ww520 19 hours ago
Setting up a dynamic DNS record to map a hostname to my home network’s dynamic IP actually makes private VPN usable. It’s really a game changer to be able to access all the local services and resources on the road without exposing them to the public internet.

leetrout 19 hours ago
Are you using an internal or external service? Curious what you or others recommend... I've done a bit of both... I used CloudFlare which works fine and then I moved over to tailscale when playing with pxe / netboot and I've not decided on what to use beyond tailscale's magic dns. Unbound looks pretty nice.

atmosx 18 hours ago
Unbound is perfect. The CLI is very handy as it allows you to invalidate specific domains from the local cache. I have had a good experience with dnsmasq and dnscrypt2 as well.

ww520 18 hours ago
I’m using an internal machine for the VPN server and port forwarded to it from the router. I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much.

windexh8er 17 hours ago
> I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much.

This isn't true. You can use Tailscale "Subnet Routers" to access devices within a network without the Tailscale software installed. You still need one device to act as SR, but that would be a requirement for leveraging any traditional VPN as well.

[0] https://tailscale.com/kb/1019/subnets

criddell 18 hours ago
Is that true? I’m not 100% sure, but I think I’ve printed while I was away from home and I only have Tailscale software installed on my AppleTV.

AnonC 2 hours ago
I'm intrigued. Could you please elaborate on your setup, what Apple TV provides in this mix and how it is used? Is the Apple TV always powered on (24x7)?

criddell 2 hours ago
There isn't much to say. The AppleTV is like any other computer. I installed Tailscale, set it as an exit node and turned on subnet routing. The AppleTV is always powered on, but it only uses 0.3 watts while idle.

atonse 16 hours ago
Wha... since when does Tailscale have an AppleTV subnet node!??! Those guys are on fire and I missed this.

diggan 19 hours ago
A pretty common setup is to have a public VPS/dedicated server with wireguard/openvpn hosted at some trusted company and use that as an entry/exit point. It's basically what Tailscale is (massively simplified, obviously).

vladvasiliu 18 hours ago
As far as I understand it, that's not how Tailscale works most of the time. The actual connection is established between the VPN nodes, and actual traffic doesn't travel through Tailscale's servers. The VPS solution is usually the hub of a star-shaped network, so everything has to go through it, which may be limiting, given that, at least where I live, gigabit fiber is fairly widespread and reasonably priced. Most VPSs I see have less bandwidth than that.

There's headscale which allows setting up tailscale with a private server: https://github.com/juanfont/headscale/

smashed 7 hours ago
Tailscale will fall back to tuns servers which are dumb "cloud" relays if a direct connection can't be established.

mbreese 19 hours ago
I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server. That’s what I used to do — I’d use Cloudflare’s dynamic DNS to keep my home IP up to date and have a dedicated VM running at home that handles Wireguard connections. Now, I have found it easier to manage devices using Tailscale. Also, Tailscale makes it very easy to manage some very dynamic routing (managing connections to external VPNs that mandate different non-wireguard clients). Sadly, I’ve hit some issues with using tailscale’s DNS provider (my work configured Mac doesn’t like to have the DNS server changed), so I still have some work to do on that side.

diggan 17 hours ago
> I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server.

Personally, I wouldn't let incoming traffic hit my home IP/router by itself, that's why I suggested having something in-between public internet and your local network. But, any way that works obviously works, the rest is just details :)

philjohn 17 hours ago
Wireguard running on my router (Unifi Dream Machine Pro) - but I have a static IPv4 address, as well as a routed /48 IPv6 block. Anything that needs to be exposed to the internet (which was essentially TeslaMate during setup) goes through a cloudflare tunnel, which terminates on a server behind my router.

denkmoon 15 hours ago
I've been very pleased with powerdns for my self hosted internal DNS services. It implements basically everything you want for even the most esoteric DNS setups, and IMO, quite sanely.

speakspokespok 14 hours ago
I've tried many times to set up PowerDNS and never complete it because I get bogged down in the complexity. I saw they had an ansible / terraform script for deployments. Do you just use the team's docs or something else?

denkmoon 12 hours ago
Yeah just the PDNS docs. They're excellent. I'll admit my personal setup isn't particularly complex, but I'm not sure how much more complex it can get. I've just got an authoritative server for `lan.` and two secondaries, all 3 using sqlite as their database. I just added their debian repo and apt install'd the two packages (dnsdist and pdns-server). Set the respective config files appropriately (dnsdist is a little hard, but googling got me there) and bam. I've got dnsdist serving DoH, DoT, and plain port53 DNS with some ACLs, was really easy IMO.

speakspokespok 10 hours ago
Cool! I'll have to try once more. That sounds a lot more reasonable than going straight to postgres.

kccqzy 16 hours ago
Why would you need a dynamic DNS record though? Within the VPN you should feel free to hard-code any address you want. You control the network after all. In my own VPN I've never had a need to have IP addresses changed.

denkmoon 16 hours ago
Dynamic IP. Hard-coding an address is exactly what we want to avoid.

kccqzy 15 hours ago
Let's go one level deeper. Why do you need dynamic IP in your own private network?

jwiz 15 hours ago
There is a dynamic IP on the external address, from their ISP.

NhanH 15 hours ago
Yeah but you don't use the external IP for the purpose of accessing your VPN (not via a DNS record anyway). I am also unclear on the purpose of the dynamic DNS.

yjftsjthsd-h 15 hours ago
Your external IP is dynamic because the ISP can rotate it. You want to reach your home's external IP to VPN in. One common way is to create a public DNS record that's dynamically updated (by a cronjob or whatever) to always contain whatever IP your ISP last handed you.

Salgat 11 hours ago
That's what I do. Just a cronjob on my TrueNAS server to query my IP and update my subdomain's A record if my IP has changed. That way when a power outage happens and my IP gets rotated, it makes no difference.

ww520 15 hours ago
How do you connect your VPN with your phone when you travel on the road?

denkmoon 12 hours ago
Really? Imagine, if you will, the following scenario: I have a wireguard endpoint on my home router. The home router uses a residential ISP connection and I don't want to pay $10/mo for a static IP because my ISP is cheeky and expensive. I want to have my phone connect to said wireguard endpoint to establish a secure link. I don't want to have to change my wireguard configuration on my phone every time my home IP changes. So, I set my phone to peer with the wireguard endpoint on `home.denk.moon:1234`. Every time my home router's external IP changes, it sends a dynamic DNS update to my DNS server such that `home.denk.moon` reflects the new IP for my router. Now, whenever my phone attempts to connect to wireguard, it will resolve that domain name, get the latest IP for my router, and connect.

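The cron-driven refresh that Salgat and denkmoon describe, written out as an added example that is not from any commenter in the thread: it fetches the public address, validates the lookup service's reply strictly before it can reach the zone update, and sends an RFC 2136 update (nsupdate signed with a TSIG key) only when the address differs from the last one pushed. The hostname, zone, nameserver, key path, state file and lookup URL are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven dynamic DNS refresh for a
# WireGuard endpoint. All names below are assumed placeholders.
HOST="home.example.net."        # name the WireGuard peers use as Endpoint
ZONE="example.net."
NS="ns1.example.net"            # authoritative server that accepts signed updates
TSIG_KEY="/etc/ddns/home.key"   # key file for nsupdate -k; keep it mode 0600
IP_URL="https://api.ipify.org"  # any plain-text "what is my IP" service
STATE="/var/lib/ddns/last_ip"   # last address actually pushed into the zone
TTL=60                          # short TTL so phones pick up a new address quickly

# The lookup service's reply is untrusted input: accept only a dotted quad with
# octets in 0..255, so HTML, whitespace or extra lines can never reach nsupdate.
is_ipv4() {
    [ -z "$(printf '%s' "$1" | tr -d '0-9.')" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# True (exit 0) when $1 differs from the address recorded in state file $2.
ip_changed() {
    [ -r "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# Replace the A record with an RFC 2136 update signed by the TSIG key.
push_record() {
    nsupdate -k "$TSIG_KEY" <<EOF
server $NS
zone $ZONE
update delete $HOST A
update add $HOST $TTL A $1
send
EOF
}

main() {
    ip="$(curl -fsS --max-time 10 "$IP_URL")" || { echo "ip lookup failed" >&2; return 1; }
    is_ipv4 "$ip" || { echo "rejected lookup reply: $ip" >&2; return 1; }
    if ip_changed "$ip" "$STATE"; then
        push_record "$ip" && printf '%s\n' "$ip" > "$STATE"
    fi
}

# Run only when invoked as "ddns.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

A cron entry such as `*/5 * * * * /usr/local/bin/ddns.sh run` keeps the record current; the phone's WireGuard peer then points at `Endpoint = home.example.net:51820` and resolves the name on each connection attempt.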
rkagerer 15 hours ago
To find your private network when you're away and plugged into a public one and the former's IP may have changed. I gather the OP is talking about discovering their public-facing address, not doling out IPs on their internal VPN. Don't ask next "Why do you need to know your home IP address?"

paravz 17 hours ago
For example https://freedns.afraid.org/dynamic/ + cron job on router to periodically update the DNS record.

smw 17 hours ago
Just give in and use tailscale, life is so much better on the dark side!

zakki 17 hours ago
I prefer Zerotier's approach to the relationship between account and devices. In Zerotier, for each device added, there is no need to log in to the Zerotier account. Just add the network ID and approve it from the account. In Tailscale I have to log in from each device to add it to the network.

irunmyownemail 10 hours ago
Staying with Wireguard. The article, by the way, is about Wireguard, not an opinion piece comparing alternative technologies.

tapirl 8 hours ago
@smw just says that tailscale is more convenient than dynamic DNS.