TL;DR: Assuming your self-hosted item has a tailscale IP at 100.x.x.x, and has a service listening on port 11434,
connect to clusters via the command:
ssh -R 11434:100.x.x.x:11434 cluster
Then, on the cluster, query the service via curl http://localhost:11434 or similar.
My story of why I want this
I’ve wanted to put my powerful personal rig back at home to use as a self-hosted machine, as I feel there are many
software services that seem “simple enough” to handle myself. The only problem is that hardening my machine
configuration so that I can safely open my personal machine to the wider internet is a can of worms that I don’t want to
attempt, given the potentially catastrophic consequences if I fail at something. Thankfully, there is an existing
solution: tailscale is effectively a very thin VPN service, assigning each registered device a unique forwarding IP
address (typically something like 100.x.x.x) that is seen by all other devices within the same network. This removes
a lot of the pressure of getting security configurations right, while still allowing any one of my devices to talk to
the others.
If my personal machines were the only things that I needed, then all problems would already be solved. The problem is
that a significant fraction of my computing work happens on computing clusters hosted by our organization. Can we
still have our computing clusters see our self-hosted services without having to change any permissions on the
computing cluster? Of course! Via the power of glorious SSH, in particular the remote forwarding flag (-R), which takes
any traffic targeting some port on the SSH host, passes it back to the SSH client, and forwards it on to a remote
target. In command line form it is the command that you saw above. In ~/.ssh/config format, if you want a
less verbose command:
Host myhost.server
User myuser
RemoteForward 11434 100.x.x.x:11434
A small note is that the full form of the RemoteForward option is localhost:11434 100.x.x.x:11434, meaning that only
traffic that originates from localhost as seen by the SSH host will be forwarded, so in principle this method
should be as secure as your SSH host.
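As an added check that is not part of the original post: once the tunnel is up, confirm on the cluster that the forwarded port really is bound to loopback only, since whether a non-loopback bind address in -R is honoured depends on the server's sshd GatewayPorts setting. The script below runs that check over constructed ss -ltn output (not captured from a real host); the function name forward_bind_ok is my own.

```shell
#!/bin/sh
# Verify that every listener on the given port is bound to 127.0.0.1 or [::1].
# Usage on the SSH host while the tunnel is up:   ss -ltn | forward_bind_ok 11434
# Exit 0 = loopback only; exit 1 = no listener found, or one is reachable
# from another interface (e.g. 0.0.0.0:11434 or *:11434).
forward_bind_ok() {
  awk -v port="$1" '
    $1 == "State" { next }                       # skip the ss header line
    {
      addr = $4                                  # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != port) next                 # listener on another port
      found++
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host != "127.0.0.1" && host != "[::1]") bad++
    }
    END { if (found > 0 && bad == 0) exit 0; exit 1 }
  '
}

# Constructed sample output in the shape of `ss -ltn` (not from a real host).
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:11434    0.0.0.0:*
LISTEN 0      128    [::1]:11434        [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:11434      0.0.0.0:*'

printf '%s\n' "$SAMPLE_GOOD" | forward_bind_ok 11434 && echo "good sample: port 11434 is loopback only"
printf '%s\n' "$SAMPLE_BAD" | forward_bind_ok 11434 || echo "bad sample: port 11434 is exposed on all interfaces"
```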
So there you have it! Self-hosting is not as expensive as you might think, at least when you are just starting out with small experiments on your own. As to the concrete service that I wanted to have running, this magic port number may have given it away; in any case, this is something that I will report back on when I conclude my experiment.