74

What do you guys use / recommend to set up your own VPN to access your LAN services remotely?

all 46 comments
sorted by: hot top controversial new old
[-] Decronym@lemmy.decronym.xyz 46 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
DNS Domain Name Service/System
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

4 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #6 for this sub, first seen 19th Jul 2023, 10:30] [FAQ] [Full list] [Contact] [Source code]

[-] gabriele97@lemmy.g97.top 45 points 1 year ago

Wireguard (if you can open udp ports)

[-] IamPic@lemmy.world 10 points 1 year ago

That's what I'm using, though I've used wg-easy, which made the setup, well, easy.

[-] PlexSheep@feddit.de 3 points 1 year ago

Yup, WG easy works pretty well

[-] goodhunter@lemm.ee 14 points 1 year ago

People seem to like and recommend Tailscale. I have not gotten to setting it up. My setup involves reverse proxy with treafik and my services in docker. Any suggestions on how what I need to do would be welcome.

[-] randombullet@lemmy.world 12 points 1 year ago

This is the exact script I use to install tailscale on my VPN server

Installing Tailscale

 curl -fsSL https://tailscale.com/install.sh | sh 

Enable IP forwarding

 echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf 
 echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf 
 sudo sysctl -p /etc/sysctl.conf 

Advertise subenets and exit node

 tailscale up --advertise-exit-node --advertise-routes=192.168.0.0/24,192.168.2.0/28,192.168.5.0/24,192.168.10.0/24
[-] goodhunter@lemm.ee 2 points 1 year ago* (last edited 1 year ago)

Thank you for message, i appreciate the effort.

Where I struggle is the part where i need to expose my subnet within Tailscale. I don’t have any machineip:port delegated to the services anymore.

I got a domain name through CF, and have traefik generate unique url links as *service.mydomain.com that routes it to the specific service running in docker on my localmachine. It also takes care of certificates. Calling that service url only works within the local network.

In my docker compose set up, I removed all the ports as I dont access the services via ip:port. I hope this makes sense to you.

So it seems I need to configure Tailscale in such a way I can tunnel to my home network and then make the service.mydomain.com call. And that is where it got too complicated for me right now.

I also fail to understand if I need to run Tailscale native or in (the same) docker env.

[-] appel@whiskers.bim.boats 5 points 1 year ago* (last edited 1 year ago)

You can run tailscale client on the host, not in a container. Then for the domain names, create a DNS record either in the public DNS (or I think you can do it in the internal tailscale DNS) that points a wildcard for your subdomains (*.domain.com) to the IP of the container host within the tailnet. Do "tailscale --status" on any device joined to the tailnet to see the IP addresses inside the tailnet. Then all of the devices will make their DNS request to either your upstream DNS or the internal one, they get the response back that they need to send their http request to the container host within the tailnet, it sends on the default 80 or 443 ports for http and https respectively, and then your reverse proxy handles the rest.

[-] goodhunter@lemm.ee 1 points 1 year ago* (last edited 1 year ago)

hi, i finally found some time to dig into this. Oddly, I think I got a functioning setup, although it did a bit differently in the end. If you may, please advise if I indeed reached completion, or I have it set suboptimal.

  1. I installed Tailscale gui natively on my mac mini, and ios devices.
  2. I tried following up on your advise of creating DNS records. First in Cloudflare, but since I already set a wildcard entry as type CNAME/*/mydomain.com/DNSonly/TTLauto I wasn't allowed to add type A record with a similar wildcard entry. I need this existing CNAME line for Traefik to work my SSL certificates (as far i understood). Then I tried setting it up through the DNS>custom Namespaces within Tailscale admin console instead. An entry would look like service.mydomain.com and for ipv4 the local ip of the mac mini. But I wasn't sure about the config as it wasn't working. Then i tried the Tailscale ip 100.xx.xx.xx, to no avail.
  3. I thought I needed to advertise routes for my local network, so I did. As similar to --advertise-routes=192.168.68.0/24. And later instead the docker network 172.23.0.0/16. Still didn't do it.
  4. As I am a NextDNS user I set the ID number in Tailscale>DNS>Nameservers as the Global nameserver and checked Override local DNS.
  5. In the NextDNS config I defined a Rewrite function as *.mydomain.com to the Tailscale IP of the local machine 100.xx.xx.xx . And boom, I can access the servers from my idevices over the Tailscale vpn tunnel.
  6. I then tried to tear down the setup again. It seems the advertise routes from (3) doesn't do anything, so I removed it again.

Open for any suggestions on this hacked attempt.

Update: yes found an issue. I can only access the services with tailscale enabled. I suspect the rewrite is causing an inproper pass through without the tunnel, as that the tailscale ip cannot be reached.

