Living abroad I want to find a way to establish private vpn between two houses (mine and parent’s) in different countries, to be able to:
to help them with devices at their home
to access geo limited service in that country, by accessing it through my parents network / their internet provider
make overnight offsite backup to the NAS at their home
access my home network from other locations (e.g. when i visit family or go for a holiday abroad) from multiple devices (mobile, laptop, tablet)
What’s the best software (tailscale, wireguard…?), hardware (minimal with solely purpose of described vpn, if possible no huge server or hundreds of $¥£€ costs), and in general best plan, configuration, execution to achieve above listed requirements?
Currently both of us have simple internet connections with non static IP. They have dummy router/ap from internet provider, on my side Unifi USG+AP, behind dummy provider router.
Available HW sitting around:
mini gl-inet router (GL-MT300N-V2) and I could get second if it makes sense
small form factor RaspPi like mini PC
Lenovo m720q or similar 1L PC (if really necessary for more power)
My brother lives overseas. We setup a VPN from his home to mine for day to day use. He has two routers in his home, one of which is the client for the VPN. He connects his gear to either one depending on what he wants to do. On my end I have a WireGuard VPN server that he is connecting to, and then accessing the internet from there.
Our hardware:
2 x Mikrotik hAP AC3 (These also provide a built in DDNS service)
1 x HP Elitedesk (Old version bought for ~$200)
WireGuard doesn’t need a lot of resources to run and is mostly breeze to setup. I use Ubuntu, headless server, and Portainer. I also run a Valheim server on this same box.
Performance wise: my brother runs their streaming, gaming, and whatever else over our VPN. I have 200/200 service, we’ve never had any performance issues between the two houses regardless of what anyone was watching or doing online. And this is all the standard 4k streaming, Tidal, MMO/FPS gaming, etc.
I’ve been doing this for better part of a decade and it’s actually dead simple by using vpn capable enterprise routers. You simply set up an IPsec tunnel between the two (or more sites). Then each device on the network (or selected ones depending on how you restrict access) has access to everything on the other network as if they were local (but on a different subnet).
I’ve used this to connect to printers, scanners, dvr, nas units and more that were never intended to have anything more than lan access. I would also use this to rdp into my parents’ systems and fix them remotely.
With the hardware you have, you might be able to use pfsense and openvpn to accomplish the same thing, but when I looked at it nearly 10 years ago, it seemed harder to keep reliable than the dedicated IPsec hardware units. The firewalla, et al products that basically put pfsense into a box is one way to go if you want pfsense, but I find that price point far greater than something like a used fortigate 50/60 series that can do IPsec without breaking a sweat right out of the box (even used).
The good thing about a network to network implementation like this is that there is no software involved at all since everything is implemented at the router level. And with dedicated IPsec hardware, power consumption tends to be low and performance high so you can get use of all the bandwidth you have available.
Hope this helps and feel free to ask any questions.
Depending on your router you may have a free DDNS service built into the router. This service handles updating your dynamic IP address with whatever link you are using. In Mikrotik’s case, you just set it up in the router, and then use the provided URL.
You could also use a 3rd party service like noip.com.
From reading the documentation for your router, it looks to me like DDNS is baked into the hardware already. It also looks like WIreGuard is natively supported by your router so you could get another GL-MT300N-V2, set one up as a WireGuard server, and use the other as the client. I think it depends on how you want to route the traffic at your parents house. I use separate server in my home for the VPN just to keep things compartmentalized. (It was also a fun project and a reason to dive back into a bit of Linux server admin.)
I have a Firewalla Gold, Gold Plus, two Purples and two Blue Pluses. It’s very easy to configure via their phone interface. I’m using WireGuard to connect multi-site VPN’s… examples are in these documents: