https://en.wikipedia.org/wiki/Astroturfing
> Astroturfing is the deceptive practice of hiding the sponsors of an orchestrated message or organization (e.g., political, advertising, religious, or public relations) to make it appear as though it originates from, and is supported by, unsolicited grassroots participants. It is a practice intended to give the statements or organizations credibility by withholding information about the source's financial backers.
> The implication behind the use of the term is that instead of a "true" or "natural" grassroots effort behind the activity in question, there is a "fake" or "artificial" appearance of support.
Except that pinggy appears to be an ngrok clone, which is basically equivalent to port forwarding in terms of security.
If you don't want to expose the port for security reasons, you are better off using tailscale/zerotier/wireguard.
The vuln is there, trust me.
If you use WireGuard or Tailscale, your network is private. Only other devices in this private network could exploit this vuln.
The article for some reason didn't explain that at all or show examples using pinggy's authentication features. If the article had talked about that, the assertion about being more secure would have made a lot more sense.
It's a shame lists like https://github.com/anderspitman/awesome-tunneling do not call this out. FWIW, the one I work on, zrok.io (in truth, I work on its parent project, OpenZiti), has that hardening and auth because we believe it's vital.
I don't know what the security's like, but I haven't seen any other solution beat the ease of the setup process. (Install tor, write service ports into the config file, copy the URL somewhere safe, done.)
I see somebody else also mentioned Raspberry Pi itself has a similar service.
Taking a quick look at the article, it seems like you route traffic through Pinggy, whereas Tailscale is mostly (minus the TURN stuff) peer to peer with some NAT-busting.
Port forwarding over ssh is still... port forwarding.
This is neat and can be quite useful, but it's still port forwarding. There's nothing wrong with that - it's not like people will easily guess the hostname and port number and start brute-forcing ssh using this.
But neither VNC nor RDP should ever, for any reason, be connected directly to the Internet, even if using a random port number. Use ssh with -L to connect to VNC or RDP over ssh.
Pinggy does seem to support incoming IP whitelists, at least.
But fundamentally, I still don't understand why such an issue exists.
Like, my (behind NAT, no public IP, whatever) device can visit any website or web service fine without any extra configuration. And obviously the servers of these services can reach me to send the content I need.
But then suddenly, if I want to reach my device from outside, I need all this extra stuff. What's the difference?
(I understand this is a very, very dumb question. Forgive my ignorance!)
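The question above is about the asymmetry that every tunnel/relay in this thread works around: a stateful NAT only lets inbound packets through when an earlier outbound packet created a translation entry. The following toy NAT is an added illustration, not code from the post or from any of the products mentioned; all IP addresses and ports in it are constructed sample values.

```python
"""Toy stateful NAT (constructed example, not any real implementation).

Outbound packets create a translation entry; inbound packets are forwarded
only if they match an existing entry. An unsolicited inbound connection has
no entry and is dropped, which is why reaching a NATed device needs either
a port forward (a manually added entry) or a relay/VPN that the device
connects OUT to first, so that return traffic matches an existing entry.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000                 # next free public port
        self.by_public_port: dict = {}         # public port -> 4-tuple flow
        self.by_flow: dict = {}                # 4-tuple flow -> public port
        self.dropped: list = []                # unsolicited inbound packets

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: allocate (or reuse) a mapping and rewrite source."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.by_flow.get(flow)
        if pub_port is None:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = pub_port
            self.by_public_port[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: forward only if a matching mapping exists."""
        flow = self.by_public_port.get(pkt.dst_port)
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            self.dropped.append(pkt)           # no prior outbound flow: drop
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])


def demo():
    nat = StatefulNat("203.0.113.5")
    # 1. Device browses a web server: the outbound packet creates a mapping,
    #    so the server's reply is translated back to the private address.
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, nat.public_ip, out.src_port))
    # 2. Someone on the Internet tries to reach the device's RDP port directly:
    #    nothing mapped port 3389, so the packet is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.9", 12345, nat.public_ip, 3389))
    # 3. Relay/tunnel pattern: the device connects OUT to the relay over ssh,
    #    so the relay's traffic back to it rides the existing mapping.
    relay = nat.outbound(Packet("192.168.1.10", 52000, "192.0.2.20", 22))
    relayed = nat.inbound(Packet("192.0.2.20", 22, nat.public_ip, relay.src_port))
    return reply, unsolicited, relayed, len(nat.dropped)
```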
The ssh process that does the port forwarding is not reliably running in the background. Opening ports like ssh or xrdp to the public internet is not good security practice. OP says it's not port forwarding, but it's still port forwarding.
This seems like a simple service to make a quick buck.
What you should really look into is setting up a VPN like wireguard.
(but using headscale on the tailnet coordination)
Also consider using the whitelist option.