the END of VPNs?!

Someone needs to make an open source version so we can host the controller ourselves. I dont like twingate being in control of the controller

NEVER, and I mean NEVER, rely on a third party for access into your own network. If it's not selfhosted, there is nothing secure or reliable about it.

I love that everyone is worried about it not being self hosted, it gives me hope

I know that Twingate sponsors this video, but I really value having control over my data. Therefore, I prefer Pritunl, because they have self-hosted option. Chuck, I think you should consider making a video about it. Congratulations on your video!
P.S.: The benefit of the Twingate provide is the endpoint controls.

I wonder what that top secret project was...
Also your editors did a pretty big brain move saving you money by downloading more RAM!

Hey Chuck!! I have been watching this channel for a very long time and since I've started watching this channel, I started studying for certifications. I have obtained A+ and Network+ but now I am ecstatic to share that I just passed my CCNA!! You and this channel were a massive part of that! Just wanted to say thank you! I love the content and I look forward to a whole lot more to come from you I'm sure.

Exciting stuff Chuck! I can't wait to get home and try this over the weekend. You make learning fun. Thanks.

Thank you so much for showing me this, I was looking for an easy and secure way to access my server, (which isn't in my house) and this does it just fine.

I use zerotier myself. It doesn't have the granular automatic control but it works for me and my (somewhat extended) family. I even use it to connect my cloud oracle servers with the rest of my network.

Yep, 0% trust on users, 100% trust on TwinGate. I've kinda heard of this concept a couple of times. It sounds interesting as tech though.
Nice video as always :)

Good Sir, you may have just solved a current issue my company is facing. The existing firewall doesn't allow granular rules for port forwarding (only forward IF FROM . This should help things SO much. Thanks for staying on top of things and sharing!

Thank you for let me know about these solution finally resolved 3 year problem to connect my home via starlink

I think the bit about the client and connector talking directly to one another is technically incorrect. While the relay knows which IPs and ports the client and connector use (after NAT), you cannot have them connect to each other. That is because the NAT routers will only accept packets originating from the relay for those ports.
So, in order to connect client and connector, the traffic has to be routed through the relay as a proxy. And while that traffic is probably encrypted, all of this is controlled by non-open software provided by Twingate. Thus, you essentially have to trust that Twingate is a. "not evil" and b. "stays secure".
Also, the ressources that are being exposed are controlled via a cloud instance ("controller") and also, who may connect to them. You essentially delegate control over what can be accessed to Twingate, putting a remote control to your network in their hands (aka "firewall piercing"). Surely, nothing to worry about, huh?

Great to see someone do this with QUIC, it's been on my mind for over a year now, their is an IETF workgroup working on proxy support and QUIC.
But routing all my traffic through someone else, not so happy.
Also: lots of VPNs just give you the subnet and nothing else, not routing everything through it. yep, split-tunnel
And lots of people set up a firewall on a VPN concentrator to control what people can reach.
21:20 very common among enterprise VPN vendors, I've never cared for it, but I guess good to see such features added by a company with a free option.

You have solved problem I've had for 12 months. Thanks so much xx

Like everyone else, I'm concerned too because it's not open source. An important point and strength of most self-hosted VPN applications are that they're open-source, so when you say "Managed" and a third-party server comes in between, personally, no matter how legit and reliable that company is, it's a red flag for me.

0:49 Thats not a VPN weakness but a lack of OPSEC on your part.
1:36 Zero trust? Doubtful. Basically you allow in a 3rd party onto your network because of the cloud control plane. BTW on the backend they use good old VPN protocols.
1:44 You can do that without VPN or this no-name sw vendor, its called "having proper firewall rules".
1:57 Gimmick, simply having an AV and fw rules doesnt mean the machine isnt infected or boned by a hacker.......

That looks like a great piece of software, but I am becoming increasedly concerned with amount of network infrastructure that is beginning to operate on closed source SaaS models.

