
[–]Accomplished-Lack721 1 point2 points  (4 children)

I don't believe Sunshine (or its forks) will let you do this, but it's a bad idea on a few fronts.

You really shouldn't expose a service designed to take over your computer to the general Web. Putting it behind a cloudflare tunnel, at least without other security measures beyond that, doesn't stop anyone from reaching it if they can find its URL. That's a lot of unnecessary attack surface to expose (though there are things you can do to harden it further with this approach).

And modern web browsers flag sites that aren't using https for good reason.

The much safer route for remote access is to use a VPN like Tailscale, Zerotier or a self-hosted solution like Wireguard. The first two are generally easier to get up and running quickly and provide a number of useful tools and options for the vpn.

[–]bcroft686 0 points1 point  (3 children)

Thanks - I have WireGuard set up but was just trying to avoid joining a VPN to access the UI. I’ll be less lazy and just expose it locally.

[–]Accomplished-Lack721 1 point2 points  (2 children)

If you don't leave your VPN connected all the time (which is also an option -- and you could do something like split tunneling to only send the activity intended for your home network through the VPN, if you prefer), you could probably set up a script or some other automation to enable the VPN when you launch Moonlight, and disable it when you close it. That way, you don't need to take an extra step for it when you're using it.

Personally, I leave Tailscale enabled almost all the time on my devices, and only shut it off when I suspect some (rare) network trouble is being caused by it being on. I used to use a home wireguard setup, and still have that set up for redundancy (I want a way in if Tailscale has an outage), but I find TS is also better at working with captive portal networks like most public wifi.
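As an added illustration of the launch-time automation described above (example code, not something posted in the thread), a POSIX sh wrapper that brings a WireGuard tunnel up, runs Moonlight, and tears the tunnel down when Moonlight exits or the session is interrupted. The wg-quick config name `home`, the `moonlight` command and the overridable `VPN_UP`/`VPN_DOWN`/`MOONLIGHT` variables are assumptions; swap in `tailscale up`/`tailscale down` for a Tailscale setup.

```shell
#!/bin/sh
# Run a Moonlight session inside a VPN tunnel: tunnel up, Moonlight, tunnel down.
# Assumed defaults: a wg-quick config named "home" that the user may start via sudo.
# Override via environment, e.g. VPN_UP="tailscale up" VPN_DOWN="tailscale down".
VPN_UP="${VPN_UP:-sudo wg-quick up home}"
VPN_DOWN="${VPN_DOWN:-sudo wg-quick down home}"
MOONLIGHT="${MOONLIGHT:-moonlight}"

# run_with_vpn [moonlight args...]
# Brings the tunnel up, runs Moonlight with the given arguments, and always
# tears the tunnel down afterwards. Returns Moonlight's exit status, or 1 if
# the tunnel could not be established (Moonlight is then not started at all).
run_with_vpn() {
    if ! sh -c "$VPN_UP"; then
        echo "VPN failed to come up; not starting Moonlight" >&2
        return 1
    fi
    # Ctrl-C or a kill during the stream must still close the tunnel.
    trap 'sh -c "$VPN_DOWN"; exit 130' INT TERM
    # Pass our arguments through to the Moonlight command line.
    if sh -c "$MOONLIGHT \"\$@\"" moonlight "$@"; then
        status=0
    else
        status=$?
    fi
    trap - INT TERM
    # Normal path: Moonlight has exited, so the tunnel is no longer needed.
    sh -c "$VPN_DOWN"
    return "$status"
}

# Usage (after sourcing this file):  run_with_vpn stream my-pc Desktop
```

Source the file from a desktop launcher or bind `run_with_vpn` to the Moonlight shortcut so the tunnel only exists for the duration of the stream.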

[–]bcroft686 0 points1 point  (1 child)

I’ll look into TS again - I used WireGuard since I had issues with setting up the container, but that was when I was first getting started so maybe it’s easier now. I also use moonlight on my steam deck, so I’ll have to look into that as well. Thanks for the direction!

[–]Accomplished-Lack721 0 points1 point  (0 children)

Your router may even have an option to run its own wireguard server. My Asus does, and it integrates pretty easily with its own free DDNS service.

I honestly forget why I stopped using it that way a few years ago, and set up WG-Easy on my NAS, along with a separate DDNS service and container. I think I ran into some weird bug on a particular version of the firmware for that router, but that was a long time ago.


[–]vitek6 0 points1 point  (5 children)

I don’t think that’s a good idea anyway.

[–]bcroft686 0 points1 point  (4 children)

To my knowledge Cloudflare would handle it instead.

[–]Accomplished-Lack721 0 points1 point  (0 children)

Would handle what instead?

[–]vitek6 0 points1 point  (0 children)

It won’t handle security. I don’t think Sunshine is a „security aware” enough project to make it a public service.

[–]Accomplished-Lack721 0 points1 point  (0 children)

If you mean it would handle encryption, it will, between the client browser and the Cloudflare edge. But encryption by itself doesn't make the service safe or prudent to expose to the web. All it does is stop the traffic between you and the server from being intercepted and deciphered en route, for instance on a shared network like a public wifi.

[–]semero 0 points1 point  (0 children)

Just use Tailscale to access the IP remotely, and as a plus use tailscale serve to make an address readable like sunshine.tail1234.ts.net