What would be a recommended way to access my home network from behind cgnat?
Is Tailscale’s free tier a good solution?
Yes, it is.
If you are tech-savvy enough, getting a cheap VPS, and putting Wireguard on it with a hub and spoke model is also an option.
This is my next setup I’m aiming for. But I’m currently lazy and just WireGuard directly to my home LAN.
I have never used Tailscale.
Another option is a Tor HiddenService which also does not require port forwarding. I have not tried it with CGNAT, but I have wondered if it would be a nice workaround.
Using a VPN with port forwarding is also an option. Not particularly private or secure on its own, but you can just expose your own VPN server or whatever to double-tunnel instead to your LAN, it’s more a bypass / workaround of CGNAT than anything.
Some degree of opening a port on a router will need to be done if not using Tailscale. I’m happy that I don’t need to forward to an internal server, rather OpenWRT handles this part for me.
That isn’t true. If you’re using a (hosted) VPN then your “router” is the VPN service’s endpoint. You “open the port” on the VPN service, and become accessible on <vpn exit ip>:<your assigned port>. I used to do this for WebDAV access over Mullvad when they allowed port forwards.
Note that depending on what type of NAT you’re under for both ends of the connection if Tailscale determines that you need a “relayed connection”, they have some bandwidth limitations.
Thanks for the clarification.
That’s the thing. It’s one thing to know how to do it. Doing it correctly and securely is a separate thing altogether. Tailscale may be the better option for most intermediate tech-savvy persons.
May I ask what led you to invest in this? Are you using a home internet provider with CGNAT that limits port forwarding for your network with services like Jellyfin or Emby?
Yeah. My ISP at home limits port forwarding, and I want to stream games from my desktop at home to my laptop (with Sunshine/Moonlight)
I think it is important to know that there is no E2EE (end-to-end encryption) between peers like the home router and a public device anymore when using WG hub and spoke. The external VPS provider will be able to read all traffic in plain text if no underlying encrypted protocol such as HTTPS or SSH is used. You need to put trust into the VPS.
I am an advocate of zero trust architecture, hence currently biased towards a more sophisticated FOSS solution like Headscale or Netmaker, which uses NAT traversal techniques like UDP hole punching, STUN etc. or can resort to relay servers otherwise, which to my understanding still leverage E2EE (might be mistaken here).
Not sure what’s currently the optimal solution for home labs… (see also Self-hosting advice)
I didn’t think this was true, how is this the case? And is there a configuration to prevent that?
Yeah. The VPS itself could read your traffic. Note that the VPS operator can not just easily read your traffic on their network, it’s encrypted there, but since they ultimately own your VPS they definitely could either install monitoring software on the VPS, or (more likely) extract your private WireGuard keys from the VPS disk to decrypt the network traffic.
The easiest solution is to only connect to computers in your home network using end to end encrypted protocols like HTTPS, SSH, RDP, etc. through the VPN. If you can do that then it doesn’t really matter.
The harder solution is to turn the VPS into just a dumb relay that is never given anything like WG encryption keys, which is normally simple, but it’s difficult if you cannot open any ports on your router at all.
That’s correct.
I can open ports and do this, and would be greatly interested in this kind of relay. Interested to see how to do this safely.
Yeah either that, or they also should be able to directly monitor the WireGuard interface of the VPS.
With hub and spoke each peer has its own WireGuard (WG) channel to the hub. When a peer (e.g. mobile phone) sends packets, they get encrypted for WG channel 1 till hub. Hub a) decrypts b) re-routes c) re-encrypts packets for different WG channel 2 leading to target peer (e.g. home router). This routing step b) in-between does not involve any WG encryption, no need to use a private key.
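As an added example (not code from the thread or from any project mentioned in it), the hub-and-spoke layout described above expressed as generated WireGuard configs: the VPS hub holds its own private key, terminates every spoke's tunnel and routes between spokes, while each spoke only knows the hub's public key. The IP addresses, LAN range and key placeholders are assumptions; real keys come from `wg genkey | wg pubkey`.

```shell
#!/bin/sh
# Added example: generate WireGuard configs for a hub-and-spoke overlay where
# a VPS is the hub and every spoke (phone, home router) talks only to the hub.
# All keys are constructed placeholders; addresses use documentation ranges.

HUB_PUBLIC_IP="203.0.113.10"   # assumed VPS address
HUB_PORT=51820
HUB_NET="10.10.0.0/24"         # assumed overlay network
HOME_LAN="192.168.1.0/24"      # assumed LAN behind the home router

# hub_config HUB_PRIVKEY PHONE_PUBKEY ROUTER_PUBKEY -> hub config on stdout
# The hub decrypts each spoke's channel with its own private key and forwards
# between spokes, so spoke-to-spoke traffic is plaintext on the hub unless the
# inner protocol (HTTPS, SSH, ...) is itself encrypted.
hub_config() {
  cat <<EOF
[Interface]
Address = 10.10.0.1/24
ListenPort = ${HUB_PORT}
PrivateKey = $1
# Routing between spokes happens here, on decrypted packets.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# phone
PublicKey = $2
AllowedIPs = 10.10.0.2/32

[Peer]
# home router, which also announces the LAN behind it
PublicKey = $3
AllowedIPs = 10.10.0.3/32, ${HOME_LAN}
EOF
}

# spoke_config SPOKE_PRIVKEY SPOKE_ADDR HUB_PUBKEY -> spoke config on stdout
# AllowedIPs covers the whole overlay plus the home LAN, so packets for the
# other spoke are sent to the hub, which re-encrypts them on its other channel.
spoke_config() {
  cat <<EOF
[Interface]
Address = $2/24
PrivateKey = $1

[Peer]
PublicKey = $3
Endpoint = ${HUB_PUBLIC_IP}:${HUB_PORT}
AllowedIPs = ${HUB_NET}, ${HOME_LAN}
# A spoke behind NAT/CGNAT has to keep its mapping open from the inside,
# otherwise the hub cannot deliver packets back to it.
PersistentKeepalive = 25
EOF
}

# count_peers CONFIG_TEXT -> number of [Peer] sections in the config
count_peers() {
  printf '%s\n' "$1" | grep -c '^\[Peer\]'
}

# Demonstration run with placeholder keys.
HUB_CONF=$(hub_config "HUB_PRIVATE_KEY_PLACEHOLDER=" "PHONE_PUBKEY_PLACEHOLDER=" "ROUTER_PUBKEY_PLACEHOLDER=")
PHONE_CONF=$(spoke_config "PHONE_PRIVATE_KEY_PLACEHOLDER=" 10.10.0.2 "HUB_PUBKEY_PLACEHOLDER=")
printf '%s\n\n---\n\n%s\n' "$HUB_CONF" "$PHONE_CONF"
```

The point to read off the output: the only `PrivateKey` that can decrypt both channels sits in the hub config on the VPS, and the `PostUp` forwarding rule is exactly the step where packets exist in the clear.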
Thanks @jonah. If a public IP (no CGNAT) is available, I also think simple port forwarding is an elegant solution:
Port forwarding of WG port on home router
This probably is “safe enough”, as packets are simply dropped by WG, if they don’t fit an authorized public key. Attackers won’t be able to do any port scans of open WG ports. There is E2EE between all peers, hence I would even prefer this solution over Hub and spoke.
VPS might be used as simple bounce server to forward encrypted WG packets to Home-lab as more privacy-friendly alternative, to only give away VPS public endpoint IP and not the one from home-lab.
I’d be curious to read, if there are more security risks.
Mesh VPN
If I read correctly, Mesh VPN solutions should be optimal in theory. But it certainly depends on other things like technical skills, provided features, ease of use, their FOSS business model, etc. If anyone already compared Netbird, Netmaker and Headscale in depth, linking here would be awesome.
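As an added example (not code from the thread or from any project named in it), here is the "dumb relay" from jonah's post and the "bounce server" from the port-forwarding post above, in one setup: the VPS only rewrites UDP headers with nftables and never holds a WireGuard key, clients see the VPS address as the endpoint, and the home router still has to forward the WireGuard port. Interface name, addresses and key placeholders are assumptions.

```shell
#!/bin/sh
# Added example: a VPS as a key-less bounce relay for WireGuard. The VPS
# DNATs inbound WireGuard UDP to the home endpoint and masquerades the source
# so replies come back through it; the WireGuard handshake stays end-to-end
# between client and home router. Because the home side must accept inbound
# UDP, this needs a port forward on the home router and does not help when
# no port can be opened at all. Addresses use documentation ranges.

VPS_PUBLIC_IP="203.0.113.10"    # assumed VPS address, the only IP clients see
HOME_PUBLIC_IP="198.51.100.20"  # assumed home WAN address, hidden from clients
WG_PORT=51820

# relay_ruleset WAN_IF HOME_IP PORT -> nftables ruleset for the VPS
relay_ruleset() {
  cat <<EOF
table ip wgrelay {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Inbound WireGuard packets: rewrite the destination to the home endpoint.
    iifname "$1" udp dport $3 dnat to $2:$3
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # Rewrite the source to the VPS so the home router answers via the VPS,
    # which then un-NATs the reply to the original client.
    ip daddr $2 udp dport $3 masquerade
  }
}
EOF
}

# relay_sysctl -> kernel setting the relay needs besides the ruleset
relay_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
}

# client_config CLIENT_PRIVKEY HOME_PUBKEY -> client WireGuard config
# The peer PublicKey is the home router's, not anything on the VPS, so the
# VPS cannot complete a handshake or decrypt the tunnel.
client_config() {
  cat <<EOF
[Interface]
Address = 10.20.0.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = 10.20.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
EOF
}

# holds_wg_key TEXT -> "yes" if the text carries a WireGuard private key line.
# Used as a sanity check that nothing deployed on the VPS contains a key.
holds_wg_key() {
  if printf '%s\n' "$1" | grep -q '^PrivateKey'; then echo yes; else echo no; fi
}

RULESET=$(relay_ruleset eth0 "$HOME_PUBLIC_IP" "$WG_PORT")
CLIENT=$(client_config "CLIENT_PRIVATE_KEY_PLACEHOLDER=" "HOME_ROUTER_PUBKEY_PLACEHOLDER=")
printf '%s\n\n%s\n%s\n' "$RULESET" "$(relay_sysctl)" "$CLIENT"
```

Load the ruleset on the VPS with `nft -f`, apply the sysctl, and forward UDP `51820` on the home router to the WireGuard host. The home router will log the VPS address as the peer endpoint, which is the privacy trade-off in the other direction: the VPS operator sees which home IP the packets go to, but not their contents.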
Perhaps this is a personal issue, but I currently have an open port on my router, but I cannot consistently get a stable connection. I was thinking using a VPS or some relay system where I’m hoping the connection between VPS and the router is more consistent.
Assuming your device is behind NAT:
Did you try to set PersistentKeepalive = 25 in the WG config file to allow bi-directional communication?
For the VPS method, if your VPS is compromised or you are targeted by the government, would they then not have direct access to your home network?