| ▲ | leetrout 19 hours ago |
| Are you using an internal or external service? Curious what you or others recommend... I've done a bit of both... I used CloudFlare which works fine and then I moved over to tailscale when playing with pxe / netboot and I've not decided on what to use beyond tailscale's magic dns. Unbound looks pretty nice. |
|
| ▲ | atmosx 18 hours ago | parent | next [-] |
| Unbound is perfect. The CLI is very handy as it allows you invalidate specific domains from the local cache. I have had a good experience with dnsmasq and dnscrypt2 as well. |
|
| ▲ | ww520 18 hours ago | parent | prev | next [-] |
| I’m using an internal machine for the VPN server and port forwarded to it from the router. I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much. |
| |
| ▲ | windexh8er 17 hours ago | parent | next [-] | | > I also have Tailscale set up but if I remember correctly Tailscale requires all devices participating in its VPN to install its software, which is too much. This isn't true. You can use Tailscale "Subnet Routers" to access devices within a network without the Tailscale software installed. You still need one device to act as SR, but that would be a requirement for leveraging any traditional VPN as well. [0] https://tailscale.com/kb/1019/subnets | |
| ▲ | criddell 17 hours ago | parent | prev [-] | | Is that true? I’m not 100% sure, but I think I’ve printed while I was away from home and I only have Tailscale software installed on my AppleTV. | | |
| ▲ | AnonC 2 hours ago | parent | next [-] | | I'm intrigued. Could you please elaborate on your setup, what Apple TV provides in this mix and how it is used? Is the Apple TV always powered on (24x7)? | | |
| ▲ | criddell an hour ago | parent [-] | | There isn't much to say. The AppleTV is like any other computer. I installed Tailscale, set it as an exit node and turned on subnet routing. The AppleTV is always powered on, but it only uses 0.3 watts while idle. |
| |
| ▲ | atonse 16 hours ago | parent | prev [-] | | Wha... since when does Tailscale have an AppleTV subnet node!??! Those guys are on fire and I missed this. | | |
|
|
|
| ▲ | diggan 19 hours ago | parent | prev | next [-] |
| A pretty common setup is to have a public VPS/dedicated server with wireguard/openvpn hosted at some trusted company and use that as an entry/exit point. It's basically what Tailscale is (massively simplified, obviously). |
| |
| ▲ | vladvasiliu 17 hours ago | parent | next [-] | | As far as I understand it, that's not how Tailscale works most of the time. The actual connection is established between the VPN nodes, and actual traffic doesn't travel through Tailscale's servers. The VPS solution is usually the hub of a star-shaped network, so everything has to go through it, which may be limiting, given that, at least where I live, gigabit fiber is fairly widespread and reasonably priced. Most VPSs I see have less bandwidth than that. There's headscale which allows setting up tailscale with a private server: https://github.com/juanfont/headscale/ | | |
| ▲ | smashed 7 hours ago | parent [-] | | Tailscale will fallback to tuns servers which are dumb "cloud" relays if direct connection can't be established. |
| |
| ▲ | mbreese 18 hours ago | parent | prev [-] | | I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server. That’s what I used to do — I’d use Cloudflare’s dynamic DNS to keep my home IP up to date and have a dedicated VM running at home that handles Wireguard connections. Now, I have found it easier to manage devices using Tailscale. Also, Tailscale makes it very easy to manage some very dynamic routing (managing connections to external VPNs that mandate different non-wireguard clients). Sadly, I’ve hit some issues with using tailscale’s DNS provider (my work configured Mac doesn’t like to have the DNS server changed), so I still have some work to do on that side. | | |
| ▲ | diggan 17 hours ago | parent [-] | | > I think what the original post was referring to was using their home (dynamic IP) network instead of a public VPS/dedicated server. Personally, I wouldn't let incoming traffic hit my home IP/router by itself, that's why I suggested having something in-between public internet and your local network. But, any way that works obviously works, the rest is just details :) |
|
|
|
| ▲ | philjohn 16 hours ago | parent | prev | next [-] |
| Wireguard running on my router (Unifi Dream Machine Pro) - but I have a static IPv4 address, as well as a routed /48 IPv6 block. Anything that needs to be exposed to the internet (which was essentially TeslaMate during setup) through a cloudflare tunnel, which terminates on a server behind my router. |
|
| ▲ | denkmoon 15 hours ago | parent | prev [-] |
| I've been very pleased with powerdns for my self hosted internal DNS services. It implements basically everything you want for even the most esoteric DNS setups, and IMO, quite sanely. |
| |
| ▲ | speakspokespok 13 hours ago | parent [-] | | I've tried many times to setup PowerDNS and never complete it because I get bogged down in the complexity. I saw they had an ansible / terraform script for deployments. Do you just use the team's docs or something else? | | |
| ▲ | denkmoon 11 hours ago | parent [-] | | Yeah just the PDNS docs. They're excellent. I'll admit my personal setup isn't particularly complex, but I'm not sure how much more complex it can get. I've just got an authoritative server for `lan.` and two secondaries, all 3 using sqlite as their database. I just added their debian repo and apt install'd the two packages (dnsdist and pdns-server). Set the respective config files appropriately (dnsdist is a little hard, but googling got me there) and bam. I've got dnsdist serving DoH, DoT, and plain port53 DNS with some ACLs, was really easy IMO. | | |
| ▲ | speakspokespok 9 hours ago | parent [-] | | Cool! I'll have to try once more. That sounds a lot more reasonable than going straight to postgres. |
|
|
|
