Current Best Remote Access Method? (self.selfhosted)

submitted 5 months ago by NuXCOM_90Percent to c/[email protected]

22 comments fedilink hide all child comments

So for the past few years (?) I have been using wireguard to vpn into (effectively) my firewall and a dynamic dns setup to access that remotely. But with the shitshow that is google domains and the like, this seems like a good opportunity to look into a few of the alternatives. I am not entirely opposed to just going in and changing the dns server once I figure out what I am going to do on that front, but wireguard has always been a bit of a mess to set up for less "tech savvy" people who need access to the home network.

Every so often I see some cloud based solutions get suggested. Which is sketchy but I already have a few alerts set up to be able to remotely shut my network down if wireguard is acting up when it shouldn't be and shutting down a VM is a lot less of a "do I really need to do this?" than shutting off the entire network. But most of those solutions seem built around selling seats which means they want you to add individual devices rather than just setting up a tunnel.

So is wireguard still the gold standard? Or is there a more user friendly solution that will let me compromise a bit but also have a setup that doesn't require me to be physically on site to fix the inevitable hiccups because it takes hours of reading articles to understand the setup?

Thanks

all 23 comments

sorted by: hot top controversial new old

[-] [email protected] 20 points 5 months ago* (last edited 5 months ago)

If you're just accessing one device, why not use SSH?

SSH with pubkey authentication and sane firewall rules is very secure. Bonus points for fail2ban

[-] [email protected] 3 points 5 months ago

Fail2ban might not be a good thing. You can flood the blacklist.

You just have to run a continous attack with spoofed source addresses. use IPv6 addresses and just wait until the whole ipv6 space is in the blacklist. by then that file will be huge. might even crash some servers

[-] [email protected] 2 points 5 months ago* (last edited 5 months ago)

you're right and sane firewall rules could prevent this type of attack

[-] [email protected] 14 points 5 months ago* (last edited 5 months ago)

with the shitshow that is google domains and the like, this seems like a good opportunity to look into a few of the alternatives.

I don't see how google domains play into this? If you're using their DNS and it sucks, just use a different DNS host instead. I can recommend https://desec.io/.

most of those solutions seem built around selling seats which means they want you to add individual devices rather than just setting up a tunnel.

Are you talking about Tailscale?

The idea behind every client and server running a tailscaled isn't to sell you more seats but rather to enable P2P connections. Their whole product is set up around this; ACLs and individual device sharing wouldn't work without this architecture.

If you don't care about all of that, you can simply set up a subnet router on one device and use it like a classical VPN server. Though I've never run into device limits on the free plan, even before they were increased.

Tailscale is as close to a hassle-free user-friendly solution as you can reasonably get.

[-] [email protected] 1 points 5 months ago

Cloudflare, namecheap, GoDaddy, domain.com, they all offer dns I think. Some of them are supported by Dyndns; you can find a list of supported providers.

[-] [email protected] 11 points 5 months ago

There’s Headscale if you want to avoid the Tailscale cloud service.

[-] [email protected] 2 points 5 months ago

And it's really easy to set up

[-] [email protected] 8 points 5 months ago

Tailscale?

[-] NuXCOM_90Percent 2 points 5 months ago

I think that is the seat based one I see recommended all the time.

I understand that hub and spoke models are inherently questionable security wise and switching to a mesh based approach is probably the answer. But it tends to make for a mess of needing to make sure my various "homelab" servers are aware and so forth.

[-] [email protected] 4 points 5 months ago

There's a "hub" mode where your endpoint inside the network grants access to the whole network like a standard VPN server.

[-] [email protected] 1 points 5 months ago* (last edited 5 months ago)

You won't realise the full value of Tailscale's features this way though - for example, you'll miss out on the ability to share an individual device with someone else, the ability to configure ACLs between particular devices (e.g. allow someone access to just a particular port on a server, while allowing yourself full access), and Tailscale SSH.

[-] NuXCOM_90Percent 1 points 5 months ago

Oooooooh.

Thanks. Will take a look to try and figure out their terminology for this.

[-] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Edit: I was wrong

[-] [email protected] 2 points 5 months ago

Subnets

https://tailscale.com/kb/1019/subnets

[-] [email protected] 4 points 5 months ago* (last edited 5 months ago)

Might want to check ZeroTier too. They don't have as much features as Tailscale, but have more relaxed limit. If you can't decide, you can use both Tailscale and ZeroTier at the same time without issue.

[-] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
NAT	Network Address Translation
SSH	Secure Shell for remote terminal access
UDP	User Datagram Protocol, for real-time communications
VPN	Virtual Private Network

5 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread #489 for this sub, first seen 5th Feb 2024, 18:25] [FAQ] [Full list] [Contact] [Source code]

[+] [email protected] -8 points 5 months ago

So is wireguard still the gold standard?

Yes, unlike you want to rely on 3rd parties and proprietary garbage like Cloudflare, Tailscale and whatnot.

[-] [email protected] 12 points 5 months ago

Tailscale's official clients are FOSS on free platforms and there is an officially endorsed FOSS back-end (headscale) if you wanted to self-host a fully FOSS environment.

Of course, hosting headscale requires a public server which you may not want or have the ability to host and in those cases, using their proprietary back-end as a service is absolutely fine in my books.

As a company, Tailscale has generally struck me as quite the opposite of "garbage".

[-] [email protected] -1 points 5 months ago* (last edited 5 months ago)

Their proprietary server doesn't really do a lot, and most of the logic is in the clients. The server mostly handles configuration (both setting things up and distributing the configs to the clients), public key exchange, and various auxiliary features.

Your VPN nodes will almost always communicate directly with each other, either by establishing a direct connection, or by UDP hole punching. Tailscale has relay servers that help nodes connect when both are behind restrictive firewalls or NAT, and this is open-source.

The fact that the data itself is sent peer-to-peer without going through Tailscale's servers means that it's an acceptable tradeoff for many use cases.

[-] [email protected] 2 points 5 months ago

Hmm, their BE still does a bit as it facilitates the connection of two devices with another. The clients are independently connected to it and if two want to talk with another, they first talk to the BE to coordinate the firewall piercing on both ends.

Still, given that an OSS re-implementation exists and is in no danger of being canned (TS went ahead and hired the person who made it lol), it being proprietary isn't a big deal.

[-] [email protected] 1 points 5 months ago

they first talk to the BE to coordinate the firewall piercing on both ends.

This is the NAT hole punching I mentioned in my post, which as far as I know uses the relay servers (which are open-source) and not their proprietary server. Sometimes systems can reach each other directly (for example, if you forward port 41641) in which case they can directly connect and you don't need a relay at all.

this post was submitted on 05 Feb 2024

31 points (97.0% liked)

Selfhosted

37923 readers

463 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]