

A cheap device like an Onn (~$20) would solve that, probably without requiring the device have Internet access once set up.




I’ve had so many instances of free to use, lifetime licenses, and purchased software that have turned into subscription services that I refuse to install anything that requires an account unless it can’t be avoided. The fact that Plex required an account be created to view my own local content years before they started charging for use made it obvious subscription fees were coming.
Jellyfin works great. Combined with Wireguard it works great anywhere.
I’m like you and did not want any kind of corporate entity involved in my network if it could be avoided. I settled on Wireguard and rather than deal with management constantly I set up 3 times as many peer configurations as initially needed. When a new device is added I just copy a spare configuration to the device and change the name of the config on the server. Tasker is used to connect the WG tunnel on our phones whenever home wifi is not connected. The open port on the router looks closed to the outside and only responds when the correct key is received so there’s no known way to breach the network.
Everything from my phone is run through WG and it only uses a tiny amount of additional mobile data. Syncthing adds nothing of consequence except when syncing big files. Battery life is fine even with both WG and Syncthing running.
Once set up it’s required zero attention or maintenance.


Technology websites should just add a top level menu - “Google Abandoned”


What are the tunnel subnets? Are you using a reverse proxy to access local devices, or DNS rewrites?
I’d start by looking for subnet overlap somewhere.


I’m not clear about your setups at all sites. In the details for case 4 there’s a Firestick (customized Android) connected to WG (WG running on the Firestick?) but in your summary there’s a laptop in case 4 and the Firestick isn’t mentioned.
I suspect at least part of the problem is that Android does not tunnel hotspot client traffic. It provides Internet but not WG connectivity. Only the phone’s apps will be able to connect through the WG tunnel.


Running Mint for apps like Jellyfin and Icecast that aren’t critical, and Debian for apps like Frigate that are. Mint is easier to manage and more convenient, but Debian is amazingly reliable. Docker is used for everything.
Consider adding Wireguard or similar for anywhere access. I have Tasker automatically connect whenever I’m not on home wifi so everything is always available without having detectable open router ports.


I’ve had a doctor literally come out into the waiting room and sit down and talk golf and stocks with someone for 30 minutes during my appointment time. Other times I’ve been the first appointment in the morning and the doctor has come in 30-40 minutes late anyway. A couple of times I could hear them in the hallway having a friendly chat with someone about something that has nothing to do with patients or the practice. None of my doctors are part of private equity companies and all have 20 minute appointment times.
There’s no question that many doctors are decent, but a full 50% of them are below average.


Roku tries to monitor HDMI activity on Roku TVs so they know exactly what’s being watched at all times. They also insert ads into the menu on a regular basis and sometimes force install apps. Adguard Home has blocked the vast majority of the ads on screen, but from what I’ve found the menu ads can’t be blocked.
If I had Fire TV and it’s as bad as you say it would have been binned long ago.


You didn’t mention it can also recognize and identify wildlife, trash cans, lawnmowers, license plates, delivery truck companies, and even faces.


Avoid Roku devices. Roku had an OK remote and decent UI, but the company has thoroughly enshittified it and turned it into an “advertising everywhere all the time” platform. There is a Jellyfin app that works well though.


I’ve been using Frigate for years. The built-in object detection (without subscription) is excellent and very near 100% accurate. Initial setup was somewhat of a challenge though. It’s free (donations encouraged) or a low cost subscription for more advanced detection.


As interesting as this is, users are still subject to the whims of a corporation that can completely change their policies each time a new executive is hired.
There’s a graveyard somewhere for apps and services that were free or low cost (and without ads) until the company decided to change their model to restrict or eliminate free usage. Teamviewer, Dropbox, RealVNC, Google Drive, Amazon Prime (ad free) Videos, Duolingo, Youtube, Zoom and Evernote are examples that lots of individuals use.
I’ve personally been bitten by this often enough to avoid any corporation’s “free” service whenever possible.


If you’re not dealing with CGNAT, Dynamic DNS (DDNS) is relatively easy to set up, doesn’t require a VPS and is designed specifically for dealing with changing IP address endpoints.
Instead of connecting using your (sometimes changing) IP address, you use a URL that dynamically updates when your IP changes. For instance, with DDNS you would access your home network using mynetwork.ddnsservice.com. The DDNS service returns your current IP and your connection can complete. Most routers have built-in DDNS clients that update the DDNS service when your home IP changes.
There are various DDNS services out there, but I like DuckDNS. It’s free (or you can choose to donate), easy to set up and has worked flawlessly for me for years.


Battery charge limit will allow you to set it to stop charging at partial charge. Doing so greatly increases the battery lifespan and can reduce possible fire risk even further while still leaving far more backup time than a UPS would provide.


See if that laptop model allows you to limit the battery charge. If the battery’s still holding a charge, isn’t swollen, and is kept at room temperature you have about a 1 in a million chance of a battery fire.
Parking your car in your garage has hundreds of times more fire risk.
Try testing TLP in battery mode even if you’re not using a laptop. You can configure all kinds of things to your liking with it.
I tried it out a few years ago and none of my server apps showed any noticeable decrease in performance with it running, but my power monitoring plug did show a reduction in power consumption. I ended up leaving it enabled all the time.


I set up KeepassKC with Syncthing temporarily years ago while looking for other options. To my surprise it’s worked so well there’s been no reason to change to anything else.
The database file is always backed up to multiple devices. With Syncthing file versioning turned on older backups are available if that file gets corrupted, but in 8+ years I’ve never had to use one of those older backups.
Initially I was using Syncthing discovery servers which allowed syncing from anywhere, but I’ve since moved away from that. Now everything is run locally and I use Wireguard to connect to my home network when I’m away.
I’d get that old Pi running with a cheap SSD, set up Wireguard (or just use the Syncthing discovery servers), put it on a shelf and forget about it. It’ll probably run for years with minimal attention.


Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement
OP said exactly the opposite. Where the fuck do you get this stuff?
An excerpt from the Wireguard Whitepaper:
After opening an SSH port and watching the number of attacks I understand the concern about opening any port on a router, but it seems the worry about opening a port for WG is way overblown.
As of now I can find zero reports of a properly configured open WG port ever being successfully used by attackers to access a network.
Anyone have better/more recent info?
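
The "open port looks closed" behaviour discussed in these comments begins with the mac1 check defined in the WireGuard whitepaper: a handshake initiation is dropped without any reply unless its mac1 field was computed with the responder's public key. The sketch below is an added example, not part of the original thread; `SERVER_PUB`, the sender index and the random field contents are constructed, and it models only this first gate, not the Noise handshake that follows it.

```python
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"   # label from the WireGuard whitepaper
INIT_LEN = 148             # size of a handshake initiation message
MAC1_OFFSET = 116          # mac1 covers every byte that precedes it

# Constructed stand-ins for 32-byte public keys (not real Curve25519 keys).
SERVER_PUB = bytes(range(32))
WRONG_PUB = bytes(range(32, 64))


def compute_mac1(responder_pub: bytes, prefix: bytes) -> bytes:
    """mac1 = Keyed-BLAKE2s(Hash(Label-Mac1 || responder_pub), prefix, 16)."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_pub).digest()
    return hashlib.blake2s(prefix, digest_size=16, key=key).digest()


def build_initiation(responder_pub: bytes) -> bytes:
    """Constructed initiation: real layout, random bytes in the encrypted fields."""
    # type=1, 3 reserved bytes, sender index, then ephemeral(32) + static(48) + timestamp(28)
    prefix = struct.pack("<B3xI", 1, 0x1234) + os.urandom(32 + 48 + 28)
    mac2 = bytes(16)  # zero unless the responder is under load and sent a cookie
    return prefix + compute_mac1(responder_pub, prefix) + mac2


def responder_accepts(own_pub: bytes, packet: bytes) -> bool:
    """First gate only: False means the packet is dropped and nothing is sent back."""
    if len(packet) != INIT_LEN or packet[0] != 1:
        return False
    expected = compute_mac1(own_pub, packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16])


def demo() -> dict:
    """Run the gate over three constructed packets as seen by the server."""
    good = build_initiation(SERVER_PUB)
    tampered = bytes([good[0]]) + bytes([good[1] ^ 0xFF]) + good[2:]
    return {
        "peer_with_server_key": responder_accepts(SERVER_PUB, good),
        "probe_with_wrong_key": responder_accepts(SERVER_PUB, build_initiation(WRONG_PUB)),
        "tampered_in_transit": responder_accepts(SERVER_PUB, tampered),
        "random_udp_probe": responder_accepts(SERVER_PUB, os.urandom(INIT_LEN)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'continue handshake' if accepted else 'silent drop'}")
```

Passing mac1 only lets the packet proceed to the authenticated handshake, where the initiator's static key still has to match a configured peer.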