How do you remotely access your homelab without spilling the IP/port, while VPNing out elsewhere?

I'm hoping some of you Low-End Smarties can help me out here.

When you're away from home on a Windows machine that has one wifi chip or ethernet port connected to public internet, but want to simultaneously:
1. SSH/SFTP in to your homelab to access files
2. Not directly connect to (leak) your home IP/port
3. Have your other external traffic route through a commercial VPN service (Proton, PIA, or any of the others) because you're on public wifi

How do you do this? Can you even do this?

For #1, I have read about people achieving this through a reverse proxy, Zerotier, Tailscale, or having a regular old VPN server of some flavor set up on a home server. I have the impression that Zerotier and Tailscale might be more secure (or easier to use?) options than a home OpenVPN/WG server.

For #2, if I understand correctly, a reverse proxy would obscure your home IP/port, though a home OpenVPN or WG server would not. I don't know whether Zerotier or Tailscale would leak or obscure that information.

For #3, I know split tunneling exists and that some third-party Windows VPN apps support it, but I was under the impression that if you only have one wifi chip or ethernet port, you can only connect to one VPN at a time. But, I think I would need two concurrent, non-overlapping VPN (or similar) connections: one for securely accessing my homelab and a second for accessing the rest of the internet, checking emails, and all the other stuff.

TIA <3

«1

Comments

  • I use netbird.io to create a wireguard tunnel mesh across all my system behind NAT at home, and work.

    Thanked by (1)user123
  • edited December 15

    Tailscale is what you are looking for
    it also includes mullvad integration out of the box https://tailscale.com/mullvad

    here are docs on how it handles connectivity https://tailscale.com/blog/how-nat-traversal-works
    you can also self-host it https://github.com/juanfont/headscale

    Thanked by (1)user123
  • I guess after connecting a VPN, you can use SSH Reverse Tunnel to connect to the specified server.

    Thanked by (1)yoursunny

    Have the honor of being the crybaby who pays $20 for a 128MB VPS at VirMach in 2023.

  • So far, Tailscale seems like it might make the most sense and it might be possible to use VPNs other than Mullvad, though it would be tricky. https://tailscale.com/kb/1105/other-vpns

    Sort of related, but is there any easy way to set up a reverse proxy for SSH/SFTP without understanding Docker? Currently, I'm running an OpenVPN server on a Synology NAS with (gasp) an open port for it. Definitely not ideal, but maybe I could go a reverse proxy route as a baby step? I'm pretty scared of locking myself out of my NAS and don't understand Docker.

  • Btw, thanks for the suggestions so far :)

  • What's the deal with all those tailscale recommendations? Are we living in the age where no one is able to setup simple Wireguard? FFS there is NYR script for that.

  • rent vps and do ssh jumphost from it ?
    add protection to the homelab to only accept ssh connection from the vps

  • @kassle said:
    rent vps and do ssh jumphost from it ?
    add protection to the homelab to only accept ssh connection from the vps

    TBH, I don't know anything about securing a jumphost, and I'd be SOL if it went offline or the IP changed xD. I also won't always need to use the proxy and would not want to restrict myself to using it, since there is another network I could connect to it from directly.

  • Is it possible to access tailscale control panel without having any account with apple, ms, github, google? Tailscale doesn't have its own idp and I would prefer not to use any of these.

    Can it be achieved with headscale maybe? So to host it on a local network behind CGNAT and access from the outside?

    Thanked by (1)user123
  • You can use Tor to expose SSH but latency and throughput are not great, and you need Tor on your remote device.

  • JabJab Senpai

    @hyperton said: Is it possible to access tailscale control panel without having any account with apple, ms, github, google? Tailscale doesn't have its own idp and I would prefer not to use any of these.

    Thanked by (1)yoursunny

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • @Jab yeah I saw that, but if I'm not wrong it requires a domain which I currently don't have. I'm not sure do I need to sign up anyway or it's possible to access tailscale servers from headscale directly somehow?

    Thanked by (1)user123
  • havochavoc OGContent Writer
    edited December 15

    If you're just connecting to it via a secure method - wireguard/ssh etc - then there is no real need to worry about "leaking" your IP. Pretty just anything and everything you do on the internet "leaks" your IP.

    ...it's only a consideration if you're trying to host something from home like a website or so. In which case cloudflare tunnel or tailscale is what most do.

    Assuming you've got a fixed IP I'd just do straight wireguard.

    Thanked by (2)yoursunny user123
  • @havoc said:
    If you're just connecting to it via a secure method - wireguard/ssh etc - then there is no real need to worry about "leaking" your IP. Pretty just anything and everything you do on the internet "leaks" your IP.

    ...it's only a consideration if you're trying to host something from home like a website or so. In which case cloudflare tunnel or tailscale is what most do.

    Assuming you've got a fixed IP I'd just do straight wireguard.

