This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?
This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?
If you’re worried about that, I can recommend a service like Tailscale which does not require permanently open ports to the outside world, offering quite a bit more security than an exposed traditional VPN server.
Huh, never heard of it! from what I gathered from the website its a central VPN? Wouldn’t that be overkill for a homelab scenario? Thanks for your response!
It’s a central server (that you could actually self-host publicly if you wanted to) whose purpose it is to facilitate P2P connections between your devices.
If you were outside your home network and wanted to connect to your server from your laptop, both devices would be connected to the TS server independently. When attempting to send IP packets between the devices, the initiating device (i.e. your laptop) would establish a direct wireguard tunnel to the receiving device. This process is managed by the individual devices while the central TS service merely facilitates communication between the devices for the purpose of establishing this connection.
I would suggest trying wireguard first as it’s much less complex to set up. Once you have a handle on that, you might consider moving to a mesh network. I personally would love to use a mesh network, but have not been able to get it configured correctly the few times I’ve tried.
TS is a lot easier to set up than WG and does not require a publicly accessible IP address nor any public whatsoever. It’s not really comparable to setting WG up yourself; especially w.r.t. security.
I’ve have made a lot of progress with Tailscale once I learned how to set up an “Exit Node” which is done in the Tailscale admin page. You set up Tailscale on your network and sign in, then set it as an exit node. Then (on android at least) you open the app and hit the 3 dots and pick “use exit node” then type the IP of your service into your browser and it’s magically usable.
There’s also Tailscale on YouTube which has walk through a for attaching Tailscale to Docker containers, allowing access to those containers without an exit node. I’ve successfully done this with Audiobookshelf so I just turn on Tailscale out of the house and open the Audiobookshelf app and it connects to my private instance at home.