Remote access? What’s the latest solution?

Hey all! This sub has been extremely helpful in getting my first VE up and running, and it’s truly an amazing feeling.

I’d like to know how y’all are setting up your remote access. From what I understand, simple port forwarding isn’t very secure, and most people are going with Tailscale.

What’s the latest and greatest? Since I’m using this for a homelab to experiment, I’m interested in learning different methods. (This topic seems extremely difficult to google, thanks to many different methods all trying to be sold to me at low low prices.)

A VPN, always a VPN.

I was told to use WireGuard by someone who knows their security stuff. So that’s what I’ve used ever since.

It’s very easy to set up. Just get a docker-compose file and run it. Done. I think in the documentation it says to run it in the host network, but that’s not necessary. Just make the container or container host VM/LXC get its own IP from your router and bind it.

Nice bonus feature there is that everything in the same network as your WireGuard server is accessible through the tunnel as well, if you set it up to route all traffic through the tunnel.

Another good way is to have key-pair login only to a VM/container and only expose that to the world.

A VPN tunnel, such as WireGuard or Tailscale, is the best way though.
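As an added example (not from the comment above or any WireGuard project code), the script below generates the two configs the setup just described needs: a server-side wg0.conf for the container or VM, and a client config whose AllowedIPs line is either a split tunnel (only the home LAN is routed through the tunnel, the "bonus feature" mentioned above) or a full tunnel (all client traffic goes through it). Every address, interface name, DNS server and endpoint in it is a hypothetical value to replace with your own; when wireguard-tools is not installed it falls back to clearly labelled placeholder keys so you can inspect the output without deploying it.

```shell
#!/bin/sh
# Added example, not from the original post: generate a WireGuard server config
# and a client config, choosing between a split tunnel (only the home LAN is
# routed through wg0) and a full tunnel (all client traffic goes through wg0).
# Everything below is a hypothetical setup; change it to match your network:
#   WG_SUBNET  tunnel addresses        LAN_CIDR  the LAN the WireGuard host is on
#   ENDPOINT   DDNS name/public IP and the UDP port forwarded to the WireGuard host
set -eu

WG_SUBNET="10.8.0.0/24"
LAN_CIDR="192.168.1.0/24"
LAN_DNS="192.168.1.1"
ENDPOINT="vpn.example.net:51820"
WG_PORT="51820"
LAN_IFACE="eth0"

# Key pair via wg(8) when wireguard-tools is installed; otherwise constructed
# placeholder strings so the generator still runs elsewhere (never deploy those).
gen_key() {
  if command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
  else
    priv="PLACEHOLDER_PRIVATE_KEY_$1="; pub="PLACEHOLDER_PUBLIC_KEY_$1="
  fi
  printf '%s %s\n' "$priv" "$pub"
}

# AllowedIPs on the client decides what it sends into the tunnel:
#   split: the tunnel subnet plus the home LAN (the "bonus" LAN access)
#   full:  everything, so the client's internet traffic also exits at home
allowed_ips() {
  case "$1" in
    split) printf '%s, %s' "$WG_SUBNET" "$LAN_CIDR" ;;
    full)  printf '0.0.0.0/0, ::/0' ;;
    *)     echo "allowed_ips: mode must be split or full" >&2; return 1 ;;
  esac
}

server_conf() { # $1 server private key, $2 client public key, $3 client tunnel IP
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = $WG_PORT
PrivateKey = $1
# Needs net.ipv4.ip_forward=1 on the host. MASQUERADE lets LAN hosts answer
# tunnel clients without a static route back to $WG_SUBNET.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $LAN_IFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $LAN_IFACE -j MASQUERADE

[Peer]
PublicKey = $2
# Server side: accept this peer only as the source of its own tunnel address
AllowedIPs = $3/32
EOF
}

client_conf() { # $1 client private key, $2 client tunnel IP, $3 server public key, $4 split|full
  cat <<EOF
[Interface]
Address = $2/24
PrivateKey = $1
DNS = $LAN_DNS

[Peer]
PublicKey = $3
Endpoint = $ENDPOINT
AllowedIPs = $(allowed_ips "$4")
# Keeps the NAT mapping open when the client sits behind a home router or CGNAT
PersistentKeepalive = 25
EOF
}

generate() { # $1 split|full
  set -- "$1" $(gen_key server) $(gen_key client)   # $2/$3 server, $4/$5 client
  server_conf "$2" "$5" 10.8.0.2 > wg0-server.conf
  client_conf "$4" 10.8.0.2 "$3" "$1" > wg0-client.conf
  chmod 600 wg0-server.conf wg0-client.conf          # they contain private keys
  echo "wrote wg0-server.conf and wg0-client.conf ($1 tunnel)"
}

case "${1:-}" in
  split|full) generate "$1" ;;
esac
```

Run it as `sh wg-gen.sh split` (or `full`); wg0-server.conf is what goes into /etc/wireguard/wg0.conf, or into whatever path the compose container expects, and wg0-client.conf is imported on the phone or laptop. The two AllowedIPs lines are the security-relevant part: the server only accepts a peer as the source of its own /32, and the client only routes what you chose into the tunnel.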

Well, if you want to hop on the latest industry buzzword train. Zero Trust Network Access is something to look at. I’ve had good luck with Cloudflare Tunnels. You can sign up for a free account and you have access to a wide variety of tools from Cloudflare.

MRP seems to have a solid video on Cloudflare Tunnels.

Just note that with Cloudflare tunnels your media transfer is limited. A brief overview of that can be found in the documentation.

Although, like many others are saying, you can set up Tailscale or a self-hosted VPN, or if you have your own firewall it may come with a VPN server.

I don’t have experience with Tailscale so I can’t speak on that. But I do have experience with self-hosted or firewall-based VPNs. Those last two solutions work really well. However, for both of those you would need to sign up with a Dynamic DNS service like no-ip unless you have a static IP address from your ISP. Although I believe that gets more difficult if you have CGNAT (I have zero experience with this, so if someone with more experience can weigh in that would be appreciated).

Now, with all of those options in mind you would still need to take network segmentation and firewall rules or ACLs into account.

With the firewall and self-hosted VPN you would be opening a port on your firewall directly to the internet. It would go something like this (basic overview):

Internet >> open port on WAN >> Firewall directs traffic to >> your network.

You would want to set up some sort of controls (firewall rules, ACLs, VLANs, etc.) to control the access the VPN user has to the network otherwise the VPN user has access to everything on your network.
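An added example of the controls the comment above asks for, written by the editor rather than taken from the post: an nftables ruleset for the Linux firewall (or VM) that terminates the self-hosted VPN between WAN and the homelab. It opens exactly one WAN-facing port (the WireGuard UDP port) and forwards VPN clients only to an explicit list of host:port pairs, so a connected VPN user does not automatically get "everything on your network". Interface names, the tunnel subnet, the Proxmox node address and the port list are hypothetical values to adjust; `check` parses the ruleset with `nft -c` without loading it.

```shell
#!/bin/sh
# Added example, not from the original post: an nftables ruleset for the Linux
# firewall (or VM) that terminates the self-hosted WireGuard tunnel between WAN
# and the homelab. Exactly one WAN port is open (UDP 51820), and VPN clients are
# forwarded only to listed host:port pairs instead of the whole LAN.
# Hypothetical values, change to match your setup:
#   WAN_IF eth0, LAN_IF eth1, tunnel wg0 with 10.8.0.0/24, Proxmox node 192.168.1.10
set -eu

WAN_IF="eth0"; LAN_IF="eth1"; WG_IF="wg0"
WG_PORT=51820
VPN_NET="10.8.0.0/24"
PVE_HOST="192.168.1.10"
DEFAULT_ALLOW="$PVE_HOST:8006 $PVE_HOST:22"   # web UI and SSH on the node only

# "host:port host:port" -> nft set elements "host . port, host . port"
allowed_elems() {
  out=""
  for pair in $1; do
    host=${pair%:*}; port=${pair#*:}
    case "$port" in ''|*[!0-9]*) echo "allowed_elems: bad port in '$pair'" >&2; return 1 ;; esac
    out="${out:+$out, }$host . $port"
  done
  printf '%s' "$out"
}

ruleset() { # $1 = space-separated host:port list VPN clients may reach
  cat <<EOF
table inet homelab {
  set vpn_allowed {
    type ipv4_addr . inet_service
    elements = { $(allowed_elems "$1") }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    iifname "$WAN_IF" udp dport $WG_PORT accept     # the only port the WAN can reach
    iifname "$LAN_IF" accept                        # manage the box from the LAN side
    iifname "$WG_IF" icmp type echo-request accept  # let clients ping the tunnel gateway
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # VPN clients get only the listed destinations; everything else is logged and dropped
    iifname "$WG_IF" ip saddr $VPN_NET oifname "$LAN_IF" ip daddr . tcp dport @vpn_allowed accept
    iifname "$WG_IF" log prefix "vpn-denied: " drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
}
EOF
}

# Parse-check with nft when it is installed (-c loads nothing); otherwise print
check() {
  if command -v nft >/dev/null 2>&1; then
    ruleset "$1" | nft -c -f -
  else
    ruleset "$1"
  fi
}

case "${1:-}" in
  check) check "${2:-$DEFAULT_ALLOW}" ;;
  # apply appends to an existing table; run `nft flush table inet homelab` before re-applying
  apply) ruleset "${2:-$DEFAULT_ALLOW}" | nft -f - ;;
esac
```

Widening access is then a deliberate edit of the allow list (`sh vpn-fw.sh apply "192.168.1.10:8006 192.168.1.10:22 192.168.1.20:445"`) rather than the default, and the `vpn-denied:` log prefix shows you what a VPN client tried to reach beyond it. Forwarding still needs `net.ipv4.ip_forward=1` on the box, and the masquerade/NAT for the tunnel is separate from this filter table.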

Since I moved to WireGuard I’ve not looked back once. A lot of people suggest Tailscale. I’m sure it has a place but if you have your own public IP there’s no reason not to use native WireGuard. Very secure and fewer points of failure from what I can make out.

Tailscale is the latest and greatest! I just install it in the Proxmox host itself. But read these docs, there’s a gotcha involving resolv.conf in containers if you use MagicDNS.

Tailscale with a subnet router in an LXC.

https://tailscale.com/kb/1019/subnets
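The subnet-router setup above, as an added example by the editor (not the commenter's own script or Tailscale project code): what the container needs at runtime (IP forwarding persisted, `tailscale up --advertise-routes=...` with the routes validated before they reach the command line) and the two lines the Proxmox host needs in the container's config so tailscaled can create its tun device. CT 101 and 192.168.1.0/24 are hypothetical; check the two LXC lines against your PVE version.

```shell
#!/bin/sh
# Added example, not from the original post: what a Tailscale subnet router
# inside an LXC needs, as a script run in the container, plus the two lines the
# Proxmox host must carry so the container gets /dev/net/tun.
# Hypothetical values: the container advertises 192.168.1.0/24; change it.
set -eu

ROUTES="192.168.1.0/24"        # comma-separated list is fine, e.g. "192.168.1.0/24,10.10.0.0/16"

# Accept only a.b.c.d/len so a typo cannot reach `tailscale up`
valid_cidr() {
  case "$1" in
    *[!0-9./]* | */*/* | */ | /* ) return 1 ;;   # stray chars, two slashes, empty part
  esac
  case "$1" in */*) ;; *) return 1 ;; esac       # prefix length is mandatory
  ip=${1%/*}; len=${1#*/}
  [ "$len" -le 32 ] || return 1
  case "$ip" in .*|*.|*..*) return 1 ;; esac     # no empty octets
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    [ "$oct" -le 255 ] || return 1
  done
}

# Build the `tailscale up` invocation, failing closed on any malformed route
advertise_args() { # $1 comma-separated CIDRs
  oldifs=$IFS; IFS=,
  set -- $1
  IFS=$oldifs
  for r in "$@"; do
    valid_cidr "$r" || { echo "advertise_args: bad route '$r'" >&2; return 1; }
  done
  # --accept-dns=false keeps tailscaled from rewriting the container's resolv.conf
  # (the MagicDNS gotcha raised in this thread); drop the flag if you want MagicDNS in the CT
  printf 'tailscale up --advertise-routes=%s --accept-dns=false' "$(IFS=,; printf '%s' "$*")"
}

# Persist forwarding so the container still routes after a reboot
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Lines for /etc/pve/lxc/<CTID>.conf on the Proxmox host so the container can
# create the tun device tailscaled needs (add them while the CT is stopped)
host_tun_lines() {
  cat <<'EOF'
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
}

case "${1:-}" in
  up)   enable_forwarding; cmd=$(advertise_args "$ROUTES"); echo "+ $cmd"; sh -c "$cmd" ;;
  host) host_tun_lines ;;
esac
```

`sh subnet-router.sh host` on the PVE node prints the two lines to append to the container's config; `sh subnet-router.sh up` inside the container enables forwarding and advertises the route. The route is not live until it is approved in the Tailscale admin console, which the linked KB page covers, and the other side of the story is still the ACL in your tailnet: advertising a subnet announces it to every device allowed to reach the router, so restrict who may use it there.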

I usually create a virtual router, then have WireGuard set up with that. Not exposing the Proxmox host directly to the Internet, but the router. Also good to have a 2nd way in like NetBird. And test that it works while the primary one is “off/broken”.

Install Tailscale. Run this in the PVE shell:

curl -fsSL https://tailscale.com/install.sh | sh

Cloudflare Zero Trust Tunnels with Cloudflare Access for Policy-Based Access Control and MFA.

You automatically receive WAF and DDoS protection on top of DNS, no publicly exposed ports, and simple access via FQDNs, even with browser-rendered SSH or RDP/VNC to your Proxmox nodes.

If you wish, you can also enable the Secure Web Gateway for DNS, L3-L7 filtering, and SSL inspection. This allows you to restrict access to your workloads from devices running the Cloudflare Agent only if the SWG can successfully inspect the traffic and device posture requirements are met.

All of these features can be deployed and configured using Terraform and are available completely free of charge.

It’s a comprehensive security stack, while the other solutions mentioned here are disjointed fragments of one.

You want to use a self-hosted VPN, and you want it to be independent of your Proxmox.

What FW are you using? Most of them have secure IPsec clients for mobile + normal PC built in, so there is no point installing a 3rd-party tool (like Tailscale) for that.
If you don’t … then look around for a 3rd-party tool.

Currently I have an ASUS router, just a regular RT-AX58U.

This router allows me to create a VPN server, using both OpenVPN and WireGuard as protocols. The router can also tie my WAN IP address to a DDNS address, something like .asuscomm.com.

Using my phone or laptop, I just connect through the desired protocol and now I’m effectively on my home LAN. I can visit the Proxmox Web UI or SSH into it just as easily, both on phone or laptop. Much more secure than forwarding a port, as I’ve understood it. I like the versatility of accessing my entire home LAN and every peer in it, but of course some might want to limit it to just one or two specific peers. Perhaps Tailscale is then better.

Most routers can do this I believe, I’m holding out with this one for now until a 10G upgrade coming at the start of next year. But VPN Server will surely be on the must-have list.

NetBird! Loving hosting my own ‘Tailscale’ of sorts.

Tailscale all the way. It’s easy and just works. Perfect for a homelab unless you intend on developing into some sort of network role, then learn about more common industry standards.

These are exactly the kind of responses I was hoping for y’all! I’ll start doing my homework! Thanks!!!

WireGuard on my OPNsense firewall/router. Also supports OpenVPN.

I’ve been quite impressed with Tailscale for lightweight fine-grained access.

I use Parsec to connect to a computer on my home network and from that computer I connect to Proxmox.

WireGuard is the way.