Private and secure way to access LAN from behind cgnat

It’s a few years old but here’s one. The recommendation in 2023 was headscale first, and netbird if you are into open-source software.

Here are my impressions as someone who pivoted from tailscale less than a month ago:

Headscale - Ideal if you are a power user and grasp Tailscale’s existing features. For general tailscale users, it seems like the most familiar option as well. However, IIRC there is no import functionality, so you will have to be familiar enough w/ tailscale’s inner workings to rebuild your setup as it was before.

Netmaker - Did not look into this one in retrospect. It is the least popular of the three.

Netbird - Coming from tailscale, headscale seemed like the obvious choice, but this is what I ended up going with. In my (uneducated) opinion, the functionality gap has narrowed/disappeared relative to tailscale. What sealed the deal for me was the YT coverage. The glowing reviews weren’t coming from trendy channels with a conspicuous promo code, but from those dense, technical, (slightly boring) channels w/ a self-hosting/networking focus such as Christian Lempa, Lawrence Systems and Jim’s Garage. They are all knowledgeable enough to create networking companies and they all reached the same conclusion that netbird was both the easiest self-hosting solution to install and, in spite of being GUI-driven, has very useful/powerful functionality worth the additional learning curve.

I’ve been using netbird for less than a month, but so far I think I made the right choice, as I am able to access my LAN w/o any local ports being exposed, similar to tailscale. One thing to note going in is that it isn’t as passive of a learning experience as tailscale. I’ve learned more about networking in the past two weeks than I knew in over a year re: tailscale. This will probably need to take place if you try headscale as well, I suppose.

Netbird has very solid documentation for an outline of what is happening, though IMO, similar to tailscale, it still caters to networking professionals and assumes basic networking understanding and goals. Also, because netbird is budding in popularity, there aren’t as many user tutorials that tackle more niche setups/configurations.

With that said, the more you learn, the more intuitive it becomes. For example, from the GUI, I selected my country (USA), my mobile OS (Android) and my desktop OS (Linux) and saved the policy. Any IPs outside of the US, or devices running Windows/Apple, are a non-starter re: trying to log in to my network now. It is a small but obvious (and impactful) reduction in my attack surface as a result.

I do want to call out that they release often and breakages have been known to occur, so keep that in mind as well. Today, I wanted to log into my dashboard and show some things, but I am having trouble accessing it due to recent updates, for example. Moving forward, I will probably keep an eye on the release notes and update when there is a security issue or a new must-have feature, for a bit more stability.

Good video review/overview

https://youtube.com/watch?v=skbWnMSwZcE


Yeah I have that setup, just not a high quality connection.

They would. Since the VPS is the hub and has the ability to decrypt the traffic that is passing through, yes, it is possible. This would require passing AllowedIPs with your home subnet (this is not too hard though).
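A hub-and-spoke WireGuard layout of the kind the reply above describes, as an added example that is not part of the original post: the VPS is the hub, the home router behind CGNAT dials out to it, and a roaming client reaches the LAN through the hub. The tunnel range (10.8.0.0/24), the home subnet (192.168.1.0/24), the router's LAN interface (`eth0`), the endpoint `vps.example.com`, the file paths and the `<...>` key placeholders are all assumptions.

```ini
# --- VPS hub: /etc/wireguard/wg0.conf (assumed path) ---
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <hub-private-key>
# The hub forwards packets between the two spokes, so routing must be on.
PostUp = sysctl -w net.ipv4.ip_forward=1

[Peer]
# Home router. It sits behind CGNAT, so no Endpoint is listed here:
# the router initiates and keeps the NAT mapping alive itself.
PublicKey = <home-public-key>
# Both the router's tunnel IP and the LAN behind it must be listed.
# WireGuard uses AllowedIPs as the route table for outgoing packets and
# as a source-address filter for incoming ones, so without 192.168.1.0/24
# here the hub neither sends LAN-bound packets to the router nor accepts
# LAN replies coming back from it.
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

[Peer]
# Roaming laptop/phone
PublicKey = <roaming-public-key>
AllowedIPs = 10.8.0.3/32

# --- Home router: /etc/wireguard/wg0.conf (assumed path) ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <home-private-key>
# Forward tunnel traffic onto the LAN and masquerade it, so LAN hosts that
# have no route to 10.8.0.0/24 still reply via the router (eth0 assumed).
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
AllowedIPs = 10.8.0.0/24
# CGNAT: the router must open the mapping and keep it open.
PersistentKeepalive = 25

# --- Roaming client: wg0.conf ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <roaming-private-key>

[Peer]
PublicKey = <hub-public-key>
Endpoint = vps.example.com:51820
# Send both the tunnel range and the home LAN via the hub.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

After bringing the interfaces up with `wg-quick up wg0`, `wg show wg0 latest-handshakes` on the hub should list a recent timestamp for both peers; a peer with no handshake usually means a wrong key, a blocked UDP port, or a missing keepalive on the CGNAT side. Each leg is a separate WireGuard session terminated on the VPS, so the hub decrypts and re-encrypts every packet: whoever controls the VPS sees LAN traffic in the clear. If that matters, keep the services on the LAN end-to-end encrypted over the tunnel (TLS, SSH), or use a mesh that negotiates direct peer-to-peer sessions so a relay only ever forwards ciphertext, which is the model the tailscale/netbird-style tools discussed earlier in the thread use.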