Welcome to the Home Lab Show, Episode 36, and we're going to dive into VPNs. Now, there's a delayed start today, for those of you that already noticed and commented, because we can't get the time right. You know, it's just that technology is hard. I've got to read AM and PM. There's a reason I can argue things should all be in military time, right, Jay? Exactly. I mean, to be fair, I've always had a problem with time. Even back in the day, setting my VCR to record a show when I was out of the house was really hard to do. It wasn't hard for anyone else, but, you know, it was complicated. But then I try to learn complicated technology, so I'm also a hypocrite, but that's another story. Yeah. But now that we have that fixed and only started a few minutes late, VPNs are a topic that we want to dive into because there's a lot of confusion around them. We picked the two most popular ones. There are going to be other people that may say, you know, let's talk about things like overlay networks, and we'll probably do that separately, because those are not exactly like a VPN; they're a different concept altogether. And actually, I like the way Jay described overlay networks when I explained ZeroTier to him: this is how VPNs should work, things like that. So that will probably be a separate topic. So we're going to keep it as narrow in scope as we can, to OpenVPN and WireGuard. I would say amongst the homelab people, they're extremely popular protocols out there. Someone will go, what about IPsec? And I think there's a small part of me that feels like IPsec is slowly, maybe, fading away. It's not going to fade away soon, but I don't know. Maybe that's just my opinion and someone will tell me I'm wrong. And I'm fine with that. But what are the odds that the majority of the companies out there that use IPsec have Internet Explorer being used in some form or fashion today? 100%. Yeah. Well, WireGuard being new.
And when we get to that part, we'll talk about how WireGuard is probably more suited to be a replacement for IPsec, for a lot of reasons. But, you know, before we get too far off topic, if you're looking for a good place to run your VPN, the sponsor of the show, Linode, would be a good place. Now, one of the things I've done is I have an entire tutorial on how to set up your own WireGuard server, and that way you're in control of your VPN. Where would you need to set that up? Well, you can't really set it up at home. You're not VPNing to somewhere like that for privacy reasons. If you're using a privacy-oriented VPN, you would want to set it up on an external cloud server. And Linode has an offer for you. They've been a long-time sponsor, well, since the very beginning of the show, pretty much, and a great place to run all the projects we talk about on the show, including VPN, the project we're going to dive into today. So whether you want to run an OpenVPN server or a WireGuard server or really just any other fun project, and you don't want to put it in your cloud but in their cloud, because it's maybe something you don't want in your cloud, Linode is a great place to do that. We thank them for sponsoring the show. And by the way, if you're listening to this, you've probably downloaded it from the podcast apps, and that's hosted over on Linode. That's just where we upload everything to sync. So we thank Linode for being a sponsor. Let's dive into VPNs. Yes, let's do that. Oh, and a little errata I will cover. We did recycle and I think we have it all fixed. There have been some problems with some of the back episodes not showing up, and it would only show the last few of them. Hopefully we have that all addressed. There is, well, a lot of difficulty when you submit to podcast apps to make sure they're everywhere. So for those of you who did reach out directly to me or in my forums on this, I'm hoping it's fixed.
It's more challenging than you might think to get a bunch of different podcast apps that pull RSS feeds working. By the way, we have an RSS feed, so you can actually pull directly from that. We make this as easy as possible to download directly from the website. I know it's not nearly as convenient as having your podcast app just grab and put all the episodes together, but because there are so many feeds, that's some of the problems we have with it. So yeah, and I want to just take a moment and say how much I love RSS. I feel like it's one of those technologies that's just so underutilized. And it's a shame, because it's great. I found a way to even add YouTube videos to an RSS feed in a feed reader. So I have YouTube videos with the text articles and blog posts and how-tos and things all in one place. RSS is great. But unfortunately, I think it just needs more love from the community, because most people have forgotten it exists, I think. Yeah, and it's still that old underlying protocol for everything. So yes, definitely a challenge. And I saw right away, someone mentioned asking if we can get the schedule on there. We're getting really close. Jay and I have pretty much solidified on doing this at 11 o'clock Eastern time on Wednesdays. We're going to get to the point where it's going to be a recurring thing, so you don't have to rely on YouTube notices. But yeah, I did not create this as early as I thought I would because of things and stuff. But we're getting closer to having a better schedule. Pretty much expect us to be there at 11 on Wednesdays. We've got that as a recurring event for us. So hopefully that makes sense. Yeah, we'll get that recurring in other places eventually, too. Yeah. All right. Back to the topic at hand. Now, when it comes to VPN, there are two separate use cases, essentially, that we will talk about here. The really common one is the one all the homelab people are really big on.
