| ▲ | leetrout 7 months ago |
| Are you using an internal or external service? Curious what you or others recommend... I've done a bit of both... I used CloudFlare which works fine and then I moved over to tailscale when playing with pxe / netboot and I've not decided on what to use beyond tailscale's magic dns. Unbound looks pretty nice. |
|
| ▲ | atmosx 7 months ago | parent | next [-] |
| Unbound is perfect. The CLI is very handy as it allows you invalidate specific domains from the local cache. I have had a good experience with dnsmasq and dnscrypt2 as well. |
|
| ▲ | ww520 7 months ago | parent | prev | next [-] |
| I’m using an internal machine for the VPN server and port forwarded to it from the router. I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much. |
| |
| ▲ | windexh8er 7 months ago | parent | next [-] | | > I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much. This isn't true. You can use Tailscale "Subnet Routers" to access devices within a network without the Tailscale software installed. You still need one device to act as SR, but that would be a requirement for leveraging any traditional VPN as well. [0] https://tailscale.com/kb/1019/subnets | |
| ▲ | criddell 7 months ago | parent | prev [-] | | Is that true? I’m not 100% sure, but I think I’ve printed while I was away from home and I only have Tailscale software installed on my AppleTV. | | |
| ▲ | AnonC 7 months ago | parent | next [-] | | I'm intrigued. Could you please elaborate on your setup, what Apple TV provides in this mix and how it is used? Is the Apple TV always powered on (24x7)? | | |
| ▲ | criddell 7 months ago | parent [-] | | There isn't much to say. The AppleTV is like any other computer. I installed Tailscale, set it as an exit node and turned on subnet routing. The AppleTV is always powered on, but it only uses 0.3 watts while idle. |
| |
| ▲ | atonse 7 months ago | parent | prev [-] | | Wha... since when does Tailscale have an AppleTV subnet node!??! Those guys are on fire and I missed this. | | |
|
|
|
| ▲ | diggan 7 months ago | parent | prev | next [-] |
| A pretty common setup is to have a public VPS/dedicated server with wireguard/openvpn hosted at some trusted company and use that as an entry/exit point. It's basically what Tailscale is (massively simplified, obviously). |
| |
| ▲ | vladvasiliu 7 months ago | parent | next [-] | | As far as I understand it, that's not how Tailscale works most of the time. The actual connection is established between the VPN nodes, and actual traffic doesn't travel through Tailscale's servers. The VPS solution is usually the hub of a star-shaped network, so everything has to go through it, which may be limiting, given that, at least where I live, gigabit fiber is fairly widespread and reasonably priced. Most VPSs I see have less bandwidth than that. There's headscale which allows setting up tailscale with a private server: https://github.com/juanfont/headscale/ | | |
| ▲ | smashed 7 months ago | parent [-] | | Tailscale will fallback to tuns servers which are dumb "cloud" relays if direct connection can't be established. |
| |
| ▲ | mbreese 7 months ago | parent | prev [-] | | I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server. That’s what I used to do — I’d use Cloudflare’s dynamic DNS to keep my home IP up to date and have a dedicated VM running at home that handles Wireguard connections. Now, I have found it easier to manage devices using Tailscale. Also, Tailscale makes it very easy to manage some very dynamic routing (managing connections to external VPNs that mandate different non-wireguard clients). Sadly, I’ve hit some issues with using tailscale’s DNS provider (my work configured Mac doesn’t like to have the DNS server changed), so I still have some work to do on that side. | | |
| ▲ | diggan 7 months ago | parent [-] | | > I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server. Personally, I wouldn't let incoming traffic hit my home IP/router by itself, that's why I suggested having something in-between public internet and your local network. But, any way that works obviously works, the rest is just details :) |
|
|
|
| ▲ | philjohn 7 months ago | parent | prev | next [-] |
| Wireguard running on my router (Unifi Dream Machine Pro) - but I have a static IPv4 address, as well as a routed /48 IPv6 block. Anything that needs to be exposed to the internet (which was essentially TeslaMate during setup) through a cloudflare tunnel, which terminates on a server behind my router. |
|
| ▲ | denkmoon 7 months ago | parent | prev [-] |
| I've been very pleased with powerdns for my self hosted internal DNS services. It implements basically everything you want for even the most esoteric DNS setups, and IMO, quite sanely. |
| |
| ▲ | speakspokespok 7 months ago | parent [-] | | I've tried many times to setup PowerDNS and never complete it because I get bogged down in the complexity. I saw they had an ansible / terraform script for deployments. Do you just use the team's docs or something else? | | |
| ▲ | epiecs 7 months ago | parent | next [-] | | You can also just setup a pihole adblocker on a vm. It has a local dns feature as well (that is nothing more that a textfile containing all your local records). Super easy to setup and maintain :) | |
| ▲ | denkmoon 7 months ago | parent | prev [-] | | Yeah just the PDNS docs. They're excellent. I'll admit my personal setup isn't particularly complex, but I'm not sure how much more complex it can get. I've just got an authoritative server for `lan.` and two secondaries, all 3 using sqlite as their database. I just added their debian repo and apt install'd the two packages (dnsdist and pdns-server). Set the respective config files appropriately (dnsdist is a little hard, but googling got me there) and bam. I've got dnsdist serving DoH, DoT, and plain port53 DNS with some ACLs, was really easy IMO. | | |
| ▲ | speakspokespok 7 months ago | parent [-] | | Cool! I'll have to try once more. That sounds a lot more reasonable than going straight to postgres. |
|
|
|
