Hi, looking for some advice to set up a VPN server to get into my home network when traveling.
I have a NAS and an openWRT AP within the network. My router is provided by the ISP and has a built-in VPN. Being a hobbyist in networking, I would like to tap your brains for suggestions and know-how:
Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?
Thanks a lot for your help!
I use ZeroTier on a MikroTik router.
Then just advertise routes on the router.
I personally do not trust ISP provided routers to be secure and up to date, nor free of purposefully built in back doors for either tech support or surveillance purposes (or both). You can expect patches and updates on those somewhere on the timescale between late and never.
Therefore I always put those straight into bridge mode and serve my network with my own router, which I can trust and control. Bad actors (or David from the ISP help desk) may be able to have their way with my ISP router, but all that will let them do is talk to my own router, which will then summarily invite them to fuck off.
Likewise, I would not be keen on using an ISP provided router’s inbuilt VPN capability, which is probably limited to plain old PPTP – it has been on all of the examples I’ve touched so far – and thus should not be treated as secure.
You can configure an OpenWRT based router to act as an L2TP/IPSec gateway to provide VPN access on your network without the need for any additional hardware. It’s kind of a faff at the moment and requires manually installing packages and editing config files, but it can be done.
I have wireguard on my router. To me it makes sense. If my router is down, nothing inside my network is reachable anyway. If I’m going through my router, anything inside my network can be rebooted without affecting my connection. That said, I’m really considering using Pangolin (https://github.com/fosrl/pangolin) and hosting it in Oracle Cloud. If you don’t know, Oracle Cloud has an extremely generous free tier. As much as I generally hate Oracle, I still recommend their free tier.
Sounds interesting to consider, thank you! Did not know about Pangolin and was considering a wireguard VPN on the router to access my NAS services (jellyfin, files, photo backup), avoiding exposed ports etc, and also to avoid hotel WiFi security risks.
What are the benefits of using the cloud Pangolin setup vs. wireguard on the router?
I believe Pangolin is also using Wireguard. Pangolin is basically a self hosted Tailscale. I think the biggest advantage is the ease of management, but I’ve never used Pangolin or Tailscale so I couldn’t really tell you.
Pangolin is a reverse proxy for TLS/https. Headscale is the self-hosted Tailscale.
Tailscale. It does some UDP fuckery to bypass NAT and firewalls (most of the time) so you don’t even need to open any ports. You can run it on individual hosts to access them directly, and/or you can set it up on one device to advertise an entire subnet and have the client work like a split tunnel VPN. I don’t know about OpenWRT, but both pfSense and OpnSense have built-in Tailscale plugins.
People are freaking out about their plan to go public, but for the moment, it’s a reliable, high quality service even on the free tier.
I’ve also used Ngrok and Twingate to access my LAN from outside, but they simply use relay servers instead of Tailscale’s black magic fuckery.
It does some UDP fuckery to bypass NAT and firewalls
I wouldn’t be surprised if they use hole punching. It’s an old but effective technique which Skype famously used back in its heyday.
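The hole punching mentioned in the last reply, as a toy model (an added example, not part of the thread and not Tailscale's code). It shows why no port forward is needed, why unrelated hosts still cannot get in, and why it fails when both NATs allocate a new port per destination. The `Nat` class, `punch` function and all addresses are constructed for illustration.

```python
# Toy model of UDP hole punching between two NATed peers (added example).
# All addresses and ports are constructed documentation-range values.

class Nat:
    """NAT that admits inbound packets only from endpoints an inside host
    has already sent to (endpoint-dependent filtering)."""
    def __init__(self, public_ip, symmetric=False):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.ports = {}       # mapping key -> allocated public port
        self.allowed = set()  # (public port, remote endpoint) holes

    def outbound(self, src, dst):
        """Send src -> dst; return the public endpoint dst will see."""
        # A symmetric NAT allocates a new public port per destination.
        key = (src, dst) if self.symmetric else src
        port = self.ports.setdefault(key, 40000 + len(self.ports))
        self.allowed.add((port, dst))
        return (self.public_ip, port)

    def inbound(self, remote, port):
        """True if a packet from remote to our public port is let in."""
        return (port, remote) in self.allowed

def punch(symmetric=False):
    nat_a = Nat("198.51.100.10", symmetric)
    nat_b = Nat("203.0.113.20", symmetric)
    a, b = ("192.168.1.5", 50000), ("10.0.0.7", 50000)
    server = ("192.0.2.1", 3478)     # coordination server both peers reach
    stranger = ("192.0.2.99", 4444)  # unrelated internet host

    # 1. Each peer talks to the server, which learns both public endpoints.
    pub_a, pub_b = nat_a.outbound(a, server), nat_b.outbound(b, server)
    result = {"stranger_before": nat_a.inbound(stranger, pub_a[1])}
    # 2. A sends to B's public endpoint: opens a hole in A's NAT, but B's
    #    NAT has no hole for A yet, so this first packet is dropped.
    result["a_first"] = nat_b.inbound(nat_a.outbound(a, pub_b), pub_b[1])
    # 3. B sends to A's public endpoint: passes through the hole from step 2.
    result["b_to_a"] = nat_a.inbound(nat_b.outbound(b, pub_a), pub_a[1])
    # 4. A retries: B's own outbound packet has opened the return path.
    result["a_retry"] = nat_b.inbound(nat_a.outbound(a, pub_b), pub_b[1])
    # The hole is specific to the peer; other hosts are still dropped.
    result["stranger_after"] = nat_a.inbound(stranger, pub_a[1])
    return result

if __name__ == "__main__":
    print("cone NATs:     ", punch())
    print("symmetric NATs:", punch(symmetric=True))
```

In the symmetric case every direct attempt is dropped, which is the situation where traffic has to go through a relay server instead.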


