Setting up your own VPN - eviltoast

What do you guys use / recommend to set up your own VPN to access your LAN services remotely?

  • goodhunter@lemm.ee
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    People seem to like and recommend Tailscale. I have not gotten to setting it up. My setup involves reverse proxy with treafik and my services in docker. Any suggestions on how what I need to do would be welcome.

    • randombullet@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      This is the exact script I use to install tailscale on my VPN server

      Installing Tailscale

       curl -fsSL https://tailscale.com/install.sh | sh 
      

      Enable IP forwarding

       echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf 
       echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf 
       sudo sysctl -p /etc/sysctl.conf 
      

      Advertise subenets and exit node

       tailscale up --advertise-exit-node --advertise-routes=192.168.0.0/24,192.168.2.0/28,192.168.5.0/24,192.168.10.0/24
      
      • goodhunter@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Thank you for message, i appreciate the effort.

        Where I struggle is the part where i need to expose my subnet within Tailscale. I don’t have any machineip:port delegated to the services anymore.

        I got a domain name through CF, and have traefik generate unique url links as *service.mydomain.com that routes it to the specific service running in docker on my localmachine. It also takes care of certificates. Calling that service url only works within the local network.

        In my docker compose set up, I removed all the ports as I dont access the services via ip:port. I hope this makes sense to you.

        So it seems I need to configure Tailscale in such a way I can tunnel to my home network and then make the service.mydomain.com call. And that is where it got too complicated for me right now.

        I also fail to understand if I need to run Tailscale native or in (the same) docker env.

        • appel@whiskers.bim.boats
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          1 year ago

          You can run tailscale client on the host, not in a container. Then for the domain names, create a DNS record either in the public DNS (or I think you can do it in the internal tailscale DNS) that points a wildcard for your subdomains (*.domain.com) to the IP of the container host within the tailnet. Do “tailscale --status” on any device joined to the tailnet to see the IP addresses inside the tailnet. Then all of the devices will make their DNS request to either your upstream DNS or the internal one, they get the response back that they need to send their http request to the container host within the tailnet, it sends on the default 80 or 443 ports for http and https respectively, and then your reverse proxy handles the rest.

          • goodhunter@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            hi, i finally found some time to dig into this. Oddly, I think I got a functioning setup, although it did a bit differently in the end. If you may, please advise if I indeed reached completion, or I have it set suboptimal.

            1. I installed Tailscale gui natively on my mac mini, and ios devices.
            2. I tried following up on your advise of creating DNS records. First in Cloudflare, but since I already set a wildcard entry as type CNAME/*/mydomain.com/DNSonly/TTLauto I wasn’t allowed to add type A record with a similar wildcard entry. I need this existing CNAME line for Traefik to work my SSL certificates (as far i understood). Then I tried setting it up through the DNS>custom Namespaces within Tailscale admin console instead. An entry would look like service.mydomain.com and for ipv4 the local ip of the mac mini. But I wasn’t sure about the config as it wasn’t working. Then i tried the Tailscale ip 100.xx.xx.xx, to no avail.
            3. I thought I needed to advertise routes for my local network, so I did. As similar to --advertise-routes=192.168.68.0/24. And later instead the docker network 172.23.0.0/16. Still didn’t do it.
            4. As I am a NextDNS user I set the ID number in Tailscale>DNS>Nameservers as the Global nameserver and checked Override local DNS.
            5. In the NextDNS config I defined a Rewrite function as *.mydomain.com to the Tailscale IP of the local machine 100.xx.xx.xx . And boom, I can access the servers from my idevices over the Tailscale vpn tunnel.
            6. I then tried to tear down the setup again. It seems the advertise routes from (3) doesn’t do anything, so I removed it again.

            Open for any suggestions on this hacked attempt.

            Update: yes found an issue. I can only access the services with tailscale enabled. I suspect the rewrite is causing an inproper pass through without the tunnel, as that the tailscale ip cannot be reached.

            Update 2: I changed to rewrite to the local ip address instead, similar to 192.168.68.110. I think it works now when accessing within the local network without tunnel and externally with the tunnel.

            • appel@whiskers.bim.boats
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Seems like you got it to work, I’m not sure about traefik requiring that cname for ssl, our setup does not. But yes the way we’ve done it does require that tailscale is always enabled. Even when on lan. If you’ve managed to setup both LAN and tailscale connections for one thing that’s pretty cool.

    • ashok36@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I’ve been using it for maybe a year now and it’s been rock solid. Highly recommended.