VPN server on router or within home network?
-
Expand on your use case. Why/what do want to access on your local network when you are not there?
wrote last edited by [email protected]Since I have no patience, I’ll lay out some items for consideration.
1st, I wouldn’t rely on an ISP router to serve as my end point for a VPN. They likely have access to manage that device and it likely isn’t getting any updates. You are better off implementing it with your own equipment that you keep updated.
If you have a capable security device serving as your router to the external internet and you want full access to your internal network, then you might consider using a VPN that terminates at your router.
I myself am a fan of setting up a jump host and initiating a VPN connection directly to that host when using an agent based solution. Then you can monitor the host for activities, more easily keep your edge device patched, and then use the capabilities of your jump host to interact with the rest of your network. This would require either an agent to periodically poll a platform for connection requests or another form of ingress into your network.
-
But this is self hosting.
Tailscale too if you use the fee implementation Headscale
And in both cases you need a vps fully reachable from anywhere
-
Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?
Thanks a lot for your help!
I personally do not trust ISP provided routers to be secure and up to date, nor free of purposefully built in back doors for either tech support or surveillance purposes (or both). You can expect patches and updates on those somewhere on the timescale between late and never.
Therefore I always put those straight into bridge mode and serve my network with my own router, which I can trust and control. Bad actors (or David from the ISP help desk) may be able to have their way with my ISP router, but all that will let them do is talk to my own router, which will then summarily invite them to fuck off.
Likewise, I would not be keen on using an ISP provided router's inbuilt VPN capability, which is probably limited to plain old PTPP -- it has been on all of the examples I've touched so far -- and thus should not be treated as secure.
You can configure an OpenWRT based router to act as an L2TP/IPSec gateway to provide VPN access on your network without the need for any additional hardware. It's kind of a faff at the moment and requires manually installing packages and editing config files, but it can be done.
-
Tailscale too if you use the fee implementation Headscale
And in both cases you need a vps fully reachable from anywhere
I know gross Oracle, but they have a fantastic free tier that would be good for that.
-
Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?
Thanks a lot for your help!
Got an old raspberry pi laying around? PiHole+PiVPN is something I run on an old 3B+ I think, so I have something dedicated running both. But otherwise, I'd probably just spin up a container on a server or cluster and I'd probably go with debian and just run the exact same PiVPN setup script I did for the pi because it was super easy.
-
Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?
Thanks a lot for your help!
If you use the ISP one, you'll rapidly find you can't configure it to do what you want. Run your own, lock it down, and keep it up to date.
-
I have wireguard on my router. To me it makes sense. If my router is down, nothing inside my network is reachable anyway. If I'm going through my router, anything inside my network can be rebooted without effecting my connection. That said, I'm really considering using Pangolin https://github.com/fosrl/pangolin, and hosting it in Oracle Cloud. If you don't know, Oracle Cloud has an extremely generous free tier. As much as I generally hate Oracle, I still recommend their free tier.
Good point about network availability and endpoints.
-
I have wireguard on my router. To me it makes sense. If my router is down, nothing inside my network is reachable anyway. If I'm going through my router, anything inside my network can be rebooted without effecting my connection. That said, I'm really considering using Pangolin https://github.com/fosrl/pangolin, and hosting it in Oracle Cloud. If you don't know, Oracle Cloud has an extremely generous free tier. As much as I generally hate Oracle, I still recommend their free tier.
Sounds interesting to consider, thank you! Did not know about Pangolin and was considering a wireguard VPN on the router to access my NAS services (jellyfin, files, foto backup), avoiding exposed ports etc, and also to avoid hotel WiFi security risks.
What are the benefits of using the could-pangolin setup vs. wireguard on the router?
-
Since I have no patience, I’ll lay out some items for consideration.
1st, I wouldn’t rely on an ISP router to serve as my end point for a VPN. They likely have access to manage that device and it likely isn’t getting any updates. You are better off implementing it with your own equipment that you keep updated.
If you have a capable security device serving as your router to the external internet and you want full access to your internal network, then you might consider using a VPN that terminates at your router.
