Linux Fu: Easy And Easier Virtual Networking

One of the best things about Linux is that there are always multiple ways to do anything you want to do. However, some ways are easier than others. Take, for example, virtual networking. There are plenty of ways to make a bunch of Internet-connected computers appear to be on a single private network. That’s nothing new, of course. Linux and Unix have robust networking stacks. Since 2018, though, Wireguard has been the go-to solution; it has a modern architecture, secure cryptography, and good performance.

There’s only one problem: it is relatively difficult to set up. Not impossible, of course. But it is a bit difficult, depending on what you want to accomplish.

How Difficult?

You must set up a wireguard server and one or more clients. You’ll need to pick a range of IP addresses. You might need to turn on routing. You have to generate keys. You might need to configure DNS and other routing options. You’ll certainly need to modify firewall rules. You’ll also need to distribute keys.

None of these steps is terribly difficult, but it is a lot to keep straight. The wg program and the wg-quick script do most of the work, but you still have a lot of decisions to make and configuration to manage.

Browse the official “quick start,” and you’ll see that it isn’t all that quick. The wg-quick script is better but only handles some use cases. If you want really limited use cases, there are third-party tools to do a lot of the rote work, but if you need to change anything, you’ll still need to figure it all out.

That being said, once you have it set up, it pretty much works without issue and works well. But that initial setup can be very frustrating.
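The steps above (pick an address range, generate keys, hand each peer an address, decide what each side may route, turn on forwarding) are exactly what a wg-quick configuration encodes. The following is an added example, not code from the article: it allocates addresses from a chosen subnet, writes a server config and a client config in wg-quick format, and checks that no two peers claim the same address, since WireGuard's cryptokey routing requires each address to belong to exactly one peer. Key strings are constructed placeholders; real ones come from `wg genkey` and `wg pubkey`, and the subnet, port and endpoint are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder; the real value is the output of `wg pubkey` for the server.
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER"

@dataclass
class Peer:
    name: str
    pubkey: str
    address: ipaddress.IPv4Address

def allocate(subnet: str, names):
    """Give the server the first host address and each client the next free one."""
    net = ipaddress.ip_network(subnet)
    hosts = net.hosts()
    server = next(hosts)
    peers = [Peer(n, f"{n.upper()}_PUBKEY_PLACEHOLDER", next(hosts)) for n in names]
    return net, server, peers

def check_allowed_ips(peers):
    """Each address may appear in only one peer's AllowedIPs, or packets go to the wrong peer."""
    seen = {}
    for p in peers:
        if p.address in seen:
            raise ValueError(f"{p.name} and {seen[p.address]} both claim {p.address}")
        seen[p.address] = p.name

def server_config(priv, port, net, server, peers, wan="eth0"):
    check_allowed_ips(peers)
    lines = ["[Interface]", f"Address = {server}/{net.prefixlen}", f"ListenPort = {port}",
             f"PrivateKey = {priv}",
             # Forward client traffic out of the WAN interface; the rules are removed on shutdown.
             f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan} -j MASQUERADE",
             f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan} -j MASQUERADE"]
    for p in peers:
        # A /32 per peer: the server accepts only that peer's own address from that peer.
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.pubkey}", f"AllowedIPs = {p.address}/32"]
    return "\n".join(lines) + "\n"

def client_config(priv, peer, net, server, endpoint, full_tunnel=False):
    # Route everything through the VPN, or only the VPN subnet itself.
    allowed = "0.0.0.0/0" if full_tunnel else str(net)
    return "\n".join(["[Interface]", f"Address = {peer.address}/32", f"PrivateKey = {priv}",
                      f"DNS = {server}", "", "[Peer]", f"PublicKey = {SERVER_PUB}",
                      f"Endpoint = {endpoint}", f"AllowedIPs = {allowed}",
                      "PersistentKeepalive = 25"]) + "\n"
```

The generated text is what goes into `/etc/wireguard/wg0.conf` on each side before `wg-quick up wg0`; the client's AllowedIPs is what decides whether only LAN traffic or all traffic goes through the tunnel.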

An Alternative

Then there’s Tailscale. This is, actually, a commercial service, although it has a free tier that is adequate for most personal use, and it is — in fact — based on wireguard. To join a Tailscale network, you just log into their web interface.

Tailscale provides NAT traversal. If NAT traversal fails, Tailscale relays encrypted traffic, although this, of course, increases latency. The service also provides “magic DNS” and some basic access controls. Paid plans get more access controls.

Given that it uses wireguard underneath, the security is similar. Tailscale has a fair comparison on their site of their service versus running wireguard directly. Obviously, a properly configured wireguard setup will outperform Tailscale. But the ease of use might be worth a small performance hit for some people. They also list the steps needed to set up wireguard or Tailscale. Of course, the list is shorter for Tailscale, but that’s fair.

The only thing that might be a little unfair is that they compare themselves to setting up wireguard directly. However, if you have a common use case, wg-quick or similar tools might be just as easy. It is up to you to decide if you need the features provided by full-blown wireguard, a wireguard helper, or something like Tailscale. There are also GUI or Web frontends for wireguard that might appeal to you if you like that sort of thing.

Personal

Of course, anything with a free tier has to worry you simply because it might not be free tomorrow. However, for now, the free plan is great for many personal users. You get three users and up to 100 devices. You get some access controls and “magic DNS.”

There is client software for Windows, Linux, Mac, Android, iPhone, and Synology. That means most of your devices are covered. There’s even a specific configuration for the Raspberry Pi.

In General

Whether you use OpenVPN, wireguard, Tailscale, or other options, it is handy to have your private network distributed anywhere you have an Internet connection. Sure, you can open ports to the network, but that’s complicated to manage, too. You can use random port numbers and hope all your software servers don’t have any security flaws. Or you can trust a single VPN port. While you could argue the difference between having your eggs in one basket versus many, the VPN route is easier to manage and offers well-tested security.

Once you are on the private network, you don’t need to worry about open firewalls or NAT for each service on your network. Print to printers, find your shared files, and use X11 or even telnet without exposing anything meaningful to the public network. It is worth setting up something.

Many people don’t like accessing the mobile Internet without a VPN. For simple cases, though, you can VPN through ssh.

15 thoughts on “Linux Fu: Easy And Easier Virtual Networking”

  1. ZeroTier was good, but Tailscale has been great for me. I’ve been dealing with network infrastructure since “The net” was running NCP; being able to tell people that need vpn/nat traversal and connectivity between net islands to just install tailscale saves me loads of work. I would consider changing to headscale, but the free tier on Tailscale covers my needs, and their subnet router extensions and shared nodes are a great bonus.

      1. There are a lot of similarities, but a couple of use cases keep me on tailscale up to now. SSO and no self-hosting required make for simpler deployment for unsophisticated users. PFsense integration, which I end up deploying for people to be able to better visualize and control traffic. Simple installation and key control for persistent nodes also help.
        For sure I would like to have tailscale use the OS-native wg implementation, but even on nodes with multi-gig interfaces the tailnet traffic is small enough to keep it a non-issue so far.

  2. At my work we’re currently implementing WireGuard in production environments because it’s lightweight and easy to install. The only con is that we can’t generate client certificates easily.

  3. I’m using Wireguard and DuckDNS in containers from linuxserver.io. They’ve configured environment variables in the WG container that make it a simple process to describe the required nodes. These are just passed to wg-quick IIRC, but all your listed nodes are created at once when the container is started. For my very simple setup, this was even easier than running wg-quick.

  4. Here are some interesting networking projects that I have been looking at lately. It’s a mixed bag of stuff, but fun to browse through:

    1. [matrix]

    https://en.wikipedia.org/wiki/Matrix_(protocol)

    Matrix is an open source project that publishes the Matrix open standard for secure, decentralised, real-time communication, and its Apache licensed reference implementations.

    1.1. [matrix] Home

    https://matrix.org/

    2. Reticulum

    https://reticulum.network/index.html

    Reticulum is the cryptography-based networking stack for building local and wide-area networks with readily available hardware. Reticulum can continue to operate even in adverse conditions with very high latency and extremely low bandwidth. The vision of Reticulum is to allow anyone to operate their own sovereign communication networks, and to make it cheap and easy to cover vast areas with a myriad of independent, interconnectable and autonomous networks. Reticulum is Unstoppable Networks for The People.

    2.1. Reticulum Get Started

    https://reticulum.network/start.html

    2.2. Reticulum Getting Started Fast

    https://reticulum.network/start.html

    3. ZeroTier

    https://en.wikipedia.org/wiki/ZeroTier

    ZeroTier Inc. is a software company with a freemium business model based in Irvine, California. ZeroTier provides proprietary software, SDKs and commercial products and services to create and manage virtual software-defined networks. The company’s flagship end-user product ZeroTier One is a client application that enables devices such as PCs, phones, servers and embedded devices to securely connect to peer-to-peer virtual networks.

    3.1. ZeroTier Home

    https://www.zerotier.com/

    4. Meshtastic

    https://meshtastic.org/

    Radio (e.g. LoRa) Mesh Text Messaging: Off-grid messaging using inexpensive hardware to create your personal mesh. Radios forward messages to the next to flood the network. Communicate kilometers/miles between nodes. Internet-connected relay nodes enable the conversation to move online too.

    Encryption: Messages are AES256 encrypted. Only radios supplied with your channel settings (which includes the key) should be able to read your messages. Using multichannel settings you can send encrypted messages on one channel and still participate in a default Meshtastic mesh.

    Conserve Battery: Go for days on end and on a single battery or extend it infinitely with a solar cell. Power management ensures the device will last the duration of your use.

    Extensible: Create a highly scalable mesh with hardware on a multitude of platforms to fit your unique requirements: Create an environment monitoring mesh and produce real-time heatmaps, or maybe decentralized, encrypted messaging network, your imagination is the limit.

    Platform Agnostic: Meshtastic clients are built or being built for all major desktop and mobile platforms. Linux, Windows, Mac, Android, and iOS are all supported or well on their way to being supported.

    Open Source: All Meshtastic software is open source. If you want an improvement, submit a pull request or file an issue on Github. Happy coding!

    4.1. LILYGO® TTGO Meshtastic T-Beam V1.1 ESP32 433/915/923Mhz WiFi Bluetooth ESP32 GPS NEO-6M SMA 18650 Battery Holder With OLED – 433Mhz CH9102F OLED Soldered

    https://usa.banggood.com/LILYGO-TTGO-Meshtastic-T-Beam-V1_1-ESP32-433-or-915-or-923Mhz-WiFi-Bluetooth-ESP32-GPS-NEO-6M-SMA-18650-Battery-Holder-With-OLED-p-1727472.html?cur_warehouse=CN&ID=6320816

  5. One thing I always find problematic to deal with with VPNs is IP ranges. You almost always get an internal IP from some dhcp, and now you have to hope the VPN doesn’t try to use the same range. I haven’t played with wireguard yet.

    Would be nice that during the outgoing client connection, it would tell the server about what’s available/used. Not that that would solve everything of course …

    1. Tailscale assigns all your hosts in your tail net an IP out of the RFC6898 100.x.x.x block used for carrier-grade NAT. So every tail node has a unique IP and should not conflict with its normal address. It also supports intercepting DNS resolutions on your host and substituting the CGNAT address when looking up hosts that are connected to your tail net. I routinely connect from machine to machine across the tailnet that live on the same RFC1918 address block at their location.

  6. Is there a way to use any Friggin’ phone that has Wifi, Bluetooth, to make anything resembling a phone call to another phone? I get that you may need a VPN on either end, Asterix, Openwrt, whatever…I’m searching and searching and am really put-off and out by the endless snake-oil techno babble crap….oh there’s a catch, eh?! It only works in the States, your carrier needs to support Wifi Calling (which is more crap, as the speaker works on the phone for any kind of sound, and you can use the pickin’ microphone to record your farts). Oh, but you have to pay to get the app?! I don’t use a phone but I’ve got a bucket of them, routers coming out the yin-yang, yada-yada, and my Mom wants to be able to call me using her cell phone. Just point me in the right direction, please. Thanks

    1. There’s a ton of ways to make VOIP calls for free using whatever internet connectivity an Android device has available to it — wifi, cellular, ethernet, whatever.

      Everything from Facebook to Discord to Google Meet has voice calling capabilities. Even Amazon’s Alexa app has free voice calling. You can hardly swing a cat without finding a dozen different ways to talk to someone else using a couple of Android devices.

      If you want to roll your own using an IP phone system like Asterisk, you can certainly do that — but your mom probably won’t find the VOIP client as easy to use as something like Meet, and it probably won’t deal with random latency jitter that various networks have as well as the more consumer-oriented cloud-based services will, and you’ll spend more time setting it up and maintaining it than you’ll ever spend talking to your mom on the phone.

  7. One thing that I don’t like about self-hosting is that when your ISP blocks your ports with their own systems, you can’t get ports open even if you do port forwarding. Some people suggest that you get a server in the cloud and proxy through that but there’s no fun in doing it that way! I’ve tried using CloudFlare Tunnels and while that works great for web servers (HTTP/HTTPS) and SSH, I still can’t use VPN servers with it.

  8. “There’s only one problem: it is relatively difficult to set up.”

    I could not agree less. I’ve been configuring/administering/using vpns for far too long, and it’s, by far, the easiest to set up.

  9. I agree that it is easy to set up *after* you have had your first time with VPN, but doing it the first time is almost a nightmare, especially when you realize that port forwarding won’t work with greedy ISPs using carrier-grade NAT, preventing anything but a regular internet connection from working without issue (more on performance later). Then, after realizing that you need an external service, whether that be a tunneling software hosted on a paid service or a Virtual Private Server, I would say that’s where most people stop and think “Hmmm, maybe I don’t need to access my LAN while roaming that much?”; I am currently using a cloud-tunnel and VPN setup so I can access my services from anywhere and it’s awesome, though it’s certainly not for everyone. Some say that ISPs need to migrate to IPv6 to not use CG-NAT, which some say decreases performance, but as long as it’s making money and their life easier, they’re not going to. Good thing there’s a few good solutions for these modern problems.
