It’s a 10 minute read when it should probably be a 2 minute read, likely due to LLMs fluffing it up (I got that vibe from skimming it). But what do you all think, is there anything in here that would compel you to switch from your current VPN solution to this?
There’s nothing I’d like to do more than let the US internet-monopolizing company handle all my vpn traffic /s But without being snarky, for homelabbing purposes just use wireguard directly, it’s fun and not that hard to handle. Automate peer configurations using Ansible or some other automation tool if it gets hard to manage manually.
Yeah, you can’t just use wireguard directly on a home network depending on provider (CGNAT) and you can’t just switch providers as most providers are in a non-compete with other providers. So, Cloudflare Mesh or Tailscale is the best option for those.
See my comment here, https://infosec.pub/comment/21363677
I tried, but I don’t understand how to bypass a cgnat. With Tailscale it just works. Also, I tried Netbird, it’s very similar, and it works well too. I’d love to simplify this, but I have no knowledge at the moment. Would love someone pointing into the right direction.
CGNAT and changing IPs make this harder. What I’d consider in this scenario is renting a small vps at a local provider (a tiny/cheap machine is enough). Then use this one as a hop to your network, basically homelab->vps<-client. Here is a post that talks about something like that: https://taggart-tech.com/wireguard/
I haven’t used this method personally, but I’ve done something similar for incoming web traffic before, when you want to host things behind a CGNAT. You can actually keep all the traffic confidential by having just an L4 proxy on the vps, then the http traffic is still end-to-end encrypted between the client and the service, so you don’t even have to trust the vps provider when it comes to them snooping. They still get some metadata, but not significntly more than the ISPs.
I’m trying to set up the same at some point. How do you solve the changing IP address problem?
The simplest would be renting a VPS I think.
I grabbed an Oracle free-tier many moons ago. The x86 one with 4 gig of memory I think? The arm have a much more core and memory but unless you go with Pay As You Go (PAYG) account ( need a one time refundable $100 credit) it’s virtually impossible to grab it.
My free tier account is sufficient as pure VPN for accessing stuff, you get 10 TB/month egress traffic. The downside is it’s Oracle, and you are at their mercy ( they can purge it without notice )
I never tried it because CGNAT but maybe Dynamic DNS could also solve this.
Other than that, Tailscale / CF tunnel are a fine solution ( for now )
Finally a reasonable person around here.