this post was submitted on 07 Oct 2024
17 points (90.5% liked)

Selfhosted

40296 readers
185 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm re-setting up my HomeLab and one of the things I'm trying to learn about on this go-around is Zero Trust networking. To accomplish this I am planning on using NetBird's mesh overlay network. I would like all of my services to use the NetBird mesh network at all times, whether they are communicating within my homelab's LAN or I am accessing them from outside via the greater internet.

I have successfully set up the NetBird management interface on a Hetzner VPS, however the issue I run into is if I lose internet access at home, none of my services are able to function as they can no longer reach the management interface. However, if I self host the management interface in my homelab, I am unable to access it from outside my home LAN.

I've identified 2 solutions that could solve this:

  1. Self host the management interface and set up a Cloudflare tunnel to the management interface, which would allow access from outside my home network.

  2. Self host the management interface, then set up a wireguard proxy/tunnel on a VPS that forwards traffic to my management interface (Similar in my mind to option 1, but not relying on Cloudflare)

What are your thoughts? Any other ideas?

I appreciate your comments/criticisms!

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 5 points 1 month ago (4 children)

Okay, so two really big things:

  1. You're confused a bit on how network routing works. If you're building something that bridges multiple networks (local + VPN + VPS), you need to know about how to route things to different places. You're dealing with 3 networks at this point.

  2. You might be misunderstanding how "zero-trust" and local networking fit together. Right now you have some local machines at least, AND a router. You don't need all of your local machines to individually bridge a gap to your VPS, you want it the other way around.

If the majority of your machines are local, then make that your hub. Everything else should be a client. Adding all these individual nodes to routes in a mesh network makes absolutely no sense, and will definitely cause routing problems, if not something like ARP poisoning (we can't see your config).

Just make the remote machine clients to your local network and be done with it.

[–] tapdattl@lemmy.world 1 points 1 month ago* (last edited 1 month ago) (1 children)

Thanks for your response! I'm completely self-taught, so I'll go ahead and acknowledge knowledge gaps on my end, but how would putting all the nodes in a network cause routing problems or ARP poisoning?

I recognize that what I'm trying to accomplish is a bit overkill for the average home network, and a lot of my reasoning behind my design is purely for learning. My reasoning for putting everything on a mesh network is 2-fold:

  • Providing encrypted, secure, and mutually identified networking between all nodes
  • Creating a centralized source of truth and control -- NetBird runs its own DNS system behind the scenes, which allows all nodes to be addressed by name regardless of location, which interests me because it creates a single point of administration for ACLs, routing, etc. I'm also able to access any node I want across the mesh network as long as I'm connected to it.

I have successfully run this setup previously with the NetBird management console hosted in a VPS, however the issue I ran into was that if internet went down at home, I could no longer access my locally hosted services through the mesh network. I could still access them via IP, since I was on the same LAN, but that defeats my goal of centralized control, mDNS, and a central source of truth that I got via the mesh network.

I have also successfully ran this setup completely local, however I am unable to access it from outside my homelab. For my use case, I think having all components of the mesh network hosted within my homelab is the best design. However now I have to figure out the best way to allow external connections to my management interface. Thus my original question should I use a cloudflare tunnel to my management interface, set up a wireguard tunnel from an externally accessible VPS service pointed to my management interface, or something different?

[–] just_another_person@lemmy.world 1 points 1 month ago (2 children)

It's not about actually getting it to work, it's about having it work PROPERLY.

You have multiple routes to the same network right now it sounds like, and you're almost certainly routing local network traffic over NetBird instead of using local routes. Have you looked at your routing tables?

[–] unbroken2030@lemmy.world 3 points 1 month ago* (last edited 1 month ago)

That's one of the advantages for those interested in ZTN. In a somewhat similar way to IPv6, a local address/network isn't inherently trustworthy.

[–] tapdattl@lemmy.world 1 points 1 month ago

you're almost certainly routing local network traffic over NetBird instead of using local routes

That's precisely the functionality I want, though. Secure, encrypted, mutually identified traffic should be the only traffic in a zero trust network.

I'm simply trying to create an ingress point into this network for outside access.

load more comments (2 replies)