Travelling with your Self Hosted setup

David Field, thesafewebbox
7 min read, May 1, 2024

You have put in the hard graft: you’ve got yourself a sweet home setup, you’ve got the media all set up, downloading and a server to play it from, and you’ve got your own DNS server, maybe your own mail server and a plethora of container servers running on your Proxmox mesh...

Your setup is solid and it passed the partner test. You feel secure in the knowledge that this is a secure home setup and you’ve got all your files off Google/Microsoft/Dropbox (delete as applicable).

Life is good…

Then the unthinkable happens, you’ve got to venture outside.

How do you access your services? How will you check those Grafana stats? How do you watch the media you’ve been downloading? How do you know that the hotel/shopping mall/McDonald’s/pub (delete as applicable) Wi-Fi is secure?

Fear not, there are options.

Option 1 — Make it all public

The first and immediately obvious thing to do is make all those web portals public. Put an Nginx reverse proxy on the edge of that home network, add some Let’s Encrypt certificates and allow access from the outside in.

Seems logical enough right?

It is, until you start thinking about security. Have you locked all your services behind some sort of centralised authentication solution? How sure are you that your services are patched and secure? Do you have the bandwidth for all those bots and script kiddies trying to break into each and every one of those services?

There are times when you’ll want a public-facing service, but for most of the things you’re running on your home network I’d wager a bet that you don’t want those screens public.

Option 2 — Setup a VPN

Option 1 wasn’t going to cut it: it’s insecure, a pain to set up and maintain, and realistically, while it could be locked down, there is an easier way.

Install a VPN server at home and the client on your laptop/tablet/phone (delete as applicable).

All those services stay locked up at home; all you need to do is set up a server, link it to your external IP address and you’ve got access to your home network while out and about...

This is good, it’s a far better option than Option 1, and there are plenty of good VPNs to choose from.

You are, however, away from home, and that VPN server is a single point of failure. What happens if your router fails, the VPN server locks up, or you get rate limited by your ISP?

There you are on the beach/in the mountains/in a bar in the city (delete as applicable) and suddenly that VM/Raspberry Pi/container (delete as applicable) your VPN server is running on crashes. No way to fix that until you get home.

You just know that's going to be niggling in the back of your mind until the end of that outdoor venture...

Option 3 — Use a Mesh VPN

These options are all available; I know, because over the course of many years I’ve tried many of them and I’ve been there when things fail, go down and stop working.

The last couple of years, however, have been made much easier by using Tailscale.

https://tailscale.com/

Essentially, Tailscale has grown a huge amount since I first started using it; the basic premise for me, however, is simple.

I install Tailscale on everything I can. When you connect to my home Wi-Fi, by default you have access to no services at home except internet access.

The magic button is installing the Tailscale client on endpoints like laptops, tablets, phones, Apple TV, travel routers etc.

All my services are set to present only to the Tailscale network, whether they are at home, on the clouds I use, or wherever else those services may be.

Doing this, they all present as one flat network.

At its core, Tailscale builds a WireGuard mesh network between every device the client is installed on.

This means that, unlike a traditional home VPN solution where you’d need a port opened at your perimeter to allow the remote endpoint to connect to the OpenVPN/WireGuard/router VPN (delete as applicable) you set up, the Tailscale endpoints “speak” to each other across the public internet inside an encrypted bubble. Doing so means there are no open ports on the external connection to my home router. One less point of entry.

While this is cool, there are two scenarios you may run across.

The first is: what do you do when there are devices on which you can’t install Tailscale? How do you access those?

Tailscale has Subnet Routers.

On one of the systems within the home environment, usually a Linux server, where you would normally run the command

tailscale up --ssh

you extend that command to something like

tailscale up --ssh --advertise-routes=192.168.0.0/24,10.10.1.0/24

In this example, 192.168.0.0/24 might be a home network and 10.10.1.0/24 might be another home network.

This Linux box will now allow any other Tailscale node to access IPs on your home network.

As an aside, the switch

--ssh

is also pretty useful: it enables Tailscale SSH on that node, so there is no need to set up SSH individually on every server. Who may connect, and as which account, is managed in the Tailscale admin portal.

The second question is: how do you manage your traffic?

What do I mean by this?

By default, when you are remote and connected to a VPN (Tailscale included), the local internet connection is used when surfing public servers (BBC, Amazon, Google etc.), so those sites see you as the IP address of the place that you are.

When you want to connect to one of your home services, that traffic is routed over the VPN (Tailscale in this case).

Some services are blocked for international IP addresses; BBC iPlayer is a good example of this, as it’s blocked for use outside the UK. Those influencers peddling Surfshark, NordVPN or ExpressVPN will often cite the Netflix example, where Netflix has different content available depending on your global location.

My personal example was needing to access my bank account while in Thailand to transfer some money and the bank app wouldn’t let me in because I wasn’t in the UK.

Tailscale again has an answer to this problem, and it is called Exit Nodes.

You can set up as many exit nodes as you want, wherever you are running Tailscale.

As with the previous example, to do this on a Linux server running Tailscale, run

tailscale up --advertise-exit-node

In the endpoint client this server will now be listed as an exit node, and you can pass ALL your traffic through this node.

In my home setup I have this running on a Raspberry Pi and a Linux box at home and a UK-based (London) cloud server, so even if my home network goes down, this feature still works.

What I’ve also done in the past when travelling to Thailand, Canada or Europe is to set up a tiny cloud presence in that country, as close as possible to the location I’m staying, and set this up as a local exit node, as I’d feel that was safer than some of the hotel/Airbnb Wi-Fi setups.
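The subnet router and exit node steps above can be applied from one script; this is an added example, not the post’s own code. It assumes the tailscale CLI is installed and already logged in and that it runs as root; it validates the advertised networks, enables the IP forwarding both roles rely on, and leaves the route approval in the admin console to you.

```shell
#!/bin/sh
# Added example (not from the original post): make a Linux host a Tailscale
# subnet router and/or exit node with a single 'tailscale up' call. Both roles
# need the kernel to forward packets, and the advertised routes/exit node must
# be approved in the admin console before other nodes can use them.

# valid_cidr NET: accept only dotted-quad IPv4 networks with a /0..32 prefix.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    rest=${1%/*}; n=0
    while :; do
        octet=${rest%%.*}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) break ;; esac
    done
    [ "$n" -eq 4 ]
}

# build_tailscale_up ROUTES EXIT: print the command. tailscale up expects every
# non-default flag in one invocation, so --ssh, routes and exit node are combined.
build_tailscale_up() {
    cmd="tailscale up --ssh"
    routes=$1
    while [ -n "$routes" ]; do
        net=${routes%%,*}
        case "$routes" in *,*) routes=${routes#*,} ;; *) routes= ;; esac
        valid_cidr "$net" || { echo "bad route: $net" >&2; return 1; }
    done
    [ -n "$1" ] && cmd="$cmd --advertise-routes=$1"
    [ "$2" = yes ] && cmd="$cmd --advertise-exit-node"
    echo "$cmd"
}

# enable_forwarding: persist IPv4/IPv6 forwarding (path as used in Tailscale docs).
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
        > /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Usage: sh script.sh --apply "192.168.0.0/24,10.10.1.0/24" yes
if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    cmd=$(build_tailscale_up "${2:-}" "${3:-no}") || exit 1
    $cmd && echo "Now approve the routes/exit node in the Tailscale admin console."
fi
```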

Some other things you can do with Tailscale

DNS

I previously wrote up an example of using Pi-hole to provide DNS scanning on Tailscale here; again, this is just another layer of security when I’m on the Tailscale network.

KASM

Kasm is best described as sandboxed, container (Docker) driven applications and Linux desktops. I use Kasm to segregate my work services like Slack, web browsers and Google Meet away from my home install.

I wrote up how to get Tailscale working inside an Ubuntu desktop container here.

HTTPS

All the services on my Tailscale network with a web interface are presented over HTTPS, and I don’t make life hard for myself doing that, as in some projects it’s a right pain to set up HTTPS on the front end.

I’ve set up Nginx Proxy Manager (NPM), which points to Cloudflare for DNS on the domain I host for internal systems. Cloudflare also provides a mechanism for renewing the Let’s Encrypt certificate every 90 days automatically; I just point the URL to the Tailscale IP in NPM and the URL to the NPM server in Cloudflare.

Final thoughts

I don’t work for and am not paid by Tailscale; this is a post because I’ve just got back from another trip and using Tailscale has yet again made life easy. The wife, dog and I are not late-night party animals and like some of the comforts of home, so with this setup I was happy that the Wi-Fi was secure, we could watch Plex and we had access to the home security setup.

David Field
thesafewebbox

A 35+ year veteran of the IT industry, now as well as being an IT Manager, I like to tinker with technologies and projects and blog about them.