Homelabbing & privacy vpn

Is there any way to access all my homelab stuff while also routing all my traffic through a privacy VPN like Mullvad somehow? Solutions that I have considered:

Tailscale w/ Mullvad integration - technically the least hassle to carry out, but I dislike that I would have to pay with a credit card for Mullvad and that Tailscale is not really a privacy service at all

NetBird w/ a device that has Mullvad as exit node - NetBird is open source and self-hostable, which is a huge plus; however, I'm not sure if this one is possible or would be needlessly complicated (since I'm a beginner to networking)

Raw WireGuard - tunneling into my home network through a hub-and-spoke system and routing it all out of the central hub w/ Mullvad

Has anyone done the second solution and could detail to me how, or any other solutions that people have come up with? Or is this just a scenario where I can't have my cake and eat it too?

Yes.

Probably feasible, and it shouldn't be that complex since it's just a VPN on top of a VPN.
You can probably ask inside their community if you need some help.

You're not doing anything unusual or advanced here, just a common need with common, known solutions to it.


You could also use raw WireGuard, but it has no specific benefits over NetBird.

I seriously doubt that many individuals here possess a threat model so stringent that it would necessitate using software inferior to Tailscale. While it’s true they aren’t what one might call a “privacy company,” this is fundamentally because they must be able to identify who is attempting to access the service. It’s not a matter of them using that information for malicious purposes. And quite frankly, it’s simply the best solution available.

Tailscale + Mullvad is the easiest.

Below are details on raw WG routing.

Option 1.

Utilize a VPS to port forward your WireGuard traffic to your router. Then you'll need to set up some policy-based routing (PBR) on your router to ensure that traffic in your VPN gets routed to LAN services and otherwise gets routed to a new WireGuard client connecting to Mullvad. The benefit here is that all WireGuard configurations are on your router, not split between two servers. The downside is that your router setup gets more complicated to handle VPN + outbound routing.

Option 2.

Utilize the VPS for your PBR logic, determining whether traffic should go to your router for LAN or to Mullvad for outbound traffic. The benefit is that the router handles just LAN VPN stuff, and the VPS can redirect outbound traffic instead of hopping to the router. The downside is that your WG setup is split across two servers.

Key rotation strategies should not be forgotten either.

Regarding NetBird, I'll read more into it. The issue with raw WG routing is dealing with key rotation, which is manual. I'd say it should be done once a year. If NetBird handles that aspect, great. Otherwise, NetBird has more moving parts, and more chances of something being exploitable (could still be solid, but a non-zero increase in risk).

If you only have a couple of clients, manual WG routing is a minimal setup, but it requires getting the routing correct.
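As an added example (not from the post above or any project's own code), this is what "Option 1" looks like on a Linux hub router: remote clients tunnel in on one WireGuard interface, a second WireGuard interface peers with Mullvad, and policy-based routing decides which traffic stays on the LAN and which exits through Mullvad. The interface names, subnets, routing-table number and rule priorities are assumptions chosen for illustration. It assumes the Mullvad interface is brought up by wg-quick with `Table = off` so wg-quick does not replace the router's own default route, and that the clients set `AllowedIPs = 0.0.0.0/0` toward the hub.

```shell
#!/bin/sh
# Added example: policy-based routing (PBR) on a WireGuard hub so that
# remote clients reach the home LAN directly and everything else exits
# through a second WireGuard interface peered with Mullvad.
# All names, subnets, table numbers and priorities below are assumptions.
#
# Assumed layout on the hub:
#   wg0 - clients tunnel in; client side uses AllowedIPs = 0.0.0.0/0
#   wg1 - Mullvad client; its wg-quick config has "Table = off" under
#         [Interface], and AllowedIPs = 0.0.0.0/0 on the Mullvad peer.

WG_CLIENTS_IF="wg0"
WG_CLIENTS_NET="10.10.0.0/24"   # addresses handed out to remote clients
LAN_NET="192.168.1.0/24"        # home LAN behind the router
MULLVAD_IF="wg1"
MULLVAD_TABLE=100               # routing table whose default route is wg1
MULLVAD_PRIO=1000               # ip rule priority of the catch-all rule

# Emit the commands instead of executing them, so the plan can be reviewed
# before touching a remote router (and so this function runs without root).
pbr_plan() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Table $MULLVAD_TABLE: default via Mullvad. The 'unreachable' route with a
# worse metric is the kill switch: if $MULLVAD_IF goes down its route vanishes
# and client traffic is rejected instead of leaking out the ISP uplink.
ip route replace default dev $MULLVAD_IF table $MULLVAD_TABLE
ip route replace unreachable default table $MULLVAD_TABLE metric 1000
# Lower priority number = evaluated first: LAN-bound traffic stays in main.
ip rule add from $WG_CLIENTS_NET to $LAN_NET lookup main priority $((MULLVAD_PRIO - 1))
ip rule add from $WG_CLIENTS_NET lookup $MULLVAD_TABLE priority $MULLVAD_PRIO
# Forwarding policy plus NAT so Mullvad replies find their way back to clients.
iptables -A FORWARD -i $WG_CLIENTS_IF -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WG_CLIENTS_IF -o $MULLVAD_IF -j ACCEPT
iptables -A FORWARD -i $MULLVAD_IF -o $WG_CLIENTS_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $WG_CLIENTS_NET -o $MULLVAD_IF -j MASQUERADE
EOF
}

# Apply the plan for real (needs root on the router; stops on the first error).
pbr_apply() {
    pbr_plan | sh -e
}

if [ "${1:-}" = "apply" ]; then
    pbr_apply
else
    pbr_plan
fi
```

Run it without arguments to print the plan and with `apply` to execute it. Two things the rules alone do not cover: clients must send DNS through the tunnel (to a resolver on the LAN or one reachable via wg1), otherwise DNS queries leak to whatever resolver the client has locally; and "Option 2" is the same rule set moved onto the VPS, with the LAN exception pointing at the tunnel to the router instead of `lookup main`. Key rotation is a separate step that this script does not touch.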

I personally installed IVPN on the router and Tailscale on the machine. However, it’s only now that I’m using Home Assistant, which has Tailscale installed on it. It feels almost foolish how simply I ultimately resolved this, especially after wrestling with insane solutions for two weeks straight. I’m being transparent about the project primarily so that others might spot my errors, allowing me to rectify them before final implementation.

Edit: So, this project involves a Home Assistant situated in a different city.


The issue isn't really Tailscale as a service; it's more that I would have to pay with my credit card to be able to use the Mullvad exit nodes, which also just flat out have fewer features compared to native Mullvad, which I guess is unavoidable if I want to use a homelab too.

Although, now that I think about it, since Tailscale is an American company I could probably get a prepaid Visa with cash.

Yeah, I'm not too network savvy; I'm alright with tech and willing to research problems, but at some point I'd probably just have to stop overthinking and use a mediocre solution over a perfect one to save the many hours I'd have to commit to get a properly secure and safe WG setup or whatever other manual setup.

There’s no requirement to route your exit through Mullvad, and frankly, I don’t do so either.