And this is partly a rub I have a little bit, because it's oversold, with too many people reading ads for it, and that is privacy-oriented VPNs. And I don't know, I've always got a problem with all the ads read by, like, everyone on YouTube, and every podcast is sponsored by "insert name of VPN product." It's one of those things I think is oversold because it's easy to sell online and it's easy to say, do you want your cable company or Internet provider knowing where you're going? No, pay us and only we can know where you're going. And that's a problem. I mean, there may be times you want to use it. There's obviously a more realistic, let's-just-be-honest type thing of what people are really using them for. Yes, we know that if you're torrenting and things like that, you're downloading something, or you're trying to get around region lock codes for things in your area, you may not have access to certain content because it says, hey, you only have access in this region. VPNs are a way to make you appear differently. The overselling of privacy is something I am at odds with, because it's not necessarily always going to help your privacy as much as you think. It does mask your IP to an extent. But if anyone has spent any time researching these VPN companies, they're well known for being shady. So heads up on that. All right, rant over. Let's get more to the exact topic there, because which one's the best VPN is whichever one you decide to trust. I won't throw my name on any of them. And I turn down sponsorships at least once or twice a week from these VPN companies. If you notice, there's not an ad roll for VPN companies. Right, I turned down one myself because I just, and I'm not going to say the name of the VPN company, at least at the time I looked at them, they had not had any problems at all, but I'm thinking that they might tomorrow. And then I'd want to go back through a bunch of videos and scrub the ad out of the front if they get owned.
So yeah, same problem here. Yeah, ah, nonetheless. So let's talk about if you're using a VPN for privacy, as in you need to get all of your traffic routed from where you are out a different route. Like I said, there are plenty of good reasons to use it for that. And that type of VPN we'll just refer to as a privacy VPN. It's also a full tunnel VPN. And that's probably a first good thing to define. What is full tunnel versus split tunnel? Now, split tunnel is used a lot in the business market because you don't necessarily want all your traffic going directly to the business endpoints. And with full tunnel traffic, that means when I connect my PC, or you can do this at the firewall level and route everything over it, you're putting everything over the tunnel to get over to the other side, because that's where you want all your traffic. You want it encrypted. And this is where the encryption is going to occur: from where you start the VPN, whether it's at your PC or at your firewall, you're going to have all the traffic encrypted from that point, and then whatever possibly unencrypted traffic is traversing it, it's a tunnel. So all traffic within that tunnel is invisible as it routes across there to the other end. So if you have people in between, such as your Internet service provider, they become blinded to it. The only thing they know is there was some type of tunnel created from point A to point B. The contents of that tunnel are mysterious. The volume of traffic, though, they can still see. So if they know you transferred one gig or 10 gigs, then traffic still is traffic. So the bytes and bits still go across and they can still measure it, but they can't quantify what it was. They just know that it was. Now, that type of service, and this is where we'll get into the splits, can be run over both OpenVPN and WireGuard. WireGuard is the newer of the two protocols, and we'll talk about it a little bit later, but OpenVPN is still very reasonable.
WireGuard has the advantage of being simpler, which it is, because it doesn't have the cruft of years and years and years of development. OpenVPN has been around for a very long time. It supports really, really old protocols that you should never ever use, but they're still in the spec because, well, they added new protocols, so it can be made completely secure using modern protocols, and you can prevent downgrade attacks by just not offering to negotiate any of the old protocols. But the fact that all those protocols are in there becomes a part where people look at it and go, wow, that's a lot. And this can be a bit of a challenge when you're looking at OpenVPN. It does lend itself to not necessarily being more complicated, but just having more options adds to complexity. Either one of these, whether you're using it in pfSense or a lot of other different devices, or Untangle, I've covered on my channel. They make it easy to set up, and it's not difficult once you go through the wizard and next-next-next your way through, and the defaults that they choose are quite secure. By default, as a matter of fact, with some of the latest versions of firewalls, they've deprecated even more options for the older ciphers and things like that. More of them were deprecated, and they're all off by default. So it's reasonable to say a modern firewall will use OpenVPN in a proper way, easy to set up. And let's get over to the WireGuard side. WireGuard uses a cipher. There's not an option. So that kind of eliminates the client problems that you run into of trying to connect this old client. Yeah, well, WireGuard only has a single cipher. That's it. It uses this. And there's not an option between one or the other. WireGuard also only works over UDP, versus OpenVPN, which can be over TCP or UDP. And there's also, out of scope of this particular talk today, the ability to take OpenVPN and use something to hide it to make it look like an HTTPS session.
This actually came up the other day when someone was saying, hey, I was at my local grocery store and I have internet there. And I guess they have a coffee shop or something there, but they block OpenVPN access. They won't let you VPN there. And someone asks, is that possible? I'm like, well, yes, because they can detect it; it's the way the protocol works. But where that gets even more challenging is if you look at and start taking apart protocols: OpenVPN, because of the way it negotiates, doesn't look anything like standard TLS, but you can wrap it. There's a project that kind of obscures that. But WireGuard, I haven't really seen a project like that. WireGuard is UDP only, which might match if someone figured out a way to encapsulate it in something like the QUIC protocol. But I don't know if we're there yet, and I haven't really seen it. So OpenVPN can be used in a certain advanced way to maybe get around, especially, some of the more basic systems; they literally just block things that are on port 443. So just by switching to TCP 443 and allowing it, you can get OpenVPN to bypass many of the different systems. So when you're talking about privacy-oriented, I still favor OpenVPN, even though it's a little bit more complex. It may not have absolutely the fastest ciphers compared to WireGuard, but it's still secure, it's still solid, it still works. And even being a little bit slower, I mean, unless you're trying to eke out the most speed possible from that connection, I don't think it's a big deal. I had this issue yesterday, believe it or not, where I was waiting for my turn at the dentist, in the waiting room, and I'm on my laptop. It's one of the few times I try to connect to VPN, because I'm usually home, and waiting at a dentist's office is really boring, and it could not connect OpenVPN. And I just gave up on it, because clearly something was being blocked there. So I've seen that happen before, and also at restaurants, too.