Great video Chuck. I mean I love this product already. Couple weeks ago, we deployed something pretty similar to Twingate and was called Checkpoint Harmony Connect. It pretty much did the same thing and I had to set up a docker inside our internal vm farm. You’re awesome because now I understand how it works. Cheers man and keep these videos up

This is awesome!!! Can’t wait to give this a test drive. The video was so fun to watch thanks for always providing such informative entertaining content! 😀

What happens when Twingate's cloud/business inevitably gets hacked? What are the safeguards to ensure the hackers don't get access to everything we've provisioned access to using Twingate? I, too, would be much more excited if I could run an open source version so that I could host the controller and not be dependent of Twingate. Thanks much for the great content.

This is almost like a middle ground between cloudflares secure tunnel and tailscale. Thanks for actually explaining how this works.

While this solution lacks the necessary security measures for implementation in large-scale or business networks, I must admit its enticing simplicity in terms of setup and operation. As someone with over a decade of experience as a network engineer with a proficiency in software development as well, I find myself pondering why I hadn't conceived of such a smart and user-friendly solution earlier. 😊

Great video and great product! Love how enthusiastic you are talking about it haha

VPN is perfectly securable... VPN connection should be to a firewalled VLAN. Then you can specify ACL on that VLAN that controls what the users can access.

Back in my day (2004) , we used Hamachi. It 'kinda' did the same thing without the extra layers of security. Then it got sold off to Logmein (say no more)
Great to see there are plenty of decent alternatives. Another great video Chuck, thankyou!

Threw away VPN after fighting with configuration issues for months and this works so much better!!

Thank you for this lesson in IT and how internet protocol is evolving 🙂

Nice technology. I wonder if this protocol will be abused. When a PC is behind NAT , a home router uses Port-NAT. A statefull firewall "expects" data on the inbound port. Since the TwinGate client installed on a PC behind a NAT. It is basicly a backdoor relayer (SOCK5 proxy) in your LAN environment. Why? External users can connect to other devices in your LAN. Oh well, it is a cool tech, but I hope IDS/IPS firewall can detect this kind of traffic in business environment. A employee can easily make backdoors in your network if you are not carefull. Thanks for the clip and explanation.

I'm genuinely surprised that you don't already have a VPN setup. Also, for the concern about them having full network access can't you just use subnets to segregate the data and have the VPN only get you into a specific subnet? I mean, at my job the VPN I use won't let me access stuff in the accounting network.

I'm rewatching this video cause I just passed my first Cisco certification and honestly want to thank you cause throughout all your content, you touch so many subjects that all were such great help to understand networking. So thanks man!

I know how this will go. At some point they will just remove the free tier entirely. Happened to like 5 different services I used in the past.
First they allow you to sign up for free, then remove the free tier when you rely on their service, so you either have to pay up, or quickly search for a replacement.

this and talescale are good for me because while i could set up a true vpn through to my nas on my own with playing with my firewall and such. i know that my family probably can't or won't. Having the ability with tailscale to share connection access to my nas from anywhere, with just making an account and having clicked the invite link i sent them, is FAR more intuitive for most home users than the alternatives i've tried to convince them to try in order to access my jellyfin through my nas;

The thumbnail is pure art 😂

Thanks Network Chuck… great explanation, easy to understand… thanks for helping me stay up to date!

Man, what a discovery this has been. Excellent video!

Great idea to use a proprietary service 'never heard of' as the single point into every aspect of your network!

A David Bombal and a NetwrokChuck video on the same day? TODAY IS MY LUCKY DAY

My brother, THANKS for sharing this USEFUL SOLUTION! =)
I'm gonna try it myself TODAY

A split tunnel SSL VPN is a way better option - entirely self hosted and self configurable, and only the traffic that needs to go over the VPN does so (this negates the "everything goes through the VPN device" point that Chuck makes, only specific traffic that you define will go through it)- and their are products out there for this that also have ACLs etc. - I hate the idea of this going through a 3rd party service/server to access a private network.