    I'm not hosting any public-facing website, but I worry about revealing my IP & port because I rely on security through obscurity. The external IP is not guaranteed static, but seems largely fixed. I worry that if I connect from a compromised network, I may open myself up to attempts to exploited or bruteforced access.

    Currently, there are no failed logins showing up in my logs. My setup is that I have the (non-standard) port to my OpenVPN forwarded though the router, and the SSH server port only accepts connections from internal IPs from my LAN and OpenVPN ranges.

    How would I actually use Wireguard to access my home network and concurrently use a third-party VPN for other connections? I remember reading that it is more efficient than OpenVPN and can handle more bandwidth when the CPU isn't powerful.

    I have a symmetrical gigabit line, so I would like to simply mount my local Synology shared folder as a drive over SFTP or SMB (or rclone mount?). If one of these would be better for this kind of remote use and with less latency, please tell me. I would expect the remote network I'm on to be robust, as well, and support comparable speeds, though I will not always be geographically close to my home network.

    On one computer, I have it set up on SMB as a Windows network share and it automatically mounts when I am connected to my home OpenVPN server. But, I can't connect to a third-party VPN while that is active, nor can I connect to a third-party VPN and then connect to my home OpenVPN server while it is active. Alternately, I could mount the SFTP server using third-party software (maybe rclone mount would be better, though I don't know what settings to use), but I can still only connect to one VPN at a time.

  • @hyperton said:
    @Jab yeah I saw that, but if I'm not wrong it requires a domain which I currently don't have. I'm not sure do I need to sign up anyway or it's possible to access tailscale servers from headscale directly somehow?

    I'm wondering about the same thing. I'd also rather not sign up for yet another account (Tailscale), but it could be an option if I need to.

    Thanked by (1)hyperton
  • Create a VPN that connects everything. Then ssh/rdp/vnc through VPN

    Thanked by (1)yoursunny
  • AuroraZeroAuroraZero ModeratorHosting Provider

    I am old school and use Openvpn to route all traffic

    Thanked by (1)user123

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • Nebula + wireguard

    Thanked by (1)skorous
  • skorousskorous OGSenpai

    @user123 said: I'm not hosting any public-facing website, but I worry about revealing my IP & port because I rely on security through obscurity.

    Don't do that.

    @remy said:
    Nebula + wireguard

    You use both?

  • PC(Wireguard Client) - Wireguard(Server) - Home Lab (Wireguard Client)

    I can connect to Home Lab using private IP through VPN.

  • @skorous said:

    @user123 said: I'm not hosting any public-facing website, but I worry about revealing my IP & port because I rely on security through obscurity.

    Don't do that.

    I'm trying. That's why I made this thread. xD

    @arirang said:
    PC(Wireguard Client) - Wireguard(Server) - Home Lab (Wireguard Client)

    I can connect to Home Lab using private IP through VPN.

    With that setup, how do you use a second VPN for the non-homelab connections you want tunneled elsewhere?

  • edited December 16

    @user123 said:
    With that setup, how do you use a second VPN for the non-homelab connections you want tunneled elsewhere?

    I don't exaxtly get a second VPN.

    1. You make a connection to a vpn server.
    2. The VPN server routes a home-lab private ip to Home Lab and the other (0.0.0.0/0) except the private ip to Public internet.

    If I need a tunnel from VPN to a non-homelab thing, I usually install a wireguard client on the non-homelab like the homelab. If it is temporary, using ssh tunneling.

    Example)

    PC (10.10.0.2)
    |
    Wireguard(10.10.0.1)
    l- HomeLab (10.10.0.3)
    l- DB server (10.10.0.4)
    l-(ssh tunneling) Something
    l- Public Internet (0.0.0.0)

    Thanked by (1)user123
  • I don't run anything important at home.

    My pronouns are like/subscribe.

  • edited December 16

    Redacted. Sorry for confusing

  • @arirang said:

    @user123 said:
    With that setup, how do you use a second VPN for the non-homelab connections you want tunneled elsewhere?

    I don't exaxtly get a second VPN.

    1. You make a connection to a vpn server.
    2. The VPN server routes a home-lab private ip to Home Lab and the other (0.0.0.0/0) except the private ip to Public internet.

    If I need a tunnel from VPN to a non-homelab thing, I usually install a wireguard client on the non-homelab like the homelab. If it is temporary, using ssh tunneling.

    Example)

    PC (10.10.0.2)
    |
    Wireguard(10.10.0.1)
    l- HomeLab (10.10.0.3)
    l- DB server (10.10.0.4)
    l-(ssh tunneling) Something
    l- Public Internet (0.0.0.0)

    Thanks for explaining. It looks like this wouldn't work for my use case.

  • ikev2+ipsec VPN on VPS + knockd on homeserver to open ssh port on firewall + script to close ssh port on firewall on ssh login + some kind of notification (e,g self-hosted ntfy) on ssh login.

