Is portforwarding actually dangerous?

I’m curious about setting up the ability to play outside my house, and I would like to set up Wake on WAN, but I hear it’s risky?

Any time you open ports to the public internet, there is risk involved. Anyone anywhere in the world can now reach your personal computer. It would be safer to port forward a VPN to a dedicated device on your network than to port forward your PC directly. There is still risk involved, but less so.

You should assume, and plan for, the service behind the open port being accessible and vulnerable. In general, if the service has two-factor auth, I’d consider that secure for home or even small business. I wouldn’t risk it with just a password, unless it was backed by fairly restrictive brute-force protection (e.g. Fail2Ban or similar) and strong passwords.

For WOL, I don’t see much risk. Port 9 would only allow someone to wake your device which, while annoying, isn’t exactly the end of the world.

But a VPN would probably be a better, more secure solution. And adds the benefit of giving you a reasonably secure way to access your internal network, so you can keep more services local.
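As an added illustration of the "restrictive brute-force protection" mentioned above (example code written for this page, not something from the thread or from the Fail2Ban project): a minimal Fail2Ban-style detector that scans OpenSSH-style auth log lines, counts failed logins per source address inside a sliding window, and reports which sources would be banned. The log lines, the host name, the addresses and the thresholds (5 failures within 10 minutes) are all constructed assumptions.

```python
# Added example (not from the thread or from Fail2Ban): a minimal
# Fail2Ban-style brute-force detector over constructed sshd log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed threshold
WINDOW = timedelta(minutes=10)   # assumed sliding window
LOG_YEAR = 2024                  # syslog lines carry no year; assumed for parsing

# Matches the classic OpenSSH failure line, e.g.
# "Jun  3 12:00:01 host sshd[123]: Failed password for root from 203.0.113.5 port 5000 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammers the password prompt,
# another source logs in with a key and mistypes a password once.
SAMPLE_LOG = [
    "Jun  3 12:00:01 gamepc sshd[4101]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "Jun  3 12:00:04 gamepc sshd[4102]: Failed password for root from 203.0.113.5 port 50002 ssh2",
    "Jun  3 12:00:06 gamepc sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2",
    "Jun  3 12:00:09 gamepc sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 50004 ssh2",
    "Jun  3 12:00:12 gamepc sshd[4105]: Failed password for root from 203.0.113.5 port 50005 ssh2",
    "Jun  3 12:01:30 gamepc sshd[4106]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2",
    "Jun  3 12:02:00 gamepc sshd[4107]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Jun  3 12:15:00 gamepc sshd[4108]: Failed password for root from 203.0.113.5 port 50006 ssh2",
]


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_bans(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {source_ip: time_of_ban} for sources that exceed the threshold.

    Failures older than `window` (relative to the newest failure from that
    source) are dropped before the count is compared against the threshold.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans:
            continue              # already banned; a real jail would drop its packets
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

On the sample above only 203.0.113.5 crosses the threshold (its fifth failure within two minutes); the single mistyped password from 198.51.100.7 never does, which is the point of a windowed counter rather than a lifetime one. A real deployment pairs this with a firewall rule that drops the banned source for a fixed period and with key-based or two-factor login, so the counter is a backstop rather than the only line of defence.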

So I have a port forwarded to access Sunshine remotely, set up in my router for that specific PC. It works great, but I’m concerned it would give someone complete desktop access. What can I do to secure it? I could do something like Tailscale, but are there any other options?

Yes, but how risky depends on what services you’re forwarding TO.

The safest way to do this would be to set up a VPN service in your network, connect to that, then do Wake on LAN and your Moonlight connection as if you were in your local network.

Many routers can run a WireGuard or OpenVPN service along with a free DDNS to facilitate the connection. That will require opening the VPN ports to the Internet (the router may do that automatically), but the connections for those services are considered highly secure.

If you can’t do that, installing Tailscale on your desktop as well as the remote device will work (and actually doesn’t involve exposing any ports to the Internet).

I’m curious about setting up the ability to play outside my house, and I would like to set up Wake on WAN, but I hear it’s risky?

Wake on LAN isn’t particularly risky, but port forwarding is risky in some sense. You’re suddenly exposing your computer to the world, and in doing so you become highly reliant on security systems within the service that you’ve exposed.

I had to buy a mini PC with two Ethernet ports, one for WAN and another for LAN. I installed pfSense on it, and my router and my devices are connected via the LAN port on pfSense. This is the most used way to prevent DDoS or hacking attacks in your house. It’s expensive, but if you are warned about your home network, this is the correct way to do it.

Personally, I configured Moonlight with my Android connected to my PC, and whenever I want to access my PC through the internet I just click on WOL and it wakes up.

No risks. Port forwarding is a feature. You need to forward ports to remote stream.

Is there a guide somewhere to use Tailscale? And is it used with Moonlight? Or separately?

Tailscale is a good option if your internet provider doesn’t allow you to expose any port, but for using Moonlight it doesn’t work as well. The latency is about 70ms with a good internet connection, and that is not OK.

It’s concerning how many people do this; the chance of Sunshine at some point having a security issue is more likely than not.
Use a ZeroTier VPN or set up your own VPN with something like WireGuard.

He specifically mentioned Wake on WAN (from the internet).

I personally have another device on Linux (for Pi-hole) which I can SSH into when connected to the VPN, to initiate a wakeonlan command for the PC. (Since those Wake on LAN apps won’t work outside of the network, even with a full / split VPN tunnel.)

Does that work when you’re out of the house?

Quick google search and it has already happened: CVE-2024-31220

He specifically mentioned Wake on WAN (from the internet).

It’s really not a security issue (you can’t wake on LAN “from” the internet; it’s a layer 2 op and your computer doesn’t have an IP address when it’s off - you can’t port forward this in the first place).

You need to add your PC’s MAC address to the ARP table on your router, port forward port 9, and then send a WoW signal; then it works.
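To make concrete what that forwarded port 9 actually carries, here is an added example (written for this page, not code from the thread or from any WOL tool) that builds and validates a Wake-on-LAN "magic packet": 6 bytes of 0xFF followed by the target MAC repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password. The MAC address, the host name and the sample payloads below are constructed.

```python
# Added example (not from the thread): build and validate a Wake-on-LAN
# magic packet as carried over UDP port 9. All sample values are constructed.
import re
import socket

SYNC = b"\xff" * 6      # synchronization stream that starts the packet
REPEATS = 16            # the target MAC follows, repeated 16 times
MAC_LEN = 6


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 bytes."""
    hexdigits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac, secureon=b""):
    """Return the 102-byte magic packet (plus an optional SecureOn password)."""
    if len(secureon) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + parse_mac(mac) * REPEATS + secureon


def extract_target_mac(payload):
    """Return the target MAC in colon form if `payload` is a magic packet, else None.

    This is the receiver-side (or log-side) check: it lets you see which MAC an
    inbound packet on the forwarded port is trying to wake.
    """
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC):]
    if len(body) < MAC_LEN * REPEATS:
        return None
    mac = body[:MAC_LEN]
    if body[:MAC_LEN * REPEATS] != mac * REPEATS:
        return None
    trailer = body[MAC_LEN * REPEATS:]
    if len(trailer) not in (0, 4, 6):   # nothing, or a SecureOn password
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac, host="255.255.255.255", port=9):
    """Send the packet: LAN broadcast by default, or the router's public
    address for the Wake-on-WAN arrangement described in the thread."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (host, port))
    return len(pkt)


if __name__ == "__main__":
    # Constructed, locally administered MAC; nothing is sent here.
    pkt = build_magic_packet("02:00:5e:00:00:01")
    print(len(pkt), extract_target_mac(pkt))
```

Two things the code makes visible that matter for the risk discussion above: the packet carries no authentication at all (the optional SecureOn password travels in the clear and is rarely configured), and the only thing it can do is wake the machine whose MAC it names. That is why the earlier replies rate a forwarded port 9 as a nuisance rather than a compromise, and why the static ARP entry is needed: once the PC is asleep the router has no other way to map the forwarded packet to a LAN frame.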

And this lets me turn my PC on and off from outside my house?

In the same google search, it shows patched, and the details describe that it was a vulnerability related to having the web portal accessible outside of LAN.

So, never port-forward the web UI protocol/port, and also consider using the Apollo branch, which has device-based client/admin permissions, for an extra layer of protection.

The computer doesn’t have to be off, obviously. Mine is 24/7 asleep or periodically awake, so it can be woken up every time it’s needed, whether my son wakes it up with Moonlight, or I wake it up with a phone app or via a CLI.

When it’s off, it actually can have an IP address in some cases; it differs per motherboard. Some can wake up from ‘off’, mine cannot (the network port doesn’t stay up when shut down).