Mesh VPN on Debian (Was Re: Current best practices for system configuration management?)
Hi,
On Sat, Apr 20, 2024 at 04:40:24PM -0700, Mike Castle wrote:
> Like Alex, one of my physical machines is a laptop that is not always
> on the home network. Though I'm usually connected to *something*.
> I'm still debating whether to bother with a VPN or trying something
> like a tailnet.
For mesh VPN I really like Yggdrasil (packaged in Debian, but widely
available).
It does quite a lot of the things that people use Tailscale for, but
has the advantages of:
- Completely FOSS
- No need to contact a central authority - your nodes all
self-organise
- Thus no limit on how many nodes you can have for free (though
Tailscale's limit is very generous)
Like Tailscale it will detect other instances of itself on your LAN
so local traffic remains local (avoid a VPN hairpin) while you still
use the same Yggdrasil IP addresses to talk to things.
Downsides compared to Tailscale are things like:
- Not as polished a product so no hand-holding; you need to read the
docs
- Not available on as many platforms.
It is a single static Go binary so it's not hard to deploy if you
can compile it, but I don't know what the story is on things like
mobile platforms, whereas there's Tailscale apps for everything.
- I don't have personal experience but possibly it's more energy
intensive than Tailscale which would matter a lot on mobile
devices
There is a good introduction and comparison with some other
solutions here:
https://www.complete.org/easily-accessing-all-your-stuff-with-a-zero-trust-mesh-vpn/
I still wouldn't want to automate a config push/pull to a laptop
over a mesh VPN I think, but others have mentioned that you can do
Ansible in a pull mode.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
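A practical caveat worth pairing with the above, as an added example that is not part of Andy's mail: Yggdrasil's "nodes self-organise" property cuts both ways. LAN discovery works over link-local multicast with no central authority, but as soon as you also list public peers in yggdrasil.conf your node is routable from every other node on the Yggdrasil network, and the AllowedPublicKeys setting only restricts who may peer directly with you, not who may send packets to your address through the mesh. The usual answer on Debian is to treat the tunnel interface like any other untrusted uplink and filter it with nftables. The script below is illustrative code written for this thread, not part of Yggdrasil; it assumes the tunnel interface is called ygg0 (IfName in /etc/yggdrasil/yggdrasil.conf; the Linux default name may differ, so it is overridable), and the two mesh addresses are constructed placeholders, not real nodes.

```shell
#!/bin/sh
# Added example, not from the original mail or the Yggdrasil project:
# generate (and optionally load) an nftables ruleset that only lets chosen
# Yggdrasil addresses reach this host over the tunnel interface.
# Assumptions: interface name ygg0 (override with YGG_IF), nftables installed
# when --apply is used, and placeholder peer addresses below.
set -eu

YGG_IF="${YGG_IF:-ygg0}"   # assumed interface name; set IfName in yggdrasil.conf

# Yggdrasil node addresses come from 200::/8 and per-node subnets from
# 300::/8 (together 200::/7), so in canonical text form the first hextet is
# three hex digits starting with 2 or 3. Return 0 for such an address.
is_ygg_addr() {
  case "$1" in
    [23][0-9a-f][0-9a-f]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print an nftables ruleset that drops everything arriving on the Yggdrasil
# interface except replies to our own connections, ICMPv6 echo (so the node
# can still be pinged for diagnostics) and traffic from the listed mesh
# addresses. Refuses non-mesh addresses so a typo cannot silently widen the
# allow list. The declare/delete pair makes the file safe to reload.
ygg_nft_ruleset() {
  [ "$#" -gt 0 ] || { echo "need at least one allowed address" >&2; return 1; }
  for a in "$@"; do
    is_ygg_addr "$a" || { echo "not a Yggdrasil address: $a" >&2; return 1; }
  done
  allowed=$(printf '%s, ' "$@")
  allowed=${allowed%, }
  cat <<EOF
table ip6 ygg {}
delete table ip6 ygg
table ip6 ygg {
  set allowed {
    type ipv6_addr
    elements = { $allowed }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$YGG_IF" ct state established,related accept
    iifname "$YGG_IF" icmpv6 type echo-request accept
    iifname "$YGG_IF" ip6 saddr @allowed accept
    iifname "$YGG_IF" drop
  }
}
EOF
}

# Constructed sample: a home server and the laptop from the thread, as
# placeholder mesh addresses (they are not real nodes).
SERVER_YGG="200:1234:5678:9abc::1"
LAPTOP_YGG="201:dead:beef:cafe::1"

# Print the ruleset, or load it with "--apply" (needs root and nftables).
if [ "${1:-}" = "--apply" ]; then
  ygg_nft_ruleset "$SERVER_YGG" "$LAPTOP_YGG" | nft -f -
else
  ygg_nft_ruleset "$SERVER_YGG" "$LAPTOP_YGG"
fi
```

Run it without arguments to review the generated ruleset, then with --apply as root to load it; the validation step is the point, since an allow list that accidentally contains a non-mesh address or an empty set is how such a rule ends up protecting nothing. Services that must be reachable from every node on the Yggdrasil network (as opposed to only your own machines) need an explicit port rule added above the final drop.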