I currently have a server running Unraid as the OS, which has some WireGuard integration built in, which I’ve enabled and have been using to remotely access services hosted on that server. But as I’ve expanded to include things like OctoPi running on a Pi 3 and NextcloudPi running on a Pi 4 (along with AdGuard Home), I’m trying to determine the best way to VPN into my home network with the goal of reaching the services I’m hosting, and doing it safely of course.

I have a Netgear Nighthawk that has some VPN functionality built in that uses an OpenVPN account. Is that OK, or would it be advisable to come in a different way?

@Decronym@lemmy.decronym.xyz (bot account)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

DNS: Domain Name Service/System
IP: Internet Protocol
NAT: Network Address Translation
SSD: Solid State Drive mass storage
VPN: Virtual Private Network
VPS: Virtual Private Server (opposed to shared hosting)

6 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.

[Thread #434 for this sub, first seen 17th Jan 2024, 23:25]

@Darkassassin07@lemmy.ca

I host an OpenVPN instance from a Debian machine with my phone permanently connected to it.

Keeps my phone within my LAN while roaming so it has access to non-public services like Pi-hole, the arr stacks’ management interfaces, SSH/FTP, etc. Also keeps my browsing private + secure on public/work Wi-Fi.

Only the things I share with others like Emby get exposed to WAN (through a reverse proxy); the rest is VPN/LAN access only.

@giacomo@lemm.ee

I think OpenVPN works completely fine for most use cases, and I didn’t have any trouble with it at all. I did however switch to WireGuard on my gateway and I get a little better throughput compared to OpenVPN. That being said, I’m also using a pfSense box as my home gateway, so access to internal services has been as easy as general routing gets.

Illecors

Plug your Pis into WireGuard. Problem solved.

I run a WireGuard VPN into my home, and I can access my local services. It was a small matter of setting up routing properly.

I am using https://www.firezone.dev/ to set it up and manage it, but I believe it can be done manually if desired.

I set it up manually using this as a guide. It was a lot of work because I had to adapt it to my use case (not using a VPS), so I couldn’t just follow the guide, but I learned a lot in the process and it works well.

I had something manual set up originally as well, but it became a bit of a maintenance hassle. Moving configs to devices was a bit of a pain, and generating keys wasn’t easy.

stown

I can recommend Firezone as well. Served me well before I decided to host my WireGuard server on OPNsense.

I still miss the super easy client setup from Firezone! OPNsense really needs to make it easier.

@Father_Redbeard@lemmy.ml (creator)

That looks handy. Thanks!

originalucifer

OpenVPN is a decent standard; no reason it won’t or shouldn’t work.

Seems like a lot of Pis… ever thought of consolidating them into containers in a single box?

@Father_Redbeard@lemmy.ml (creator)

Most services are on the Unraid box. But I had a Pi running Pi-hole for a long time (switched to AdGuard Home) and wanted that separate from the main server in case it went down. Pis boot up a lot faster than my server hardware, and then you still need to start the array and mount drives. Having AGH on a Pi as primary DNS means minimal internet outages caused by my tinkering. I was given the 4 and put it in a really cool case that can fit an M.2 or 2.5" SSD and boot from it. So that is NextcloudPi and AGH. The 3 is because my 3D printer is nowhere near a LAN connection and the 3 has Wi-Fi. The 4 is sitting next to my router. We won’t mention the 1B I’ve been messing with too…

originalucifer

Ha, that’s great! I got a couple of old Dell R920s mirrored for HA; they take foreeever to boot.

But those containers, damn I love being able to slap those containers around like they’re nothing… most restart in seconds.

RedFox

Doesn’t Tailscale retain closed source for the coordination server?

I think Nebula mesh is totally open and you can run your own coordination server, the lighthouse?

Nebula would need a static IP; TS can do that part for $.

@Cyclo@lemmy.ml

Everything but the coordination server is open source. But you can self-host this part yourself: https://headscale.net/

@fenndev@leminal.space

I’ve seen a lot of descriptions of Tailscale but still have no idea what exactly it does. I get that it uses WireGuard, but what differentiates it from a typical VPN setup? NAT traversal?

@BCsven@lemmy.ca

It does the WireGuard config for you so you don’t have to reconfigure each machine when a new item is added to your network. Still a peer-to-peer type network rather than a single VPN to a LAN router.

stown

Tailscale is a service that relies on a third party to facilitate the VPN connection between your client and server. It is designed for people who don’t want to or cannot forward ports. Your server and your client both talk to the Tailscale servers and traffic is routed that way.

@BCsven@lemmy.ca

Adding a WireGuard system that has iptables adjusted to include forwarding and masquerading will allow your single WireGuard connection to see the rest of your LAN: https://www.stavros.io/posts/how-to-configure-wireguard/

@Father_Redbeard@lemmy.ml (creator)

Yeah I know some of those words…

I’m still a newb but I’ll have a look at that link, thanks!

@BCsven@lemmy.ca

If you are totally new to WireGuard setup, I found that reviewing all of these links gave me a better understanding of how the configuration setup worked. No one site seemed to cover it all, and each one had some good tips or explanation about a certain part of WireGuard.

https://golb.hplar.ch/2019/07/wireguard-windows.html

https://emanuelduss.ch/2018/09/wireguard-vpn-road-warrior-setup/

https://docs.sweeting.me/s/wireguard#

This Stavros one has the PostUp/PostDown iptables modifications for forwarding traffic and your wg device masquerading as any device on the LAN:

https://www.stavros.io/posts/how-to-configure-wireguard/

https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/

@Father_Redbeard@lemmy.ml (creator)

That’s great, thanks for the info. I was able to get WireGuard set up in Unraid, but they make it pretty easy, so I didn’t have a problem. I just didn’t think about connecting to the entire network, not just the server.

Max-P

Any reason the VPN can’t stay as-is? Unless you don’t want it on the Unraid box at all anymore. But going to Unraid over VPN and then out to the rest of the network from there is a perfectly valid use case.

This is how I use it and it’s been rock solid for ages! Can even pass Pi-hole through it so you get no ads when out and about.

@Father_Redbeard@lemmy.ml (creator)

Well, I didn’t realize that was an option, to be honest, lol. I am having some issues with that box at the moment though, so having a Pi or my router acting as the gateway appealed to me with its longer uptime.

PiVPN

Presi300

+1

@qjkxbmwvz@lemmy.sdf.org

As others have said, I’d play with routing/IP forwarding such that being VPN’d to one machine gives you access to everything — basically I would set it up as a “road warrior” VPN (but possibly split tunnel on the client [yes I know, WireGuard doesn’t have servers or clients but you know what I mean]).

Alternately, I think you could do some reverse proxy magic such that everything goes through the WireGuard box — a.lan goes to service A, b.lan to service B, etc., but if you have non-http services this may be a little more cumbersome.
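The layout several replies describe (a single WireGuard box whose PostUp/PostDown iptables rules forward and masquerade VPN traffic onto the LAN, with a road-warrior client that split-tunnels only the home subnets) written out as an added example; this is not any poster's configuration, and the subnets, interface name, hostname, resolver address and key placeholders are assumptions to be replaced with your own.

```ini
# --- server: /etc/wireguard/wg0.conf on the box that terminates the VPN (a Pi or the Unraid host) ---
# Assumed placeholders: LAN 192.168.1.0/24 on eth0, VPN subnet 10.8.0.0/24, UDP 51820 forwarded from the router.
# The kernel must also have net.ipv4.ip_forward=1 (e.g. via /etc/sysctl.d/) or nothing is routed between wg0 and eth0.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
# Forward VPN -> LAN, allow only replies LAN -> VPN, and masquerade so LAN hosts answer to the server's
# own LAN address (they need no route back to 10.8.0.0/24).
PostUp = iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT; iptables -D FORWARD -i eth0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The phone. AllowedIPs here is also a source filter: the tunnel only accepts packets from 10.8.0.2.
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# --- client: phone.conf, split tunnel (only VPN and LAN destinations enter the tunnel) ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>
# Assumed address of the AdGuard Home Pi, so internal names resolve and ad-blocking follows you while roaming.
DNS = 192.168.1.53

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
# Change to 0.0.0.0/0 for a full tunnel (all browsing through home, as Darkassassin07 describes).
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping on the phone's network alive so the server can still reach it.
PersistentKeepalive = 25
```

With the phone connected, `sudo wg show` on the server should list the peer with a recent handshake, and the Pis and the Unraid box are then reachable by their normal LAN addresses without each of them running WireGuard.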
