This may be a simple question, but I could not find resources on that. Does creating a VPN into my home network using my router increase my attack surface? What are the security implications of that in general?

  • Atemu@lemmy.ml
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    2
    ·
    7 months ago

    If you’re worried about that, I can recommend a service like Tailscale which does not require permanently open ports to the outside world, offering quite a bit more security than an exposed traditional VPN server.

    • rmstyle@feddit.deOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Huh, never heard of it! from what I gathered from the website its a central VPN? Wouldn’t that be overkill for a homelab scenario? Thanks for your response!

      • Atemu@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        It’s a central server (that you could actually self-host publicly if you wanted to) whose purpose it is to facilitate P2P connections between your devices.

        If you were outside your home network and wanted to connect to your server from your laptop, both devices would be connected to the TS server independently. When attempting to send IP packets between the devices, the initiating device (i.e. your laptop) would establish a direct wireguard tunnel to the receiving device. This process is managed by the individual devices while the central TS service merely facilitates communication between the devices for the purpose of establishing this connection.

      • BearOfaTime@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        7 months ago

        It’s a virtual mesh network.

        I’ve used it to:

        Access a single machine (one client on a machine at home, one client on my laptop)

        Connect multiple machines on disparate networks to each other (each machine has a client and is joined to my TS network)

        Enable complete access to my home network using Subnet Routing (one machine at home has the TS client, with subnet routing enabled)

        Provide access to a single service for anyone using Funnel (one machine at home running TS client, with Funnel configured for a specific service)

        It all depends on how you configure it. I find running Tailscale on a Raspberry Pi with Subnet Routing configured provides most of what I need:the ability to access any device on my home network (including printers, digital photo display, TV, router, etc), from anywhere I install the TS client.

    • brownmustardminion@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I would suggest trying wireguard first as it’s much less complex to set up. Once you have a handle on that, you might consider moving to a mesh network. I personally would love to use a mesh network, but have not been able to get it configured correctly the few times I’ve tried.

      • Atemu@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        TS is a lot easier to set up than WG and does not require a publicly accessible IP address nor any public whatsoever. It’s not really comparable to setting WG up yourself; especially w.r.t. security.