I have been looking at the Tailscale configuration tutorial created by @BartButenaers, and, previously, I configured Cloudflare Zero Trust to work on my devices/network with the encouragement of @TotallyInformation. Cloudflare ZT worked well until my main laptop needed rebuilding. Unfortunately, I never did get ZT to work again! This was down to me, I feel: I understand what I am trying to configure, but I am not quite competent enough to completely understand the steps.
I decided that I needed a system that did not rely on any third parties, where changes in their configuration could cause problems with any existing configuration of mine, or where there might be disruptions to service. Something was needed that was under my control, that I completely understood, and that was reliable and secure. This is my attempt at a simple solution. It works fine for me, and I know from experience that it is reliable and secure: I used to use it to remotely troubleshoot machines and to permanently connect my local network with my Business Partner's network in Scotland for development and for loading software onto machines (not PCs). More specifically, I am comfortable re-configuring it should something go wrong!
For those familiar with how a VPN works, jump over the italics.
A VPN (Virtual Private Network) is a secure way of sending and receiving information between your computer, phone, tablet or Router and a VPN Server. It communicates through an encrypted tunnel and, depending on configuration, lets you reach any Website, Web Application, Network or Computer. Within the tunnel there is bi-directional encrypted data flow between the Client and the Server. The Client can run on your device, or possibly on the Router of any network you are on if supported. The Server could be provided by a third party, by the Router for your home/office network (if supported), or by a Server within your home/office network. A VPN can run using various Protocols such as OpenVPN and Wireguard (both of which I use).
VPN was described to me (a long time ago) as being like taking a journey on a Ferry across the English Channel. On a normal crossing you will see other ferries. If you have a Telescope or pair of Binoculars, you can examine the other ferry in more detail and possibly make out more of what the ferry is carrying. (You could liken this to packets of traffic travelling through the internet with some persons using Software tools to examine what is in each packet of data).
We may already know that the Channel Tunnel between UK and France follows a path similar to the ferry routes. You know the tunnel exists and with specialist tools, you might be able to find the location of the tunnel, and with more advanced equipment, detect that a train is passing through, but you don't know what is on that train, even if you do know exactly where the tunnel is beneath you. To equate this to our Client/Server setup, you may be able to locate the secure tunnel on the Internet, but other than detecting an encrypted packet passing through an encrypted tunnel, you will find it extremely difficult to break all the encryption involved with the VPN. This is a very much simplified explanation, but hopefully, a practical demonstration of how the VPN works.
Basically, a VPN Server supplied by a 3rd Party VPN Service will have secure Servers/Exit Points to the Internet (to mask or change your apparent location). If the VPN Server is installed in the Home/Office router or on a device within your Home/Office, it can give access to some, or all, of your internal Network, and may also allow you to access the Internet from your Server location. This all depends upon how the VPN is configured (for Wireguard it is the AllowedIPs line in each Client profile; for OpenVPN it is the routes the Server pushes to the Client). I will add here that all I want is access to my Home Network. CIDR, IP mapping, or any other configuration to change what devices a VPN allows access to is beyond me!
Configuring the VPN can involve opening ports on Routers to allow the VPN Client and Server to communicate with each other. Some Routers do this automatically when you configure a Tunnel; on others, rules may have to be added to open the respective Ports. The VPN Server or Client always sits behind the public IP of whatever connection you are using, whether a Router or a Device. All that is required to reach the Server is its IP Address or Domain Name and its Port. The communications are secure and effectively sit behind any point of connection to the Internet where a Let's Encrypt or other TLS Certificate might otherwise be needed: services you reach only through the tunnel do not need to be exposed to the Internet at all. Other than configuring the VPN Client and Server, possibly opening the Ports, keeping the Server software updated and revoking the profile of any device that is lost, there are no other requirements for configuration or Security.
My configuration gives me access to my Node-RED and Frigate CCTV servers as well as the rest of my Home Network, so I can carry out all tasks on my computers as if at Home. I did not have to open Ports for any of the VPN Clients (that is taken care of by the local App). On one of my routers (Firebrick 2900) I had to create a rule to open the Ports, whereas on the Teltonika RUTX the Ports are taken care of when the Client is configured.
Personally, I use a VPN if I am out and about, especially when using a local WiFi Hotspot or Network. With the VPN activated, I get an encrypted tunnel between my device and the VPN Server, preventing nefarious people from stealing my information, especially if they are carrying out a 'Man in the Middle' attack. Basically, someone sets up a Computer to intercept any traffic passing through the WiFi/Hotspot before passing it on again to its original destination. You would be oblivious to this happening, and any unencrypted data from your communications can be examined by them and any sensitive information gleaned, e.g. passwords, PINs etc. HTTPS has made this kind of attack less common now, but the method can still be used to gather data. The same can happen with spoofed Mobile Network Cell towers.
There is a proviso: as with all secure communications, including Tailscale and Cloudflare, you have to trust someone to handle your encrypted traffic. The VPN Server will decrypt the data from your Tunnel and it will appear as normal internet/network traffic from then on. If the VPN Server is provided by a third Party, the decryption takes place at the exit point of your VPN, which for a connection to the Internet means that unencrypted data is handled by your VPN Provider. There is much discussion as to who the best VPN providers are, especially with regard to cost, and cost, to a certain extent, should not be the main driver in choosing a Company. There are plenty of Providers, some trustworthy, some not so trustworthy. Also, the jurisdiction of the Provider's servers may affect your choice, so choose carefully!
However, this does not affect you if you are accessing your own Home/Office network from a remote location. For this, you need your own VPN Server installed in or behind the router at whichever IP Address or Domain your network is behind. You can also use, for example, Tailscale or Cloudflare Zero Trust to do the same job.
In my case, I have VPN clients for both OpenVPN and Wireguard available on all of my/our devices that might want to VPN Home. We have a VPN Client installed on the Router we use in our Motorhome, configured for both OpenVPN and Wireguard, so that we are able to connect our remote location Network with our Home location Network. This configuration allows all devices in the Motorhome to connect to the Router's Network and then, via the Router's VPN Client, the Home Network without enabling VPN on any of the devices. Equally, because each remote device has a VPN Client, they can also connect to Home directly if needed. The reason we have two VPN Clients on each device is 'just in case'; it is insurance. I have also seen examples where Tasker is used to decide when a VPN Client on your device needs to connect or not.
Assuming a level of knowledge that allows you to use the CLI over SSH, let us start with our Office/Home Network VPN Server. I use a Raspberry Pi Zero 2 W loaded with Raspberry Pi OS Lite (headless) with SSH enabled.
As a VPN Server, I have discovered PiVPN. This package is easy to install, and the VPN 'Profiles' (each remote device's configuration file) for both OpenVPN and Wireguard Clients are created using similar simple commands.
Once the RPi is up and running on the Home/Office Network, connect to it by SSH and follow the instructions on the PiVPN website to create a VPN Server, which you can then use to create Client profiles (a certificate and keys for OpenVPN, a key pair for Wireguard). PiVPN can run on any of your Pi servers, but personally I use a server dedicated to supplying the VPN Server endpoint.
When I started with PiVPN, I was thinking too deeply about configuration. It is all simply done by using SSH to the Server and then the CLI to create a profile for each device, for OpenVPN, for Wireguard, or both. These configuration files are what you load into your VPN Clients. Both of these Protocols are free and open-source and are considered to be very secure. (Example generation of a Config File: `pivpn ovpn add` or `pivpn wg add`, then just follow the on-screen instructions.)
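As an added example (not part of PiVPN, the official apps, or the original post): a small shell audit you can run on the Pi against a Wireguard client profile before copying it to a device. It checks that the two keys and the Endpoint are present and well-formed, and reports whether the profile is a full tunnel (AllowedIPs contains 0.0.0.0/0 or ::/0, so everything goes via Home, which is what you want on a public hotspot) or a split tunnel (only the listed prefixes, e.g. the home LAN, go through it). The file layout is the standard wg-quick(8) format; the sample profile, the hostname vpn.example.org, the 10.6.0.0/24 tunnel subnet and the 192.168.1.0/24 home LAN are constructed placeholders, and the keys are placeholders of the right shape, not real keys.

```shell
#!/usr/bin/env bash
# Pre-flight audit of a WireGuard client profile before it goes onto a
# phone or tablet. Added example for this post; not part of PiVPN.
# Profile layout is the standard wg-quick(8) INI format. The sample
# profile at the bottom is constructed: placeholder keys of the right
# shape, a documentation hostname and assumed subnets.

# wg_field FILE SECTION KEY -> prints the value of KEY inside [SECTION]
wg_field() {
    awk -v sect="[$2]" -v key="$3" '
        $1 == sect { insect = 1; next }
        /^\[/      { insect = 0 }
        insect {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, n + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# wg_is_key VALUE -> true if VALUE is shaped like a WireGuard key
# (32 bytes base64: 43 characters plus one '=' of padding)
wg_is_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# wg_tunnel_mode FILE -> "full" when AllowedIPs routes everything through
# the tunnel (0.0.0.0/0 or ::/0), "split" when only listed prefixes do
wg_tunnel_mode() {
    case "$(wg_field "$1" Peer AllowedIPs)" in
        *0.0.0.0/0*|*::/0*) echo full ;;
        *)                  echo split ;;
    esac
}

# wg_audit FILE -> 0 if the profile has what a client needs, 1 otherwise,
# printing one line per problem on stderr
wg_audit() {
    local f=$1 rc=0 ep
    wg_is_key "$(wg_field "$f" Interface PrivateKey)" \
        || { echo "$f: [Interface] PrivateKey missing or malformed" >&2; rc=1; }
    wg_is_key "$(wg_field "$f" Peer PublicKey)" \
        || { echo "$f: [Peer] PublicKey missing or malformed" >&2; rc=1; }
    ep=$(wg_field "$f" Peer Endpoint)
    printf '%s\n' "$ep" | grep -Eq '^(\[[0-9A-Fa-f:]+\]|[A-Za-z0-9.-]+):[0-9]+$' \
        || { echo "$f: [Peer] Endpoint must be host:port, got '$ep'" >&2; rc=1; }
    [ -n "$(wg_field "$f" Peer AllowedIPs)" ] \
        || { echo "$f: [Peer] AllowedIPs missing, nothing would be routed" >&2; rc=1; }
    return "$rc"
}

# Constructed sample profile for the demo (placeholder keys, not real ones)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
Endpoint = vpn.example.org:51820
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
EOF

if wg_audit "$SAMPLE"; then
    echo "$SAMPLE: ok ($(wg_tunnel_mode "$SAMPLE") tunnel)"
fi
rm -f "$SAMPLE"
```

On the Pi you would point `wg_audit` at the profile PiVPN wrote for a device instead of the constructed sample. A profile that passes but reports `full` is the one to use on public WiFi; one that reports `split` only carries the home LAN prefixes and leaves ordinary browsing on the local network.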
On every Phone and Tablet (Android and iOS) I load the Official Apps for OpenVPN and Wireguard. The configuration files created by the server are then used either by uploading the file, or by copying details into the Client App on each device. If you do as suggested and create a configuration file for each device, the VPN connection profile can be revoked individually in case of loss or retirement of a device.
When downloading the Apps for your devices, MAKE SURE that you download the Official Apps from the Official Site. There are Apps in the various App Stores touted to have benefits over the original App, but they may not be what they seem and might possibly steal your data, amongst other things!
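The per-device profiles only pay off if you actually notice which devices have gone quiet. As an added example (not part of PiVPN or the original post), this shell function reads the output of `wg show <interface> dump` on the Server and lists every peer whose last handshake is older than a limit, or has never happened, so its profile can be revoked. The dump format is WireGuard's own (tab-separated, first line is the interface, then one line per peer with the latest handshake as a Unix timestamp in field 5, 0 meaning never); the dump embedded below is constructed with placeholder keys, and `wg0` in the usage note is the assumed interface name.

```shell
#!/usr/bin/env bash
# Server-side check for peers that have stopped connecting, so their
# profiles can be revoked. Added example for this post; not part of PiVPN.
# Input is the text of `wg show <iface> dump`: tab-separated, one
# interface line, then one line per peer whose field 5 is the latest
# handshake as a Unix timestamp (0 = never). The dump below is
# constructed with placeholder keys.

# wg_stale_peers DUMP NOW MAX_AGE_SECS -> one line per peer whose last
# handshake is older than MAX_AGE_SECS or has never happened:
# "<public key><TAB><days since handshake, or 'never'>"
wg_stale_peers() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="$3" '
        NR == 1 { next }                       # interface line, not a peer
        {
            hs = $5 + 0
            if (hs == 0) { printf "%s\tnever\n", $1; next }
            age = now - hs
            if (age > max) printf "%s\t%d\n", $1, int(age / 86400)
        }'
}

NOW=$(date +%s)

# Constructed dump: three peers, handshakes 10 minutes ago, 40 days ago,
# and never. Keys are placeholders; 203.0.113.5 is a documentation address.
SAMPLE_DUMP=$(
  printf 'srvpriv=\tsrvpub=\t51820\toff\n'
  printf 'phone=\t(none)\t203.0.113.5:40000\t10.6.0.2/32\t%s\t81920\t40960\t25\n' "$((NOW - 600))"
  printf 'oldtablet=\t(none)\t(none)\t10.6.0.3/32\t%s\t4096\t2048\toff\n' "$((NOW - 40 * 86400))"
  printf 'lostphone=\t(none)\t(none)\t10.6.0.4/32\t0\t0\t0\toff\n'
)

# Anything silent for more than 30 days is a candidate for revocation
wg_stale_peers "$SAMPLE_DUMP" "$NOW" $((30 * 86400))
```

On the Pi the real call is `wg_stale_peers "$(sudo wg show wg0 dump)" "$(date +%s)" $((30 * 86400))` (interface name assumed). Match each listed public key against the client profiles PiVPN created, and remove the profile for any device you no longer have using PiVPN's own remove/revoke command (see `pivpn -h` on your install).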
Be sure you have the correct Client App BEFORE you start using it - links are provided in the text! Protocol details can be seen on each site's web pages if you are interested.