The pieces of this I did understand were so cool to me that I feel inspired to really dive in and learn substantially about networking. Thanks for all you do!

Awesome Chuck! THANK YOU, thank you, Thank You!

Interesting. I've been getting by with wireguard via my current firewall app for my remote access needs. My needs are very simple though, since they are just for myself. I find Wireguard is very fast at establishing connections, certainly faster than traditional ipsec or ssl vpn's, though it really needs work on the UI and could use a kill switch or toggle option.
I'd certainly consider twingate if I could host my own controllers (the part that lives outside my firewall). With the way some companies change their policies regarding their customers I'd be wary of anyone having full control over the part in the middle that makes it all work. Sure, it is VERY convenient, but that puts them in a position of power to change the deal later without consent (insert clip of Darth Vader changing the deal here>. That and it is a single target for attack and a data breech would be a big problem (it stores info about your internal network, public ip's and your users after all). Something I'll bookmark for the future though.

Chuck. Thanks love the video. ❤ maybe I missed it but how much better/different is this compared to a cloudflare tunnel?

Your production values are killer. The live overlay is amazing. Would love to know how you do that. :)

Thank you for having me discovering this LOVELY tool ! Amazing ! Easy, secure, fast !!!

To be honest, i never ever understand what are you talking about but i always love to watch you describing your content ❤❤

Great review. Couple of thoughts. It's not zero trust if you're proxying with a third party. It's third-party trust at a minimum. More likely, it's third party (Twingate) plus whoever else is listening at the third-party relay; think NSA. Also, Twingate software appears to be closed-source. Again we'd have to trust that Twingate's software does only what they claim it does. That's a big camel to swallow if you're security conscious.

I've been on a NetworkChuck geek binge today. Thanks Chuck!!

I'd like to see a video of you comparing Twingate to Cloudflare tunnels (zero trust, previously called Argo Tunnels). I've been using the latter for quite some time and it's nice not having to install a client to facilitate the split tunnel vpn connection.

Not going to lie, I did not expect that ending haha that got me good lol. WHAT ARE YOU DOING!? Videos are always awesome from you man. My personal opinion on VPNS:
I majored in cybersecurity and I knew from the get go, you are only as secure as the product you use nothing more, and nothing less. This is good for probably 80% of the world. But the other 20% I feel are like me and never agreeed to it. My favorite way to access stuff from other places is 2 step VPN through a firewall. Yeah it can still get session hijacked (remember the golden rule, you are only secure as the product you use). But at the end of the day I technically am MFA'ed to my VPN and I can control what user through my dedicated VPN can use. I think I should mention that I use sonicwall, and I am not talking about your commercial VPN's I am talking about a business level one which is completely different than what most at home users will use.

I needed this so much. thanks a lot

Twingate(simmilar to TailScale, Zero Tier) basically has VPN under the hood and alows to control via web admin and its felxible when it comes to auth devices(but you are loosing privacy, as it collects many info about your system), you can achive same result under using Wireguard connection and your IP behind DDNS and any LDAP for selection which items allow to users :) I personaly use Tailscale as backup solution just in case DDNS upgrade script fails. But I am not sure if it is safe enough

This is like magic!
I struggled a lot with trying to make this work using FTP or a Static IP address and the provider wanted to charge me a lot more for that service.
As some one who is not experienced in networking stuff, this worked like a charm.
I installed Docker to my WD Mycloud EX4100 and launched it in there, so no more annoying webpages to upload files or download them, I can just map the route directly to windows and its fantastic!
Thank you very much for sharing this!

I’d love to see a nitty gritty comparison and performance test between Twingate, Tailscale, and ZeroTier. I’ve been using Zerotier for a long time but Twingate’s more modern security features might be what makes me switch.

This sounds like a great solution for those like me who dont have access to the router admin pannel and port forwarding on the nas network. Cant wait to try it out.

