diff --git a/docs/bonjour.md b/docs/bonjour.md index 0c206a6b8..65f71dbf0 100644 --- a/docs/bonjour.md +++ b/docs/bonjour.md @@ -29,6 +29,11 @@ brew install coredns sudo mkdir -p /opt/homebrew/etc/coredns sudo tee /opt/homebrew/etc/coredns/Corefile >/dev/null <<'EOF' clawdis.internal:53 { + # Security: bind only to tailnet IPs so this DNS server is *not* reachable + # via LAN/Wi‑Fi/public interfaces. + # + # Replace `` / `` with this machine’s Tailscale IPs. + bind log errors file /opt/homebrew/etc/coredns/clawdis.internal.db @@ -77,6 +82,17 @@ In the Tailscale admin console: Once clients accept tailnet DNS, Iris can browse `_clawdis-bridge._tcp` in `clawdis.internal.` without multicast. +### Bridge listener security (recommended) + +The bridge port (default `18790`) is a plain TCP service. By default it binds to `0.0.0.0`, which makes it reachable from *any* interface on the gateway machine (LAN/Wi‑Fi/Tailscale). + +For a tailnet-only setup, bind it to the Tailscale IP instead: + +- Set `CLAWDIS_BRIDGE_HOST=` on the gateway host. +- Restart the Gateway (or restart the macOS menubar app via `./scripts/restart-mac.sh` on that machine). + +This keeps the bridge reachable only from devices on your tailnet (unless you intentionally expose it some other way). + ## What advertises Only the **Node Gateway** (`clawd` / `clawdis gateway`) advertises Bonjour beacons. diff --git a/docs/ios/connect.md b/docs/ios/connect.md index 142bd8224..042f57173 100644 --- a/docs/ios/connect.md +++ b/docs/ios/connect.md @@ -34,6 +34,11 @@ pnpm clawdis gateway --port 18789 --verbose Confirm in logs you see something like: - `bridge listening on tcp://0.0.0.0:18790 (Iris)` +For tailnet-only setups (recommended for Vienna ⇄ London), bind the bridge to the gateway machine’s Tailscale IP instead: + +- Set `CLAWDIS_BRIDGE_HOST=` on the gateway host. +- Restart the Gateway / macOS menubar app. + ## 2) Verify Bonjour discovery (optional but recommended) From the gateway machine:
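Review bot: In the docs/bonjour.md Corefile hunk, the added `bind` directive is emitted with no addresses, and the comment that introduces it reads "Replace `` / `` with this machine's Tailscale IPs" with both placeholders empty, so a reader copying the snippet gets a `bind` line with nothing after it. Spell the placeholders out as visible tokens in the code spans (for example `TAILSCALE_IPV4` / `TAILSCALE_IPV6`) and put them on the `bind` line itself so they survive rendering. Worth one extra sentence in the same comment: once `bind` lists only tailnet IPs, the server is no longer reachable on loopback either, so any resolver on the gateway host that points at `127.0.0.1` must be added to the `bind` list or repointed.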
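Review bot: In the "Bridge listener security (recommended)" hunk, the instruction `Set CLAWDIS_BRIDGE_HOST=` has an empty value where the Tailscale IP placeholder should be, so the step is not actionable as rendered; give it a visible placeholder such as `CLAWDIS_BRIDGE_HOST=TAILSCALE_IP`. The section also calls the bridge a "plain TCP service" and then states that binding to the Tailscale IP "keeps the bridge reachable only from devices on your tailnet"; since the bind address is the only control described here, add a line saying whether the bridge itself authenticates clients, and that tailnet reach is further governed by the Tailscale ACLs, so readers do not treat the bind address as the whole access-control story. Finally, binding to the Tailscale IP also removes the `127.0.0.1` path on the gateway host, which should be stated if local clients on that machine are expected to keep working.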
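Review bot: In the docs/ios/connect.md hunk, the same `Set CLAWDIS_BRIDGE_HOST=` line again has an empty value, so fix the placeholder here as well (and keep it consistent with docs/bonjour.md). The unchanged context just above still tells the reader to confirm `bridge listening on tcp://0.0.0.0:18790 (Iris)` in the logs, but after following the new tailnet-only step that line will no longer show `0.0.0.0`; add the expected log line for the Tailscale-bound case (for example `bridge listening on tcp://TAILSCALE_IP:18790 (Iris)`) so users have a concrete check that the bind actually took effect, and note that seeing `0.0.0.0` after the restart means the variable was not picked up.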