Are there solutions for a VPN without port forwarding?

OpenVPN and WireGuard, two of the most popular VPN tools, both need port forwarding to work.

Are there services that allow establishing a VPN without having to forward a port on the firewall? Preferably available as Docker containers.


ZeroTier has been a fast and easy-to-deploy solution, not self-hosted but definitely doable; meanwhile I also discovered Tinc VPN, which at first glance uses the same strategy as ZeroTier and is self-hostable. Kudos to the fellow community members, who are always on point with suggestions!

There’s no such thing if you want to host your own VPN; a port needs to be forwarded, because you need to allow connections from outside the LAN.

Strictly speaking, you can get a cheap VPS and create a VPN to your home network without forwarding any port.

Check out Nebula (by Slack). Set up a VPS on the GCP free tier and make it your Nebula lighthouse (the equivalent of a moon in ZeroTier), then install Nebula on the clients.

Tailscale is based on WireGuard and is another alternative to look into besides ZeroTier. It works great for privately and securely connecting my servers and devices without opening ports.

I have had great success with ZeroTier; they initiate the connection through their servers, but then any data is sent directly.

You could host a VPN on a VPS or something, and then have a VPN client/agent running at home.

Run the VPN server on your router. That way the router exposes the VPN, and nothing inside the LAN is forwarded. Much more secure.

Host your own cloud server. $5 a month for Nextcloud, whatever else you want to run. And complete access to your entire LAN without jumping through hoops.

Tinc VPN, which uses the same strategy as ZeroTier, allows exactly this instead =) Have a look at it!

The designated machine just needs access to the internet (of course).

Thanks for the suggestion! I like it more than ZeroTier after all =)

This here. ZeroTier can achieve this, but it is not a self-hosted VPN.

This will definitely do!

Meanwhile, I also discovered Tinc VPN, which at first glance uses the same strategy as ZeroTier and is self-hostable too.

This can’t be done for a number of reasons :woman_shrugging:

That’s why I asked a very specific question on the subject.

But you’re not then hosting the VPN yourself.

Something useful if you’re using *nix hosts / clients:

  • add Nebula as a service to resume on reboot
  • add *.nebula hostnames in /etc/hosts

Sample systemd Service Unit:

[Unit]
Description=Nebula Service
# Start once the network stack is up, since nebula binds a UDP socket at start
After=network.target

[Service]
# Path to the nebula binary and its config; adjust to where you installed them
ExecStart=/etc/nebula/nebula -config /etc/nebula/config.yml

[Install]
WantedBy=multi-user.target

Sure. But you didn’t mention that you couldn’t do it… so I thought I’d try and be helpful. If it doesn’t work for you, no worries. :slight_smile:

It is fully self-hosted; the only downside is that it requires a discoverable central node.

I eventually used Nebula (suggested in another comment) which still uses the same strategy.

I have my own homelab at home where I set up the central node; let’s call it server A.

A has no limits at all; there I configured the needed port forwarding, firewall, etc.

Then there is server B, which is in a shitty remote location with no margin for modifications at all.

Then there is me! Client C, which wants to access B and its network.

Nebula, ZeroTier and Tinc VPN all work the same:

  1. B, which has no configurability at all, is however able to connect to the internet, so B connects to A, joining an ad-hoc virtual network.
  2. C connects to A too and joins the same virtual network; now C and B are in the same virtual subnet and are able to communicate with each other, and C is also able to reach any network device B is able to reach in its original network. The end result from a topological point of view is the same as a VPN, albeit completely different in infrastructure.

Voilà :slight_smile:
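The A/B/C layout described above, written out as three Nebula config files. This is an added illustration, not configuration from any post in this thread; the overlay addresses, public IP, file paths, LAN range and the "admins" group name are all constructed.

```yaml
# Constructed example, not from any post in the thread. Overlay 192.168.100.0/24:
#   A = lighthouse 192.168.100.1, public 203.0.113.10:4242 (the only forwarded port)
#   B = 192.168.100.2, remote site in front of LAN 10.20.0.0/24, no inbound port
#   C = 192.168.100.3, the client; its cert is signed with -groups admins
# B's cert must carry the LAN it routes for, e.g.
#   nebula-cert sign -name B -ip 192.168.100.2/24 -subnets 10.20.0.0/24
# and B needs IPv4 forwarding enabled. Each document below is one host's config.yml.

# --- A: lighthouse. Fixed UDP port, brokers B<->C but exposes no service itself ---
pki: {ca: /etc/nebula/ca.crt, cert: /etc/nebula/host.crt, key: /etc/nebula/host.key}
lighthouse:
  am_lighthouse: true
listen: {host: 0.0.0.0, port: 4242}
firewall:
  outbound: [{port: any, proto: any, host: any}]
  inbound:  [{port: any, proto: icmp, host: any}]
---
# --- B: dials out to A, learns C's address from it and hole-punches; nothing forwarded ---
pki: {ca: /etc/nebula/ca.crt, cert: /etc/nebula/host.crt, key: /etc/nebula/host.key}
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60
  hosts: ["192.168.100.1"]
listen: {host: 0.0.0.0, port: 0}      # 0 = random source port behind B's NAT
punchy: {punch: true, respond: true}  # keep the NAT mapping alive, answer C's punches
firewall:
  outbound: [{port: any, proto: any, host: any}]
  inbound:
    # only certs in group "admins" (i.e. C) may reach B and, through it, B's LAN
    - {port: any, proto: any, group: admins}
---
# --- C: the client; unsafe_routes hands traffic for B's LAN to B over the overlay ---
pki: {ca: /etc/nebula/ca.crt, cert: /etc/nebula/host.crt, key: /etc/nebula/host.key}
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]
lighthouse:
  am_lighthouse: false
  interval: 60
  hosts: ["192.168.100.1"]
listen: {host: 0.0.0.0, port: 0}
punchy: {punch: true, respond: true}
tun:
  dev: nebula1
  unsafe_routes:
    - {route: 10.20.0.0/24, via: 192.168.100.2}
firewall:
  outbound: [{port: any, proto: any, host: any}]
  inbound: [{port: any, proto: icmp, host: any}]
```

The point of the group-scoped inbound rule on B is that the CA, not A's reachability, decides who may enter B's LAN: a node that joins the overlay with a cert outside the "admins" group is dropped by B's firewall even though A brokered the connection.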

This question was more for the sysadmin sub, I suppose, rather than the selfhosted sub, as everyone (rightfully) tried to pitch in with out-of-scope replies.

Indeed I haven’t been clear on the subject; thanks anyway =)