Remote Access for your Homelab? Mar/Apr 2024

You don’t need a separate subdomain for the VPN…just use an existing one.

I second this. I run cloudflared in a docker container (preparing to move it to Kubernetes solely for the learning experience) and it’s quite easy. The free tier does require a card on file, which I find a little annoying, but I haven’t been charged a penny.

Yes, but you do realize that CF decrypts and then encrypts again, so they do know everything that you do with that data, although it is unlikely they will do or want to see anything. Tailscale would be a better option if you do not want anyone to see your data.

I do this for my road-warrior VPN client as well. So I VPN in, which requires a cert and user/pass, but I also have a firewall rule that only allows my road-warrior IP to connect, which is updated every minute via a script on my road-warrior laptop to my AWS Route 53 DNS. Make sure you have a certificate revocation list in case the PC is stolen.
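
The road-warrior allow-list above, as an added example that is not code from the original poster: a script run from cron on the laptop that publishes its current public IPv4 address as a short-TTL A record in Route 53, which a firewall alias on the home router then resolves to restrict the VPN port. The hosted zone ID, record name and IP-echo service are placeholders you would set for your own environment, and the address is validated before it is ever written, so a laptop sitting behind a captive portal or on a private LAN never "allows" a meaningless address.

```shell
#!/bin/sh
# ddns-allowlist.sh: publish this laptop's current public IPv4 as an A record
# so the home firewall can allow only that address to reach the VPN port.
# Added example; the zone ID, record name and echo URL below are assumed
# placeholders, not values from the original post.

ZONE_ID="${ZONE_ID:-Z0000000000EXAMPLE}"       # assumed: your Route 53 hosted zone
RECORD="${RECORD:-laptop.example.com}"         # assumed: hostname the firewall alias resolves
TTL=60                                         # short TTL so the firewall picks up changes fast
STATE_FILE="${STATE_FILE:-$HOME/.ddns-last-ip}"
IP_ECHO_URL="${IP_ECHO_URL:-https://checkip.amazonaws.com}"   # assumed: any plain-text IP echo

# Return 0 only for a well-formed, public, unicast IPv4 address.
# Private, loopback, link-local and 0.x.x.x ranges are rejected: publishing one of
# those would silently open the firewall to nothing useful or, worse, to a whole LAN.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;       # non-digit chars, leading/trailing/empty octets
    esac
    oldifs=$IFS; IFS=.
    set -- $ip                                  # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case $ip in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# Emit the Route 53 change batch as JSON. UPSERT creates or replaces the record,
# so a single record name never accumulates stale addresses.
build_change_batch() {
    name=$1; ip=$2
    printf '{"Comment":"road-warrior ddns","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","TTL":%d,"ResourceRecords":[{"Value":"%s"}]}}]}\n' \
        "$name" "$TTL" "$ip"
}

# Fetch the current public address, validate it, and call Route 53 only when it
# actually changed (cron runs this every minute; most runs should be no-ops).
update_record() {
    ip=$(curl -fsS --max-time 10 "$IP_ECHO_URL" | tr -d '[:space:]') || return 1
    valid_ipv4 "$ip" || { echo "refusing to publish '$ip'" >&2; return 1; }
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$ip" = "$last" ] && return 0
    build_change_batch "$RECORD" "$ip" > "$STATE_FILE.batch"
    aws route53 change-resource-record-sets --hosted-zone-id "$ZONE_ID" \
        --change-batch "file://$STATE_FILE.batch" > /dev/null || return 1
    printf '%s\n' "$ip" > "$STATE_FILE"
}

# crontab entry (assumed path):  * * * * *  /usr/local/bin/ddns-allowlist.sh --update
case ${1:-} in
    --update) update_record ;;
esac
```

On the OPNsense side the matching piece is a firewall alias of type Host(s) containing the hostname (aliases with hostnames are re-resolved on the interval set under Firewall > Settings > Advanced), and a WAN rule that allows the VPN port only from that alias. The IAM user or role the laptop uses should be limited to `route53:ChangeResourceRecordSets` on that one hosted zone, since the credential lives on the device that the revocation list is there to protect against losing.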

Twingate is fantastic and has a free consumer/home use plan. Love Twingate.

This is pretty cool, I actually saw a YouTube video from Christian Lempa about this…curious about how it works! Have you worked with this before, and if so, can I PM you some questions I have about it?

Hey thanks! I’ve gone ahead and fixed that as you and others suggested. Question: I’m using Cloudflare DDNS. I currently use my main domain example.com for the homelab BookStack instance I use for documenting stuff, and set up the subdomain vpn.example.com with an A record to be updated by OPNsense’s ddclient. I’ve got WireGuard set up, and accessing my home network at vpn.example.com:port# works great, but my concern is: when I ping that subdomain, it shows my WAN IP address, but the ping times out. I’m assuming my WAN IP is exposed by that subdomain. Is there any way to hide my IP, or is that normal? Am I just supposed to hope attackers/threats won’t find it?

Also OpenZiti (OpenZiti · GitHub). Most similar to Twingate from the list, in that its intent is to be a zero-trust network overlay rather than a better VPN. It’s open source and self-hostable, though there are SaaS implementations of it too.

In my opinion, since you’re running OPNsense, you should host the VPN server on that.

OpenVPN is a server. Client devices connect to that and tunnel some or all of their traffic to it. It does not consume resources when no clients are connected. Your local network traffic does not route through it.

My VPN is configured for split tunneling. Look into that.

It’s a homelab. Experiment and see how the VPN and clients connected to it affect the performance of the host.

I actually forgot they requested a card on sign up, wonder if I can just go remove it…

You may PM me if further questions come up. Carefully following Twingate’s setup guide is all I did, and it got me going on the first shot. This is with Linux and Android OS installs. No Windows experience with it yet, though it’s supported.

You really just need a server that’s on all the time on the home network (I started with my old laptop that’s my TV’s media server, running Ubuntu 22.04 LTS) to run the Twingate Connector service from, and to install the Twingate client on the devices I may use when away: my daily Ubuntu 23.10 driver and my Android phone.

The rest is setting up a Twingate account and generating/exchanging keys for the Connector and Clients to use, and configuring your new Twingate domain to allow access from/to your devices and the LAN.

Also go see the NetworkChuck YouTube video about Twingate, a good watch!

That’s expected. vpn.example.com should point to your WAN address; that’s how your WireGuard VPN client will find your WireGuard VPN server, and if your WAN address changes, vpn.example.com will still point to your OPNsense box because of the DDNS client.

Now, vpn.example.com not answering pings is totally expected and completely fine. OPNsense by default allows no inbound communication on WAN, so unless you’ve explicitly enabled inbound communication for a specific port or service (e.g. WireGuard), it won’t respond to an unexpected and unconfigured request. This is absolutely the right behavior: the less your router talks back to unsolicited and unexpected requests, the better.

Yeah, OPNsense has native WireGuard support, there’s no reason not to use it.

Other options include Cloudflare Zero Trust and Tailscale, but WireGuard is 100% local hosting and configuration, and there are plenty of guides on setting it up.

Performance impact should be negligible, especially when it’s not in active use.

Ah okay, so I just need to make sure I have all ports closed. Thanks for answering my questions! WireGuard works great haha. I’m in college and have been stuck inside my house as I love working on my homelab; remote access is a game changer. Gonna play around with Tailscale now and compare the two. Appreciate your help!