
You could also always add port knocking or something like that.


If you're going to that level, just put it behind a VPN.


Tailscale is a VPN...

The context of the conversation is that the address becomes publicly visible so you get hit with port scanners and script kiddies looking for vulns. Moving off standard ports does help but many of those are also going to look at ports like 2222 or 8022 and treat them as ssh.

It's not hard to just send something like `nmap -sV -p- <ADDRESS>` (or better, use like rustscan.) and you'll discover those ports and the services.

On the other hand, just install something like knockd and you don't have to do much. Knocking is not a difficult thing to set up.


> Tailscale is a VPN...

And if you use it as a VPN and don't turn on the funnel feature, your service won't be exposed.

> On the other hand, just install something like knockd and you don't have to do much. Knocking is not a difficult thing to set up.

Neither is wireguard.


lol your solution to a problem caused by a feature is "don't use that feature?" LGTM

Presumably wireguard was already being used?



