Check out Slack Nebula.I personally like it very much and used it to build a software-defined WAN to support my family’s needs. I use a point to point WireGuard tunnel between my VPS and my home network to support self-hosted instances of Mastodon and Lemmy.
People seem to like and recommend Tailscale. I have not gotten to setting it up. My setup involves reverse proxy with treafik and my services in docker. Any suggestions on how what I need to do would be welcome.
Where I struggle is the part where i need to expose my subnet within Tailscale. I don’t have any machineip:port delegated to the services anymore.
I got a domain name through CF, and have traefik generate unique url links as *service.mydomain.com that routes it to the specific service running in docker on my localmachine. It also takes care of certificates. Calling that service url only works within the local network.
In my docker compose set up, I removed all the ports as I dont access the services via ip:port. I hope this makes sense to you.
So it seems I need to configure Tailscale in such a way I can tunnel to my home network and then make the service.mydomain.com call. And that is where it got too complicated for me right now.
I also fail to understand if I need to run Tailscale native or in (the same) docker env.
Depends on the use case. Cloudflare tunnels are great for accessing services, but not your network. I have a dockerised vscode instance behind a cloudflare tunnel attached to a personal domain that uses white listed emails as authorisation. Fantastic set up, can access my coding environment from anywhere with an internet connection as long as I can click the verification link in my emails.
To access my network itself though, wireguard is better. I just use pivpn (coupled with pihole for on the go adblock) on a rpi.
Getting the configs to work with my personal devices was already a little finicky but doing that for not-so-technical family members was starting to be a bit too much work for me.
I’m hoping that Headscale will cut that down to pointing their app at the server and having them enter their username and password.
I came here to say exactly this - WireGuard is great and easy to set up, but it gets harder as you add more people, especially less technical ones, as getting them to make keys and move them around etc becomes a headache. Tailscale also minimizes the role of the central server, so if your box goes down the VPN can still function. Tailscale can also do some neat stuff with DNS that’s pretty nifty.
One thing that helped a ton with that for Wireguard (for either you or anyone else reading this) is: You can generate QR codes for a peer’s full Wireguard config! So you can create the images on your computer and then a non-technical user can just scan the code to get configured.
I installed OpenWrt on my home router and set up wireguard on it. If you have dinamic IP address assigned by your ISP, like me, you also have to setup a dynamic dns updater on the router. I use duckdns.org. Then you have to open the port for wireguard on the router. Here’s a video guide on how to do it: www.youtube.com/watch?v=Bo2AsW4BMOo
Add comment