From your video, Twingate has the same functionality as a good enterprise VPN such as one offered by Fortigate: Split tunnel, device/port/protocol control etc. Positive: it is about 10 fold simpler to setup; has an integrated MFA that does not cost extra; can use an already configured identity provider (Azure Ad, Google Wrokspace, etc). Negative: a third party (Twingate) has to be now added into the circle of trusted providers on the network; does not have a capacity for traffic inspection and logging that is available on a good enterprise FW.

I'm using Wireguard on my Router... Easiest setup ever and I also can control what each VPN connection can or can't connect to.
No need for twingate which runs outside my home, I can even use this setup on a dynamic IP address.
I can't see me switching to a service that isn't selfhosted, it's too risky for me.

This is absolutely NOT zero trust. In this scenario you have to trust twin gate and there are multiple points of failure. First is the fact that this is closed source software, if TG get compromised or otherwise do something untrustworthy, they can push a malicious update to this software and you would never know. This requires you to trust them. Another point of failure is the fact that TG have the auth tokens. So this requires you to trust them not to leak those. Calling this Zero Trust is damaging your credibility.

First and foremost I want to say thank you for everything you have helped me with over the years. I moved to the us to take care of my mother niece and nephew a few years back. He would sit with me while I watched youtube from time to time and he always loved watching your channel. One of the funniest things he ever said was after I shaved and shortened my beard by better than half. You see he had met friends of mine and others who could give zz-top a run for their money. He was convinced, probably because of Dumbledore, that wisdom didn't come with age. No. The true measure of a man, his Knowledge and wisdom were dependent upon the quality of ones beard. Apparently the thicknesses was a measure of general knowledge. The more hair you had the more general knowledge you had. The length of ones beard was how you you determined seniority. Thick beard you knew about all kinds of different things. The longer the beard the more people should listen to you.
Those were more or less the rules he came up with As I remember them.
He asked me if you were really smart and I told him you were. He asked if you were as smart as me and I told him that you were so smart that you were teaching me things that I didn't know.
He began calling you mister beard at that point.
I told you all of that in order to get to this point. I decided I needed to get rid of some of the length of my beard. When my nephew saw me he was beside himself. He was upset because your beard was bigger than mine and He didn't want me to be a dummy so I had to grow it back. And I was going to have to watch more videos of yours because you taught me things and that of course wouldn't make it grow back faster since now I was stupid.
I hope you got as big a laugh out of that as I did.

I loved the intro video music, was on point bro 👌

This really looks like Tailscale. The UI looks very similar down to the ordering of the menu items within the control panel. Sure there’s some nicer things that seem to just add UI wrappers on top of where Tailscale has ACLs defined as code. And with Tailscale, there’s also the OSS control plane Headscale that can be run with the native Tailscale programs/apps. Not really sure that Twingate is a better alternative for selfhosted or otherwise…

Hate VPNs and love Twingate!!! Glad the word is getting out

Also need to hit the notifications bell. I was subscribed for months and just realized I have to turn on notifications.

I use ZeroTier, which is not as advanced in features, but has windows compatibility with bidirection lan egress (extra config needed), and as far as security and zerotrust... /32 routes. Or if usecase dictates, is a replacement for ipsec site-to-site that works behind double and triple NATs with no static IPs.

its the same as you can do with cloudflare, but it looks a bit easier... I'll give it a try :)
... aaaand your vid is an absolute banger! .... as usual ;)
and btw: almost 3 mio subs! 🥳

I just love how excited about Tech you are man! I am the SAME way, and I think we come from the same generation of IT pros. They just don't make em like you anymore. All these kids want to go straight into dev and make 200k/yr, and you are one of the FEW people that is Making SysAdmins Great Again. Thanks for all that you do.

Seems great sollution for remote access to automation devices like PLC controllers, i didn't try it yet but will do asap. Thanks!!!

It just works!!! Installed on a Raspberry Pi 2B and its works!!!

Network Chuck must somehow be listening in to my device or something Hahaa. A couple weeks ago my company asked me to look into ticketing software.. he released a video on how to create your own. I just got asked about getting a VPN to use and then he releases this video. Love your videos man haha

I love it when Chuck says something is easy, and then in about 60 seconds into the process my eyes start glazing over. 🤣

I am a networking novice, so I really appreciate your videos. They teach me a ton. I’m curious what you think about devices like firewalla. I got one recently and use its internal VPN with WireGuard. Seems to work okay, but curious if I”m missing something or not as secure as they like to say I am.

Had the same issue, solved it with tailscale. It is also Free up to 20 devices. And you can share only single devices with certain users.

I personally use TeamViewer which is a paid for service and software. But I would love to see an open-source version of the software you just described. I want to host the monitoring myself so I don't have to rely on an outside company.
Excellent video! I will definitely be trying this out!

Could you make a video on how to host your own VPN locally, and as simply as possible?

Damn, this is so easy, and you just earned my subscription
Thank you!

I really like these videos youre making... I would really like to sit down and talk about all this with you because it hits home strangely with everything thats been bothering me for the last 6 years or so and feel so far behind still .... need to ctch up big time... wiercd but funny cause just found an old chucke cheese token .... idk but you got all the knowledge im interested in ... thx chuck

My Master's thesis was about zero-trust networking. This technology is great and pretty safe at so many levels especially with DDoS and other types of threats. Great explanation as usual Chuck!

I’m a bit unease with controller being hosted on a private cloud . Specially if are the ones running the “firewall rules” created.

This is a looks like a great product. Must do some testing using this but I do understand that not everything is under your control.

I am completely computer illiterate but will now begin to learn how to use one
The only thing I understood from this clip was have a coffee, which I am drinking while I am watching this
Thanks for the info just subscribed

We need someone to tell this guy about WireGuard and iptables.
It's 10 lines of WireGuard's config and LITERALLY 5 rules of iptables.
2 minutes to get it up and you have full control of what's going inside the tunnel.

Seems like twingate is either using TLS sessions OR its actually a traditional VPN under the hood with some ZTNA security features.

Im so glad I found this channel! Thanks Mr. NetworkChuck for providing great instruction, and excellent videos!

The best "VPN" I ever did use.
Big thanks for sharing this !

Question: Chuck you mentioned CGNAT. Is this capable of working in a UCaaS environment to get from the UCaaS host to the customer through a CGNAT environment?

I love your videos ❤

it sounds good, but still there is no guarantee that your third party vpn provider won't get hacked or sell your data. If I do care about my data, I would rather setup a wireguard server instead, as it's fast, secure, and fully under my control.

This seems very similar to tailscale, which is what i prefer as it can be self hosted, open souce, and instead of TLS, tailscale used wireguard backend. But it is no where near as pointy clicky as this solution. Great video chuck

the thumbnail of this vis is brilliant lmfao i havent laughed out loud like that in awhile

Funny cause I just found this a few days ago and started using it.

I will demo this because I'm curious, but I will say right off the bat that I'm not wild about deploying anything that requires something in the external cloud to function. ¯\_(ツ)_/¯

Hi Network Chuck, I'm curious when setting this up are the tokens acting as a secure hash between the devices?

I wanted something that allows me to operate my telescope when I'm working away, this works perfectly ! access to 1 IP address only is all thats needed, but I can now work remotely from my ipad app.

Great video.
Maybe if someone could compare Twingate to CloudFlare Tunnels to Wireguard please.

I’ll for sure use this but I think vpn is here to stay. I don’t think I trust twingate that much for it to be the only way to my homelab.

Your channel always has excellent videos, it helped me in critical moments and in some cases, I managed to predict and eliminate catastrophes before their birth.
But this video is insane!
Thanks!

May I ask what do you use to write on the screen ?...is that during editing or while filming ? I can see that you have a Wacom tablet

You made me get myself into loving hacking and network. You are amazing man!

You said, "VPNs are old", but proxy servers are even older. They're the precursor to VPNs. Just had to point that out. Doesn't mean this method isn't effective.