One of the best things about Linux is that there are always multiple ways to do anything you want to do. However, some ways are easier than others. Take, for example, virtual networking. There are plenty of ways to make a bunch of Internet-connected computers appear to be on a single private network. That’s nothing new, of course. Linux and Unix have robust networking stacks. Since 2018, though, Wireguard has been the go-to solution; it has a modern architecture, secure cryptography, and good performance.
There’s only one problem: it is relatively difficult to set up. Not impossible, of course. But it is a bit difficult, depending on what you want to accomplish.
You must set up a wireguard server and one or more clients. You’ll need to pick a range of IP addresses. You might need to turn on routing. You have to generate keys. You might need to configure DNS and other routing options. You’ll certainly need to modify firewall rules. You’ll also need to distribute keys.
None of these steps are terribly difficult, but it is a lot to keep straight. The wg program and the wg-quick script do most of the work, but you still have a lot of decisions to make and configuration to manage.
Browse the official “quick start,” and you’ll see that it isn’t all that quick. The wg-quick script is better but only handles some use cases. If you want really limited use cases, there are third-party tools to do a lot of the rote work, but if you need to change anything, you’ll still need to figure it all out.
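To make the list of steps above concrete, here is an added example (not from the article or the WireGuard project) that renders a minimal wg-quick server and client configuration pair covering address range, keys, routing and firewall rules, DNS, and peer exchange. It assumes 10.8.0.0/24 as the tunnel range, eth0 as the server's uplink interface, UDP 51820 as the listen port, and vpn.example.net as the server's public name; all of those are placeholders.

```shell
#!/bin/sh
# Added example: build wg-quick configs for one server and one client.
# Only the public keys cross the wire; each private key stays on its host.
set -eu

VPN_NET="10.8.0.0/24"          # assumed tunnel address range
SERVER_ADDR="10.8.0.1/24"
CLIENT_ADDR="10.8.0.2/24"
LISTEN_PORT="51820"            # assumed UDP port to open in the firewall
UPLINK="eth0"                  # assumed server uplink for NAT
ENDPOINT="vpn.example.net:${LISTEN_PORT}"  # placeholder server name

# Key generation with the real wg tool (only run where wg is installed).
gen_keypair() {  # prints "<private> <public>"
  priv=$(wg genkey)
  pub=$(printf '%s' "$priv" | wg pubkey)
  printf '%s %s\n' "$priv" "$pub"
}

# Server config: enable forwarding and NAT so peers reach the server's LAN.
# %i is expanded by wg-quick to the interface name (e.g. wg0).
server_conf() {  # $1 = server private key, $2 = client public key
cat <<EOF
[Interface]
Address = ${SERVER_ADDR}
ListenPort = ${LISTEN_PORT}
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${UPLINK} -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${CLIENT_ADDR%/*}/32
EOF
}

# Client config: split tunnel (only VPN_NET goes through the tunnel);
# set AllowedIPs = 0.0.0.0/0 to route everything via the server instead.
client_conf() {  # $1 = client private key, $2 = server public key
cat <<EOF
[Interface]
Address = ${CLIENT_ADDR}
PrivateKey = $1
DNS = 10.8.0.1

[Peer]
PublicKey = $2
Endpoint = ${ENDPOINT}
AllowedIPs = ${VPN_NET}
PersistentKeepalive = 25
EOF
}
```

Run `server_conf "$SERVER_PRIV" "$CLIENT_PUB" > /etc/wireguard/wg0.conf` on the server and the matching `client_conf` output on the client, then `wg-quick up wg0` on both.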
That being said, once you have it set up, it pretty much works without issue and works well. But that initial setup can be very frustrating.
Then there’s Tailscale. This is, actually, a commercial service, although it has a free tier that is adequate for most personal use, and it is — in fact — based on wireguard. To join a Tailscale network, you just log into their web interface.
Tailscale provides NAT traversal. If NAT traversal fails, Tailscale relays encrypted traffic, although this, of course, increases latency. The service also provides “magic DNS” and some basic access controls. Paid plans get more access controls.
Given that it uses wireguard underneath, the security is similar. Tailscale's site has a fair comparison of using their service versus running wireguard directly. Obviously, a properly configured wireguard setup will outperform Tailscale, but the ease of use might be worth a small performance hit for some people. They also list the steps needed to set up wireguard or Tailscale. Of course, the list is shorter for Tailscale, but that's fair.
The only thing that might be a little unfair is that they compare themselves to setting up wireguard directly. However, if you have a common use case, wg-quick or similar tools might be just as easy. It is up to you to decide whether you need the features of full-blown wireguard, a wireguard helper, or something like Tailscale. There are also GUI and Web frontends for wireguard that might appeal to you if you like that sort of thing.
Of course, anything with a free tier has to worry you simply because it might not be free tomorrow. However, for now, the free plan is great for many personal users. You get three users and up to 100 devices. You get some access controls and “magic DNS.”
There is client software for Windows, Linux, Mac, Android, iPhone, and Synology. That means most of your devices are covered. There’s even a specific configuration for the Raspberry Pi.
Whether you use OpenVPN, wireguard, Tailscale, or other options, it is handy to have your private network distributed anywhere you have an Internet connection. Sure, you can open ports to the network, but that’s complicated to manage, too. You can use random port numbers and hope all your software servers don’t have any security flaws. Or you can trust a single VPN port. While you could argue the difference between having your eggs in one basket versus many, the VPN route is easier to manage and offers well-tested security.
Once you are on the private network, you don't need to worry about open firewall ports or NAT rules for each service on your network. Print to printers, find your shared files, and use X11 or even telnet without exposing anything meaningful to the public network. It is worth setting up something.