It's kind of rare, but it does happen. It's weird, like, why would you not want VPN? I get it if they're trying to sell you something or monetize your traffic, but other than that, it's just kind of shady, I think, to block that. Yeah, there are two sides to that story, especially when you are overseas. They still don't have the common carrier rules in some overseas places that they do here in the US, where basically if you did something, used it for a bad purpose, and you were on some Wi-Fi network, they don't hold that carrier responsible for what the guests do on that network. This is where the rules can be a little bit fuzzy, but in some countries, because there aren't common protections, they just start blocking everything, like, well, you're not going to come in here and use a VPN and do bad things that trace back to us, that we can lose our internet for. Because that's actually one of the rules someone had discussed: they owned a coffee shop, and they could get banned from having internet provided to them if someone was caught doing something the government deemed illegal. And they said, well, this is a real problem for us, because if we lose internet, this is, well, one of the attractions to coming here. So they just started blocking all the VPNs. That was their answer. Wow. Yeah, I feel like we could have a whole episode, maybe or maybe not on this podcast, about all the laws and all the problems that are associated with that. We could probably go down that rabbit hole, but we should probably not, so let's swing it back over. Now, one of the other topics that I wanted to address in here concerns DNS leaking, and that's often where the privacy VPN people come in. When you're talking about VPNs like this, and whether or not you can route DNS, both WireGuard and OpenVPN can route DNS over it. There are ways to set your DNS so all of that traffic gets pushed over there, to avoid that traffic going out somewhere else.
This is where, when you do something like using a privacy VPN on your firewall, it can be a better way to do it, because the firewall sees all the traffic. And so you can then filter what's coming into the firewall and create policies, look at state tables, and create all your own rules to get really fine-grained control of all the devices. And because it's happening at the firewall level, if you told the firewall all traffic must route across these routes, and you properly configure it, you kind of eliminate all those needs, whether you want to run DNS over it or whatever. Because this is sometimes where there have been problems with implementation, where you go, cool, most of my traffic's over there, but I'm contacting a local DNS server, I'm still using a DNS provided by my ISP. So now my ISP is like, oh, cool, you encrypted the transport layer traffic, so I don't know where you're going, but all your DNS requests come here. So we actually know every website you looked up. So that can be a challenge. Now, back to the other side. What about just remote access VPN? We're going to talk a little bit more about that as a topic, because that's where there's a really common use, whether you're in business and you have remote employees that you want to remote in to get to systems, or you're just not at home but you would like to have an encrypted tunnel between your device when it's outside of your network and the inside of your network, whether you're traveling, whether you're using your phone, whatever those needs are. That's a really common use case. And that's where, once again, controlling your own firewall and things like that matters. Even pfSense, obviously, I've talked a lot about it, and same with Untangle, they both offer WireGuard and OpenVPN. So that's where your choices come in: which one should I use, which one should I use for my employees? And we'll dive into some of the use cases for that.
And the first one I want to talk about is OpenVPN, which is probably the most popular and will continue to be, despite people arguing with me about it, because it's not my decision, it's just the way OpenVPN works. It's a really, really popular VPN for all the home users, and for all the business users, and for all the people that have RADIUS authentication or any type of authentication tied into it, or even Active Directory. This is something missing from WireGuard. So let's start with OpenVPN having it. OpenVPN does username and password plus certificates. So you can set up certificates and the username and password. Technically that is 2FA, because then if someone tries to log in and they have the username and password but they don't have the certificates, they're not getting in. You can go a step further and wrap it in what they refer to as an extra TLS layer that can be wrapped on there as well. If I'm not mistaken, and I didn't bring this note up, there's an extra TLS layer to help even hide how you're authenticating. It's part of the HMAC part I mentioned in one of my other videos for OpenVPN. So I'm not going to get too off topic on that, but there are a lot of different ways you can do it, and you can then have it per user. You can have a server certificate, and then you can create a per-user certificate. So now you've got a main certificate that needs to be met to get onto the server. Then each user has a certificate, and then on top of that, the user has a password that they have to enter. So all of these things chained together are all methodologies natively built into OpenVPN. Now, where that user management database is installed is not inside of OpenVPN. That's why I mentioned RADIUS authentication. You can have OpenVPN tied to separate authentication such as Active Directory. I've seen, well, we have a client that's got it all tied to their Synology authentication.
