Recommendations for self hosted home VPN?

I have never done anything similar. I’m looking for a VPN to access local Home Assistant and Frigate NVR.

I saw people recommending:
OpenVPN
Wireguard
PiVPN

But what are pros/cons of each and which is the best overall?

I run everything on a Linux machine within Docker containers, and have a SIM router for WAN internet and a second router for Wi-Fi.

Wireguard. Definitely.

I use OpenVPN and quite like it. But I started using it many years ago, before Wireguard existed. If I were starting anew, I’d probably use Wireguard.

However, either one should suit you fine. I’d pick the one you find easiest to configure. I believe there’s good support for both of them on all the OSes you’re likely to care about (Linux/Windows/Mac/Android/iOS).

WireGuard

Pro: fast, easy to set up, mostly just works.

Con: Requires operation over UDP. This can be an issue on some public WiFi hotspots that block all/most UDP traffic. A quick workaround can be to set it up on a UDP port that they aren’t likely to block (like DNS 53 or NTP) but your mileage may vary.
Another common problem with the WireGuard app is that it’s not good at telling you that it is not successfully connected. It says that it’s active, which is half-true, but if the connection is blocked, it doesn’t warn you about it in any way.

Tailscale

Pro:
Operates over SSL TCP 443, so you won’t have the above issue. And in most other ways it behaves about as well as WireGuard since that’s what it operates on top of.

Cons:
Unless you’re using your own Headscale coordination server, you’re technically passing your traffic through a company’s servers.

OpenVPN

Pro:
Super mature product, has a lot of knowledge base. Can operate on any port and protocol you want.

Con:
Performance isn’t really anywhere near the capability of WireGuard. Also, the other options above offer an on-demand feature where you can specify which networks you want them to automatically connect on and not. OpenVPN’s version of that isn’t as complete.

RRAS

Pro:
If you like to host things on Windows, this is a good middle ground to the other options. It’s about as performant as WireGuard, but with the maturity of OpenVPN. It also operates over SSL TCP 443, so pretty safe bet when connecting on public WiFi hotspots. Furthermore, it can seamlessly allow multiple protocols (SSTP, L2TP, and IKEv2).

Con:
Has to run on Windows, which is a bit resource intensive.

OpenConnect

Pro:
Another SSL TCP 443 option. Not technically as mature as the other products, but technically operates as an open source version of Cisco’s AnyConnect. The added benefit of this is that you can use Cisco’s apps to connect to your own OpenConnect servers.

Con:
Missing a decent amount of features compared to the other options, and pretty middle of the road when it comes to performance. Also, if you rely on using Cisco’s apps, prepare for the day that Cisco breaks that.

My opinion: Go with WireGuard, and have it run on UDP 443 (but make sure it works on the public WiFi hotspots you typically use).
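The "says active but is not connected" problem described in the post above can be detected on a Linux peer from the output of `wg show <interface> latest-handshakes`. This is an added example, not part of the original thread; the 180-second threshold (which assumes `PersistentKeepalive` is set, so an idle tunnel still re-handshakes), the interface name passed in, and the sample peer keys are assumptions.

```shell
#!/bin/sh
# Added example: flag WireGuard peers whose tunnel is up but has no recent handshake.
# Input format is that of `wg show <interface> latest-handshakes`:
#   <peer public key><TAB><unix time of last handshake, 0 if never>

# stale_peers NOW MAX_AGE
# Reads handshake lines on stdin and prints "<key> <reason>" for every peer
# that never completed a handshake or whose last one is older than MAX_AGE seconds.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF < 2           { next }                      # skip blank or malformed lines
        $2 == 0          { print $1, "never"; next }   # handshake never completed
        (now - $2) > max { print $1, "stale:" (now - $2) "s" }
    '
}

# check_tunnel IFACE [MAX_AGE]
# Returns 0 if every peer is fresh, 1 if any peer is stale,
# 2 if the interface cannot be queried or has no peers.
check_tunnel() {
    iface=$1
    max=${2:-180}    # assumed threshold, see lead-in
    raw=$(wg show "$iface" latest-handshakes 2>/dev/null) || return 2
    [ -n "$raw" ] || return 2
    bad=$(printf '%s\n' "$raw" | stale_peers "$(date +%s)" "$max")
    [ -z "$bad" ] && return 0
    printf 'no recent handshake: %s\n' "$bad" >&2
    return 1
}

# Constructed sample data (not real keys): one fresh peer, one stale, one never seen.
sample_handshakes() {
    printf 'PEERKEYAAAA=\t1700000000\n'
    printf 'PEERKEYBBBB=\t1699999000\n'
    printf 'PEERKEYCCCC=\t0\n'
}

# Demonstration against the constructed sample with a fixed "now".
sample_handshakes | stale_peers 1700000060 180
```

Run `check_tunnel` from cron or a systemd timer on the client to get an alert when a hotspot is silently dropping the UDP traffic.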

OpenVPN running on my pfSense router. Just works. Works well with my Pixel 9, my iPad, my Yoga Windows 10 laptop.

I did try WireGuard some time ago, but getting the client running on my Pixel 5 at the time was inscrutable, so I chose OpenVPN and haven’t regretted it. Sometime in the future I might once again give WireGuard a try.

I don’t care for Tailscale as they hold your keys. Same for Cloudflare. I prefer end-to-end encryption that only I have the keys for. OpenVPN and WireGuard will do this.

Tailscale

Super easy to set up and they have apps for just about anything

Wireguard via wg-easy and would suggest a reverse proxy for easier port management

I’m personally a fan of Nebula VPN, super underrated imo.

I use PiVPN, totally easy to set up. It’s based on OpenVPN. It also works with any OpenVPN client.

Wireguard, simple, secure, heavily audited and, best of all, highest performing by a wide margin. If you don’t need something like FIPS, don’t look any further.

Go with WireGuard if the people using it are technically knowledgeable about how to use it.

Else, go with Tailscale for ease of use, especially if you want other people to use it who don’t want to deal with the technical jargon of exchanging certs with each other.

I’ll probably get lynched but have you looked at Firewalla? Their VPN is super simple and easy.

I am running the WireGuard VPN in my virtual machine for OPNsense. It’s not the most simple interface, but I rest assured knowing that if my Internet is working, my VPN is working; I don’t need to rely on any other program running on machines internal to the network.

Won’t be free, but you could get a Ubiquiti gateway router as your edge machine. It’s got VPN functionality built in.

If you have a public IP, an OpenVPN server is easy and simple to run. If you don’t, I have been highly satisfied with running a Tailscale exit node on a DietPi VM and routing the private subnet with it (i.e. 192.168.1.1) so that remote traffic goes through my LAN when I’m away. Like others have said, WireGuard is great but a little more complex. Tailscale uses it at its core.

Tailscale for ease of use.

Definitely Tailscale.

I’m using my router’s VPN so I never get locked out of my server. (UniFi Cloud Gateway Ultra)

Tailscale. I only configured it once and forgot it; it just works.