21 votes

Mullvad on Tailscale: Privately browse the web

9 comments

  1. [7]
    underdog
    Link
    Just recently I went digging through a solution that could both: 1) let me connect to my home server from the internet and 2) have that server permanently route its traffic through a VPN. I discarded Tailscale immediately as they openly claimed on their website it wasn't possible (would source but I'm on my phone, should be easily googleable).

    Now, had I heard of this before, I'd have definitely closed with Mullvad instead of ivpn. Unfortunately I already got year subscriptions and it's not a possibility to change.

    4 votes
    1. [6]
      vord
      Link Parent
      What did you end up doing?

      I'm all-in on Zerotier. I have it configured on my phone, laptop, server, and OpenWRT router. These devices can talk to each other directly regardless of network they're on now. If I turn on the routing option, my cellphone routes traffic through Zerotier and out my home router.

      If I wanted to do VPN, instead of routing out the WAN, I'd add another VPN network interface and route out that.

      My personal preference is to use VPN on a container-by-container basis depending on need.

      2 votes
      1. [5]
        underdog
        Link Parent
        I don't trust my skills to expose a reverse proxy to the public, honestly I don't even know if my ISP permits the opening of required ports, so I ended up using Twingate. While it works fine, I am most unhappy with having a closed box running inside my private network.

        Your Zerotier setup sounds promising, and it seems akin to what Twingate offers. If I've grasped it correctly, Zerotier acts as a gateway into your private network. You have Zerotier functioning within your network and connect to it using what I presume to be a VPN client on your external devices. Subsequently, you can channel your traffic through Zerotier and out of your home router.

        Currently, my server maintains a consistent connection to a VPN via WireGuard. Would Zerotier allow me to route all outbound traffic from my server through the eth0 interface (which is on the VPN) while still allowing remote access to the server?

        1 vote
        1. [4]
          vord
          (edited)
          Link Parent
          Zerotier functions as a virtual network device. So you can treat it like any other ethernet or wireless card.

          You install on your devices, connect them together. At this most basic configuration, you can talk to them directly via their private Zerotier IPs. This is great for just "I need X device to talk to Y device no matter where I am". Super simple to set up overall.

          The routing via Zerotier, letting Zerotier be a VPN is a bit more involved. My home router's internal Zerotier IP is 10.147.19.1. There's a setting in Zerotier to route through that. Then I had to do a bunch of configuration on my router that started here. So that enabled me to let any device I have connected to my Zerotier network route through my home router.

          So, in theory, you should be able to do that same thing having Zerotier route out through a WireGuard connection instead of what I do, which is routing out the regular WAN/WAN6.

          Some of the really fun stuff because Zerotier is on my router: I just add custom DNS entries on my router, and my router can also route regular traffic from my network into my Zerotier network. So my wife's laptop doesn't have Zerotier installed, but she can access the Zerotier-only services while connected to our LAN. My ingress routes traffic via Zerotier, so the actual network my services run on is irrelevant, which is super convenient for stuff I want highly available, like my password manager.

          1 vote
          1. [2]
            dblohm7
            Link Parent
            (Tailscalar here)

            I normally don't jump into discussions like this, but since this post is a Tailscale-themed post, I will point out that Tailscale does all of the above things too. :-)

            2 votes
            1. vord
              Link Parent
              FWIW there's no shade against Tailscale. I think the comparison blog is a fair one. I'd love to see a more advanced and newer head to head (as a lot of features like SSO are now possible).

              I've just been using Zerotier since before Tailscale existed :), so I'm not gonna change on a whim. I also like that I have the option of self-hosting the centralized bit as well, but I've not tried taking that plunge yet.

              1 vote
          2. underdog
            Link Parent
            Thank you for the insightful explanation! If Twingate doesn't meet my expectations, I'm considering giving Zerotier a shot. Both Zerotier and Twingate seem viable for my needs, and possibly even Tail/Headscale based on the subsequent comment. Now, it seems the decision boils down to which provider I'm more comfortable entrusting my data to.

            1 vote
  2. [2]
    skybrian
    Link
    From the blog post:

    When you use Tailscale with a Mullvad exit node [...] [y]our node registers its existing Tailscale-generated WireGuard key pair with Mullvad’s infrastructure. Any traffic coming over the internet is terminated at Mullvad’s network edge, and end-to-end encrypted all the way to your device. Basically, you get to bring Mullvad’s entire fleet of servers into your tailnet.

    This lets you use both at once. Mullvad's blog post explains what you'd use it for more simply and the Tailscale blog is more detailed.

    I don't use either one yet. This is technically pretty cool and it's improving. I'm a fan. But I guess it's still an edge case for me. I can imagine wanting to connect computers in different locations, and maybe someday I'll want to hide my IP address from websites, or which websites I connect to from ISPs. But for now, I just use one device at a time, sync through cloud services, and https encryption seems good enough? I'm logging in anyway.

    For someone worried about law enforcement access with warrants, this is probably not good enough and Mullvad alone would be better, since they're known for having numbered accounts paid for with cash and Tailscale doesn't do that.

    But it's probably good enough for many people, since finding you would require getting account information from both Mullvad and Tailscale.

    2 votes
    1. dblohm7
      Link Parent
      (Tailscalar here)

      Agree with you 100%. We built this because we were receiving a lot of requests for such an integration, but we're also fully aware that this isn't for everybody.

      1 vote