There are many different backend systems that OpenVPN can be the front end for. It has a username and password manager. One of the other features it has, on top of all this, is TOTP. Yes, we can do a server certificate. We can do a user certificate. Then we can have the username and password. Then we can do TOTP authentication, for time-based one-time password. So OpenVPN has so many different layers that you can put together that are all part of it. This is also why OpenVPN is so much bigger. OpenVPN has all this functionality built in. So this makes it really popular for use cases such as when you want to have remote workers, and you want those remote workers to be able to come in with a really strong sense of when they logged in. Because I have to have logs of when someone came in, when they logged out, how long they were connected for, how much data was traversed, and all that information will be gathered. And then you can even go a step further and put it into what's referred to as an accounting system that can be tied to it to say, all right, user logged in, pulled this much data, I completely validated who this user is. Obviously, like I said, all this does add a lot of complexity, but it's something important. So if I wanted to go through and look at, you know, what time any of my users logged into anywhere, or if any of my clients do, that's something we have very clear logs on. It works great, and OpenVPN, once again, supports split tunnel and full tunnel. And it's just a great way to handle all of this. It's one of the reasons it's so popular. Now on to WireGuard. WireGuard is a great VPN protocol. It is very similar to the way IPsec works. It's an excellent site-to-site protocol. It requires only a single port to be open. And just like OpenVPN, single port usage. So you can set it up to whatever port you want; the default for OpenVPN is 1194.
I believe 51820 is the WireGuard port, but WireGuard is restricted to only being UDP. Back to OpenVPN, where you can actually have UDP or TCP. Most of the time you always want UDP, because you're encapsulating TCP traffic. So you don't want that double layer, plus you get the extra handshakes with TCP. That's one of the reasons they kind of threw it out. There are not many use cases where I'd say or recommend it, unless for some reason UDP just won't work for some weird scenario and edge case you have. Pretty much UDP is always what you want these protocols set up with; it's the most efficient way to do it. And frequently I see in the comments people asking about performance tuning. One of the performance tunings I helped people with was, I'm scratching my head going, why did you guys choose TCP? "I thought it was more secure" is usually the answer. No, UDP is perfectly secure. All the security happens at all the different aforementioned layers, like 2FA, username and password authentication with TLS keys, and a series of certificates. That's where your authentication is. It's not in the UDP versus TCP. Now, WireGuard does not have a user manager. This is where people sometimes don't understand and are going, well, how do I add... One of the first comments that popped up when I did a recent WireGuard video with pfSense was, hey, what happened to the 2FA or username and password manager? And I'm like, no, there's not one; that doesn't exist. WireGuard is a protocol. WireGuard is very similar to IPsec. It is made to connect two sites together, or a device back to your site, and it works beautifully for that. But everything else is kind of on you from there. If you connect someone to your network with WireGuard, they're only taking care of the transport layer to get them connected. They are taking care of it in a way that works directly in the kernel inside of Linux. It's actually been natively in the kernel for a little while now. I forget when it got introduced.
But it's a really well-written protocol. It is infamously known to have been complimented by Linus Torvalds himself, who pretty much, Jay, when was the last time he paid a compliment to a piece of code that you can recall in recent history? Never. Okay. I thought there might be one that I've experienced in the last 20 years. There probably was, but I don't remember it now. Yeah. It's pretty much, there were a few times that even he had commented that the code was well-written. And WireGuard was born out of the background of people using it in the hacking space. It was written by some, man, I wish his name was on the tip of my tongue right now. Someone will say it in the comments who wrote WireGuard. It's well-documented, it's an open protocol. It's really, really nice as far as the way and the concepts that it works on. One of those concepts is, and you can do this with OpenVPN as well, one side can be public and one side can be triple, quadruple NATed. It doesn't matter, because they're both working at Singapore. But where WireGuard starts to differ a little bit from that is WireGuard can actually have the handshake going both ways very easily, because there's not the same concept in WireGuard of client and server like there is. They're all referred to as peers. And you can set it up so either side can initiate the connection. So if you have two firewalls and both of them are public-facing, the WireGuard protocol can be set up on these where they can both talk to each other and both be the initiators of the connection. And the concept of being the initiator matters because WireGuard is a very, very quiet protocol. When you turn on WireGuard and you've established a tunnel, you've defined the peers, and you want the data to traverse, the data will traverse. When you're not sending a ping, you're not sending a packet, and the default option to turn on keepalive is off, there's no keepalive for WireGuard.
It actually will let the tunnel just time out, and that's perfectly fine, because the moment I ask for a resource that's on the other side of WireGuard, it says, here are my routing tables, and all the data is over here, but this one route does go over WireGuard. So WireGuard will go, you're not asking for data, we're not sending any data. But the moment you initiate it, it handshakes immediately. I want to say you can't even tell; if you went to ping something, you may notice the very first ping has a slight initial pause, and then it immediately starts responding. This is where WireGuard will automatically, Jason Donenfeld, I see his name in there, that is who the WireGuard creator is, but it will immediately rebuild the tunnels on the fly, as soon as possible, with quite a lot of speed, being as it's a kernel module now for both BSD and the Linux world. So these firewalls, most of them being Linux or BSD based, will immediately spin up this tunnel, have it created, and it works really fast, and the data traverses. And then when you stop asking for data, it just kind of goes to sleep on you, which is perfectly fine, because it doesn't need to have a longer negotiation. The downsides of this: other than the negotiation and the handshake, it'll say peer such-and-such handshaked, there's your WireGuard log. There's no user management, there's no tracking when people logged in and out. This makes it a lot less ideal natively, by itself as a protocol, for user VPN. This is one of the concepts where people go, well, OpenVPN, I want to have all my user management moved over to WireGuard because I heard it's faster. Common request we get. And you just go, oh no, it doesn't do any of that. That's where they've kind of left it.
