Recently I've been reading a lot about the topic of mesh VPNs (tinc, Nebula, Tailscale, ZeroTier, Netmaker, Netbird, etc) and find them pretty interesting. Is anyone here using these in some capacity at home or maybe at work?

My problem so far is that many of the options seem to be aimed at corporate use, understandably, so the developers can earn enough to keep doing it. This means the focus is on a centralized control plane, one server which knows everything about the entire network and manages firewall rules for all of it.

This is why I'm leaning towards Nebula, since I think the decentralized design just makes more sense. There is some centralization for issuing certs though. How do I go about setting up PKI? Is there some open source solution for managing certificates and automatically renewing them?

There's also the option of using vanilla WireGuard. This is my current setup, but I really like the idea of meshing, since it means I don't need to care if my devices are physically on the same network or not, the best connection will be used. Basically the layer of abstraction is a nice convenience that lets me think about hosts or services independently of the physical network topology.

I'm interested to hear your thoughts on this topic! What's your setup like and what do you use it for?

  • ZWQbpkzl [none/use name]
    ·
    edit-2
    7 months ago

    Update: I found a guide to use traefik to tunnel into the VPN. Idea is:

    1. Setup headscale behind traefik on a VPS.
    2. Connect all my local devices to the tailnet.
    3. Connect to the VPS to the tailnet. So its running both headscale and tailscale.
    4. Traefik can now proxy to any device on the tailnet.

    Step 1 however is a gigantic pain in the ass. Traefik is overkill for anything non-enterprise. It was just three lines of Caddyfile to make it work with Caddy.

    http://hs.example.com {
      reverse_proxy * http://localhost:8282
    }
    

    Step 4 is almost exactly the same

    http://app.example.com {
      reverse_proxy * http://node:8080
    }
    

    You can also use tailscale funnel instead any reverse proxy but then your exposing ports not sub domains. And whatever service you're funneling to is responsible for SSL.