    This way even if attacker gets on your vpn all he will "see" is a machine with every single port closed.
    Also you can put a button on ntfy notification to kill off vpn (port knock on vps) in case of weird ssh login.

    Thanked by (1)user123
  • NeoonNeoon OGSenpai
    edited December 16

    You can just put wireguard on a VPS, connect your router or your raspberry pi/ windows machine as a client.
    Any IP changes regarding your ISP are not longer a problem too.

    Neither is your windows machine directly exposed or your IP, since the traffic flows through your own vps.
    You can even make it redundant, I use wg-mesh for that.

    My PI has a bunch of direct links, even if a single VPS dies, I still have connectivity.
    If IPv6 dies or IPv4 dies, I still have connectivity too.

    Thanked by (2)user123 Wonder_Woman
  • @Neoon said:
    You can just put wireguard on a VPS, connect your router or your raspberry pi/ windows machine as a client.
    Any IP changes regarding your ISP are not longer a problem too.

    Neither is your windows machine directly exposed or your IP, since the traffic flows through your own vps.
    You can even make it redundant, I use wg-mesh for that.

    My PI has a bunch of direct links, even if a single VPS dies, I still have connectivity.
    If IPv6 dies or IPv4 dies, I still have connectivity too.

    This sounds very interesting and I like the option for redundancy. It sounds like the wg-mesh setup would let me mount the homelab files via SFTP or SMB the same as I have been doing, except that the data would be tunneled through a VPS instead of an OpenVPN server on my homelab.

    But I keep coming back to the question of how to have two VPN-type connections active simultaneously on Windows. How would I then maintain that connection while having my computer use a third party VPN service to handle other outgoing connections (Tailscale calls these exit nodes)?

  • NeoonNeoon OGSenpai

    @user123 said:

    @Neoon said:
    You can just put wireguard on a VPS, connect your router or your raspberry pi/ windows machine as a client.
    Any IP changes regarding your ISP are not longer a problem too.

    Neither is your windows machine directly exposed or your IP, since the traffic flows through your own vps.
    You can even make it redundant, I use wg-mesh for that.

    My PI has a bunch of direct links, even if a single VPS dies, I still have connectivity.
    If IPv6 dies or IPv4 dies, I still have connectivity too.

    This sounds very interesting and I like the option for redundancy. It sounds like the wg-mesh setup would let me mount the homelab files via SFTP or SMB the same as I have been doing, except that the data would be tunneled through a VPS instead of an OpenVPN server on my homelab.

    But I keep coming back to the question of how to have two VPN-type connections active simultaneously on Windows. How would I then maintain that connection while having my computer use a third party VPN service to handle other outgoing connections (Tailscale calls these exit nodes)?

    Right now, its optimized for game traffic, aka it changes routes as low as 10s, which OSPF does well, but long lived TCP connections take the short straw.
    However, its an easy fix to let a user disable the optimization, so it sets the cost for OSPF only on startup.

    Well the routing daemon does that for you, you got like x links and it chooses the best one, based on latency.
    You could adopt the code, so it would choose the one with the biggest pipe and run iperf tests, in theory.

    Sub System for Linux maybe... otherwise a RaspberryPi as router and connect your windows machine via a single wg tunnel.

    Thanked by (1)user123
  • @Neoon said:

    @user123 said:

    @Neoon said:
    You can just put wireguard on a VPS, connect your router or your raspberry pi/ windows machine as a client.
    Any IP changes regarding your ISP are not longer a problem too.

    Neither is your windows machine directly exposed or your IP, since the traffic flows through your own vps.
    You can even make it redundant, I use wg-mesh for that.

    My PI has a bunch of direct links, even if a single VPS dies, I still have connectivity.
    If IPv6 dies or IPv4 dies, I still have connectivity too.

    This sounds very interesting and I like the option for redundancy. It sounds like the wg-mesh setup would let me mount the homelab files via SFTP or SMB the same as I have been doing, except that the data would be tunneled through a VPS instead of an OpenVPN server on my homelab.

    But I keep coming back to the question of how to have two VPN-type connections active simultaneously on Windows. How would I then maintain that connection while having my computer use a third party VPN service to handle other outgoing connections (Tailscale calls these exit nodes)?

    Right now, its optimized for game traffic, aka it changes routes as low as 10s, which OSPF does well, but long lived TCP connections take the short straw.
    However, its an easy fix to let a user disable the optimization, so it sets the cost for OSPF only on startup.

    Well the routing daemon does that for you, you got like x links and it chooses the best one, based on latency.
    You could adopt the code, so it would choose the one with the biggest pipe and run iperf tests, in theory.

    Sub System for Linux maybe... otherwise a RaspberryPi as router and connect your windows machine via a single wg tunnel.

    I might be misunderstanding. I can see how it can help with routing everything through the homelab, but I'm not seeing how I could adapt this to achieve requirement #3.

Sign In or Register to comment.