Jason Donenfeld put the protocol together, documented it really well, great website. They've got a client for your phone, whether you're on Android, whether you're on iPhone; they've got plenty of Linux client support, natively in pretty much every major repo; and the Windows tool for it is great. Actually, I really like the WireGuard tool in Windows. Everything is really well put together, and it's even got a QR generator that's part of the standard. So when you set it up on your phone, you can actually, and I demoed this because it's built into Untangle, for example, scan the WireGuard QR code with the WireGuard app and it just sets it up for you. You don't even have to copy anything over. It just goes, oh, here's all your stuff, here are your settings, here you go. And everything's just done. All that's great, but honestly, when it comes to the user side, they have left it to third parties. Probably the most famous third-party implementation of WireGuard, which is some combination of VPN and overlay network, but I have dove into it before as a pretty neat tool, is Tailscale. It does have management of devices, not really users, but it does use the WireGuard protocol while at the same time having some type of control plane that manages it and puts that extra framework on top of WireGuard. Like you said, WireGuard is a really good site-to-site protocol, but it's not as good for being a system by which you're going to have user management and things like that. Does that make sense, Jay? So far, so good. Yeah, this is a, so just so the audience knows, I've been using OpenVPN for quite a while now, but I'm not a daily user of OpenVPN because my office is at home, I'm usually home. The only time I need to log in is if I forgot something or just want to log in real quick, but I was thinking about checking out WireGuard. So as I was telling Tom, I'm going to be the kid in the back asking questions, basically, because this is all new to me.
So, so far, so good. Yeah, it's kind of, because there's so much excitement in the tech community around certain protocols, I think that's where the questions come from. I'm trying to address as many of them as I can in this particular series, just to make sure people have a clear understanding of when to use which protocol. I mean, even right now, we're still using OpenVPN at my office; that's how my staff gets into things. It's just easier to track, because I know who's logging in and where, and I can watch for anomalous logins at odd hours, for example, and it's easy to track and log. It's just not quite as clear with WireGuard. But for site to site, oh, WireGuard is a beautiful thing to set up in your firewall for site to site. It's a relatively easy protocol to set up. It's a relatively simplistic system to say, I need this firewall to talk to this firewall, and then we dive into the routing functions. And most of the time, when you're doing your routing between two sites, now there are a couple of different ways of doing it, but I'm going to say I'm seeing more people move away from the full tunnel routing, where they take any remote site and tunnel 100% of the traffic from that remote site back over to the main site. You can absolutely do that with WireGuard. Where you run into many problems with it is, well, you have employees listening to Spotify or whatever music app, or watching YouTube, and once you start tunneling all that traffic over there, now you have a problem. But this is where most firewalls can kind of help mitigate that, and we refer to it as policy routing, where you say, what are the company resources that need to be accessed over there? And split tunnel is driven by policy routing. So split tunnel means the tunnel can say, all right, all your YouTube traffic goes to the internet.
We don't care about running it over the VPN, but all of your traffic to access the enterprise applications that live on the company network, yeah, that has to be done over this. And therefore, when you're asking for these resources, these routes split the traffic and say this goes over the WireGuard, or this goes over the normal internet. Hopefully that clears up the difference when you hear split tunnel and policy routing, which get thrown around a lot when we're talking about this. Yeah, and another thing that I like about split tunnel, which is probably going to impact enterprise more than a homelab, is dealing with system administration. You always have that person that is complaining that they hate the VPN, and they just hate the VPN because they don't want to connect, not because something's actually wrong with it. And they'll say something like, yeah, I was looking up an article on CNN and it took so long to load, and then I respond, yeah, but CNN doesn't go through the VPN. So by you telling me that, that means the VPN is not your problem. Yeah. It really narrows down the troubleshooting scope a lot. It's more than just getting your people's Spotify traffic off your company's network. It really helps troubleshooting, too. Yes. It gets complicated really quickly, obviously, but there are some good reasons, even if you're a homelab person and you have a bunch of things set up. You follow along with this show and you've got all your homelab projects, but you're wise enough not to expose them publicly on the internet. That does mean things like Nextcloud. As a matter of fact, like HAProxy. I love HAProxy, but I've covered this in my videos before. Jay doesn't have this set up the same way. He's got reverse proxies set up, but he doesn't have them public-facing. We want all that still internal to the network, but then sometimes I'm not there, or I want to work from home.
And if I'm working from home, you can still use OpenVPN or WireGuard to facilitate those things and all those other functionalities still work. All your reverse proxy works and everything else because it drops you into the network. Now, one thing interesting and this is something that is a little confusing to people, but there's an intermediary network with both WireGuard and with OpenVPN that has to be created. I recently did a video on WireGuard and I made sure I was clear because this is another troubleshooting tip people run into. The intermediary networks that are created, it's not like I'm dropping, let's say I'm on the 192.168.100 range. I'm not just grabbing another IP in the 100 range when I'm remote and remoting in and becoming that IP address. Both OpenVPN and WireGuard use an intermediary network to traverse. This can be a little bit of a confusion because you have to make sure, and this is where sometimes the firewall companies will allow you to make mistakes, your intermediary networks are the negotiated pools of IPs that are available for the connection. And part of your planning is going, all right, what's that intermediary pool gonna be? I usually recommend choosing a completely different scope range, like if you're on the 192 network make your intermediary network like a 172 network or a 10. network. The advantage of this is one, you'll understand where the VPNs are. Two, you'll understand when you see connections going around your local network, you'll understand where they're coming from because if anyone has a 172 address and everything else is 192, ah, they're one of my remote users, I can identify them right away. These intermediary networks that handle the traversal of traffic also can't overlap with anything on any end or you can have a bunch of conflicts. 
