it yet, correct? If it were to be supported, should one alter the DNS records locally during the challenge, or elsewhere?
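Added example (not part of the post above, and not the poster's actual configuration): the first incident in the opening post is what happens when smbd keeps its default of listening on every interface. The two smb.conf fragments below are constructed for illustration, one in that default state and one bound to the ZeroTier interface, together with a small shell check that can be pointed at a real /etc/samba/smb.conf. The interface name `zt0` and the managed subnet `10.147.17.0/24` are assumptions; take the real values from `ip addr` or `zerotier-cli listnetworks`.

```shell
#!/bin/sh
# Constructed smb.conf [global]+[share] fragments for illustration only.

# Weak: no "interfaces"/"bind interfaces only", so smbd listens on 0.0.0.0
# and every host on the flat's LAN can reach the share (guest access on top).
WEAK_CONF='[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = Bad User

[shared]
   path = /srv/shares
   guest ok = yes
   read only = no
'

# Hardened (assumed values): bind only to loopback and the ZeroTier interface,
# and as defence in depth restrict client addresses to the ZeroTier subnet.
# "interfaces" alone is NOT enough: without "bind interfaces only = yes" it only
# affects browsing/broadcast and smbd still listens on all addresses.
HARDENED_CONF='[global]
   workgroup = WORKGROUP
   server role = standalone server
   interfaces = lo zt0
   bind interfaces only = yes
   hosts allow = 127.0.0.1 10.147.17.0/24
   hosts deny = ALL
   map to guest = never

[shared]
   path = /srv/shares
   valid users = @sambashare
   read only = no
'

# smb_global_value CONF KEY: print KEY's value from the [global] section.
# Samba keys are case-insensitive and tolerate spaces around "=".
smb_global_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# smb_bound_to_iface CONF IFACE: succeed only if "bind interfaces only" is on
# and IFACE is in the "interfaces" list, i.e. smbd will not listen on the LAN.
smb_bound_to_iface() {
    conf="$1"; iface="$2"
    bind=$(smb_global_value "$conf" "bind interfaces only" | tr 'A-Z' 'a-z')
    case "$bind" in yes|true|1) ;; *) return 1 ;; esac
    for i in $(smb_global_value "$conf" interfaces); do
        [ "$i" = "$iface" ] && return 0
    done
    return 1
}

# smb_hosts_restricted CONF SUBNET: succeed if "hosts allow" names SUBNET.
# A non-empty "hosts allow" already denies every address not listed; the
# "hosts deny = ALL" line in the hardened fragment is belt and braces.
smb_hosts_restricted() {
    conf="$1"; subnet="$2"
    for a in $(smb_global_value "$conf" "hosts allow"); do
        [ "$a" = "$subnet" ] && return 0
    done
    return 1
}

# smb_audit CONF IFACE SUBNET: one verdict per configuration, for scripting.
smb_audit() {
    if smb_bound_to_iface "$1" "$2" && smb_hosts_restricted "$1" "$3"; then
        echo "ok: samba reachable only via $2 ($3)"
    else
        echo "EXPOSED: samba is reachable from other networks"
        return 1
    fi
}

smb_audit "$WEAK_CONF" zt0 10.147.17.0/24      # EXPOSED
smb_audit "$HARDENED_CONF" zt0 10.147.17.0/24  # ok
```

To audit a live server, replace the constructed strings with `"$(cat /etc/samba/smb.conf)"`. Two caveats worth checking after a reboot: `bind interfaces only` needs the ZeroTier interface to exist when smbd starts, so confirm with `ss -tlnp | grep smbd` that it is listening on the ZeroTier address and not on `0.0.0.0:445`; and Samba's own `testparm` will flag typos in the parameter names that this check would silently treat as absent.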

I have never used ZeroTier, but it seems a great idea in your configuration.