Sounds interesting to consider, thank you! Did not know about Pangolin and was considering a wireguard VPN on the router to access my NAS services (jellyfin, files, foto backup), avoiding exposed ports etc, and also to avoid hotel WiFi security risks.

What are the benefits of using the could-pangolin setup vs. wireguard on the router?

I believe Pangolin is also using Wireguard. Pangolin is basically a self hosted Tailscale. I think the biggest advantage is the ease of management, but I've never used Pangolin or Tailscale so I couldn't really tell you.

Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.

I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:

Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?

Thanks a lot for your help!

I know gross Oracle, but they have a fantastic free tier that would be good for that.

Actually you can get 2 IPs for free. Then use high availability

Pangolin Is a reverse proxy for TLS/https. Headscale is the self hosted Tailscale.

Thanks, I can follow and understand the first two paragraphs. That feels like my preferred option for now.

Don't understand your third paragraph. Any good resources you can point me to for learning?

Thanks!

Tailscale. It does some UDP fuckery to bypass NAT and firewalls (most of the time) so you don't even need to open any ports. You can run it on individual hosts to access them directly, and/or you can set it up on one device to advertise an entire subnet and have the client work like a split tunnel VPN. I don't know about OpenWRT, but both pfSense and OpnSense have built-in Tailscale plugins.

People are freaking out about their plan to go public, but for the moment, it's a reliable, high quality service even on the free tier.

I've also used Ngrok and Twingate to access my LAN from outside, but they simply use relay servers instead of Tailscale's black magic fuckery.

It does some UDP fuckery to bypass NAT and firewalls

I wouldn't be surprised if they use hole punching. It's an old but effective technique which Skype famously used back in its heyday.

I have wireguard on my router. To me it makes sense. If my router is down, nothing inside my network is reachable anyway. If I'm going through my router, anything inside my network can be rebooted without effecting my connection. That said, I'm really considering using Pangolin https://github.com/fosrl/pangolin, and hosting it in Oracle Cloud. If you don't know, Oracle Cloud has an extremely generous free tier. As much as I generally hate Oracle, I still recommend their free tier.

A jump host is just a system that serves as an exit point into the restricted network. You can do this with Ubuntu desktop but you need to figure out how you are going to jump into your host. Others have mentioned tail scale and head scale as options for doing this. Tailscale would be an example of an agent based adhoc vpn solution; this would place a dependency on an external provider to host a connection broker service and use an agent that periodically checks into the broker service for connection requests. Headscale would be the self hosted option and you would need to forward a port into your network and you should guard it with a reverse proxy.

Oracle??!!

It does some UDP fuckery to bypass NAT and firewalls

I wouldn't be surprised if they use hole punching. It's an old but effective technique which Skype famously used back in its heyday.

Running piHole on a NAS, so would avoid adding another device. Adding a trusted router works already increase the device count.

(My rPi1 is connected to my PS2 and hosts all my ISO files from USB via Ethernet so no discs are required and loading is faster )

Oh, I must have completely misunderstood what Pangolin is for. Is Pangolin like a replacement for Cloudflare tunnels in that case?

Yeah, basically. It does bundle wireguard so that it can reverse proxy services over that. That’s probably what you were thinking of.

Running piHole on a NAS, so would avoid adding another device. Adding a trusted router works already increase the device count.

(My rPi1 is connected to my PS2 and hosts all my ISO files from USB via Ethernet so no discs are required and loading is faster )

Hi,
looking for some advice to set up a VPN server to get into my home network when traveling.

I have a NAS and an openWRT AP within the network. My router is provided by the ISP and with a built-in VPN.
Being a hobbyist in networking, I would like to tab your brains for suggestions and know how:

Should I get my own router to run a wireguard VPN off the router directly, i.e. on the edge of the network, OR run a VPN service off the openWRT AP or the NAS, i.e. from within the home network?

Thanks a lot for your help!

This is a little off topic but would you mind sharing how you use your pi to serve ISO’s to your ps2?

I just don't want my NAS doing anything other than being a NAS, so I intentionally don't run extra services there, but its a matter of finding what works for you. As long as you get to the destination you're looking for, its mission accomplished