Now, the way routing works, you technically, as someone may point out who's being pedantic, yes, you can have certain overlapping networks because the policies under routes, they will go to different priority levels, gateway weights and things like that. But ideally, if you wanna have the least amount of problems, don't develop these networks as overlaps. That is just going to be the big problem solver you have is not having any overlaps when you develop these intermediary networks inside of there. It makes a really nice way to do it. Now, for the home user, for the HomeLab user, I'm gonna say WireGuard is also a really nice thing because one, you're probably not managing 20 different people. It's probably just you, the project maintainer of your HomeLab, you, the chief sysadmin and chief operating officer of your HomeLab. You're the one who's gonna be accessing it so you don't really have too many things and you're going, you know what? I want my phone to be absolutely easy. Leave it on, access when I'm here, I want it to access things. I'm gonna say WireGuard is gonna be one of the easy ways to go with that. Or if you aren't a Linux person and you are a Windows person too, I still give the same answer because I gotta admit the WireGuard client for Windows is just nice. They did a great job of it. Even to go a step further to say they did a good job if you set this up on like your Windows laptop, every time you reboot it, WireGuard the app for Windows will reboot and remain in the same state it was when you rebooted the computer. So if you had your WireGuard tunnels up on your computer and you rebooted, WireGuard goes, hey, you had them up, you just decided to reboot because well, Windows and maybe Windows decided to reboot and WireGuard can come up every time. It also has a one-click option for kill all connections that aren't going over tunnel. They've just made that easy. Absolutely, you can do this in Linux. Linux is more command-line driven. 
The tricky part in Linux and I haven't really because I haven't had a use case for it. When I'm using it in Linux, there is a way to make it persist across reboots. It just doesn't by default. You have to bring the tunnel up. The easiest way is you can put it in a script on startup to go ahead and bring the tunnels up each time, but there's not really a good UI for it. You're still setting it up on the Linux side. But then again, like me and Jay were discussing how simplistic it is to set up a WireGuard tunnel. And it's probably why there's not a lot of front end development work going in for it versus OpenVPN completely natively has. There's even in Ubuntu based distros, including Pop!_OS, you can export out of pfSense, for example, the OpenVPN config. You just hit import and it populates it for you. And there is a part of the network manager UI, OpenVPN is all just in there. I've not seen anything. I've seen some projects or a third party. I know people are working on, but I haven't seen anything going into the mainstream. I also don't see a ton of people requesting it. So I don't know where we're at in a Linux world. In terms of that, I don't feel as though we're going that way because most of the people who are hardcore Linux people, I don't think they're pushing for it. Once I showed Jay how easy it was with WireGuard, he goes, oh, that's it. Yeah, and I hate to say this and I know this is going to start some controversy, but it's almost like, okay, how long until systemd implements WireGuard? That's another story for another day though. Yeah. But either one of these VPNs that you choose are going to work for any of these needs for remote access, for privacy. As we said in the beginning, the privacy oriented VPNs, we're starting to see an acceleration on WireGuard. Mullvad, I think is probably one of the ones, this is not an endorsement of Mullvad. I'm just pointing out the fact that they offer WireGuard. 
I think they were among the first to do it, but a lot of other ones have started jumping into it. I know we're going to see on that particular market a big jump because it's a win-win situation for all parties involved. OpenVPN, if it has more compute time, compute time in the cloud has an expense attached to it. Bandwidth has an expense attached to it. If I can somehow reduce my compute time and reduce some of the overhead and bandwidth required, that's a win. Well, WireGuard will win in that particular circumstance. And for a privacy VPN, companies like Mullvad, because I have played with just, I wanted to see how they implemented WireGuard, they basically just set you up a key and you drop that key with your peer setup and done, it works. It's pretty straightforward and then you're using it. Now, some of these privacy oriented VPN companies are writing tools, I believe PIA, Private Internet Access, has an option. They're one of the ones I have an affiliate link for and I think the way I describe that affiliate link is, I'm not endorsing them, but if you want to use them, well, if you insist on using them, hey, why not pay me for the affiliate link? So you can call me out on that for having it, but up front this can be, I'm not endorsing them, but if you insist on signing up, please use my offer code. But it's actually very little because the sponsorship sort of money is at, not the affiliate codes, by the way. Back to the topic though, a lot of them do have their own front ends for putting that on there. And like I said, they're pushing more WireGuard because it's a win for them. It's gonna require less CPU overhead. It does traverse the traffic a little bit faster. So if you're looking for the optimal speed, and of course that makes the VPN companies overall happiness as well. So it's a good protocol to use in there because someone was asking me like, which one should I use? 'Cause I can, there's these two options with my privacy VPN provider. 
