Hi folks, I’m just getting into this hobby thanks to the posts in this community. So far, I’ve installed Ubuntu server 22.04 on an old laptop and got paperless working, and I’m pretty pumped. Now I would like to access it outside of my home network on my phone.

I have a Netgear R7000 with Advanced Tomato installed. Here’s my plan, but I don’t know if it would work… So I’m hoping for a peer review of sorts.

  • Get openVPN working on the router as a server.
  • make a certificate for my phone and use it as a client.
  • use my fedora laptop as the CA (?).

I think I need to use easy-RSA to make the keys and certificates…

Does that sound about right? Is this a good approach or is there something better/easier/more effective?

If there’s a great tutorial around for accessing the home network externally, I’d super appreciate it. Would obviously prefer to do it myself and not pay for a service… I’ve been enjoying the learning experience!

  • CeeBee@lemmy.world · ↑ 18 · 1 year ago

    Tailscale

    That’s the only word you need. Ultimately, traditional VPN is outdated and almost obsolete. Wireguard is the “next iteration” of network tunneling tech. And Tailscale just makes it super simple.

    • Meow.tar.gz@lemmy.goblackcat.com · ↑ 6 · 1 year ago

      +1 for Tailscale because it uses the WireGuard protocol. Tailscale just adds additional features on top of the WireGuard base. That much said, I am more interested in Slack’s Nebula project because it is completely open source. I like the approach Nebula is taking towards mesh networking. I’m just still struggling to get it working.

      • MigratingtoLemmy@lemmy.world · ↑ 2 · 1 year ago

        Tailscale using headscale is basically hosting your personal Tailscale network, which is nice and makes it open source too, just FYI

        • Drudge@lemmy.world (OP) · ↑ 2 · 1 year ago

          I just came across headscale…looks kinda neat. The docs have me a bit scared though - from the Installation section: “Configure Headscale by editing the configuration file”…uhm ya I’ll just go configure all of the things to do all of the stuff, hehe.

            • Difficult_Bit_1339@sh.itjust.works · ↑ 2 · 1 year ago

              ChatGPT is a champ for just YOLOing off into some new software. Unless it is after the knowledge cutoff it’s pretty accurate about configurations and such. It makes mistakes but it’ll get you started a lot faster.

              • randomguy2323@lemmy.fmhy.ml · ↑ 1 · 1 year ago

                What I notice also is that if you keep feeding it with info about your problem and have a discussion it will eventually figure it out.

                • Difficult_Bit_1339@sh.itjust.works · ↑ 1 · 1 year ago

                  Most of the time I just copy/paste the terminal output and say ‘it didn’t work’ and it’ll come back with ‘I’m sorry, I meant [new command]’.

                  It isn’t something that I’d trust to run unattended terminal commands (yet) but it is very good when you’re just like ‘Hey, I want to try to install pihole today, how do I install and configure it’, or ‘Here’s my IP Tables entry, why can’t I connect to this service’ … ‘Ok give me the commands to update the entry to do whatever it was you just said’.

            • Drudge@lemmy.world (OP) · ↑ 1 · 1 year ago

              Good idea…I use it a bunch for other stuff but hadn’t thought to use it for this. Thanks!

          • MigratingtoLemmy@lemmy.world · ↑ 1 · 1 year ago

            Haha, FOSS is often getting right into it, at a deep level. I wouldn’t be too worried about it as long as one conceptually understands what is happening (if not, ask here on Lemmy!)

      • zampson@lemm.ee · ↑ 2 · 1 year ago

        It’s what I use to remote access to my Starlink network. Have it running on a little Linux box, and publishes my internal subnet so I can access any device on my network with Tailscale running on just one PC.

        • RelativeArea0@lemmy.world · ↑ 1 · 1 year ago

          Neat, I’ll admit that I’m a bit late with the VPN bandwagon, I’ve been fiddling around with dynamic DNS and praying to the network gods that my LAN won’t encounter some replicating malware or nasty stuff (although I’m monitoring it and have logs). And yea, wow, this thing is fast and easy.

    • Drudge@lemmy.world (OP) · ↑ 1 · 1 year ago

      Really, wow ok. Someone recommended that in another post, and I thought there must still be some value to doing it myself.

      So does all the traffic go through tailscale? I gotta watch a YouTube video…

      • CeeBee@lemmy.world · ↑ 1 · 1 year ago

        The traffic goes through a wireguard connection. Tailscale is just a facilitator to initiate the connections. There’s more to it than that, but that’s the basic gist of it.

        The core technology is WireGuard, and you could set everything up yourself, but plain WireGuard can be a chore and a pain to get all set up. Tailscale is honestly 5 minutes to get a basic connection going.

    • Dark Arc@lemmy.world · ↑ 1 · 1 year ago (edited)

      I’ll pitch ZeroTier instead, it’s the same concept, but it’s more FOSS friendly, older, doesn’t have the non-networking “feature bloat” of Tailscale, and can handle some really niche cases like Ethernet bridging (should you ever care).

      Just:

      1. Go to their website, create an account, and create a network
      2. Add ZeroTier to the devices you need to connect
      3. Enter your network ID on those devices
      4. Approve the devices in the web control panel

      If you want to go full self hosting, you can do that too but you will need something with a static IP to control everything (https://docs.zerotier.com/self-hosting/network-controllers/?utm_source=ztp) this would replace the web panel parts.

      You can also do a LAN routing based solution pretty easily using something like a Raspberry Pi (or really any Linux computer).

        • Dark Arc@lemmy.world · ↑ 2 · 1 year ago

          I think it’s pretty secure and it will be getting better soon. In reality, I think it’s much more secure than what most people will end up with otherwise.

          ZeroTier is open source, long running without incident, and the traffic is encrypted between peers.

          The threat model is basically two fold though, in theory someone who has control of the ZeroTier roots (if you’re not using your own controller, if you’re using your own, then s/their roots/your roots/) could add routes to your devices, and add/remove devices that are part of your confirmation.

          The encryption also doesn’t currently have perfect forward security, so if there’s a compromise in one of your connections, in theory some past state of that connection could be decrypted. In practice, I’m not sure this matters as traffic at a higher level for most sensitive things uses its own encryption and perfect forward security (but hey maybe you have some software that doesn’t).

          The other thing I will note about that last point is that they’re working on a rust rewrite that will have updated crypto, including perfect forward security.

          • RustedSwitch@lemmy.world · ↑ 1 · 1 year ago

            Thank you for the write up! Very helpful.

            The use case I was wondering about is batch printing from a cloud solution. The print batch files could be encrypted, but I work with multiple solutions and I’m not confident that all of them encrypt those files. If it’s possible to crack old batches, that could expose sensitive information.

      • MigratingtoLemmy@lemmy.world · ↑ 0 · 1 year ago

        How is it FOSS if they are asking you for a login? If traffic from your devices even touches their servers, you don’t know what is happening with it, and the entire process turns into a black box

        • Dark Arc@lemmy.world · ↑ 2 · 1 year ago

          FOSS just means the software is open source. As I said, you can self host ZeroTier and not involve their servers (if you’re not doing things commercially, you pay for the license but still run your own controllers, or you use an older version which has been automatically relicensed by the change date to Apache 2.0).

          That said, the traffic is peer-to-peer, in the majority of use cases their servers are acting as a bit more than syncthing’s servers (acting to facilitate the connection between two devices that want to talk together). See the other comment for some more thoughts here.

  • Drudge@lemmy.world (OP) · ↑ 7 · 1 year ago

    Big thanks to everyone that replied. Message received: ditch openVPN in favour of wireguard :-)

    • Drudge@lemmy.world (OP) · ↑ 8 · 1 year ago (edited)

      Uhm, status update: I just signed up for tailscale, and I’m able to access my home server after about 2 mins from first logging into the tailscale website. Wow…you guys weren’t kidding 🙃

      So what should I do next?

      • Bread@sh.itjust.works · ↑ 1 · 1 year ago

        Nas, Media server, device auto backups to nas, game server, chatgpt instance, Lemmy instance, a website, wiki, nextcloud, pihole, or home assistant.

        If you intend to collect/store data or make more servers, a nas would probably be a good idea to have.

        • Drudge@lemmy.world (OP) · ↑ 2 · 1 year ago

          Ok, I have an incoming Lenovo M93P SFF to upgrade my really old laptop as a server, so your list will be super helpful. Thanks!

  • thejoker8814@lemmy.world · ↑ 5 · 1 year ago

    I know it’s been mentioned before - but plain WireGuard is my way to go. KISS - keep it simple, stupid! Setup might be a little bit of a learning curve, but once you got it for one device, others aren’t a big issue.

    I had a CA, with OpenVPN, but that’s too much for a small setup like remote access to your home network.

    Use it on iOS, Ubuntu and Windows to access my home services and DNS (Split-Tunnel).

    It’s a pretty easy setup on OpenWrt. A quick look into the fresh tomato wiki tells me that it shouldn’t be too complicated to achieve on your router (firmware). If you need help with setting WireGuard up, let me know, I’m happy to help out.

  • Max-P@lemmy.max-p.me · ↑ 3 · 1 year ago

    You’re mostly correct, but you don’t need the laptop to act as a CA or anything. A CA is just a cryptographic key, you can generate them on the laptop, on the router, or wherever you want. All that matters is that the router and the clients agree on what the CA is.

    Alternatively, you can port forward from the router to the laptop and run the VPN on the laptop itself. That will open you up to more VPN protocols such as WireGuard which is newer, works so much better, and a whole lot easier to get set up. That stuff just works. Or you can forward the SSH port, and use SSH forwarding using an app like JuiceSSH as the way to enter your network.

          • Still@programming.dev · ↑ 1 · 1 year ago (edited)

            there are 3 main steps depending on what OS is being run, but it basically goes like this

            1. port forward some port to a machine on your home network,

            2. create a wireguard config through network manager if you’re using that or the wg-quick command, make sure it auto connects

            3. mess with the firewall so that your devices on the wireguard network can see your home network

            there are tons of easy to follow guides out there, this is the one I followed

          • rambos@lemmy.world · ↑ 1 · 1 year ago

            Personally I use openmediavault (nas software) that has nice wireguard plugin and everything in UI. But you can use native wireguard app or pivpn for example.

            1. Port forward 51820 udp to your server

            2. Setup tunnel and client on server

            3. Scan QR code with your client (android or whatever)

            Steps 2 and 3 have to be done for every new device
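
The WireGuard steps listed in the two comments above (forward a UDP port, create a wg-quick config, let tunnel peers reach the home network), written out as an added example that is not from any poster in this thread. The tunnel subnet 10.8.0.0/24, the home LAN 192.168.1.0/24, the interface name eth0 and every value in angle brackets are assumptions or placeholders.

```ini
# --- Home server: /etc/wireguard/wg0.conf (start with: wg-quick up wg0) ---
[Interface]
# Assumed tunnel subnet 10.8.0.0/24; the server takes .1
Address = 10.8.0.1/24
# UDP port the router forwards to this machine
ListenPort = 51820
# Placeholder: output of `wg genkey`; keep this file mode 600
PrivateKey = <server-private-key>
# Firewall step: route tunnel peers to the LAN only (assumed 192.168.1.0/24 via eth0)
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# One [Peer] block per device; this one is the phone
PublicKey = <phone-public-key>
# Only this tunnel address is accepted from the phone's key
AllowedIPs = 10.8.0.2/32

# --- Phone: imported into the WireGuard app (file or QR code) ---
[Interface]
Address = 10.8.0.2/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <server-public-key>
# Placeholder: the router's public address or dynamic DNS name
Endpoint = <home-public-address>:51820
# Split tunnel: only tunnel and home-LAN traffic goes through WireGuard
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping alive while the phone is on mobile data
PersistentKeepalive = 25
```

The forwarded UDP port is the only inbound exposure, and the server's per-peer `AllowedIPs` doubles as a source filter: packets from a peer's key are dropped unless they come from the tunnel address listed for it.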

  • Meow.tar.gz@lemmy.goblackcat.com · ↑ 1 · 1 year ago

    I personally am a fan of DIY when it comes to VPN. Check out Nebula. I’m working on building a Nebula-based network. Right now I’m using WireGuard tunnels. Pure WireGuard is difficult to scale but it does operate well scaled up.

  • @Drudge
    That’s a pretty solid plan, although I’d use WireGuard instead of OpenVPN. Otherwise, step 1 may take a lot of time, whereas WG makes all that dumb simple. There are even tools (eg dsnet) that generate client configs that work with the WG Android client.

    One fantastic thing about WG is not having to dick with CAs or CA authorities.