Security Considerations for nSolo (1:1 NAT)
Understanding nSolo
nSolo provides a dedicated public IPv4 address mapped directly to your device via 1:1 NAT. This means your equipment is reachable from anywhere on the internet.
How Pro Differs from Other Tiers
| Feature | Basic/Plus | Pro (nSolo) |
|---|---|---|
| External IP | None / Shared | Dedicated |
| All ports accessible | No | Yes |
| Inbound connections | No | Yes |
| Outbound connections | Yes (Plus) | Yes |
| Use case | Private mesh, outbound only | Hosting public services |
Security Considerations for Vintage Hardware
Retro and legacy systems are typically designed for trusted networks. These systems often:
- Predate modern network-based threats
- Fail to meet modern encryption standards
- Are unpatched for years, if not decades
- Have little to no protection against brute-force attacks
- Transmit credentials in plaintext
Before You Enable Public Access
Ask yourself:
- Do I need this system reachable from the entire internet, or just from specific locations?
- What services am I exposing, and do they transmit credentials in plaintext?
- If someone gains access to my retro system, can they attack other devices on my network?
- Am I prepared to monitor logs and respond to incidents?
If you simply want to access your retro equipment remotely yourself, full public exposure may not be necessary.
Protection Options
SSH Tunnelling
Run a small Linux box (Raspberry Pi, VM) on your network that accepts SSH connections. Access legacy services by tunnelling through it. The retro systems never need direct exposure.
IP Whitelisting
Apply restrictive access controls to limit who can reach your services. The Nekotopia dashboard allows you to configure basic firewall rules for your nSolo public IP.
Teleport ZTNA
Nekotopia offers Teleport for zero-trust access. Instead of exposing services directly, users authenticate through Teleport and access your services via a secure proxy. This provides:
- Authentication with 2FA
- Audit logging of all access
- No direct port exposure
- Fine-grained access control
Bastion Host with Fail2ban
If you have a Linux gateway in front of your legacy gear, deploy fail2ban to block IPs after failed authentication attempts.
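The counting rule fail2ban applies (ban an address once it reaches `maxretry` failures within `findtime`) can be sketched over sshd log lines as follows. This is an added example, not Nekotopia's or fail2ban's own code; the log lines, host name, user names, ISO timestamp format and the function name `find_offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 bastion sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40100 ssh2
2024-05-01T10:00:05 bastion sshd[811]: Failed password for root from 203.0.113.7 port 40102 ssh2
2024-05-01T10:00:09 bastion sshd[812]: Failed password for root from 198.51.100.20 port 51000 ssh2
2024-05-01T10:00:12 bastion sshd[811]: Failed password for invalid user pi from 203.0.113.7 port 40105 ssh2
2024-05-01T10:05:00 bastion sshd[815]: Accepted publickey for neko from 192.0.2.10 port 52222 ssh2
2024-05-01T10:30:00 bastion sshd[820]: Failed password for root from 198.51.100.20 port 51010 ssh2
2024-05-01T11:10:00 bastion sshd[830]: Failed password for root from 198.51.100.20 port 51020 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime so slow, spread-out attempts do not add up.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when.isoformat()}")
```

The second address in the sample stays under the threshold because its three failures are spread over more than an hour, which is why log review is still needed alongside automated bans.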
nSolo vs nColo
If you need more than one IP address or want full routing control, consider nColo instead. nColo provides a routed IPv4 prefix (/29 to /32) via BGP peering — no NAT involved. See the nSolo and nColo page for details.
Recommendations
| Risk Level | Recommendation |
|---|---|
| Low | Internal services only (Basic tier) |
| Medium | Use Teleport ZTNA for remote access |
| High | Full public exposure with monitoring |
When in doubt, start with less exposure and expand only as needed.