And I'm like, whichever one you want from a security standpoint, it's the, there's not any known flaws right now in OpenVPN, there's not any known flaws in WireGuard. So both of them are secure. Now, one more side note to that, that is a question that comes up a couple of times. I don't have a solid answer to other than if we break the math and cryptography, it's all time to be back to farming or something. But someone asked because there's only a single protocol with the WireGuard. If they found the flaw in that protocol, what would happen? I mentioned a bunch of updates push that we saw that is a realistic answer, but you're right, there's multiple protocols. And if you found a problem in OpenVPN, could you just switch to a different one? Yeah, if we knew, and matter of fact, that's actually part of with the age of the VPN, something we have done over the years when it comes to security, as the, we just know, oh yeah, Blowfish, that's not a good secure protocol anymore. So it's now deprecated. Can you force it into using and recompile it back in? Sure, why not? It existed in the early days of VPN. So did, what was it, DES and Triple DES and some of those really old ciphers, all that stuff's all deprecated now, but that's actually how the progress works. Will there be a time when the WireGuard protocol, the math we use, which is not invented by WireGuard, it's just, they just chose a well-known trusted cipher. If that cipher becomes obsolete because of some advances in computing, doesn't mean you throw your protocol, it'll probably get re-engineered to have a new one in there. I think we're a little ways away from it because as cryptography has gotten better and we've gotten smarter on it, if you wanna dive down the rabbit hole of cryptography, look up quantum-proof crypto and where we're going with that. So there's, that's a whole nother topic and I need someone with a really good cryptography background to really address it. 
And that is, I understand that I should not build my own crypto. That's how smart I am about crypto. I'm not gonna be the one to build a new cryptography standard. That's- Yeah, don't do that. One thing I wonder about WireGuard, since they don't develop the client side of things or the like a UI or anything like that for the connection side, when someone does that or maybe one gets popular and if there's a security problem with the client that has nothing to do with WireGuard, given the way that IT is, I almost wonder if maybe WireGuard will lose some reputation due to a problem that is outside of their control. I almost thought that the pfSense debacle would have maybe started that happening, but I just hope that it doesn't fall a victim to bad reputation for a problem that's, well, not their problem. Yeah, and this is, well, this is where things get a little bit weird because I'm trying to remember the name of the vendor, not that it's super relevant, but they use OpenVPN under the hood, but they branded themselves. And this has been a problem and we're talking to all the major VPN company, VPN for business providers like Cisco and Palo Alto, Palo Alto just had one recently, but a lot of these companies didn't, are taking and re-engineering protocols. They put their apps on it, but in the flaws they found were all in their implementation of those apps. I believe Sonic, all those ones there. So I think that happens a lot. I don't think there's as much outrage directed towards it because people realize it's not a flaw in the protocol. It's always a flaw by that company and their flawed implementation of it. That's one of the things I actually got to say for companies in pfSense being among them, pfSense went straight up OpenVPN. They did not put it and call it pfSense OpenVPN. It's our branded pfSense VPN, pfVPN. It's this weird app that we developed that we're not telling you all the secret sauce in between. 
Nope, they pretty much raw use OpenVPN, which is great. That's a solid answer because even the client, you can download the OpenVPN client, not a client special to pfSense in order to implement it. Obviously, when they export it and I'm using it in Linux, I'm not using any special client. I'm downloading the OVPN file from pfSense. I'm importing it into my Linux machine and it works. It's one of those. I like it when companies choose to do that. I wish more of them would, but some of them, they like to have their own branding on it and then the next person goes, all right, marketing got our branding on it. Let's the B team engineers that don't do ciphers very well, let's let them add more to it because it wouldn't be cool if it was flashier and have more potential security flaws coded into it. Sure. Yeah, why not? What's worse that can happen? Yeah, so that's where a lot of the problems come in is that branding. I don't think it's gonna be where we hit the outrage on it, I could be wrong or maybe it'll taint the brand a little bit. The only thing with WireGuard is it is from them. The Windows tool is from them. So for using it, but when you're setting up something like Mullvad or PIA, Private Internet Access, VPN, they all have their own utilities you can run on there. Yep. I've got to admit, they make it easy. I mean, I definitely, I still use PIA if I need to get around certain region locking, people tell me not to trust them, but I say why would I, I don't trust any of them. That's my opinion on all of them. I thought PIA was reasonable enough. And one of the things for what it's worth with PIA, I know they currently got bought by Kape Technologies, dive into that controversy and pull your hair out because there's obviously consolidation in a market because there's so much money in that market. Back to the topic, one thing about PIA is the people did do something I thought was nice. 
