How do you remotely access your homelab without spilling the IP/port, while VPNing out elsewhere?

Comments

  • NeoonNeoon OGSenpai

    @user123 said:

    @Neoon said:

    @user123 said:

    @Neoon said:
    You can just put WireGuard on a VPS and connect your router or your Raspberry Pi / Windows machine as a client.
    Any IP changes on your ISP's side are no longer a problem either.

    Neither your Windows machine nor your IP is directly exposed, since the traffic flows through your own VPS.
    You can even make it redundant; I use wg-mesh for that.

    My PI has a bunch of direct links, even if a single VPS dies, I still have connectivity.
    If IPv6 dies or IPv4 dies, I still have connectivity too.

    This sounds very interesting and I like the option for redundancy. It sounds like the wg-mesh setup would let me mount the homelab files via SFTP or SMB the same as I have been doing, except that the data would be tunneled through a VPS instead of an OpenVPN server on my homelab.

    But I keep coming back to the question of how to have two VPN-type connections active simultaneously on Windows. How would I then maintain that connection while having my computer use a third party VPN service to handle other outgoing connections (Tailscale calls these exit nodes)?

    Right now it's optimized for game traffic, i.e. it changes routes as often as every 10s, which OSPF does well, but long-lived TCP connections take the short straw.
    However, it's an easy fix to let a user disable the optimization, so it sets the OSPF cost only on startup.

    Well, the routing daemon does that for you: you have x links and it chooses the best one, based on latency.
    You could adapt the code so it would choose the one with the biggest pipe and run iperf tests, in theory.

    Subsystem for Linux maybe... otherwise a Raspberry Pi as router, and connect your Windows machine via a single WG tunnel.

    I might be misunderstanding. I can see how it can help with routing everything through the homelab, but I'm not seeing how I could adapt this to achieve requirement #3.

    You have a private network that doesn't conflict with that.

    Thanked by (1)user123
  • @Neoon said:
    You have a private network that doesn't conflict with that.

    Do you have any suggestion about how a non-network noob can figure out how to do that on Windows? It's been many, many, many years since I last did any actual network management stuff.

  • NeoonNeoon OGSenpai

    @user123 said:
    Do you have any suggestion about how a non-network noob can figure out how to do that on Windows? It's been many, many, many years since I last did any actual network management stuff.

    You can have multiple WireGuard links active in Windows.
    So you get the WireGuard config file from whatever VPN provider you want to use and modify it.

    E.g. you set which IPs get routed through which link.
    For example, for your private network just use 10.0.0.0/16.
    So you tell WireGuard to route only that traffic through your private link, right.

    For the rest, there was a tool to exclude the 10.0.0.0/16 range:
    https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/

    Thanked by (2)user123 mandala
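The split Neoon describes (private range on the homelab tunnel, the complement of that range on the commercial tunnel) comes down to one calculation plus two checks. The script below is an added example written for this page; it is not code from the thread, from wg-mesh, or from the linked procustodibus calculator. It computes the complement the same way the calculator does (by repeatedly halving the address space around the excluded prefix), renders a .conf per tunnel in the format the official WireGuard client loads, and checks that the two AllowedIPs sets neither overlap nor leave a gap. All keys, interface addresses and endpoints are constructed placeholders; excluding the VPS endpoint /32 from the commercial tunnel is a design choice of this example (it keeps the homelab handshake from being nested inside the provider's tunnel), not something the thread states.

```python
"""Split-tunnel helper for two WireGuard tunnels side by side on Windows:
one to a self-hosted VPS (homelab access), one to a commercial VPN provider
(everything else).  Added example; not code from the thread or from the
procustodibus calculator it links.  Keys, addresses and endpoints below are
constructed placeholders (RFC 5737 documentation ranges)."""
from ipaddress import collapse_addresses, ip_network


def complement(excluded, universe="0.0.0.0/0"):
    """CIDRs that make up `universe` minus every network in `excluded`.

    Same job as the AllowedIPs calculator: the commercial tunnel gets this
    list, the private tunnel gets the excluded prefixes, so no destination
    is claimed by both interfaces.  Works for IPv6 with universe="::/0"."""
    remaining = [ip_network(universe)]
    for ex in (ip_network(e) for e in excluded):
        nxt = []
        for net in remaining:
            if ex.version != net.version:
                nxt.append(net)              # v4 and v6 never interact
            elif net.subnet_of(ex):
                continue                     # swallowed entirely
            elif ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # split around it
            else:
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in sorted(collapse_addresses(remaining))]


def check_split(private_allowed, public_allowed, direct=(), universe="0.0.0.0/0"):
    """Sanity checks to run before activating both tunnels.

    1. No prefix is routed by both tunnels (otherwise Windows picks by
       route metric, not by what you meant).
    2. private + public + `direct` cover all of `universe`, so nothing
       silently falls through to the bare public Wi-Fi.  `direct` lists the
       prefixes you deliberately leave outside both tunnels, e.g. the /32
       of your own VPS so its handshake is not nested inside the provider."""
    a = [ip_network(x) for x in private_allowed]
    b = [ip_network(x) for x in public_allowed]
    for x in a:
        for y in b:
            if x.overlaps(y):
                return False, f"overlap: {x} is routed by both tunnels ({y})"
    merged = list(collapse_addresses(a + b + [ip_network(d) for d in direct]))
    if merged != [ip_network(universe)]:
        return False, "gaps: union is only " + ", ".join(map(str, merged))
    return True, "ok"


def render_conf(private_key, address, peer_pubkey, endpoint, allowed_ips, dns=None):
    """Render one WireGuard .conf file (one tunnel per file on Windows)."""
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"Address = {address}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {peer_pubkey}",
              f"Endpoint = {endpoint}",
              "AllowedIPs = " + ", ".join(allowed_ips),
              "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


# --- constructed scenario ----------------------------------------------------
HOMELAB_NET = "10.0.0.0/16"            # the private range used in the thread
VPS_ENDPOINT = "203.0.113.10"          # placeholder: your own VPS
COMMERCIAL_ENDPOINT = "198.51.100.7"   # placeholder: provider's server

PRIVATE_ALLOWED = [HOMELAB_NET]
# Commercial tunnel: everything except the homelab range and the VPS /32.
PUBLIC_ALLOWED = complement([HOMELAB_NET, VPS_ENDPOINT + "/32"])

if __name__ == "__main__":
    ok, why = check_split(PRIVATE_ALLOWED, PUBLIC_ALLOWED, direct=[VPS_ENDPOINT + "/32"])
    print("split check:", why)
    print(render_conf("<homelab-private-key>", "10.0.200.2/32", "<vps-public-key>",
                      f"{VPS_ENDPOINT}:51820", PRIVATE_ALLOWED))
    print(render_conf("<provider-private-key>", "10.64.3.7/32", "<provider-public-key>",
                      f"{COMMERCIAL_ENDPOINT}:51820", PUBLIC_ALLOWED, dns="10.64.0.1"))
```

The check is the part worth keeping around: if the provider's config assigns you an interface address or pushes DNS inside 10.0.0.0/16, `check_split` will not catch that (it only compares AllowedIPs), so pick a homelab range the provider does not use, which is the "private network that doesn't conflict" point made earlier in the thread. Drop the VPS /32 from the exclusion list if you would rather have the homelab handshake itself ride inside the commercial tunnel; the check then passes with an empty `direct`.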
  • ZizzyDizzyMCZizzyDizzyMC Hosting Provider

    Is it cheating if my home lab has a /24?

  • @user123 said:
    I'm hoping some of you Low-End Smarties can help me out here.

    When you're away from home on a Windows machine that has one wifi chip or ethernet port connected to public internet, but want to simultaneously:

    What are you trying to hide here? Also, draw your network schematic to make it easier for people to help with your setup.

    1. SSH/SFTP in to your homelab to access files

    right..

    2. Not directly connect to (leak) your home IP/port

    use IP over Avian Carriers, no home/port leaked

    3. Have your other external traffic route through a commercial VPN service (Proton, PIA, or any of the others) because you're on public wifi

    Home ---> VPS ----> commercial VPN

    This is just using ip route add to redirect your private WireGuard IP to exit through the commercial VPN. Of course you have to establish the commercial VPN connection on that particular VPS; you're going to need it to route to them after all.

    The key is, you need at least one place with a static IP and an available port, even if it's just a NAT-type VPS with 20 ports open, if you're that broke.

    How do you do this? Can you even do this?

    It's possible, but you won't be able to do it if you can't describe your issue properly. What are you trying to do if you don't even understand your own problem?

    For #1, I have read about people achieving this through a reverse proxy, Zerotier, Tailscale, or having a regular old VPN server of some flavor set up on a home server. I have the impression that Zerotier and Tailscale might be more secure (or easier to use?) options than a home OpenVPN/WG server.

    Nonsense. Using Tailscale or Zerotier just makes you move where your trust is. Do you trust them as a network provider? Do YOU trust your VPS provider to provide the network for you? It's the same thing. Do you think Tailscale / Zerotier won't know your home IP if you're connected to them?

    For #2, if I understand correctly, a reverse proxy would obscure your home IP/port, though a home OpenVPN or WG server would not. I don't know whether Zerotier or Tailscale would leak or obscure that information.

    Please read a book about networking; a simple Network+ book (get them on libgen, annas-archive or something) should be enough to make you understand whether it's possible or not.

    For #3, I know split tunneling exists and that some third-party Windows VPN apps support it, but I was under the impression that if you only have one wifi chip or ethernet port, you can only connect to one VPN at a time. But, I think I would need two concurrent, non-overlapping VPN (or similar) connections: one for securely accessing my homelab and a second for accessing the rest of the internet, checking emails, and all the other stuff.

    Simply wrong.

    VPN = Virtual Private Network
    Your adapters here are virtual. It doesn't matter whether you have one or ten network interfaces. For WireGuard you can define which IPs use that particular interface; there's even a calculator for it.
    This kind of routing is decided by the client (in OpenVPN there's a config option to call no-gateway), so you can decide later how the routing should work.

    Have the VPN interface online first, then decide about the route / gateway later. Does it look tedious to you? Then write a PowerShell script. Run it daemon-like if you need conditional routing to switch from one to another.
    You have your made-up problem, so don't complain if you have to do a little manual labor. I bet ChatGPT can make a setup for you if you can define your problem clearly.

    Thanked by (1)mandala

    Fuck this 24/7 internet spew of trivia and celebrity bullshit.
