VPN + end-to-end

Hi colleagues,

Recently I’ve been learning how to access my home network from the Internet and a lot of posts recommended Wireguard or Tailscale/Cloudflare tunnels for that.

Indeed, I went with the WireGuard option because it seemed easier, and I configured my router with DDNS + port forwarding to an easy-wg Docker container, and it's working just fine.

However, I really like the end-to-end tunnels approach as they narrow the attack surface and don't need port forwarding or DDNS. But I'm afraid of losing a key piece of functionality that I got with the WireGuard setup, which is that my non-static devices (laptop/phone/tablet) can route all their traffic through the home network when I'm outside, leveraging the WireGuard VPN. From my understanding, which may be wrong, by using the tunnels I will specifically only gain access to those devices at the end. Is that correct? Am I losing a key functionality that allows for this "route all traffic"?

As a side question, I’ve seen that Tailscale can also be self-hosted but I would love to know your opinions/alternatives if any.

Thanks!

Anything you do with Wireguard you can do with those overlay VPNs. If you want all the traffic from your phone to go to a device in your home and from there to the internet, in your phone app you will select that device in your home as the Exit Node!
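On the WireGuard side, the "route all traffic through home" behaviour the question asks about is nothing more than what goes into the client's AllowedIPs; the exit-node setting mentioned above is the Tailscale equivalent. The script below is an added example, not configuration posted in this thread: it builds a WireGuard client config for a roaming device in either full-tunnel or split-tunnel mode and includes a small check that classifies an existing config, so you can confirm what a phone or laptop actually does. All addresses, the DDNS hostname and the key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed placeholders only; replace
# with your own values. The key strings are NOT real WireGuard keys.
HOME_LAN_CIDR="192.168.1.0/24"      # the home LAN behind the WireGuard server
WG_SUBNET_CIDR="10.8.0.0/24"        # the tunnel subnet
CLIENT_WG_ADDR="10.8.0.2/24"        # this device's tunnel address
HOME_DNS="192.168.1.1"              # resolver on the home LAN
ENDPOINT="home.example-ddns.invalid:51820"   # DDNS name + forwarded UDP port
CLIENT_PRIVKEY="CLIENT_PRIVATE_KEY_PLACEHOLDER"
SERVER_PUBKEY="SERVER_PUBLIC_KEY_PLACEHOLDER"

# wg_allowed_ips MODE [LAN_CIDR] -> prints the AllowedIPs value for MODE.
#   full  : every destination (v4 and v6) goes into the tunnel, so the device
#           egresses to the Internet via the home connection.
#   split : only the home LAN and the tunnel subnet go through the tunnel;
#           everything else leaves via the local uplink directly.
wg_allowed_ips() {
  case "$1" in
    full)  printf '%s' "0.0.0.0/0, ::/0" ;;
    split) printf '%s' "${2:-$HOME_LAN_CIDR}, $WG_SUBNET_CIDR" ;;
    *)     echo "wg_allowed_ips: mode must be full or split" >&2; return 1 ;;
  esac
}

# wg_client_conf MODE -> prints a complete [Interface]/[Peer] client config.
wg_client_conf() {
  allowed="$(wg_allowed_ips "$1")" || return 1
  cat <<EOF
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = $CLIENT_WG_ADDR
# A full-tunnel client should also resolve DNS through the tunnel; otherwise
# name lookups still go to the local network even though all other traffic
# is tunnelled.
DNS = $HOME_DNS

[Peer]
PublicKey = $SERVER_PUBKEY
Endpoint = $ENDPOINT
AllowedIPs = $allowed
# Keeps the NAT mapping open so the home side can reach a roaming client.
PersistentKeepalive = 25
EOF
}

# wg_tunnel_mode FILE -> prints "full" or "split" for an existing client
# config by reading its AllowedIPs line(s); fails if none is present.
wg_tunnel_mode() {
  allowed="$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1")"
  if [ -z "$allowed" ]; then
    echo "wg_tunnel_mode: no AllowedIPs found in $1" >&2
    return 1
  fi
  case "$allowed" in
    *0.0.0.0/0*) echo full ;;
    *)           echo split ;;
  esac
}

# Usage: sh wg-client.sh full|split   (defaults to split; prints the config)
wg_client_conf "${1:-split}"
```

The only line that differs between the two modes is AllowedIPs, which is why the phone-app "route everything" toggle and the split-tunnel setup are the same WireGuard feature. The DNS line matters for the full-tunnel case: without it the device still tunnels all packets but resolves names locally.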

Tailscale can be as permissive or not permissive as you please. You can have a Tailscale-enabled device route to your entire network, same as any other VPN.

Also note that you can host Headscale yourself, but Tailscale by its design cannot see traffic you send when using the cloud service.

The attack surface is nearly the same with WireGuard or any other solution. WireGuard works on UDP, which means no port scanner can see the port is available unless the software replies, and WireGuard only replies to valid WireGuard packages that use the right key.

And DDNS is basically irrelevant because most attackers attack all IPv4 addresses on the internet and try to find holes in firewalls. So you are under constant attack anyways.

If you mean cloudflare tunnels you can have full functionality.

I actually did this since I am in a situation where I'm going to be suddenly away from the lab a lot. My main server also does my dirty work, so it is already on a VPN. And it's not a situation where I can easily split or run multiple tunnels. I have a Pi to help direct traffic.

So I set up a CF Tunnel on the Pi. Set up authentication. Settled on a GitHub org with just my partner and me, requiring 2FA. Moved a lot of the reverse proxies over since I might as well. I also enabled WARP as auto authentication.

I also configured a private network for the tunnel with my LAN's IP range.

I set up WARP on my phone, logged into my CF team, and can access anything on my LAN the same as I would from home. If I set up WARP on my laptop I have the same access there.

The price is that CF has access to my data. What they do with it is a mystery. Publicly they claim they do nothing and point to standards they adhere to. I highly doubt the answer is nothing though. It's definitely a trade-off.

When I have resources to maintain similar security and access without them, I will be doing so.

Ah, I see… Makes sense indeed. I will try it out. Thanks!

Alright mate, thanks!!

Given your comment, I guess you recommend using the Tailscale cloud and not bothering with Headscale, right? Can you share a link for me to read about the privacy by design?

Tailscale is peer to peer, unless it has to use a relay. Peer to peer means no server to intercept the data. If it uses a relay, it tunnels wireguard over HTTPS, so the relay can’t view the traffic.

Tailscale will also collect netflow logs if enabled (think traffic metadata), but that’s considered a premium feature and not enabled by default.