I want a solution to access my local Jellyfin, Sonarr, … remotely when I’m not at home.
NordVPN Meshnet sounded like a good candidate since I pay for NordVPN already. But when I enabled Meshnet it ended up exposing every used port on my device to the internet through one of their IPs.
Ex: host service “192.168.0.x:8080” is directly accessible from “user-device.nord:8080” or x.x.x.x:8080 (some IP owned by NordVPN).
I don’t want all the ports on my host to be exposed like that, so this is clearly not the right choice for me. This feature is supposed to only route traffic from device A through device B, with additional filtering to allow access to the local subnet etc.
I want only one thing: access to my LAN when not on my LAN.
Currently I was thinking of self-hosting a WireGuard server using a Docker container and then forwarding a port on my router to this service. (I still have to do some more research on how to secure this properly.)
Any pointers, tutorials, or other info will be greatly appreciated!
I have WireGuard on my modem/router and it works great. I have automations on my phone set up so that whenever I’m not on my home WiFi, WireGuard is on, tunneling only LAN traffic to my home network and the rest through normal means. I have a few apps excluded (an Android-only feature), which helps with compatibility for certain apps (e.g. Android Auto).
I never have to think about it except when I get a new device.
As someone else said, wg-easy (or even just wg itself if you don’t mind the extra setup steps) is a pretty common and simple setup. If you’re only forwarding the port for wg to the wg server/container/port, then there really isn’t anything else to do for security.
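The two posts above describe the same setup from two sides: a WireGuard server at home with only its UDP port forwarded on the router, and a phone client that tunnels only LAN traffic. The script below is an added example (not code from the thread, wg-easy, or WireGuard) that generates both configs. The LAN subnet 192.168.0.0/24, tunnel subnet 10.8.0.0/24, port 51820, interface name eth0, endpoint home.example.com and the key placeholders are all assumptions; replace them with your own values and real keys.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a WireGuard server
# config that lets tunnel traffic reach only the home LAN, and a client config
# that split-tunnels only LAN destinations through the VPN.
# All addresses, interface names, the endpoint and the key placeholders are
# assumptions for illustration.

LAN_CIDR="192.168.0.0/24"      # home LAN the client should reach
TUN_CIDR="10.8.0.0/24"         # in-tunnel addresses
SERVER_TUN_IP="10.8.0.1"
CLIENT_TUN_IP="10.8.0.2"
WG_PORT="51820"                # the ONLY port forwarded on the router (UDP)
WAN_IF="eth0"                  # server's LAN-facing interface
ENDPOINT="home.example.com:${WG_PORT}"

# Placeholders; generate real keys with: wg genkey | tee priv | wg pubkey > pub
SERVER_PRIV="<server-private-key>"
SERVER_PUB="<server-public-key>"
CLIENT_PRIV="<client-private-key>"
CLIENT_PUB="<client-public-key>"

gen_server_conf() {
  cat <<EOF
[Interface]
Address = ${SERVER_TUN_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${SERVER_PRIV}
# Only let tunnel traffic be forwarded to the LAN; drop anything else that
# tries to transit the server, so it is not an open relay to the internet.
# MASQUERADE makes LAN hosts see the server's address, so they need no route
# back to ${TUN_CIDR}.
PostUp = iptables -A FORWARD -i %i -d ${LAN_CIDR} -j ACCEPT; iptables -A FORWARD -i %i -j DROP; iptables -t nat -A POSTROUTING -s ${TUN_CIDR} -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d ${LAN_CIDR} -j ACCEPT; iptables -D FORWARD -i %i -j DROP; iptables -t nat -D POSTROUTING -s ${TUN_CIDR} -o ${WAN_IF} -j MASQUERADE

[Peer]
# Server-side AllowedIPs is a /32: this peer may only source packets from its
# own tunnel address, so it cannot impersonate another peer.
PublicKey = ${CLIENT_PUB}
AllowedIPs = ${CLIENT_TUN_IP}/32
EOF
}

gen_client_conf() {
  cat <<EOF
[Interface]
Address = ${CLIENT_TUN_IP}/32
PrivateKey = ${CLIENT_PRIV}

[Peer]
PublicKey = ${SERVER_PUB}
Endpoint = ${ENDPOINT}
# Split tunnel: only the home LAN and the server's tunnel address are routed
# through WireGuard; everything else uses the phone's normal connection.
# A full tunnel would use "AllowedIPs = 0.0.0.0/0, ::/0" instead.
AllowedIPs = ${LAN_CIDR}, ${SERVER_TUN_IP}/32
# Keep the UDP mapping alive through the home router's NAT.
PersistentKeepalive = 25
EOF
}

# Usage: sh wg-gen.sh   (then split the output into the two wg0.conf files)
gen_server_conf
echo "---- client ----"
gen_client_conf
```

On the router, forward only UDP 51820 to the server; nothing else needs to be reachable from the internet, since every LAN service is accessed through the tunnel.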
NordVPN Meshnet does not expose ports to the internet. Meshnet is based on the same technology as other applications that create Virtual Networks, which, in our case, means WireGuard tunnels. This technology creates a safe and encrypted tunnel between two or more devices.
Another limitation is the Nord names Meshnet uses as domain names. The DNS records are only used within Meshnet, which means that Nord names do not exist outside of it.
In order to create virtual networks, which are guaranteed to be inaccessible over the wider internet, the NordVPN Meshnet implementation uses a non-routable IP address range (100.64.0.0/10, see RFC 6598 for more details) for its in-tunnel address assignment needs. The WireGuard tunnels themselves are encrypted and authenticated, and such tunnels are automatically established amongst the devices that have enabled Meshnet and authenticated to the same Nord Account. In order to establish a tunnel between devices belonging to different Nord Accounts, an invitation must be sent by the sender and accepted by the recipient. Only then can WireGuard tunnels be established.
What most probably happened, judging by the fact that you already had your NordVPN subscription and used the traffic routing, is that you used a device that was already connected to Meshnet to check if “anyone” can access the Nord name or Nord IP. Given my assumption, that device could access services hosted under those addresses as part of the Meshnet network.
Please, for peace of mind, check it one more time, but make sure you:
Turn off Meshnet on the device you’re testing the connection with
Disconnect from the network the services are hosted on (mobile data would be best here)
Use Private browsing mode (or delete browsing cache)
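A pre-flight check for the three verification steps above, as an added example that is neither the thread's nor NordVPN's code: it classifies the address you are about to probe (inside 100.64.0.0/10, i.e. 100.64.0.0 to 100.127.255.255, means a Meshnet-internal address) and warns if the testing device still holds such an address on any interface, which would make the probe meaningless. The `ip -4 -o addr show` sample output and the interface name nordlynx are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or NordVPN): check whether a target is a
# 100.64.0.0/10 (RFC 6598) address and whether the testing device itself still
# has one, before testing "from outside". Sample interface output is constructed.

# Return 0 if $1 (dotted IPv4) lies in 100.64.0.0/10, i.e. first octet 100 and
# second octet 64..127. Anything malformed returns 1.
in_shared_space() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Print a verdict for the address you intend to probe; return 0 if it is
# Meshnet-internal (a probe from a non-Meshnet device cannot reach it).
classify_target() {
  if in_shared_space "$1"; then
    echo "$1 is in 100.64.0.0/10: Meshnet-internal, not an internet-reachable address"
    return 0
  fi
  echo "$1 is outside 100.64.0.0/10: a probe from an unrelated network is meaningful"
  return 1
}

# Read `ip -4 -o addr show` output on stdin and print every interface that
# holds a 100.64.0.0/10 address; return 0 if any was found (Meshnet still on).
meshnet_ifaces() {
  found=1
  while read -r num ifname fam cidr rest; do
    [ "$fam" = "inet" ] || continue
    ip=${cidr%/*}
    if in_shared_space "$ip"; then
      echo "$ifname"
      found=0
    fi
  done
  return $found
}

# Constructed sample of `ip -4 -o addr show` on a device with Meshnet enabled.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.42/24 brd 192.168.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: nordlynx    inet 100.75.12.3/10 scope global nordlynx\       valid_lft forever preferred_lft forever'

# Usage on a real device: ip -4 -o addr show | meshnet_ifaces
classify_target 100.75.12.3 || true
classify_target 203.0.113.5 || true
if printf '%s\n' "$SAMPLE_IP_ADDR" | meshnet_ifaces; then
  echo "Meshnet is still active on this device; disable it before probing"
fi
```

If the target is a 100.64.0.0/10 address, failing to reach it from mobile data with Meshnet off is the expected result; what would actually indicate exposure is the service answering on the router's public IP, which only the forwarded port should ever do.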
Try Twingate. It’s free and allows you to access only the ports that you specify. You connect to your home network through a Twingate Connector running in a Docker container. Very easy to set up.
Definitely have a VPN back to your house, for so many reasons. Use of LAN services securely and remote management are my main uses. You can always set a VPN to forward your LAN traffic back to Nord if you really wanted to. Ex: iPhone > home network VPN > NordVPN. I can’t vouch for speeds.
Tailscale is a common overlay network and worth looking into.
I use an old FortiGate 30E I got from work. Works like a charm and is pretty easy to set up. With a dedicated firewall you can open any port you like to any device you like and control network flow.
Depending on your modem/router, it could have an OpenVPN “integration”/option. Set that up on your router and then download the config file and import it into an OpenVPN client. Then just connect as needed. All free and works pretty seamlessly. Could also set up an OpenVPN server on Docker or something and do that.
I use the same setup. Except for the automation on the Android side.
I have a dedicated router with an LTE connection for my laptop. Plugging the router into the USB-C port provides power to the router and an Ethernet connection with the internet and access to my home LANs. No setup, just plug in one cable.