Update 2: I changed to rewrite to the local ip address instead, similar to 192.168.68.110. I think it works now when accessing within the local network without tunnel and externally with the tunnel.

[-] appel@whiskers.bim.boats 1 points 1 year ago

Seems like you got it to work, I'm not sure about traefik requiring that cname for ssl, our setup does not. But yes the way we've done it does require that tailscale is always enabled. Even when on lan. If you've managed to setup both LAN and tailscale connections for one thing that's pretty cool.

[-] ashok36@lemmy.world 1 points 1 year ago

I've been using it for maybe a year now and it's been rock solid. Highly recommended.

[-] ruckblack@sh.itjust.works 8 points 1 year ago

I've never had issues with my plain old OpenVPN setup

[-] xinaked@lemmy.world 8 points 1 year ago

tailscale 100 times over

[-] giddy@aussie.zone 5 points 1 year ago

i have pivpn (wireguard+pihole) running on a pi zero and it is rock solid

[-] Starfighter@discuss.tchncs.de 5 points 1 year ago* (last edited 1 year ago)

Was running Wireguard and am now in the process of changing over to Tailscale (Headscale).

It uses Wireguard for the actual connections but manages all the wireguard configs for you.

[-] IamPic@lemmy.world 4 points 1 year ago

Why have you decided to switch?

[-] Starfighter@discuss.tchncs.de 6 points 1 year ago* (last edited 1 year ago)

Getting the configs to work with my personal devices was already a little finicky but doing that for not-so-technical family members was starting to be a bit too much work for me.

I'm hoping that Headscale will cut that down to pointing their app at the server and having them enter their username and password.

[-] spencer@lemmy.ca 5 points 1 year ago

I came here to say exactly this - WireGuard is great and easy to set up, but it gets harder as you add more people, especially less technical ones, as getting them to make keys and move them around etc becomes a headache. Tailscale also minimizes the role of the central server, so if your box goes down the VPN can still function. Tailscale can also do some neat stuff with DNS that’s pretty nifty.

[-] witten@lemmy.world 2 points 1 year ago

One thing that helped a ton with that for Wireguard (for either you or anyone else reading this) is: You can generate QR codes for a peer's full Wireguard config! So you can create the images on your computer and then a non-technical user can just scan the code to get configured.

[-] CriticalMiss@lemmy.world 4 points 1 year ago

My MikroTik has built in WireGuard functionality so it was an easy pick 😁

[-] Gutless2615@ttrpg.network 4 points 1 year ago

PiVPN. single line install script. Couldn’t be easier. Now if you have a shitty ISP like yours truly that can prevent you from being able to.

[-] varaki@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

I installed OpenWrt on my home router and set up wireguard on it. If you have dinamic IP address assigned by your ISP, like me, you also have to setup a dynamic dns updater on the router. I use duckdns.org. Then you have to open the port for wireguard on the router. Here's a video guide on how to do it: https://www.youtube.com/watch?v=Bo2AsW4BMOo

[-] PipedLinkBot@feddit.rocks 7 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/watch?v=Bo2AsW4BMOo

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

@Coldus12 I got wireguard hosted on my openwrt router. Straightforward and no fuss.

[-] ggnoredo@lemm.ee 3 points 1 year ago
[-] FrostyCaveman@lemm.ee 2 points 1 year ago

I use this too. It is excellent

Check out Slack Nebula.I personally like it very much and used it to build a software-defined WAN to support my family's needs. I use a point to point WireGuard tunnel between my VPS and my home network to support self-hosted instances of Mastodon and Lemmy.

[-] rambos@lemmy.world 2 points 1 year ago

Not many people here use openmediavault it seems, but Its wireguard plugin is super nice.

[-] kalipike@lemmy.one 2 points 1 year ago

Tailscale all the way.

[-] green_dot@le.fduck.net 1 points 1 year ago

Check netmaker for wireguard vpn if you want a ui, but its straightforward to set it up manually.

[-] MedicareForSome@lemmy.ml 0 points 1 year ago

While I’ve never used it personally I’ve heard good things about cloudflare tunnel.

[-] rog@lemmy.one 2 points 1 year ago

Depends on the use case. Cloudflare tunnels are great for accessing services, but not your network. I have a dockerised vscode instance behind a cloudflare tunnel attached to a personal domain that uses white listed emails as authorisation. Fantastic set up, can access my coding environment from anywhere with an internet connection as long as I can click the verification link in my emails.

To access my network itself though, wireguard is better. I just use pivpn (coupled with pihole for on the go adblock) on a rpi.

this post was submitted on 19 Jul 2023
74 points (98.7% liked)

Selfhosted

40403 readers
469 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS