Home based VPN without setting up port forwarding..

I have a Pi4 with WireGuard (I think from the pi-vpn suite). I use this to get into my house from anywhere else I might be. Works perfectly - just tap a button in the app, done.
I do however have a static IP and a good router to set up the port forward.

I want one in another country (in-laws) but they have no static IP (could even be CGNAT for all I know) and a crap-tier router.

Is there any other solution I could use? I've heard of Tailscale? But I also heard it's worse than WireGuard..
Thanks for any info..
 
Tailscale should do what you need, as would other, similar providers (I've not actually used Tailscale, but I have used ZeroTier, which is similar)

My understanding is they're effectively a VPN that utilises an external service to connect through (but still encrypted through that service). Having the service in the middle allows both ends to initiate an outgoing connection & therefore not need a port open to allow incoming connections.

Your bigger issue will be the setup at your in-laws' place. You will either need to set up the SW on each device you want to connect to your network, or if you want the whole lot, you'll need a router level VPN, but if the router is an ISP provided one, it's unlikely it will support this.
 
Oh maybe I completely misunderstood Tailscale then? I assumed it was like WireGuard on my Pi.. Where I 'appear' on my phone like I'm on my home network (192.168.1.1 opens router page etc).
Are you saying TS is not like this?
 
Tailscale is relayed via their network so this would work for you. You'd need to put a Pi behind their router and it then connects out. Tailscale meshes all nodes together and I think you'd just end up sticking a route in to go out via their internet.

Easy. No forwarding needed.
-or-
Spend like £3 a month on a VPS, set up Wireguard server and remove the need for a residential connection to support your torrenting online needs.
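
The VPS option suggested above, sketched as WireGuard configuration (an added example, not part of any poster's reply). Assumptions: tunnel subnet 10.8.0.0/24, in-laws' LAN 192.168.50.0/24, the Pi's LAN interface named eth0, UDP port 51820, and every value in angle brackets is a placeholder.

```ini
# ---- VPS (hub), /etc/wireguard/wg0.conf ----
# The only listening port in the whole setup is on the VPS.
# The VPS also needs IP forwarding enabled (net.ipv4.ip_forward=1)
# so it can pass packets between the two peers.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

# In-laws' Pi: its tunnel address plus the LAN it fronts (assumed range)
[Peer]
PublicKey = <PI_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32, 192.168.50.0/24

# Phone or laptop
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ---- Pi behind the in-laws' router, /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <PI_PRIVATE_KEY>
# Forward tunnel traffic onto the LAN and masquerade it, so the
# ISP router needs no static route and no port forward.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
AllowedIPs = 10.8.0.0/24
# The Pi dials out and keeps the NAT/CGNAT mapping alive.
PersistentKeepalive = 25

# ---- Phone ----
[Interface]
Address = 10.8.0.3/32
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Route only the tunnel and the in-laws' LAN, nothing else.
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
```

If the in-laws' LAN uses the same range as the network the phone is on at the time (for example 192.168.1.0/24 at both ends), the routes clash, so the remote LAN is best moved to a distinct range.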
 
It is, and it isn't.

Wireguard is a VPN protocol, as is OpenVPN (amongst many, but they're the 2 most common, especially in the consumer space). They're basically specifying how the data is encrypted/decrypted.

Tailscale is a service, which uses the wireguard protocol for your connection, but uses it slightly differently to your Pi-VPN.

A traditional VPN will have a VPN server (e.g. your Pi running at your home). Clients will communicate to that server directly & establish a connection. Direct A<->B. Whereas Tailscale is A<->C<->B but isn't decrypted at C.

As an anecdote, think of it as you want to send a letter to the address 123 vpn street (the VPN server). You (the client) write the address of the server on the envelope (the encrypted data) & post (the internet) it. Because the address is on there, it gets to that address & therefore the connection is made.
If, however 123 vpn street has a locked fence (your firewall, without any open ports) (or in a CGNAT example, is a block of flats, with only the main building address available, not the individual flats), if you tried this again, your letter wouldn't be able to be delivered, as although the postie might know the address to deliver the letter to, it can't get there (or doesn't know which flat, in the CGNAT example).
In this case, using something like Tailscale is like posting your letter to a PO box. The PO box security is handled by someone else & can accept all incoming mail, then someone from 123 vpn street can leave their home, when they are ready & have the key & go to the PO box & pick up any mail that's arrived, thus establishing the connection.

They're not perfect anecdotes, but hopefully give you more of an idea of how the differences work.
 
Tailscale = Wireguard with cloud relay service built in.
 
Use a DDNS service like NoIP. I use an updater script on the RPI that uses cPanel on my website but that’s not going to work for your parents.
 
Thanks all for the replies. Especially you RC. I will give it a go. I do like the sound of Tailscale for situations like this. Hopefully get it done right enough that next time we are there I can plug it in and leave it without having to bring a keyboard and screen with me lol..
 
I use Tailscale for the same reasons as you, OP, including on my Raspberry Pi, and I installed it on my brother's Apple TV box so he can access my Plex server without me having to open a port for it in my router.
 