Thanks for sharing this video and your thoughts & experience. I am a retired network engineer, Cisco routers, cybersecurity consultant and more, beginning with FORTRAN 1 when I was a sophomore @ Lane Tech H.S. in a summer workshop @ Illinois Institute of Technology. Over the years I learned enough programming languages to make my head spin. Within the next month I’m hoping to upgrade to a Fiber Optic local service provider. You motivated me to dust my Raspberry Pi off & explore PiVPN.
Wireguard is built into my ASUS RT-AXE7800 router. It works great. I have a 1gig/1gig fiber line from Frontier, I connect to it from work. Jeff, I saw that you have some variant of an Asus router, you should be able to run Wireguard right on the router from the VPN tab, I'd like to see a video on that
Jeff mentions that behind CG-NAT you can't use a dedicated IP address. I get around this by using Cloudflare and their tunneling application cloudflared. It creates a DNS entry automatically (if you have your DNS hosting with them, otherwise you have to manually register with your registrar) and then you can use that name to connect. My ISP is Xfinity/Comcast, which definitely uses CG-NAT on multiple layers; I can access RDP, TrueNAS, PVE & hosts, file shares, etc. The only thing I've had issues with is actually setting up the VPN portion so that my phone uses that instead of its routing. This I think is partly because cloudflared does not currently support UDP connections.
5:34 So it’s recommended not to set up a VPN unless you know exactly what you’re doing/what to configure? So how would a beginner securely access their server at home abroad without all the security risks? Or is it just not possible/not recommended for beginners to do, and to only keep it accessible when connected to a home network? I tried watching that Ansible guide you recommended in this video but it is not for beginners whatsoever
Hey fellow Jeff, consider using IPv6 either within your VPN or for your VPN transport, and you might, emphasis on might, be able to sidestep some of those limitations, especially with CGNAT.
IPv6 support globally still sucks. Yeah if it works it's great, but it's better to just always assume you're not going to have IPv6, especially when traveling abroad. Been waiting 20 years for IPv6 to go mainstream, reckon I'll be waiting another 20 lol You could implement both an IPv4 and an IPv6 VPN, but I always just target the lowest common denominator to accomplish what I need.
IPv6 works fine for me to deal with CGNAT. Some WiFis don’t provide IPv6 but at least over 4G it always works, so it’s fine for smaller tasks like checking HomeAssistant while travelling
@@BrianCroweAcolyte Yes. My home VPN will use IPv6 for the tunnel if it's supported and will pass both IPv4 and IPv6 through the tunnel, but it seems to be extremely rare that IPv6 is supported in public places that I connect from. A lot of people regard IPv6 as an extra complication causing extra attack surface with no real benefit, and while I have some sympathy with that view, I do like to have IPv6 on my own networks when possible.
@@davidberschauer1330 Here in the UK, I've literally never ever come across a 4G connection with IPv6. Though, I have seen some things that hint that maybe one of our networks is slowly working towards allowing IPv6.
YMMV, but I've found, in the states, that IPv6 is available and works in most places that i am, with the exception of retail wifi (most specifically a local chain of coffee shops that i frequent). My mobile provider (T-Mobile) def has working IPv6...in fact, their network is v6 *only* with an adaptation layer on top of it to make v4 work. I use v6-only for my personal setups almost completely because it ends up being *easier* to work with.
And just like that something I'd been meaning to set up for years was done thanks to this video. I was hoping to waste a whole afternoon setting this up but annoyingly I was done in about 10 minutes. Thanks Jeff!
Well, there are a lot of solutions. I usually just have AnyDesk and TeamViewer set up, but for software projects I have done, in case of IP changes, instead of manually changing the IP after getting a notification, you can change the domain or subdomain settings automatically. I am pretty sure Namecheap has an API you can use, not sure about other providers/registrars, but it was fairly easy to create a small service/program to check and update the IP from the local device. In case of mobile data, the device behind the network can connect to a cheap-ish $5 or so VPS, and the other computers can connect to that server to create a network. Tailscale I wanted to test out but didn't have the time.
I do basically the same, but I use OpenVPN on port TCP-443 for sidestepping the restrictions on corporate firewalls. I tried to do the same with Wireguard but Wireguard is UDP only and UDP protocol is locked in some corporate networks. Amazingly, I can even play games with Moonlight or Steam Link with only 10ms added latency from my work or other people houses (in the same city. I haven't tested that from other cities). My internet provider is FTTH with 800mb/s Symmetric without CG-NAT so bandwidth is not an issue.
I have the exact same router as Jeff Geerling, the ASUS RT-AX86U, where you can run a VPN server on that device that's both faster and easier to set up than PiVPN, and supports WireGuard and DDNS. Also the router is already an always-on device. Though before, I used PiVPN on a Pi for many years to solve this exact problem, and it just works!
My old Raspberry Pi 1 with 512 MB has been running OpenWrt with WireGuard and OpenVPN for quite a while already. It's not fast, the oldie, but it does the job for me. The advantage of OpenWrt is that it is an out-of-the-box router/firewall/etc. software with a nice management interface.
@@JeffGeerling Indeed, OpenVPN runs approximately 7-8 Mbps and with WireGuard it can roughly double that number. Good enough to stream live TV. I can only guess what a pi4 will do, but I estimate at least a double or triple of those figures.
How do you go about connecting? I have a netbook with OpenWrt that I use as a server (which is behind the ISP's router) and I can't get to the internet. I clarify that I have public IP. The strange thing is that with a Linux distro it does work.
@@francocastilloAR Routing may be an issue here, as the VPN introduces a new network your ISP router does not know of. Either a static route or an extra NAT may do the trick.
@@feicodeboer Fixed by creating a new firewall zone for WireGuard and enabling masquerading in the LAN zone, as well as allowing forwarding between these two zones.
According to my testing, a Pi 4 can handle up to 300 Mbit through WireGuard (Internet connection is 1000 down/500 up). OpenVPN is much worse (like 150); if you need more, you have to run the VPN server on something more powerful.
Thanks. Actually super helpful. I've been meaning to set up a vpn for a while now since my old openvpn died years ago. wireguard works so well. it's scary how fast it was to set up
I'm behind CGNAT and have been using Tailscale for a couple of years now. I've been so impressed by their service and how they keep expanding features. They are also very transparent in how they build their service. So although it's not zero trust, it's good enough for me.
Good video. It would have been nice to also cover local DNS resolution. Especially from mobile clients that's handy. And a comparison to other options like ZeroTier would have been nice, too. That should be enough content for a 2nd video :)
Only 2 days ago did I set up Wireguard at home, it's so much easier than OpenVPN to set up. I use a mini PC as a router so it has plenty of power for my 1gbit symmetric connection.
I use Twingate on my network, I find it easier and better than a VPN as I don’t have to open ports and it’s a bit easier to set up access levels and users etc
why not tailscale or zerotier? They're newer in how they work, no need to open ports on router, way easier... take a look! Oh, no need for a public ip, too, they work no problem if you're natted :)
Although you need the servers of Tailscale to get the devices to connect to each other, I very much prefer Tailscale. It just works, no hassle with configs, no need to set anything up on your router/firewall, no public IP hassle, and it has been incredibly reliable in my experience. Plus it is absolutely free for private usage. If you want to set up your own server for Tailscale you could even do that with headscale. And it is also based on WireGuard.
I think that software-defined VPNs such as ZeroTier or Tailscale are more convenient. They, for example, support internal DNS and by default only route the relevant traffic through this virtual network. Tailscale has an exit node thing to allow routing everything to that exit node machine just like a classical VPN.
I have been running Pi-VPN for a month now and it works better than the pfSense implementation. I was able to get a full tunnel connection almost right out of the box. I just had to add my Pi-VPN IP subnet to the outbound NAT and voila. I will add a domain redirect to it soon. Since I have cloudflare, I can use the cloudflare ddns updater to update my IP if/when it changes and it will automatically update my records for my domain(s).
If you use Linode or any number of other services, you could have a container that updates your IP address via API if it ever changes. That's how I handle dynamic DNS.
Thanks for making this video, Jeff! Just wanted to add that for anyone who's short on time, setting up a self-hosted VPN with Wireguard or Tailscale can be done in less time. But I appreciate the effort you put into explaining this process.
Me: so jeff geerling made a video about self-hosted vpns and how to set it up. if i comment "well, fun fact, setting up a self hosted vpn with either wireguard(with some scripts ofc) or tailscale takes less than duration of this video.", will this go across as a mean comment to him? (like this video is too long dont watch it etc although i dont mean to) ChatGPT: It's possible that your comment could come across as mean-spirited, especially if Jeff Geerling put a lot of effort into creating the video and you're suggesting that it's not worth watching. However, if you phrase your comment in a respectful way and acknowledge the effort he put in, it should be fine. For example, you could say something like, "Thanks for making this video, Jeff! Just wanted to add that for anyone who's short on time, setting up a self-hosted VPN with Wireguard or Tailscale can be done in less time. But I appreciate the effort you put into explaining this process." This way, you're sharing your knowledge while still acknowledging the value of Jeff's video.
@@pcislocked tbh, tailscale is not really self-hosted, and stuff like headscale, which is a self-hosted version of tailscale, can be a bit annoying to set up, and not easy... instead, I'd use something like Yggdrasil Network, myself (or even stuff like tor or i2p, using them for legitimate purposes helps out everyone, and you can also set things up that only specific routers are even allowed to connect to your server)
@@jan_harald yeah tailscale is not technically fully self hosted in terms of management etc, but if your exit node is exposed to the internet, the connection is direct to the server. stuff like i2p is a bit too much for a normie like me xd
@@pcislocked I've been using Tailscale for a few years now, and it is fantastic, but I've had recurring problems with it failing to work without intervention after updates to either itself or Windows. Sometimes it seems to stop working for no reason at all. I've resorted to installing a secondary remote access program for the times when I need to remotely make Tailscale work again.
@@zoopercoolguy I've used Tailscale for several months but have never experienced the problem that you have. I'll tuck that away in case I do though and know that the issue is not unique. Thanks JB.
Massive thanks for posting this, and I haven’t even watched it yet! I’ve been trying to use pivpn to get access to my home network on and off for a while, never successfully. I’m sure you will give me the info needed to get it working.
Great video. For my VPN-to-home use I am using Tailscale with exit node and subnet advertising. I found out that for some reason PiVPN / WireGuard slows down speed more than Tailscale does. Weird. Anyways. Been using Tailscale for over a year now with not one single day being a problem.
Cool Jeff! I just did a build video of a pfSense firewall; it's super cheap and runs Tailscale for VPN access. Tailscale also builds upon WireGuard and simplifies it even further for the end user. No need for additional dynamic DNS. Am working on my next video on how to add cellular failover cheaply and built into the box (IoT SIMs and funky adapters), so even if the internet goes down or an interface fails I can still access the VPN to safely shut down any machines.
I thought after he said "are all these terms too technical for you?" he was going to break them down in a simple, easy to understand way or say that it's no big deal or something. Instead he basically said "go on and get out of here, boy" 😂😂
Honestly networking is full of voodoo magic and crazy things! It's too easy for someone to mess things up for me to officially recommend it. But breaking things is often the best way to learn.
I have 1gig symmetric fiber. My PiVPN on a Pi4 using WireGuard is usually able to push 600-700 mbps to another computer in town with a decent gigabit connection. Sometimes I can get faster and it seems that messing with the CPU governor has some impact, as does overclocking. Back when I used OpenVPN it usually was around 200 to 250 MBPS. If you're upload speed limited on most cable ISPs, it'll probably be able to run at that max speed no problem.
Couldn't have asked for better timing on this! This is a lot of what I want to do so I can administer my parents' HomeAssistant RPi that I'm going to set up
Does the connection persist/reconnect, and do notifications from hassio still work after it loses the VPN connection? And does it automatically connect to the VPN when I leave my home? I’m still on the fence whether I should use this or a reverse proxy.
What's the latency and speed of this kind of solution compared to ExpressVPN (provided I buy a good VPS from a cloud service)? I feel ExpressVPN is not fast enough for my needs and am wondering whether I should build a VPN myself, but if it's not going to be faster and lower latency compared to ExpressVPN, I won't bother to try. Any advice would be highly appreciated, thanks!
I use the free no-ip. Respond to an email once a month to keep it active. Both my asus router (as an AP) and my erx router have the option to use no-ip. Even if yours doesn't, the Windows program works flawlessly.
My newest ISP doesn't offer an open public IP, so I had to rent a VPS specifically to allow my home computer to be accessible to the world - using precisely this method
If you were worried about a DDoS of your home network, why hide the domain name but not the public IP address? Is that not just as attackable, since DNS maps the name to the numbers?
While it's not recommended, the IP will change on a regular basis. Dynamic DNS changes its referenced IP when your ISP gives you a new IP. Hence sharing a throwaway IP is not nearly as dangerous as sharing the dynamic DNS registry name.
Thanks for this Jeff. I've been ssh-tunneling in for years (which works), but I promised myself I'd tidy it up a bit one day. PiVPN will probably work for me, as I have a couple of Pis already running Pi-hole & unbound, so this video will help me with that. But man, either I'm getting slower with age, or you're speeding up! It's OK, I'll just have to pause a bit more often to let the info sink in :-) I also plan to move to DuckDNS for DDNS, as NoIP (free option) grinds my gears each month by threatening to expire.
Amazingly timely video! I literally just started setting up a self-hosted VPN last night. Got a personal domain + DDNS working, then set up the OpenVPN that's baked into pfSense... just having trouble with the exported profiles connecting back...
That was my trouble with OpenVPN - and which is why I decided to flip over to Wireguard. The app worked a little more seamlessly (didn't have any weird issues).
@@JeffGeerling Well my VPN logs show an error regarding a missing HMAC that suggests a problem with a key definition in the exported profile, so I'm hoping I just missed some detail in the profile definition. And I'm in EXACTLY the same boat you are with asymmetric cable Internet (I'm stuck with awful Cox), 1 Gbps down but 40 Mbps up 😡
I used to split tunnel with Home Assistant, so just the Home Assistant app would be tunneled back to home network and everything else on the phone would use mobile data. But lately I've switched to a cloudflare tunnel with a domain I purchased for more flexibility ( I can log in easily from any device, not just on my app, and I don't have to explain how to enable the vpn after a phone restart to my wife).
I found that a lot of guest wifi spots (coffee shops, libraries, etc.) block the usual public WireGuard and OpenVPN ports - no access to home from such spots. Using 443 actually defeated them.
Welcome to the Pi-VPN gang! I've been using wireguard installed on my virtual machine server for years now. It's a great project that simplified the whole installation process!
I went with Netmaker, which allows me to skip the public issue for now, as either end can initiate the connection, so I can have an egress node at home, and one in the cloud for ingress, set up various VPNs on the same nodes or different sets of nodes, etc, and they don't mix. It uses Wireguard under the hood, and "users" are "external clients" and get a standard Wireguard config for a specific ingress node I define. The other nodes in the VPN run the Netmaker client, and form a mesh that is entirely (or nearly) configured by the Netmaker UI. I wonder if I could share my server with others and not break my security. Heh. The server just does config and such generally.
MikroTik routers have WireGuard and DDNS built-in, so you could use your Raspberry Pi and/or other computers for better tasks… 😉
For the IP changing, I wanted to limit the access a DDNS service had on my DNS registrar, so I got a free Pulseway RMM account, which lets you monitor 2 devices, and when the RMM agent on my server detects an IP change I get an email and alert via the app on my phone and then change the DNS record manually, a 2 min job.
Hotel WiFi often blocks UDP (except for DNS). Only 443 TCP is reliably “open”. The lack of support for TCP is a downside. OpenVPN is not as fast or easy to setup, but at least I can trust it always works. Maybe you can use DNS or an NTP port for your WireGuard server, or maybe another common DNS port that is likely permitted, even on hotel Wi-Fi?
Why not have the cron job contact the domain registrar's API and update the record? If your domain registrar doesn't have an API, use something like deSEC, Cloudflare, ClouDNS, or a self-hosted server on a VPS somewhere. The record TTL can be 1 so changes take little time to reflect.
Have a good trip! I'm pretty sure I need a virtual VPN. Each VM gets a bare metal GPU. Pi gets to be an orchestration manager. I'm willing to accept that no Pi will host a GPU but it can orchestrate them no problem 😒
Can't help but notice you have an Asus router. The newer firmware on the AX models has WireGuard built in. If you do have a WireGuard-capable Asus router (stock or Merlin), how does the admin and performance compare to PiVPN?
I ran PiVPN for a while but I think work was blocking that port or domain, so I switched to Tailscale and used my home Pi-hole as an exit node and it's been much easier. But your point was no 3rd party software, so still a great video! I do like how you can use local IP addresses on PiVPN but not Tailscale.
I use Wireguard to route public IPs back home just out of spite of my ISP's horrendous international routing making it impossible to work from home, since I need to route at least 1Gbps down and up simultaneously I opted for an older i5-4590 based desktop but it works really well for my use case. It's a bit different from yours but this is another legitimate use case for VPNs.
I'm extremely impressed with the terminal output being a QR code. What a delightfully clever system
“Ok so he’ll copy and open it on something else…oh never mind.” That caught me off guard that even works.
Has anyone already decoded it? 😅
@@stefanmisch5272 it's a Wireguard tunnel config file but the endpoint is spoofed of course and unusable
It basically comes with wireguard server out of the box
The QR code is not really a useful thing... it would make sense just getting the token.
This video is sponsored by Jeff Geerling VPN!
@RAM_845 Hahah. I comment on people I like to support. Especially if I talk with them outside of YouTube.
😆
🤭
@RAM_845 hahah nooo. Though I am also in Disbelief that I have known him for almost 5 years.
As a long time user of Jeff Geerling VPN, I can say, stop all the downloading
For people with CGNAT, what you can do is set up a VPS as the middleman. Set up WireGuard on the VPS and on a device on your home network, and you can set up WireGuard on the VPS to forward requests or ports to your home network. This is basically what services such as Tailscale do.
I use this setup to host a mail server on my local network. No need to open ports on my network
This. Relatively easy to set up, you can host servers literally anywhere* as long as there is internet, and it's super flexible. Just remember to have the clients keep their connection alive so the VPS is allowed to talk back to them.
What if I have a corporate network with a public static IP and I want to establish a VPN between that and the LAN of a 4G broadband router behind CGNAT? I need to access an IP camera in that 4G router's LAN.
Or just use IPv6
One thing to add (especially for macbook/iphone/ipad, not tried it on windows/android):
If you still want to use your private vpn for security reasons (like public wifi) you can enable "On Demand Activation" in the client. Then activate whatever you need and set your home wifi SSID as an exception. This way if you have enabled the vpn profile it will automatically connect to your vpn whenever you're not at home (depends on your configuration).
Really helpful if you have public wifis that are set to automatically connect and you are in range without knowing it.
You have to disable split tunnel (or change the allowed IPs correctly) but I'm not 100% sure how to do that at the moment.
I suggest you create a second profile for it but importing the same profile a second time works when you name it something else.
If you need a privately hosted VPN and must be behind a CG-NAT, your best bet is to set up a one-to-many IPSec tunnel with NAT traversal. It'll require a bunch more setup & understanding of networks, so for most people Tailscale & ZeroTier are better, but it can be done.
Also minor thing, no RaspberryPi has cryptographic extensions, which is why it's so slow. If you need more speed it's *possible* you've got a router with AES-NI instructions, otherwise your home PC, old laptop, or an SBC that's a little beefier than a Pi would do the trick.
Tailscale has been working wonders for me; it's technically an overlay network but uses WireGuard under the hood. They have clients for TrueNAS (using the truecharts repo), OpenWRT, pfSense, and there are even some experimental clients for RouterOS (MikroTik). I'm limited by my 10 Mbps upload speed but the overhead is not so much, so I can stream 1080p content without transcoding.
WireGuard does not take advantage of AES-NI.
WireGuard does not use AES, but ChaCha, a cipher that works faster on this machine. It uses ARX instructions.
I already had Pi-hole installed. I followed this video after pausing, replaying at a slow speed to see what I was missing. I was able to get the VPN running perfectly on my Pi 4 Model B with my Samsung 22 Ultra. It worked so effortlessly on the first try. Now I can use public wifi and not be worried about people monitoring what I am doing. Thanks for posting this video.
1:36 traceroute can also show more than one hop if you are using a separate router from your ISP's modem. In that case, you'd likely see two hops, one of which is the router in front of the modem.
Ah true. So not a bulletproof method!
Indeed, but if you know enough to put a 3rd party router in, you likely already know enough to figure that out... or set up the VPN on your router and eliminate the need for a separate VPN server. Of course, router VPN servers tend to be a bit slower due to low-end SoCs, but if you are already on a woefully asymmetrical ISP (I really hate DOCSIS for this), this won't likely matter much and will be similar to your upload speeds, anyway.
Still a great video for the average not-as-techie power user! 😎
@@thewebmachine How difficult is this to set up? Does it depend on the router I'm using?
I've been using this for a year or more now. It's great that with Android at least it adds the wireguard tunnel into a quick access button next to my wifi and torch. Don't even have to open the app to turn it on, it's been great.
Personally, I prefer tailscale because I have a much better performance and the use is simpler I find... Thank you for your video.
@@Batwam0 yes indeed, if you have a fixed IP address you will not need to modify whatever the parameter in your router!
Tailscale's great, but as Jeff's clearly wanting to do this without any third-party cloud help -- other than his ISP, his DNS provider, his VPS provider, etc. -- it's fine. After all, Tailscale is built on Wireguard, and is really a cloud service to make configuration and discovery easier.
I have both. I use Tailscale most of the time, but Wireguard is also there just-in-case.
@@tomgidden absolutely ! Thank you for this precision ☺️
@@Batwam0 That's correct. No port forwarding with Tailscale.
'tracert' is probably a bygone era of Windows that does not have long filename support as 'traceroute.exe' would be longer than the 8.3 format for filenames
You seriously said "I'm a simple man" on a video about making your own VPN lol. Love it
I am behind NAT and use Windscribe to deal with this issue. They offer port forwarding and can be a great alternative to dealing with NAT. I run Windscribe in a Docker container and Wireguard in another container. When I need to connect to my home network, I connect through the Windscribe IP to get into the Windscribe container, which is then set up to forward the connection to the Wireguard container. It does of course provide a bit more overhead because you are basically nesting VPN connections, but I have not had any issues with my use cases.
Note: If you're behind CGNAT, port forwarding doesn't work.
Will you be making a more in-depth video about tailscale? Also with the inclusion of self hosted orchestration using headscale. I see you gave it a shout out at the end. I've been trying it lately and it's handy. I'd like to see your thoughts on it as well as your ideal use cases. It works great with pikvm too.
Possibly. Since I only used it once and don't run it right now I'd need to do a bit more work for that. Might do either that or Cloudflare Tunnel.
I manage my own cloud-based ad-blocking VPN:
. I pay $5/month to have a cloud-based Linux VM available with a static IP.
. Installed Pi-Hole and OpenVPN on my remote VM.
. Use the free OpenVPN client on all my computers and phone.
That's it. It's not fast but gets the job done and allows me to show up as connecting from the US whenever needed. It also provides ad-blocking capabilities to any WiFi network I'm connected to, very useful on the road and also when connecting via mobile internet.
With zerotier you can also create a tunnel with your network, and with some configuration, you can even use your internet, and it doesn't matter if you are with CGNAT
for Wireguard, also a notable mention for wg-easy - a dockerized Wireguard server with a GUI.
Thanks for sharing this video and your thoughts & experience. I am a retired network engineer, Cisco routers, cybersecurity consultant and more, beginning with FORTRAN 1 when I was a sophomore @ Lane Tech H.S in a summer workshop @ Illinois Institute of Technology. Over the years I learned enough programming languages to make my head spin. Within the next month I’m hoping to upgrade to a Fiber Optic local service provider. You motivated me to dust my Raspberry Pi off & explore PiVPN.
Wireguard is built into my ASUS RT-AXE7800 router. It works great. I have a 1gig/1gig fiber line from Frontier, I connect to it from work.
Jeff, I saw that you have some variant of an Asus router, you should be able to run Wireguard right on the router from the VPN tab, I'd like to see a video on that
Nice! I have Wireguard in my Asus RT-AX56U Router as well but not sure how to set it up, can you point me to a guide thanks!
Tailscale is the best for most cases. Especially for those with spectrum/cable internet… you only overlay subnet routes you need!
Jeff mentions that behind CG-NAT you can't use a dedicated IP address. I get around this by using CloudFlare and their tunneling application cloudflared.
It creates a DNS entry automatically (if you have your DNS hosting with them, otherwise you have to manually register with your registrar) and then you can use that name to connect.
My ISP is Xfinity/Comcast, which definitely uses CG-NAT on multiple layers, and I can access RDP, TrueNAS, PVE & Hosts, File shares, etc. The only thing I've had issues with is actually setting up the VPN portion so that my phone uses that instead of its routing. This I think is partly due to cloudflared not currently supporting UDP connections.
5:34 So it’s recommended not to set up a VPN unless you know exactly what you’re doing/what to configure? So how would a beginner securely access their server at home abroad without all the security risks? Or is it just not possible/not recommended for beginners to do, and to only keep it accessible when connected to a home network? I tried watching that Ansible guide you recommended in this video but it is not for beginners whatsoever
Hey fellow Jeff,
Consider using IPv6 either within your VPN, or for your VPN transport, and you might, emphasis on might, be able to sidestep some of those limitations, especially with CGNAT.
IPv6 support globally still sucks. Yeah if it works it's great, but it's better to just always assume you're not going to have IPv6, especially when traveling abroad. Been waiting 20 years for IPv6 to go mainstream, reckon I'll be waiting another 20 lol
You could implement both an IPv4 and an IPv6 VPN, but I always just target the lowest common denominator to accomplish what I need.
IPv6 works fine for me to deal with CGNAT. Some WiFis don’t provide IPv6 but at least over 4G it always works, so it’s fine for smaller tasks like checking HomeAssistant while travelling
@@BrianCroweAcolyte Yes. My home VPN will use IPv6 for the tunnel if it's supported and will pass both IPv4 and IPv6 through the tunnel, but it seems to be extremely rare that IPv6 is supported in public places that I connect from. A lot of people regard IPv6 as an extra complication causing extra attack surface with no real benefit, and while I have some sympathy with that view, I do like to have IPv6 on my own networks when possible.
@@davidberschauer1330 Here in the UK, I've literally never ever come across a 4G connection with IPv6. Though, I have seen some things that hint that maybe one of our networks is slowly working towards allowing IPv6.
YMMV, but I've found, in the states, that IPv6 is available and works in most places that i am, with the exception of retail wifi (most specifically a local chain of coffee shops that i frequent). My mobile provider (T-Mobile) def has working IPv6...in fact, their network is v6 *only* with an adaptation layer on top of it to make v4 work.
I use v6-only for my personal setups almost completely because it ends up being *easier* to work with.
And just like that something I'd been meaning to set up for years was done thanks to this video. I was hoping to waste a whole afternoon setting this up but annoyingly I was done in about 10 minutes. Thanks Jeff!
well there are a lot of solutions. I usually just have anydesk and teamviewer set up, but for software projects I have done,
in case of IP changes, instead of manually changing the IP after getting a notification, you can change the domain or subdomain settings automatically. I am pretty sure namecheap has an API you can use, not sure about other providers/registrars, but it was fairly easy to create a small service/program to check and update the IP from a local device.
In case of mobile data, the device behind the network can connect to a cheap-ish $5 or so VPS, and the other computers can connect to that server to create a network.
tailscale i wanted to test out but didn't have the time.
THAT'S AMAZING! everything working well, dns, vpn, pihole, like a charm
How much easier this would be to follow (and use) if it weren't a RUclips video, but written instructions. Thanks, Jeff.
Boom! Thanks for posting the link, saved me the hassle while I'm flying home from UK
5:04 How do I grab my ip again? When I do a curl request on that site, it said that I have to pay to request it.
with Starlink you can use IPv6 for the incoming tunnel connection
Pro tip if your isp is AT&T. Even on a consumer accounts they will give you a block of static IP’s for $15 a month!.
I do basically the same, but I use OpenVPN on port TCP-443 for sidestepping the restrictions on corporate firewalls. I tried to do the same with Wireguard but Wireguard is UDP only and UDP protocol is locked in some corporate networks. Amazingly, I can even play games with Moonlight or Steam Link with only 10ms added latency from my work or other people houses (in the same city. I haven't tested that from other cities). My internet provider is FTTH with 800mb/s Symmetric without CG-NAT so bandwidth is not an issue.
I have the exact same Router as Jeff Geerling, the ASUS RT-AX86U, where you can run a VPN server on that device that's both faster and easier to set up than PiVPN, and supports wireguard and DDNS. Also the router is already an always-on device.
Though before I have used PiVPN on a pi for many years to solve this exact problem, and it just works!
Both are great ways to do it-I've been working on dropping that AX86U in favor of a box running OPNsense though... we'll see.
My old Raspberry pi1 with 512 MB is running OpenWrt with Wireguard and OpenVPN for quite a while already. It's not fast, the oldie, but it does the job for me. The advantage of OpenWrt is that it is an out-of-the-box router/firewall/etc software with a nice management interface.
It's a great solution if you don't need extra speed!
@@JeffGeerling Indeed, OpenVPN runs approximately 7-8 Mbps and with WireGuard it can roughly double that number. Good enough to stream live TV. I can only guess what a pi4 will do, but I estimate at least a double or triple of those figures.
How do you go about connecting? I have a netbook with OpenWrt that I use as a server (which is behind the ISP's router) and I can't get to the internet. I clarify that I have public IP. The strange thing is that with a Linux distro it does work.
@@francocastilloAR Routing may be an issue here as the VPN introduces a new network your ISP router does not know of. Either a static route or an extra NAT may do the trick.
@@feicodeboer Fixed by creating a new firewall zone for WireGuard and enabling masquerading in the LAN zone, as well as allowing forwarding between these two zones.
Kind of surprised Jeff didn't make an Ansible Collection for this and used that. Then runs that Ansible Collection from a Podman SystemD job.
If I'm remembering my history, the abbreviated "tracert.exe" probably had something to do with the 8.3 filename length.
According to my testing, a Pi 4 can handle up to 300mbit through Wireguard (Internet connection is 1000down/500up). OpenVPN is much worse (like 150); if you need more, you have to run the VPN server on something more powerful.
Yeah, the most I got internally through lan was around 270 Mbps, so that checks out!
Thanks. Actually super helpful. I've been meaning to set up a vpn for a while now since my old openvpn died years ago. wireguard works so well. it's scary how fast it was to set up
I love hearing everyone say how easy it was and I spent hours trying to get it to work... turns out I have cg-nat...
I'm behind CGNAT and have been using tailscale for a couple years now. I've been so impressed by their service and how they keep expanding features. They are also very transparent in how they build their service. So although it's not zerotrust, its good enough for me.
Yeah I think they do a great job at the whole user experience too.
@@JeffGeerling why didn't u use tailscale?
Good video. It would have nice to also cover local dns resolution. Especially from mobile clients that's handy. And a comparison to other options like zerotier would have been nice, too. That should be enough content for a 2nd video :)
Only 2 days ago did I set up Wireguard at home, it's so much easier than OpenVPN to set up. I use a mini PC as a router so it has plenty of power for my 1gbit symmetric connection.
Use ZeroTier if you have CG-Nat, works fine without any hassle. ZT works also fine without cg-nat.
I use Twingate on my network, I find it easier and better than a VPN as I don’t have to open ports and it’s a bit easier to set up access levels and users etc
I run my home VPN on my router. It's a Ubiquiti EdgeRouter X. You can do lots of interesting and/or useful stuff with it, but it's not simple to use.
0:34 hope you've showcased Wireguard, as this little in-kernel thingie absolutely kicks ass, even in such crippled implementations as on Mikrotiks.
Mikrotik RouterOS v7 has Wireguard and ZeroTier support built in.
why not tailscale or zerotier? They're newer in how they work, no need to open ports on router, way easier... take a look! Oh, no need for a public ip, too, they work no problem if you're natted :)
Although you need the servers of Tailscale to get the devices to connect to each other, I very much prefer Tailscale. It just works, no hassle with configs, no need to set anything up on your router/firewall, no Public IP hassle, and it has been incredibly reliable in my experience. Plus it is absolutely free for private usage. If you want to set up your own server for Tailscale you could even do that with headscale. And it is also based on Wireguard.
I think that software defined vpns such as zerotier or tailscale are more convenient. They, for example, support internal DNSs and by default only route the relevant traffic through this virtual network. Tailscale has an exit node thing to allow routing everything to that exit node machine just like a classical VPN.
Starlink now offers Public IP for 250 a month. But that has the 1TB restriction, the regular plan is back unlimited
@jeffgerling I think ur forgetting the second e, oh wait- ur a scammer :(
I have been running Pi-VPN for a month now and it works better than the pfSense implementation. I was able to get a full tunnel connection almost right out of the box. I just had to add my Pi-VPN IP subnet to the outbound NAT and voila. I will add a domain redirect to it soon. Since I have cloudflare, I can use the cloudflare ddns updater to update my IP if/when it changes and it will automatically update my records for my domain(s).
One option to deal with IP address changing is to setup a TOR hidden service which can serve as a backup if your IP changes.
Very informative. Been looking for a new use for the Pi 4 that used to be hooked up to my tv.
I love that the QR-Code you generated has your "totally real" public IP 😂
I wish you had hidden more easter eggs in that
I almost did but didn't have time today :(
If you use Linode or any number of other services, you could have a container that updates your IP address via API if it ever changes. That's now I handle dynamic DNS.
If you have a Fritz!Box Router, you can just enable Wire Guard and you got your vpn in a few seconds.
Jeff, can you share your script (the one you run by cron job) to update your current dynamic IP to your personal VPS?
Thanks for making this video, Jeff! Just wanted to add that for anyone who's short on time, setting up a self-hosted VPN with Wireguard or Tailscale can be done in less time. But I appreciate the effort you put into explaining this process.
Me: so jeff geerling made a video about self-hosted vpns and how to set it up. if i comment "well, fun fact, setting up a self hosted vpn with either wireguard(with some scripts ofc) or tailscale takes less than duration of this video.", will this go across as a mean comment to him? (like this video is too long don't watch it etc although i don't mean to)
ChatGPT: It's possible that your comment could come across as mean-spirited, especially if Jeff Geerling put a lot of effort into creating the video and you're suggesting that it's not worth watching. However, if you phrase your comment in a respectful way and acknowledge the effort he put in, it should be fine. For example, you could say something like, "Thanks for making this video, Jeff! Just wanted to add that for anyone who's short on time, setting up a self-hosted VPN with Wireguard or Tailscale can be done in less time. But I appreciate the effort you put into explaining this process." This way, you're sharing your knowledge while still acknowledging the value of Jeff's video.
@@pcislocked tbh, tailscale is not really self-hosted, and stuff like headscale, which is a self-hosted version of tailscale, can be a bit annoying to set up, and not easy...
instead, I'd use something like Yggdrasil Network, myself (or even stuff like tor or i2p, using them for legitimate purposes helps out everyone, and you can also set things up that only specific routers are even allowed to connect to your server)
@@jan_harald yeah tailscale is not technically fully self hosted in terms of management etc, but if your exit node is exposed to the internet, the connection is direct to the server. stuff like i2p is a bit too much for a normie like me xd
@@pcislocked I've been using Tailscale for a few years now, and it is fantastic, but I've had recurring problems with it failing to work without intervention after updates to either itself or Windows. Sometimes it seems to stop working for no reason at all. I've resorted to installing a secondary remote access program for the times when I need to remotely make Tailscale work again.
@@zoopercoolguy I've used Tailscale for several months but have never experienced the problem that you have. I'll tuck that away in case I do though and know that the issue is not unique. Thanks JB.
It's tracert because of DOS's character limitation of 8 for the name and 3 for the extension.
Massive thanks for posting this, and I haven’t even watched it yet! I’ve been trying to use pivpn to get access to my home network on and off for a while, never successfully. I’m sure you will give me the info needed to get it working.
What is the best vpn? (Except Jeff vpn)
Great Video.
For my VPN to home use i am using Tailscale with exit-node and subnet advertising.
I found out that for some reason PiVPN / WireGuard slows down speed more than Tailscale does. Weird.
Anyways. Been using Tailscale for over a year now with not one single day being a problem.
Also, ZeroTier as an alt to Tailscale, client and server are FOSS if you want to run your own
I am using Tailscale - which is super-easy to handle and set up.
Cool Jeff! I just did a build video of a pfsense firewall, it's super cheap and runs tailscale for VPN access. Tailscale also builds upon wireguard and it simplifies it even further for the end user. No need for additional dynamic dns. Am working on my next video on how to add cellular failover cheaply and built into the box (IoT sims and funky adapters), so even if the internet goes down or the interface fails I can still access the VPN to safely shut down any machines.
wg-easy is also a pretty nice option for rolling wireguard with a simple web management UI.
I thought after he said "are all these terms too technical for you?" He was going to break them down in a simple easy to understand way or say that it's no big deal or something. Instead he basically said "go on and get out of here, boy" 😂😂
Honestly networking is full of voodoo magic and crazy things! It's too easy for someone to mess things up for me to officially recommend it. But breaking things is often the best way to learn.
I have 1gig symmetric fiber. My PiVPN on a Pi4 using WireGuard is usually able to push 600-700 mbps to another computer in town with a decent gigabit connection. Sometimes I can get faster and it seems that messing with the CPU governor has some impact, as does overclocking. Back when I used OpenVPN it usually was around 200 to 250 MBPS. If you're upload speed limited on most cable ISPs, it'll probably be able to run at that max speed no problem.
great vid jeff, had to revisit this so I can vpn in while i'm in the hospital here, thanks for the great videos!
Couldn't have asked for better timing on this! This is a lot of what I want to do so I can administer my parents' HomeAssistant RPi that I'm going to set up
Does the connection persists/reconnect and do notifications from hassio still work after it loses the vpn connection?
And does it automatically connect to the vpn when i leave my home?
I’m still on the fence if i should use this or a reverse proxy.
Hey @Jeff Geerling, I don't know if you know, but your Asus Router... actually provides an OpenVPN server in its firmware
What's the latency and speed of this kind of solution compared to ExpressVPN (provided I buy a good VPS from a cloud service)? I feel ExpressVPN is not fast enough for my needs, and I'm wondering whether I should build a VPN myself, but if it's not going to be faster and lower latency compared to ExpressVPN, I won't bother to try. Any advice would be highly appreciated, thanks!
Now that PiVPN is no longer being maintained, it would be really cool to see you do a video on how to replace it.
As a CG-NAT victim myself, I recommend Tailscale a lot! One of my favorite pieces of software
Oh, I've been using Wireguard to tunnel traffic from my proxy with public IP to local home server, works reasonably well
First and only person that I've seen that is telling realistic use cases and no lofty claims about VPNs
I use the free no-ip. Respond to an email once a month to keep it active. Both my asus router (as an AP) and my erx router have the option to use no-ip. Even if yours doesn't, the Windows program works flawlessly.
My newest ISP doesn't offer an open public IP, so I had to rent a VPS specifically to allow my home computer to be accessible to the world - using precisely this method
Another ThinkCentre tiny dude here. These little guys are absolute treasures if you want cheap and reliable PCs for your home lab.
If you were worried about a DDoS of your home network, why hide the domain name but not the public IP address? Is that not just as attackable, since DNS maps the name to the numbers?
While it's not recommended, the IP will change on a regular basis. Dynamic DNS changes its referenced IP when your ISP gives you a new IP. Hence sharing a throwaway IP is not nearly as dangerous as sharing the dynamic DNS registry name.
Thanks for this Jeff. I've been ssh-tunneling in for years (which works), but I promised myself I'd tidy it up a bit one day. PiVPN will probably work for me, as I have a couple of Pis already running Pihole & unbound, so this video will help me with that. But man, either I'm getting slower with age, or you're speeding up! It's OK, I'll just have to pause a bit more often so let the info sink in :-) I also plan to move to DuckDNS for DDNS, as NoIP (free option) grinds my gears each month by threatening to expire.
Amazingly timely video! I literally just started setting up a self-hosted VPN last night. Got a personal domain + DDNS working, then set up the OpenVPN that's baked into pfSense.....just having trouble with the exported profiles connecting back...
That was my trouble with OpenVPN - and which is why I decided to flip over to Wireguard. The app worked a little more seamlessly (didn't have any weird issues).
@@JeffGeerling Well my VPN logs show an error regarding a missing HMAC that suggests a problem with a key definition in the exported profile, so I'm hoping I just missed some detail in the profile definition. And I'm in EXACTLY the same boat you are with asymmetric cable Internet (I'm stuck with awful Cox), 1 Gbps down but 40 Mbps up 😡
I used to split tunnel with Home Assistant, so just the Home Assistant app would be tunneled back to home network and everything else on the phone would use mobile data. But lately I've switched to a cloudflare tunnel with a domain I purchased for more flexibility ( I can log in easily from any device, not just on my app, and I don't have to explain how to enable the vpn after a phone restart to my wife).
Also MikroTik ROS v7 supports Wireguard :)
So you don't even need separate device
CGNAT Starlink workaround: Starlink Router in Bypass mode, use a third party router with IPv6 support enabled in the settings.
I found that a lot of guest wifi spots (coffee shops, libraries, etc.) block the usual public WireGuard and OpenVPN ports - no access to home from such spots. Using 443 actually defeated them.
You can self host your own Tailscale cloud with Headscale
Jeff: 30mbps upload is slow
Me: has only 12mbps upload.
Welcome to the Pi-VPN gang! I've been using wireguard installed on my virtual machine server for years now. It's a great project that simplified the whole installation process!
Hi i need wireguard vpn
I need .conf file
I created my own VPN using OpenVPN on my Synology NAS. Needed a secure way to remote into my home network when traveling.
I went with Netmaker, which allows me to skip the public issue for now, as either end can initiate the connection, so I can have an egress node at home, and one in the cloud for ingress, set up various VPNs on the same nodes or different sets of nodes, etc, and they don't mix. It uses Wireguard under the hood, and "users" are "external clients" and get a standard Wireguard config for a specific ingress node I define.
The other nodes in the VPN run the Netmaker client, and form a mesh that is entirely (or nearly) configured by the Netmaker UI.
I wonder if I could share my server with others and not break my security. Heh. The server just does config and such generally.
MikroTik routers have WireGuard and DDNS built-in, so you could use your Raspberry Pi and/or other computers for better tasks… 😉
For the IP changing, I wanted to limit the access a DDNS service had on my DNS registrar, so I got a free Pulseway RMM account, which lets you monitor 2 devices, and when the RMM agent on my server detects an IP change I get an email and alert via the app on my phone and then change the DNS record manually, a 2 min job.
I wonder if the radioisotope in a smoke detector can be used to make a better RNG and give the VPN better encryption.
It would certainly be more fun to do it that way!
Hotel WiFi often blocks UDP (except for DNS). Only 443 TCP is reliably “open”. The lack of support for TCP is a downside. OpenVPN is not as fast or easy to setup, but at least I can trust it always works. Maybe you can use DNS or an NTP port for your WireGuard server, or maybe another common DNS port that is likely permitted, even on hotel Wi-Fi?
idk why i get this suggested after i struggled for 5 days, i made it but now i find this guy
Oh, man... that pi vpn web site is HILARIOUS!!! "Although this is geared toward running on a $35 Raspberry Pi"...
why not have the cronjob contact the domain registrar's API and update the record. if your domain registrar doesn't have an API use something like desec, cloudflare, cloudns, or a selfhosted server on a vps somewhere. the record ttl can be 1 so changes take little time to reflect.
Yeah, I'm just lazy really. Name.com has an API but I can't be bothered to get it integrated.
@@JeffGeerling the best excuse for not doing something haha
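As an added example for the update-the-record-yourself approach described in this thread (and in the earlier comments about registrar APIs), and not code from Jeff, name.com, or any commenter: a small cron-friendly Python script that looks up the current public address, compares it with the one last pushed, and only then calls the DNS provider's API. The IP-echo URL, the DNS API endpoint and its request shape, and the environment variable names are assumptions; every provider's API differs, so `push_record` is a placeholder to adapt.

```python
import ipaddress
import json
import os
import sys
import urllib.request
from pathlib import Path

# Assumed, provider-neutral settings; adapt to your registrar's real API.
IP_ECHO_URL = os.environ.get("IP_ECHO_URL", "https://ifconfig.me/ip")  # assumption: any service returning the caller's address as plain text
DNS_API_URL = os.environ.get("DNS_API_URL", "https://api.example.invalid/records/vpn.example.invalid")  # placeholder endpoint
DNS_API_TOKEN = os.environ.get("DNS_API_TOKEN", "")  # should be scoped to this one record/zone only
STATE_FILE = Path(os.environ.get("DDNS_STATE_FILE", "/var/tmp/ddns-last-ip"))

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_valid_ipv4(text):
    """True only for a parseable IPv4 address outside RFC 1918 space.
    Catches an echo service answering with an HTML error page, or a
    captive portal handing back a LAN address."""
    try:
        addr = ipaddress.IPv4Address(text.strip())
    except ValueError:
        return False
    return not any(addr in net for net in RFC1918)


def sync_record(last_ip, fetch_ip, push_record):
    """Core logic, kept free of I/O so it can be tested with fakes.
    Returns (ip, status) with status in {'invalid', 'unchanged', 'updated'};
    push_record is called only when the address really changed."""
    current = fetch_ip().strip()
    if not is_valid_ipv4(current):
        return None, "invalid"
    if current == last_ip:
        return current, "unchanged"
    push_record(current)
    return current, "updated"


def fetch_public_ip():
    """Ask the echo service what address our traffic arrives from."""
    with urllib.request.urlopen(IP_ECHO_URL, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def push_record(ip):
    """Placeholder update call: a JSON body with a bearer token. The real
    path, verb and field names depend on the provider (assumption)."""
    body = json.dumps({"type": "A", "content": ip, "ttl": 60}).encode()
    req = urllib.request.Request(
        DNS_API_URL, data=body, method="PUT",
        headers={"Authorization": f"Bearer {DNS_API_TOKEN}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10):
        pass  # urlopen raises urllib.error.HTTPError on a 4xx/5xx reply


def main():
    last_ip = STATE_FILE.read_text().strip() if STATE_FILE.exists() else None
    ip, status = sync_record(last_ip, fetch_public_ip, push_record)
    if status == "invalid":
        print("IP lookup did not return a usable address; leaving DNS alone", file=sys.stderr)
        return 1
    if status == "updated":
        STATE_FILE.write_text(ip + "\n")  # remember the address only after the push succeeded
    print(f"{status}: {ip}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron every few minutes. The token it uses should be limited to updating this one record (the concern another commenter raised about how much access a DDNS updater gets), the record's TTL should be low so a change propagates quickly, and the state file is only rewritten after the API call succeeds, so a failed push is simply retried on the next run.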
Have a good trip! I'm pretty sure I need a virtual VPN. Each VM gets a bare metal GPU. Pi gets to be an orchestration manager. I'm willing to accept that no Pi will host a GPU but it can orchestrate them no problem 😒
Can't help but notice you have an Asus router. The newer firmware on the AX models have Wireguard built in. If you do have a Wireguard-capable Asus router (stock or Merlin), how does the admin and performance compare to PiVPN?
I ran PiVPN for a while but I think work was blocking that port or domain - so I switched to Tailscale and used my home Pi-hole as an exit node and it's been much easier. But your point was no 3rd party software, so still a great video! I do like how you can use local IP addresses on pivpn but not tailscale.
I use Wireguard to route public IPs back home just out of spite of my ISP's horrendous international routing making it impossible to work from home, since I need to route at least 1Gbps down and up simultaneously I opted for an older i5-4590 based desktop but it works really well for my use case. It's a bit different from yours but this is another legitimate use case for VPNs.
When you mean access your home network in the beginning of the video, you meant access your home country's internet right?