Recommendation for vpn setup

What setup do you guys recommend for setting up a VPN to access systems at home?
Is there anything FOSS that is relatively easy to set up and troubleshoot?

It depends on how paranoid you are and what Internet you have. This is also on the assumption that you want a basic VPN without advanced SSO or anything like that.

If you are on the paranoid side, people tend to avoid closed source/hosted as much as possible. So here, I’d say you broadly have two options:

  1. If you are allocated a whole public IP address, then you can port forward to an installation of Wireguard. I’ve got it installed directly on my server to avoid any Docker woes. If you are allocated a whole public IP address but it’s dynamic (changes regularly), then you’ll need to use a Dynamic DNS service. Alternatively, if you have your own domain, you could add a record for your VPN and configure a script to connect to your DNS provider and change the record whenever your IP changes.

  2. If you have a CGNAT connection, then this changes matters. Unfortunately, you cannot port forward with these types of connections. In these cases, your best option is to configure a Wireguard tunnel from your home network to a VPS (cloud hosted server), then configure a second tunnel from the remote host to connect to it, then the VPS will just trunk that traffic over. Or, better yet, use that VPS to install Headscale. It’s an open source implementation of the Tailscale coordination server. It requires the ability to port forward, which will be possible with your VPS.

If you aren’t feeling so paranoid, then I’d elect for Tailscale. It’s a super easy, no-nonsense VPN that works really well. It also works over CGNAT connections without any issues.
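The CGNAT layout from option 2 above (home server dials out to a VPS, a roaming client dials in, and the VPS forwards between the two WireGuard peers), as an added example that is not from the post or from any project’s documentation. It assumes a 10.8.0.0/24 tunnel subnet, a 192.168.1.0/24 home LAN, eth0 as the home server’s LAN interface, the hostname vps.example.com, and key placeholders in angle brackets.

```ini
# --- VPS (hub): /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward only between tunnel peers; no masquerade, so the VPS is not an exit node.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

[Peer]
# Home server sits behind CGNAT, so it has no Endpoint here; it always initiates.
# AllowedIPs is also a source filter: the hub drops LAN-range packets from any other peer.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# Roaming laptop/phone
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# --- Home server: /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# Masquerade tunnel traffic into the LAN so LAN hosts need no route back to 10.8.0.0/24.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24
# Keepalive holds the CGNAT mapping open so the hub can reach us between sessions.
PersistentKeepalive = 25

# --- Roaming client: wg0.conf ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Route only the tunnel subnet and the home LAN; everything else stays on the local connection.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
```

Bring each side up with `wg-quick up wg0` and confirm a handshake with `wg show`; the home peer must be up first, since the hub cannot initiate toward it.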

Probably the most popular solution is simply using Tailscale. While not open source, you can self host Headscale. I’ve found it to be simple to set up and rock solid. Beyond that, others will have to answer.

PiVPN + WireGuard. Easy to control and not rate limited.
Tailscale if you don’t want overhead, but it is rate limited in case you plan to stream from your home network or upload photos.

I run OPNsense for my main firewall/router. It natively runs my WireGuard to get on my home network. I found it easier to go this route vs. an LXC/VM.

I use WireGuard as my solution. There are plenty of good tutorials out there. I have a WireGuard tunnel between my cloud VPS and my home server so I can do some self-hosting.

If you have a Linux router, then WireGuard is a one-way street. You install it in the Linux router (command line), use some dynamic DNS service in case you don’t have a static IP, and you are safe and ready. WireGuard is lightweight, actively developed, easy to set up and maintain.

What about Netmaker? It’s for sure more than just a VPN server, but it works perfectly fine. It gives you the capability of creating your mesh, which could be very handy if you are running multiple homelabs and VPSes. You can create a nice mesh with a fine-grained accessibility configuration, a nice DNS solution, and great performance and speed. I’m still running version 17 though, so there’s not much I can tell you about the newer versions.

My general policy is this:

- If you are providing YOU or a limited group exclusive access to your specific devices or the full infrastructure, use Tailscale.

- If you are providing unrestricted public access to a service like a website, use a Cloudflare Tunnel.

- If you are providing restricted access requiring authentication to a service for you or a limited group, use a Cloudflare Tunnel and Application to provide secure access.

I’m just running a WireGuard Docker container, very low effort and works great: GitHub - linuxserver/docker-wireguard

Give ztnet (ZeroTier) a try: https://github.com/sinamics/ztnet
It should be fairly easy to get started.

Don’t even bother. Just use Tailscale.

Tailscale is life changing

Let’s Connect VPN is getting mature. Apps for all devices. The backend uses OpenVPN and WireGuard as possible VPN tech. All fully open source.

I run OpenVPN alongside Pi-hole; it would run on its own as well:
https://cloudtechtips.com/linux/ubuntu/installing-openvpn-with-pivpn-on-ubuntu-running-pi-hole/394/

Tailscale.

It’s black magic.

wg-easy is a WireGuard VPN and frontend.

I have a dynamic IP address and most Android clients can’t re-resolve the VPN server’s DNS name when the connection breaks down, so I’ve landed on OpenVPN, which is able to handle this. (Neither WireGuard nor IPsec/IKEv2 was able to handle this on Android.)

Are there free VPSes that I could install Headscale on? That might be my next magical adventure :joy: