I really like the fact you are always thinking about the risks of relying on 3rd party/big cloud players. I also share that vision, which is not common enough sadly. Kudos for getting entirely the initial meaning/purpose of the Internet, which is not meant to be centralized to a handful of big entities.
One of those risks people never think about is no support whatsoever. These entities are now so big that you rely on the pure hope it will be fixed if it's broken. Just spent 3 nights with Microsoft's highest-tier support until I got someone to fix a trivial license issue on Microsoft's end that blocked all Exchange services for the entire tenant with several hundred users.
Thank you for this video. Love watching this because it explains the difference/similarity between VPN and overlay. Again thank you for the layman's-terms explanation.
Very informative! Love to see how someone like you is on top of all this and keeps us informed of what is out there, the advantages and disadvantages, the pros and cons, the pitfalls etc. This allows us to make an informed choice. Thanks Tom for your time and effort in producing videos like this. Truly appreciated!
Long-time subscriber here... Love your content! Looked at Cloudflare Tunnels. They are cool, but I really didn't like being dependent on their network to access my network. Plus, I kind of felt like I was giving them access to view my private network if they wanted to. 😅 Anyway, keep up the good work, sir. Your opinion and POV are valuable to us all.
About 7 or 8 years ago I worked around the issue of having simple-to-set-up VPN access or clients behind CG-NAT/dynamic IP addresses by implementing Pritunl on my own AWS server. This works as an oVPN/WireGuard broker, and all the connections from routers/servers etc. are coming from behind the firewall, meaning no need for a static IP and it works behind NAT. The other great thing is it has a centralised portal to manage all connections, organisations, and client certs/configs + monitoring the connections + it's open source and self-hosted. Pritunl is barely (ever?) mentioned in any of the LS VPN videos but in my opinion is one of the best pieces of software out there for this kind of thing. I will concede it does tunnel any traffic destined for the remote network through the server (it obviously supports split DNS/public routes through the local gateway etc.) - but that has never really caused any issues for our clients in terms of speed or latency. The other plus is they have a wizard for EdgeRouters which makes the setup for our techs a couple of clicks - and likewise for our customers, they can deploy the software client/profile and cert themselves with a couple of clicks.
I've been using ZeroTier for a few years now (I was introduced to it through one of your videos, in fact!). I think one thing you should have added to this video though is performance. WireGuard and OpenVPN point-to-point are a lot faster than ZeroTier and Tailscale. We're talking 50Mb vs 350Mb. So for anyone considering this, just know it's not the fastest, but these systems (Tailscale and ZeroTier) are super easy and very reliable.
That’s a bit subjective. It all depends on whether or not ZeroTier or Tailscale peers can establish a direct tunnel to each other and if the peer is running in userspace or in the kernel. For example, Tailscale on Windows runs in userspace, but on Linux it can use the kernel drivers for WireGuard. So two Linux hosts can communicate at gigabits per second with each other, but to a Windows host, maybe not so fast. The same thing applies to ZeroTier. Depends on the host and install.
@@GrishTech Thank you for the clarification David. I wasn't aware of this and only saw poor performance compared with native Wireguard and OpenVPN (I am testing only on Windows).
@@droknron Tailscale is meant to only be a control plane for WireGuard, based on wireguard-go. Perhaps the out-of-the-box TS config needed tweaking to get better speeds?
I use WireGuard for security and not relying on a third party. It was strange that as soon as Tailscale popped up it seemed like a huge number of homelab enthusiasts jumped on the bandwagon. Especially people that generally highly regard security and self-hosting.
@@bivensrk Tailscale/Headscale != actually functional. OpenVPN/WireGuard: a few lines in iptables, can actually be controlled with firewalls and security. Tailscale's routing rules interfere with every well-known security solution in existence. No, I'm not migrating my perfectly functioning iptables rules to deal with Tailscale's lack of motivation to either use kernel WireGuard or use the TUN/TAP driver to supplement the user-land WireGuard. Other solutions could deal with this - NetMaker, Firezone, etc. - why not Tailscale?
One of the biggest issues I find with mesh VPN tech from Tailscale or ZT is access rules. I’m a bit more familiar with TS, but controlling what a client can access just sucks using TS access rules. Documentation isn’t great and writing it out in JSON is impractical if you are an unfamiliar engineer. So then you’re left with permit-any-any rules. The tech is great but access controls suck. At this point legacy VPNs are just better supported when it comes to access controls.
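As an added example (not code from the video, the commenter, or Tailscale), here is the permit-any-any policy a fresh tailnet ships with beside a least-privilege policy, plus a small evaluator that replays sample connections against each. The policy JSON uses the real Tailscale keys (groups, tagOwners, acls, tests); the users, tag and host names are made up for the example, and the evaluator is a simplified approximation of Tailscale's matcher (logins, groups, tags, autogroup:member and port lists only; no autogroup:self, CIDRs, proto or grants), written to show what each rule actually permits rather than to reproduce the product.

```python
"""Tailscale-style ACL policy: the allow-everything default beside a
least-privilege policy, with an evaluator that replays sample connections.

Illustrative code, not Tailscale's matcher. Supported subset: "groups",
"acls" with action "accept", src selectors (login, group:, tag:,
autogroup:member, *), dst entries "target:ports" (ports: *, n, a-b, comma
list) and the "tests" section. Anything no rule accepts is denied."""
import json

# Constructed policy 1: the permit-any-any default of a fresh tailnet.
ALLOW_ALL_POLICY = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')

# Constructed policy 2: least privilege. Users and tags are example values.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "groups":    {"group:admins": ["alice@example.com"]},
  "tagOwners": {"tag:server": ["group:admins"]},
  "acls": [
    {"action": "accept", "src": ["group:admins"],     "dst": ["tag:server:22,443"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:443"]}
  ],
  "tests": [
    {"src": "bob@example.com",   "accept": ["tag:server:443"], "deny": ["tag:server:22"]},
    {"src": "alice@example.com", "accept": ["tag:server:22"]},
    {"src": "tag:server",        "deny":   ["bob@example.com:445"]}
  ]
}""")

# Constructed tailnet: two user-owned laptops and one tagged server.
NODES = {
    "alice-laptop": {"user": "alice@example.com", "tags": []},
    "bob-laptop":   {"user": "bob@example.com",   "tags": []},
    "web-server":   {"user": None,                "tags": ["tag:server"]},
}


def selector_matches(policy, selector, node):
    """Does a selector (login, group:, tag:, autogroup:member, *) match this node?"""
    user, tags = node.get("user"), node.get("tags", [])
    if selector == "*":
        return True
    if selector == "autogroup:member":
        return user is not None              # user devices only, never tagged nodes
    if selector.startswith("group:"):
        return user in policy.get("groups", {}).get(selector, [])
    if selector.startswith("tag:"):
        return selector in tags
    return user == selector                  # a plain login


def port_matches(spec, port):
    """spec is "*", "22", "1000-2000" or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, src, dst, port):
    """Any matching accept rule allows the flow; no match means deny."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(selector_matches(policy, s, src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            target, _, ports = entry.rpartition(":")
            if selector_matches(policy, target, dst) and port_matches(ports, port):
                return True
    return False


def audit(policy, cases):
    """cases: (src_name, dst_name, port) tuples -> {"src->dst:port": allowed}."""
    return {f"{s}->{d}:{p}": is_allowed(policy, NODES[s], NODES[d], p) for s, d, p in cases}


def synthetic_node(selector):
    """A stand-in node for a test's src/dst selector (tag -> tagged node, else a login)."""
    if selector.startswith("tag:"):
        return {"user": None, "tags": [selector]}
    return {"user": selector, "tags": []}


def run_policy_tests(policy):
    """Replay the policy's own "tests" section; returns the failing expectations."""
    failures = []
    for t in policy.get("tests", []):
        src = synthetic_node(t["src"])
        for key, expect in (("accept", True), ("deny", False)):
            for entry in t.get(key, []):
                target, _, port = entry.rpartition(":")
                if is_allowed(policy, src, synthetic_node(target), int(port)) != expect:
                    failures.append(f"{t['src']} {key} {entry}")
    return failures


CASES = [("alice-laptop", "web-server", 22), ("bob-laptop", "web-server", 443),
         ("bob-laptop", "web-server", 22), ("bob-laptop", "alice-laptop", 22),
         ("web-server", "bob-laptop", 445)]

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "- failing policy tests:", run_policy_tests(policy))
        for case, ok in audit(policy, CASES).items():
            print(f"  {'ALLOW' if ok else 'deny '} {case}")
```

Under the default policy every case is allowed, including the server reaching back into a laptop on 445; under the second policy only the two intended flows pass. The tests section is the practical answer to the "unfamiliar engineer" problem: Tailscale rejects a policy file whose tests fail, so expectations such as "bob reaches 443 but not 22" are re-checked on every save rather than discovered after a rule change.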
I am always enthusiastic about your videos because they briefly describe the most important contexts. I have heard about the new technique and unfortunately have not yet understood what the advantages are supposed to be. It just looks like a legal man in the middle attack.
I have been using Tailscale for some months now to connect two Synology storage systems with Hyper Backup. Not the fastest way, but works really nicely for me. I can place my offsite backup wherever I want without caring about VPN connections or forwarding ports.
You pointed out the biggest problem with services like Tailscale and Twingate: entrusting your network access to a third party. No thanks. Glad to know there's a self-hosted option though, I’d love to see a more in-depth video on that!
Agree, I still want to give twingate a try (which is basically a form of proxy) so that I don't need to have any open ports on my router but then I would be relying on twingate servers to stay up all the time. Even if I were to go headscale and host it somewhere, then I still need to make sure that it is locked down and another possible point of failure.
I’m quite excited for zerotier 2.0, rewritten in rust! Hopefully they keep LF for self hosting root servers, improve performance a bit, and include DNS by default.
I'm behind Starlink's CG-NAT so my remote access options are limited. I would love to work out how to use a service like Cloudflare's secure tunnel on my pfsense external interface, so I can then use OpenVPN through the Cloudflare tunnel.
I see them as different purposes. An overlay VPN for unattended devices that always need to be connected like servers, routers, etc. A traditional VPN requires user interaction; as such, an overlay VPN is a device-connected network and a traditional agent VPN is a user-connected network. Some people might not want to be always connected or might want to connect to a different corporate or business network, or switch depending on the type of work required, which means a traditional VPN is not going away.
I've used all of your videos to build a pfSense for gaming. It uses a Ryzen 3 1300X and can route a Gigabit with NordVPN over multiple trunks. I have trunked, seemingly secure networks, with NordVPN, using traffic limiters for A+ bufferbloat gaming behind an AT&T fiber BGW-320. Thanks for the awesome guides. I can't seem to get it to work right using multiple NICs for WAN (using different IP addresses from my block), and split the DNS correctly between the WAN and VPN with policy routing. The NordVPN always has to go through the primary gateway, which can break easily when I am using Squid Proxy for my non-VPN subnets. I bought a set of static IPv4 addresses for my multiple NICs, but I need to run the second NIC via a public DHCP request to my AT&T GPON router, as pfSense won't let me have multiple WANs on the same subnet using my single gateway. Do I need to use IP aliases to set up multiple WANs on a single gateway? Do I need another pfSense to have another WAN giving me internet access?
Also, my AT&T router gives me /64 blocks of IPv6. Are these okay to assign in conjunction with my static block to my pfSense? I don't understand how to route the IPv6 while hiding my DNS from this primary AT&T router. Should I use SLAAC or IPv4 over IPv6? Do I need to use DNS64? Do you have any videos explaining the differences between SLAAC, 6rd tunnels, 6to4 tunnels or the like? I am kind of new to all of this. Been tuning everything for a year now. The last time I had experience with custom routers it was 10 years ago using DD-WRT. Random thought: SynProxy is a pretty cool feature imo and might be easier to set up than Squid. It helps some of my video games lag less when servers cannot connect to my console directly.
For me, the only benefit of using a TS or ZT overlay network with its coordination servers is when your ISP doesn't provide a public IP you can route or NAT. Both ONs are great BTW.
I use cloudflared ZT. I like that I can integrate that with Azure conditional access. No client required for web applications or ssh can be done via browser. Warp client can then handle other ports etc. It's free for small teams and I got 5 YubiKeys for setting up the free tier at a ridiculously reduced price, think they were £10 each.
Tailscale works great for me. It's free, easy to use, and supports ephemeral mode that deletes the instance when not active and adds again when active. It runs super well with PaaS that are bound to restart their containers every now and then.
What made me choose ZeroTier over the other overlay alternatives is that it splits the coordination plane into configuration and routing. A ZeroTier controller manages authentication and configuration of each node on a network, but it is also a node itself, meaning that it can be behind a NAT and still be able to communicate with each member of the network, sending config updates, adding new nodes, etc. Routing between each node is managed by the ZeroTier root servers, which are only responsible for connecting nodes together, aiding with UDP hole punching and relaying data if necessary.

Having your own controller means that you own your network: every config has to be authorized by your self-hosted controller, while still not needing it to have a publicly accessible IP address tied to it. The most a malicious ZeroTier root could do would be to mess up new connections and maybe listen in on the encrypted connection between each node (it can't decrypt it) when relaying.
@@itsmith32 My understanding is that if you want to host your own instance of Headscale you'll need to have a public IP address to which you can forward ports. This is not always possible due to CG-NAT. With ZeroTier the routing and network configuration are separate parts. ZeroTier Inc. does the routing (if you want), you host and control your own network, no port forwarding to the controller necessary.
@@user-hk3ej4hk7m Looks like you can do the same stuff with TS proprietary controller😁 and if you don't want to port forward you can use VPS for hosting.
@@itsmith32 I'd rather have my controller hosted at my home; it's not bandwidth intensive and it has control over the whole network. ZeroTier has that clear separation and that's why I prefer it; others may have other preferences.
I saw your comment on my comment on Network Chuck's video. I've used Tailscale before and heard of Headscale. I figured Twingate was a WireGuard overlay VPN but it seemed to have a lot more functionality than Tailscale. Still, don't like the controller not being self-hosted.
ROFL, I was also going to ask if Lawrence tested or tried Twingate, but it seems this is a very tight knit community... and I do agree with his position that it's not an open source solution. Not quite there yet but I am in the process of building a TrueNAS Scale from an old PC here, and looking up how exactly I'm going to open this up to the void... :P Might go for Tailscale or Headscale then...
Thanks for the good video. Initially, you suggested that you compare all three, but this wasn't included. Such a video would be fantastic. Especially interested to understand if Nebula is less prone to the controller (lighthouse) being compromised as the connectivity relies on certificates created outside the lighthouse and I am wondering if this would stop a compromised controller from adding a rogue node.
I think Tailscale has the ability to create a subnet router inside the NAT. It was Linux only for a while. I think other OSes can do it now also. Not played with it recently.
I just setup Tailscale and made a route to my home network. Wow, that was easy and I’m wondering why I didn’t do this a long time ago. Routes just the traffic I want to my services back home, while the rest of my traffic goes directly to the internet. I could also route all my traffic back through my home connection if I wanted to.
You can also self host a zerotier controller. It's somewhat of a pain, though, because the only interface they provide for that is a json api. There is a third party all in one docker image developed by Key Networks with a webserver GUI, but you do have to trust / be able to inspect the source for that software, and hope that it gets patched. You'd still be relying on some of their "root" servers for connections though, so I guess it doesn't entirely solve the issue of trust / control.
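As an added example (not ZeroTier's code, not the commenters', and not from the video), here is the self-hosted controller workflow the comments above describe, driven over the local JSON API that the last comment mentions: create a network on your own controller, then explicitly authorize members. It assumes zerotier-one running on the same host on its default port 9993, the API token in the Linux default authtoken.secret path, and example address ranges; the setting it calls out is `private`, where `false` would let anyone who learns the 16-hex network ID join and get an address without the controller's say-so, which would throw away the authorization property the first comment relies on.

```python
"""Self-hosted ZeroTier network controller over its local JSON API: create a
network that requires member authorization, then authorize members explicitly.

Added example, not ZeroTier's own code. Assumptions: zerotier-one with the
controller enabled is listening on 127.0.0.1:9993, and the API token is read
from the Linux default authtoken.secret location."""
import json
import re
import urllib.request

CONTROLLER = "http://127.0.0.1:9993"                  # zerotier-one local API (assumption)
TOKEN_PATH = "/var/lib/zerotier-one/authtoken.secret"  # Linux default (assumption)


def network_id(controller_node_id, suffix="______"):
    """Network IDs are the controller's 10-hex node ID plus 6 hex chars.
    POSTing to .../network/<nodeid>______ asks the controller to pick the suffix."""
    node = controller_node_id.lower()
    if not re.fullmatch(r"[0-9a-f]{10}", node):
        raise ValueError("controller node ID must be 10 hex characters")
    if not re.fullmatch(r"[0-9a-f]{6}|_{6}", suffix.lower()):
        raise ValueError("suffix must be 6 hex characters or ______")
    return node + suffix.lower()


def network_config(name, cidr="10.147.17.0/24", first="10.147.17.10", last="10.147.17.250"):
    """Body for POST /controller/network/<nwid>. Addresses are example values."""
    return {
        "name": name,
        # Weak setting: "private": False makes an open network where joining is
        # enough to get in. True (the default) holds every new member until
        # this controller marks it authorized.
        "private": True,
        "v4AssignMode": {"zt": True},           # controller assigns IPv4 from the pool
        "routes": [{"target": cidr, "via": None}],
        "ipAssignmentPools": [{"ipRangeStart": first, "ipRangeEnd": last}],
    }


def build_request(token, path, body=None):
    """GET when body is None, otherwise POST JSON; auth is the X-ZT1-Auth header."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(CONTROLLER + path, data=data,
                                 method="GET" if body is None else "POST")
    req.add_header("X-ZT1-Auth", token)
    req.add_header("Content-Type", "application/json")
    return req


def call(token, path, body=None):
    with urllib.request.urlopen(build_request(token, path, body), timeout=5) as resp:
        return json.load(resp)


def pending_members(member_objects):
    """IDs of members that have joined but are not yet authorized."""
    return sorted(m["id"] for m in member_objects if not m.get("authorized"))


def main():
    token = open(TOKEN_PATH).read().strip()
    my_node = call(token, "/status")["address"]                  # this controller's node ID
    net = call(token, f"/controller/network/{network_id(my_node)}", network_config("lab"))
    nwid = net["id"]                                             # full 16-hex ID chosen by the controller
    print("created private network", nwid)
    member_ids = call(token, f"/controller/network/{nwid}/member")   # {memberId: revision}
    members = [call(token, f"/controller/network/{nwid}/member/{m}") for m in member_ids]
    for member in pending_members(members):
        # Authorize only node IDs you recognise; confirm them out of band first
        # (the device owner reads its ID from `zerotier-cli info`).
        call(token, f"/controller/network/{nwid}/member/{member}", {"authorized": True})
        print("authorized", member)


if __name__ == "__main__":
    main()
```

Because the controller is just another node, none of this needs a public IP or a forwarded port on the controller host; the root servers only see the encrypted peer traffic and never the network configuration or the authorization decisions, which is the split the comments above value.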
I like the managed routes feature on ZeroTier, then I just deploy ZeroTier on my routers and voilà, remote devices with ZeroTier One have all the routes, and devices connecting through my routers are able to reach the overlay or remote networks.
If anyone is interested in "Twingate" - last week Network Chuck posted a detailed video. Twingate looks sketchy to me. As Tommy said, it's closed source, and there's very little information about the company or the people behind it, which is also strange.
Great! VPN isn't dead! Public cloud solutions are exposed just like your VPN's incoming requests too... It's like a big VPN public cloud server performing the "gateway" function between the clients... Thank U!
Zerotier has the NDP emulation for their 6PLANE addresses which is amazingly well fitted for Docker container addresses. I haven't found anything similar on top of Wireguard to make me switch
If you are working or have clients in china, you absolutely need/want something like tailscale. I live here and it is the only thing that gets me direct site to site location links(china to china) without the fuss of going through another server.
What happens if a notebook with Tailscale installed, that is usually outside, is in the company internal network? Which network will it use? The internal one given by the DHCP server or the one Tailscale creates? Is there a way to block Tailscale if the computer is in the company, to ensure that there is no problem with Active Directory (Kerberos, name resolution) for example? - Thanks for the video
To me, who is behind CG-NAT without v6 in the entire country, it sounds like the solution I am looking for. I was thinking about getting a VPN provider (like PureVPN) with port forwarding, but the latency would add another 150ms as the servers are like 2000 miles away.
In Aus they are calling them SD-WAN, basically an overlay network VPN as you said. I was asked in an interview about it; I said no big deal, just site-to-site: can you ping it after setup or not?
As many others point out, I don't see how this would benefit me any more than setting up my VPN server, put it behind a deny all, and whitelist any access the clients need. I hear that it's easier to set up, but it seems there's actually more configuration to be done, not less. There's even an additional controller involved?! No thanks. Also I'm with everyone saying not to outsource my remote access methods to third parties. Like, ever. In all honesty it appears to me that these suites try to be a solution for people who might be uncomfortable with managing their ACLs, even though this might not be accurate. This whole zero trust cloud third party thing seems like the new networking hype I have to learn just to be able to say why I won't use it. Maybe (probably) I'm missing a lot of details, I just started to look into this rabbit hole.
I guess Cloudflare Tunnels are good if you don't want to deal with dynamic DNS via No-IP (if you don't have a static IP) and renewing Let's Encrypt certificates, and you don't have to change anything if you reconfigure the internal network (if you reset the router to factory defaults etc.). But I'm still using SSH and SSH tunnels for RDP/VNC and I think VPN is better in general. This solution might be useful only if your IP is not accessible at all, I guess.
Hm. Maybe I'm misinterpreting the target audience. Setting up DDNS with the domain provider should be as easy as a click in most situations. Static IPs are common for enterprises. Certificate renewal can easily be automated. The situation you mention could make for a use case I guess, but also seems to be very niche to me. Somebody in the comments is mentioning Zero Trust use with Azure and 2FA, which is more of an actual real use case. I probably have to look into this a little more at some point. The third party thing still bugs me. Kinda the opposite of zero trust... Thanks for commenting!
Another option is Twingate, which uses split-tunneling by default! It allows orgs to adopt ZTN (Zero-Trust Networking) by implementing the principle of least access.
Looks similar, never used it, closed source, light on security details so I don't have a lot of desire to test it knowing there are open source solutions out there.
@LAWRENCESYSTEMS I'd be interested to know if you'd tried PBR (policy routing), with pfsense and tailscale where one host or network uses another remote pfsense+tailscale as an exit node?
@@LAWRENCESYSTEMS Let's say you wanted to have a system (or systems) on Site A exit via Site B's internet connection. The rest of the systems on Site A would exit to the local ISP internet.
@@LAWRENCESYSTEMS The use case would be to appear to be working from one state vs. working from another. I think it would be possible via a traditional VPN, where gateways are established. Not sure you can set up Tailscale as a gateway. Thought I'd bounce it off of you. Thanks for your time.
I only use Wireguard on Linux server (Pi400B with Quad9 DNS) under a 1 Gbps Dynamic line for my use case, as my users are under 10 to 15 per concurrent time. As Server's htop reports about 140 to 145 Mb at idle, with an increase of about 5 to 10 Mb per user load, its running fine for small office for the last 1 year. And, its Not on a Static public IP. Peace :-)
Isn't this just a patch for poor network segmentation on the target site? Which is the result of not doing/planning a risk-based / information-security / availability-based network architecture...?
I honestly don't really get it. I think tailscale and regular vpns serve different purposes, so tailscale isn't really killing VPNs, just displacing them from areas they were previously used in but didn't really fit
I was trying to set up a VPN for a customer who had a wireless ISP internet connection; we could not get any VPN working as it looks like the internet connection was using CG-NAT. After looking for other options I came across Tom using ZeroTier and Tailscale, and both worked flawlessly for this setup.
Or go for IPv6 if available; then you can run your VPN daemon on a host inside your network and you avoid the nightmare of CG-NAT (which unfortunately gets more and more widespread on home internet connections).
With Tailscale I was not able to traverse the network once connected to the pfsense host from outside. Is there something misconfigured or maybe I was trying to access another machine before I had direct p2p connection. 🤔
@@LAWRENCESYSTEMS Thanks. Just watched Network Chuck's overview of setting up Twingate before seeing this. On the surface all look similar: install agent on network, configure services in cloud/controller instead of opening ports 😁 One of these is somewhere on my list after getting pfSense set up.
@@LAWRENCESYSTEMS Same here. I did watch most of Chuck's video about Twingate and was turned off that it's completely closed source and no option to self host the controller. I'm staying with wireguard on pfsense.
This boggled my mind. It's a shame they got acquired by Ericsson. I thought their approach was one of the best I had seen, bar OpenZiti, the open source project I work on. But hey, big corps like to kill innovation and only deliver guaranteed returns.
Mesh networks are powerful tools, but security problems arise when they are given to ignorant users. Recently Linus (LTT) made a tutorial in "Tailscale for idiots" style that I think is very wrong. Firewalls exist for a reason; creating unsupervised tunnels for family and friends (and the friends of their friends...) with no supervision and no VLAN isolation, having ignorant users passing links to give access to that streaming service that everybody wants to watch but nobody wants to pay for (which is why most of them use it)... that's a delicious cake for hackers: you get one, you get them all.
Well, for small networks like the home with few users it's not much of an issue. When you get into 300+ users for corporate/enterprise then it's a completely different beast altogether. For something like Tailscale I did not like the idea of a default mesh network for all users. Lazy admins would certainly take this route just to get started without thinking things through, like security.
No one should ever trust a cloud coordination server that is not under their direct control unless the third party is subject to strict liability in case of breach. And none are.
Stealing WiFi... Cough... Excuse me ... Being intrusive on someone's elses resource then using a vpn paid in crypto.... Ahhhj the good ol war driving days...
When you say using Cloudflare means exposing your devices, what do you mean? I use Cloudflare Zero Trust to connect to my office devices on a local network. What is exposed about that? Asking concerned.
Thank you
Great video as always, definitely that's not a VPN killer, I would never rely on a third party for access into my own network.
Then install your own coordination server with Headscale :)
Used to use hamachi until it was bought out but tailscale is now my go to. It just works and works well.
As always objective & unbiased. Thanks.
So, you're saying that Tailscale != security?
we're fed up dealing with annoying VPN configuration UIs in hardware
I also don’t know why introduce 3rd parties
Considering the way Tailscale works and its simplicity, it looks like a fair tradeoff. Secure enough and much easier to get it working
Thanks for this video, answered a question I had about the differences between VPNs and Cloudflare Tunnel.
happy to see a video on this topic esp after the recent Network Chuck video
Tailscale has really nailed the ease of setup.
They have a solid product for sure.
Yes, while Headscale made it yours and secure
You'd better try rather than watching videos.
Tried ZT a little, but when I've found that I cannot use my exit node behind home router I have stopped trying.
I'm behind Starlink's CG-NAT so my remote access options are limited. I would love to work out how to use a service like Cloudflare's secure tunnel on my pfsense external interface, so I can then use OpenVPN through the Cloudflare tunnel.
I see them as different purposes. An overlay VPN for unattended devices that always needs to be connected like servers, routers, etc. A traditional VPN requires user interaction, as such an Overlay VPN is a device connected network and a traditional agent VPN is a user connected network. Some people might not want to be always connected or might want to connect to a different corporate or business network or switch depending on the type of work required, which means a traditional VPN is not going away.
I've used all of your videos to build a pfSense for gaming. It uses a Ryzen 3 1300X can can route a Gigabit with NordVPN over multiple trunks. I have trunked, seemingly secure networks, with NordVPN, using traffic limiters for A+ bufferbloat gaming behind an AT&T fiber BGW-320.
Thanks for the awesome guides.
I can't seem to get it to work right using multiple NICs for WAN (using different IP addresses from my block), and split the DNS correctly between the WAN and VPN with policy routing. The NordVPN always has to go through the primary gateway which can break easily when I am using Squid Proxy for my non-VPN subnets. I bought a set of Static IPv4 addresses for my multiple NICs, but I need to run the second NIC via a public DHCP request to my AT&T GPON router, as pfSense won't let me have multiple WANs on the same subnet using my single gateway. Do I need to use IP aliases to set up multiple WANs on a single gateway? Do I need another pfSense to have another WAN giving me internet access?
Also, my AT&T router gives me /64 blocks of IPv6. Are these okay to assign in conjunction to my Static Block to my pfSense? I don't understand how to route the IPv6 while hiding my DNS from this primary AT&T router. Should I use SLAAC or IPv4 over IPv6? Do I need to use DNS64? Do you have any videos explaining the differences between SLAAC, 6rd Tunnels, 6 to 4 tunnels or the likes? I am kind of new to all of this. Been tuning everything for a year now. The last time I had experience with custom routers it was 10 years ago using DD-WRT.
Random thought:
SynProxy is a pretty cool feature imo and might be easier to set up than Squid. It helps some of my videogames lag less when servers cannot connect to my console directly.
For me, the only benefit of using TS or ZT Overlay Network with its Coordination Servers is when your ISP doesn't provide a Public IP you can route or NAT. Both ON are Great BTW.
I use cloudflared ZT. I like that I can integrate that with Azure conditional access. No client required for web applications or ssh can be done via browser. Warp client can then handle other ports etc. It's free for small teams and I got 5 YubiKeys for setting up the free tier at a ridiculously reduced price, think they were £10 each.
Tailscale works great for me. It's free, easy to use, and supports ephemeral mode that deletes the instance when not active and adds again when active. It runs super well with PaaS that are bound to restart their containers every now and then.
This video saved me hours of google searches, thanks!!!
What made me choose zerotier over the other overlay alternatives is that it splits the coordination plane into configuration and routing. A zerotier controller manages authentication and configuration of each node on a network, but it is also a node itself, meaning that it can be behind a NAT and still be able to communicate with each member of the network, sending config updates, adding new nodes, etc. Routing between each node is managed by the zerotier root servers, which are only responsible for connecting nodes together, aiding with UDP hole punching and relaying data if necessary.
Having your own controller means that you own your network, every config has to be authorized by your self hosted controller, while still not needing it to have a publicly accessible ip address tied to it. The most a malicious zerotier root could do would be to mess up new connections and maybe listen in on the encrypted connection between each node (it can't decrypt it) when relaying.
Hmmm... Which of this stuff cannot be accomplished with Headscale?
@@itsmith32 my understanding is that if you want to host your own instance of headscale you'll need to have a public IP address to which you can forward ports. This is not always possible due to CG-NAT. With zerotier the routing and network configuration are separate parts. Zerotier inc does the routing (if you want), you host and control your own network, no port forwarding necessary to the controller.
@@user-hk3ej4hk7m Looks like you can do the same stuff with TS proprietary controller😁 and if you don't want to port forward you can use VPS for hosting.
@@itsmith32 I'd rather have my controller hosted at my home, it's not bandwidth intensive and it has control over the whole network. zerotier has that clear separation and that's why I prefer it, others may have other preferences.
I saw your comment on my comment on Network Chuck's video. I've used tailscale before and heard of headscale. I figured twingate was a wireguard overlay vpn but it seemed to have a lot more functionality than tailscale. Still, don't like the controller not being self hosted.
The good thing is it enables admins to fine-tune access to the specific resources that the users need access to.
ROFL, I was also going to ask if Lawrence tested or tried Twingate, but it seems this is a very tight knit community... and I do agree with his position that it's not an open source solution. Not quite there yet but I am in the process of building a TrueNAS Scale from an old PC here, and looking up how exactly I'm going to open this up to the void... :P Might go for Tailscale or Headscale then...
Great explanations! Thank you Tom !
Thanks for the demo and info, have a great day
Thanks for the good video. Initially, you suggested that you compare all three, but this wasn't included. Such a video would be fantastic. Especially interested to understand if Nebula is less prone to the controller (lighthouse) being compromised as the connectivity relies on certificates created outside the lighthouse and I am wondering if this would stop a compromised controller from adding a rogue node.
Thanks for this interesting video! I wonder, would IP6 change anything in this setup or generally in an openvpn, given that there would be no Nat?
Any chance you could do a follow up video with performance metrics? Such as throughput of wireguard vpn vs tailscale, etc.
I think tailscale has the ability to create a subnet router inside the NAT. It was linux only for awhile. I think other OSes can do it now also. Not played with it recently.
Working just great with Headscale and GNU/L
I just setup Tailscale and made a route to my home network. Wow, that was easy and I’m wondering why I didn’t do this a long time ago. Routes just the traffic I want to my services back home, while the rest of my traffic goes directly to the internet. I could also route all my traffic back through my home connection if I wanted to.
Great stuff, useful, thanks. So is twingate classed as an overlay network too?
You can also self host a zerotier controller. It's somewhat of a pain, though, because the only interface they provide for that is a json api. There is a third party all in one docker image developed by Key Networks with a webserver GUI, but you do have to trust / be able to inspect the source for that software, and hope that it gets patched. You'd still be relying on some of their "root" servers for connections though, so I guess it doesn't entirely solve the issue of trust / control.
Headscale does it for them😅
Another note: some of the commands for headscale have been updated as well, I believe it was for parity with Tailscale terms.
This does seem to be a sequel to the proprietary Hamachi VPN. I would call it a scalable VPN, as it's much easier to set up and deploy I'd assume.
Hamachi was the best for the short time before it was acquired by LogMeIn.
I like the managed routes feature on zerotier, then i just deploy zerotier on my routers and voila, remote devices with the zerotier one have all the routes, and devices connecting through my routers are able to reach the overlay or remote networks.
If anyone is interested in "Twingate" - last week Network Chuck posted a detailed video. Twingate looks sketchy to me. As Tommy said, it's closed source, and there's very little information about the company or the people behind it, which is also strange.
I watched it too but am not jumping in quite yet...
Networkchuck does a lot of videos for his sponsors as ads but disguises them as ‘tech tutorials’.
@@metal-beard no shame in that game.
Great! VPN isn't dead! Public Cloud Solutions are exposed like your VPN incoming requests too... It's like a big public cloud VPN server making the "gateway" function between the clients...
Thank U !
Zerotier has the NDP emulation for their 6PLANE addresses which is amazingly well fitted for Docker container addresses. I haven't found anything similar on top of Wireguard to make me switch
Ubiquiti just updated the firmware for its UDR which includes enhancement for its Teleport VPN. Can you do a video on this improvement (if any)?
Well. This went viral. Good performing video.
If you are working or have clients in china, you absolutely need/want something like tailscale. I live here and it is the only thing that gets me direct site to site location links(china to china) without the fuss of going through another server.
excellent information as always! please make a video on Twingate also
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
Would love to learn what's the status on yggdrasil now. Is it usable, or not? How does it compare with these solutions?
Was my first thought, what about the reliability of the third party? I honestly don't see the point in taking that risk. Thx Tom for sharing.
What happens if a notebook with Tailscale installed, that is usually outside, is in the company internal network? Which network will it use? The internal one given by the DHCP server or the one Tailscale creates? Is there a way to block tailscale if the computer is in the company to ensure that there is no problem with the Active Directory (kerberos, name resolution) for example? - Thanks for the video
to me who is behind cgnat without v6 in the entire country it sounds like the solution i am looking for. i was thinking about getting a vpn provider (like purevpn) with portforwarding but the latency would add another 150ms as the servers are like 2000miles away.
In Aus they are calling them SD-WAN, basically overlay network vpn as u said.
I was asked in an interview about it, I said no big deal, just site to site, can you ping it after setup or not
Have you looked at Twingate at all? The granularity and redundancy seems to make a pretty resilient solution.
So does TailScale. Twingate has a lack of details on how their security works VS TailScale being open source and very detailed so I use that.
Would very much appreciate updated Headscale setup and use tutorial.
ruclips.net/video/-9gXP6aaayw/видео.html
i love twingate .... ease to use and simple ..... runs on my docker .... loving it . killers of traditional VPNs
I really think u need to do a video about Twingate, under the hood working, pros & cons!
Otherwise thanks for the informative in depth content!!!
Except Twingate has a lack of details on how their security works VS TailScale being open source and very detailed so I use that.
As many others point out, I don't see how this would benefit me any more than setting up my VPN server, put it behind a deny all, and whitelist any access the clients need. I hear that it's easier to set up, but it seems there's actually more configuration to be done, not less. There's even an additional controller involved?! No thanks. Also I'm with everyone saying not to outsource my remote access methods to third parties. Like, ever. In all honesty it appears to me that these suites try to be a solution for people who might be uncomfortable with managing their ACLs, even though this might not be accurate. This whole zero trust cloud third party thing seems like the new networking hype I have to learn just to be able to say why I won't use it. Maybe (probably) I'm missing a lot of details, I just started to look into this rabbit hole.
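The "deny all, then whitelist what each client needs" setup described in the comment above is, on WireGuard, mostly a matter of keeping each peer's AllowedIPs narrow: on the server side that field is also an ingress filter, so a peer configured with 0.0.0.0/0 can send packets from any source address and the server will accept them. The audit below is an added example, not code from the video or from any project mentioned here; it parses a constructed server config (placeholder keys, made-up addresses) and flags peers whose AllowedIPs are wider than a single host unless that prefix is an explicitly expected site-to-site route.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample WireGuard server config. Keys are placeholders and the
# addresses are made up; only the AllowedIPs shape matters for the audit.
SAMPLE_WG_CONF = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <placeholder-server-key>

[Peer]
# laptop: one host address, which is what a deny-all policy wants
PublicKey = <placeholder-peer-key-1>
AllowedIPs = 10.8.0.2/32

[Peer]
# contractor box: copied from a "route everything" client template by mistake
PublicKey = <placeholder-peer-key-2>
AllowedIPs = 10.8.0.3/32, 0.0.0.0/0

[Peer]
# branch router: carries a whole LAN behind it (legitimate only if intended)
PublicKey = <placeholder-peer-key-3>
AllowedIPs = 10.8.0.4/32, 192.168.0.0/16
"""


def parse_peers(conf: str) -> List[Dict[str, List[str]]]:
    """Collect PublicKey and AllowedIPs entries from every [Peer] section.

    Comments after '#' are dropped; AllowedIPs may be comma separated and
    may appear more than once per peer, so entries are accumulated.
    """
    peers: List[Dict[str, List[str]]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[peer]":
            current = {"PublicKey": [], "AllowedIPs": []}
            peers.append(current)
        elif line.startswith("["):
            current = None          # [Interface] or anything else: ignore
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "AllowedIPs":
                current["AllowedIPs"].extend(v.strip() for v in value.split(","))
            elif key == "PublicKey":
                current["PublicKey"].append(value)
    return peers


def audit_peers(conf: str, expected_routes: Iterable[str] = ()) -> List[str]:
    """Return one finding per problem found in a server-side config.

    A finding is raised when a peer's AllowedIPs entry is wider than a single
    host (/32 or /128) and is not in expected_routes, or when two peers claim
    the same prefix (WireGuard silently gives it to the last peer loaded).
    """
    expected = {ipaddress.ip_network(r, strict=False) for r in expected_routes}
    findings: List[str] = []
    owner: Dict[ipaddress._BaseNetwork, str] = {}
    for idx, peer in enumerate(parse_peers(conf), start=1):
        label = f"peer {idx}"
        for entry in peer["AllowedIPs"]:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"{label}: unparseable AllowedIPs entry {entry!r}")
                continue
            if net.prefixlen < net.max_prefixlen and net not in expected:
                findings.append(
                    f"{label}: broad AllowedIPs {net} accepts any source "
                    f"address in that range from this peer")
            if net in owner and owner[net] != label:
                findings.append(f"{label}: {net} is also claimed by {owner[net]}")
            owner.setdefault(net, label)
    return findings


if __name__ == "__main__":
    for finding in audit_peers(SAMPLE_WG_CONF, expected_routes=["192.168.0.0/16"]):
        print(finding)
```

Run as-is it reports only the contractor peer, because the branch router's 192.168.0.0/16 was declared as an expected route; drop that argument and the /16 is reported too. The same check applies to the client side, where a 0.0.0.0/0 entry is what turns a split tunnel into a full tunnel.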
I guess cloudflare tunnels are good if you don't want to deal with dynamic DNS via no-ip if you don't have a static IP and renewing let's encrypt certificates and you don't have to change anything if you reconfigure internal network (if you reset router to factory defaults etc). But I'm still using ssh and ssh tunnels for RDP/VNC and i think VPN is better in general. This solution might be useful only if your IP is not accessible at all I guess.
Hm. Maybe I'm misinterpreting the target audience. Setting up DDNS with the domain provider should be as easy as a click in most situations. Static IPs are common for enterprises. Certificate renewal can easily be automated. The situation you mention could make for a use case I guess, but also seems to be very niche to me. Somebody in the comments is mentioning Zero Trust use with Azure and 2FA, which is more of an actual real use case. I probably have to look into this a little more at some point. The third party thing still bugs me. Kinda the opposite of zero trust... Thanks for commenting!
Another option is Twingate, which uses split-tunneling by default! It allows orgs to adopt ZTN (Zero-Trust Networking) by implementing the principle of least access.
Looks similar, never used it, closed source, light on security details so I don't have a lot of desire to test it knowing there are open source solutions out there.
@LAWRENCESYSTEMS I'd be interested to know if you'd tried PBR (policy routing), with pfsense and tailscale where one host or network uses another remote pfsense+tailscale as an exit node?
Not sure I understand the question.
@@LAWRENCESYSTEMS Lets say you wanted to have a system(s) on Site A exit Site B's internet connection. The rest of the systems(s) on Site A would exit to the local internet ISP.
@@bmp6361 does not sound like a great way to set thing up and I am not sure if Tailscale would route that way.
@@LAWRENCESYSTEMS use case would be appear to be working from one state vs working from another. I think it would be possible via traditional VPN, where gateways are established. Not sure you can set up Tailscale as a gateway. Thought I'd bounce it off of you. Thanks for you time.
What do you think about DPN ?
I only use Wireguard on Linux server (Pi400B with Quad9 DNS) under a 1 Gbps Dynamic line for my use case, as my users are under 10 to 15 per concurrent time. As Server's htop reports about 140 to 145 Mb at idle, with an increase of about 5 to 10 Mb per user load, its running fine for small office for the last 1 year. And, its Not on a Static public IP. Peace :-)
Isn't this just a patch for poor network segmentation on the target site? Which is the result of not doing/planning a risk based / information security / availability based network architecture...?
I'm using open vpn and don't need relay on "coordination servers" or need "help" from others to send my data.
Great content! It would be good to hear your thoughts on Netbird (relatively new alternative to tailscale).
Never used it nothing about it looks so compelling that I would prefer it over existing solutions I have used.
Cat6 !
🤣
If you ever remove the problem of trust, you have removed humanity.
I honestly don't really get it. I think tailscale and regular vpns serve different purposes, so tailscale isn't really killing VPNs, just displacing them from areas they were previously used in but didn't really fit
I was trying to setup a vpn for a customer who has a wireless ISP internet connection, we could not get any vpn working as it looks like the internet was using CG-NAT
After looking for other options I came across Tom using Zerotier and Tailscale and both worked flawlessly for this setup
let me explain: clickbait.
I've been using netmaker to run both simple and overlay VPN networks. Should I consider headscale for any reason?
Or go for ipv6 if available, then you can run your vpn daemon on a host inside your network and you avoid the nightmare of cgnat (which unfortunately gets more and more widespread on home internet connections)
how about Twingate? have you had a look at it? is it similar to tailscale? thanks for the information
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
With Tailscale I was not able to traverse the network once connected to the pfsense host from outside. Is there something misconfigured or maybe I was trying to access another machine before I had direct p2p connection. 🤔
Possibly rules were missing. ruclips.net/video/P-q-8R67OPY/видео.html
Do I see it correct, that Synology‘s QuickConnect is quite the same with synology as coordination server?
QuickConnect is just a reverse proxy that your Synology connects to to allow access. Much less complicated than a coordination server.
I might be being dumb but how does the overlay network differ from Cloudflare tunnels ?
Cloudflare tunnel is just a reverse proxy to Cloudflare servers.
@@LAWRENCESYSTEMS Thanks.
Just watched network chucks overview of setting up twingate before seeing this.
On the surface all look similar.
Install agent on network configure services in cloud/controller instead of opening ports 😁
One of these is somewhere on my list after getting pfSense setup
What about something like Twingate? I think NetworkChuck recently made a video about it.
Looks similar to tailscale, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@@LAWRENCESYSTEMS Same here. I did watch most of Chuck's video about Twingate and was turned off that it's completely closed source and no option to self host the controller. I'm staying with wireguard on pfsense.
Is slack nebula something similar to this ??
Yes
I wish they would cut thru all the buzz words and just call this VPN-NG or 2.0 .... This stuff was done 20 years ago with Cisco VPN Concentrators.
Funny you mention that, as Cisco is now looking to kill the VPN all together utilizing their Zero trust and duo MFA tools
Is this coffee mug a bit of a tease?
We do have coffee mugs in our store lawrence.video/swag/
Cradlepoint is deprecating their overlay this year forcing me to go vpn.
This boggled my mind. It's a shame they got acquired by Ericsson. I thought their approach was one of the best I had seen, bar OpenZiti, the open source project I work on. But hey, big corps like to kill innovation and only deliver guaranteed returns.
Another option is Netbird.
Is Headscale hostable in a HA manner?
If you use it in a container and thus in Kubernetes, sure. Or you can have it in a vm and use the traditional VM H/A.
@@GrishTech but can you run more than one controller for graceful takeover if a controller fails? For me, that's the benchmark of HA.
@@philipgriffiths5779 I don't believe that's supported.
I seriously wish modern "VPNs" had chosen a different name, as their use and purpose are very different than traditional Virtual Private Networks.
I'm another step closer to -white- allow lists for everything network related.
Facts are facts
Mesh networks are powerful tools, but security problems arise when they are given to ignorant users. Recently Linus (LTT) made a tutorial in "Tailscale for idiots" style that I think is very wrong. Firewalls exist for a reason; creating unsupervised tunnels for family and friends (and the friends of their friends...) with no supervision and no Vlan isolation, having ignorant users passing links to give access to that streaming service that everybody wants to watch but nobody wants to pay (which is why most of them use it)... that's a delicious cake for hackers: You get one, you get them all.
Well for small networks like the home with few users it's not much of an issue. When you get into like 300+ users for corporate / enterprise then it's a completely different beast altogether.
For something like tailscale I did not like the idea of default mesh network for all users. Lazy admins would certainly take this route just to get started without thinking things through like security.
No one should ever trust a cloud coordination server that is not under their direct control unless the third party is subject to strict liability in case of breach. And none are.
Overlay looks way too complicated. I'm sticking with my Raspberry Pi & Wireguard. Easy-Peasy, I have full control, and no dependency on a 3rd party.
Your logo is too generic… this channel is amazing
The statement that "overlay networks are VPN killers" is likely an oversimplification and doesn't capture the full nuances of these technologies.
VPN can be MITM attack
First
Hey Tom, what about Twingate? 😉🤣
You missed the chance to include Twingate. :D
¯\_(ツ)_/¯
Overlay network is a VPN with extra annoying steps
Stealing WiFi... Cough... Excuse me... Being intrusive on someone else's resource then using a vpn paid in crypto....
Ahhhj the good ol war driving days...
Killer is the BS & clickbait universe marker-word.
Tailscale is pure 💩
this used to be a respectable channel, shame he's just a paid for shill now
Huh? 🤔 This wasn't sponsored
When you say using cloudflare means exposing your devices, what do you mean? I use cloudflare zero trust to connect to my office devices om a local network. What is exposed about that? Asking concerned
Are you using cloudflare tunnels?
I am new to your channel, clearly stole the logo bud, have got any flack for this?