They donated a lot of money for a really rigorous code audit of the OpenVPN protocol, which I thought was awesome. So OpenVPN actually has gone through in recent times a really, really solid code review, not once, but twice, because who is the other person? Steve Gibson mentioned a lot. He works at another, Matthew Green over, I think the university he's at, but he's also a cryptographer. He is someone who understands cryptography and they went through a code audit as well. So OpenVPN has been audited from two directions. And by the way, WireGuard's been audited too. That was one of the early days of OpenVPN, WireGuard. Everyone wanted me to do videos on it. I'm like, it hasn't even been code reviewed yet. Not that I'm seeing there's a problem in it, but VPNs, I mean, if you want me to have something that exposes you to the entirety of my internal network, I wanna make sure it's gone through code review. And both of these protocols have gone through code review. They've gone through rigorous review, rigorous amounts of testing, whether prompted or unprompted by third-party, third-party threat actors, trust me, they're poking away at it hard and it's proven to be a pretty solid protocol. Yep. Yeah. Just know if you want, some feedback on this would be if you guys want us to do a video on overlay networks. The three that I'm aware of that are really popular is going to be WireGuard, not where I'm sorry, not WireGuard, Tailscale, which uses WireGuard, ZeroTier, which has its own protocol, and Nebula, which is really for the super nerds out there. I've done a video on each of these in tutorials and I have a dedicated video called Overlay Networks. If you're not even sure what an overlay network is, but it's another way to handle connectivity and also solves problems because well, both VPN and WireGuard both need, if you're going to have remote access to your home, you got to have public access somewhere. And if you're double-NATed, these are just aggravating you. 
This whole episode probably aggravated you going, but I'm double-NATed and I have no way to publicly expose my IP address to make any of these things you talked about work. That's for overlay networks that kind of helps solve that connectivity problem for remote devices. So yeah, let us know if you want us to dive in there. So that's a fun topic. I see someone mentioned that, yes. Nebula, I'm actually friends with Ryan Huber, who's the CEO, I believe his title is CEO. He's one of the co-founders of Nebula anyways. He's a fun person to talk to, look at some of his Tesla videos for a laugh. And but the network is actually used by Slack. Nebula is really well proven. Nebula of the ones out there is going to be the harder one to use in terms of setup. It's just a lot more in depth, but it's really targeted as a DevOps tool, not an ease of use tool. It's made to automatically deploy using a certificate system, a management overlay network at scale as in the scale of Slack. They actually invented it to solve a problem, which was how do we manage all Slack servers globally across one management plane? And how do we spin up servers dynamically and automatically deploy them in a secure manner without having to deal with a bunch of key authentication problems? It's a clever way they solved it. So yeah, it's very, very interesting, very cool system though. All right, I'm looking at the comments. Is there anything I missed? Is there some gaping hole in this? I think I covered it all, didn't I, Jay? I think so, I learned a lot myself. And also I want to mention, please click the feedback button on our website. We, you know, I looked at it the other day and we didn't have a single new question. Since the last time I looked, I think a week prior. So we like to do Q and A episodes. I'm not saying next one will be that, but I think we'd like to do that at some point. So leave us your feedback. Yeah, we like hearing from people and it does help drive the show. 
Don't worry, me and Jay are not out of content. There'll still be an episode 37 if zero of you click any of that feedback, but if you do, you may even have some influence on what our next episode is. So that's definitely, yeah. We do like covering it. Our goal is always to engage with the community, help people understand topics, help further their diving into homelab and hopefully not cause any troubles at home for how much you spend on all this stuff. Yeah, that's so true. It did break any budget. Yeah, and the thing is too though, if any of you guys have a question, if you're struggling with something in homelab, I guarantee you other people are struggling with that thing too. So if there's anything we can explain that you're gray about, let us know. We have like a bunch of show topics queued up for future episodes. But yeah, if you have anything that's bothering you that you really wanna get fixed, but you can't figure it out, maybe we might know the answer. Yep, I just see a quick question I will answer. It says, Tom and Jay, do you plan to invite someone from XO on the homelab? Not at the moment. I may do my own interview with them. Me and Olivier Lambert from the Xen Orchestra team, we chat from time to time. He does plan whenever the world changes to where it's easier to travel, to come on and hang out over here. And he actually would like to visit me here in Detroit. I told him, hey, we actually got a short discussion. I said, did you know, because he's from France, I said, did you know Detroit was a French city? And we sell a lot of, we don't have much French food, but we got a lot of French names here. So nonetheless, at some point, I might just do an interview with them. Xen Orchestra people have been hard at work. So for those of you who are following my tweets there today, there's more announcements. And I already compiled the new version, it was playing with it, get ready for a video. So, yes. On time. 
Oh, on our list here too, the last piece of errata for you who are still listening is going to be me and Jay, both have planned episodes. One, Jay's going to cover Proxmox and their backup system specifically. And I'm going to cover Xen Orchestra and their backup system, which is great timing because that was the recent announcement was they finally finished the S3 implementation. Finished it, I haven't tested it. So I'll test it and I'll bring that knowledge back to the Home Lab Show and along with some videos on my channel. So. That's awesome. The Proxmox Backup Server video is 100% complete just waiting on the thumbnail and a reveal date. So you guys will be seeing that very, very soon. Awesome. Yeah, once we have the videos released because one of the things we do on the Home Lab Show, we'll reference something but we often love to tell you about a video we have on it that goes a more visual explainer. That's why we don't do anything visual. This is a podcast, but we do try to reference it. So that way for people who want to dive into a topic they can listen to us to explain it then dive into the details or just skip around in a video to the part that's relevant to them and get your learning on. All right, thank you very much. Thank you everyone for joining us, all 116. Go ahead and hit that like button for those of you watching live before you leave. Let the YouTube algorithm know that this is a cool show and other people should be listening to it. All right, thanks. Thank you guys.