I myself am a fan of setting up a jump host and initiating a VPN connection directly to that host when using an agent based solution. Then you can monitor the host for activities, more easily keep your edge device patched, and then use the capabilities of your jump host to interact with the rest of your network. This would require either an agent to periodically poll a platform for connection requests or another form of ingress into your network.
Thanks, I can follow and understand the first two paragraphs. That feels like my preferred option for now.
Don't understand your third paragraph. Any good resources you can point me to for learning?
Thanks!
-
If you use the ISP one, you'll rapidly find you can't configure it to do what you want. Run your own, lock it down, and keep it up to date.
Seems like rule #1
-
Got an old raspberry pi laying around? PiHole+PiVPN is something I run on an old 3B+ I think, so I have something dedicated running both. But otherwise, I'd probably just spin up a container on a server or cluster and I'd probably go with debian and just run the exact same PiVPN setup script I did for the pi because it was super easy.
Running piHole on a NAS, so would avoid adding another device. Adding a trusted router works already increase the device count.
(My rPi1 is connected to my PS2 and hosts all my ISO files from USB via Ethernet so no discs are required and loading is faster )
-
I personally do not trust ISP provided routers to be secure and up to date, nor free of purposefully built in back doors for either tech support or surveillance purposes (or both). You can expect patches and updates on those somewhere on the timescale between late and never.
Therefore I always put those straight into bridge mode and serve my network with my own router, which I can trust and control. Bad actors (or David from the ISP help desk) may be able to have their way with my ISP router, but all that will let them do is talk to my own router, which will then summarily invite them to fuck off.
Likewise, I would not be keen on using an ISP provided router's inbuilt VPN capability, which is probably limited to plain old PTPP -- it has been on all of the examples I've touched so far -- and thus should not be treated as secure.
You can configure an OpenWRT based router to act as an L2TP/IPSec gateway to provide VPN access on your network without the need for any additional hardware. It's kind of a faff at the moment and requires manually installing packages and editing config files, but it can be done.
Thank you for the David link
The distrust is adding up, I see your point.
Will be adding an openWRT router to host a VPN and also manage VLANs. Ultimately might move AdGuard there instead of piHole on my NAS.Still not sure what to think about the cloud-pangolin setup, so might work stepwise.
Thanks!
-
Expand on your use case. Why/what do want to access on your local network when you are not there?
I want to access my NAS, incl the containers it is running.
-
If you use the ISP one, you'll rapidly find you can't configure it to do what you want. Run your own, lock it down, and keep it up to date.
Depends on the ISP, my old one just handed out Fritz box routers with nothing locked down. Still using it now with the new ISP!
-
Sounds interesting to consider, thank you! Did not know about Pangolin and was considering a wireguard VPN on the router to access my NAS services (jellyfin, files, foto backup), avoiding exposed ports etc, and also to avoid hotel WiFi security risks.
What are the benefits of using the could-pangolin setup vs. wireguard on the router?
I believe Pangolin is also using Wireguard. Pangolin is basically a self hosted Tailscale. I think the biggest advantage is the ease of management, but I've never used Pangolin or Tailscale so I couldn't really tell you.
-
I believe Pangolin is also using Wireguard. Pangolin is basically a self hosted Tailscale. I think the biggest advantage is the ease of management, but I've never used Pangolin or Tailscale so I couldn't really tell you.
Pangolin Is a reverse proxy for TLS/https. Headscale is the self hosted Tailscale.
-
Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?
Thanks a lot for your help!
I use ZeroTier on a MikroTik router.
Then just advertise routes on the router.
-
I know gross Oracle, but they have a fantastic free tier that would be good for that.
Actually you can get 2 IPs for free. Then use high availability
-
Actually you can get 2 IPs for free. Then use high availability
I don't understand, each compute unit gets their own IP right?
-
Pangolin Is a reverse proxy for TLS/https. Headscale is the self hosted Tailscale.
wrote last edited by [email protected]Oh, I must have completely misunderstood what Pangolin is for. Is Pangolin like a replacement for Cloudflare tunnels in that case?
