Netgate Discussion Forum

    best way to access home network from anywhere ?

    • N
      njaimo
      last edited by

      ...noob here, and want to be able to access my home PC (behind pfSense) from anywhere (like while on vacation). Wondering what is the best option: OpenVPN, Wireguard, Tailscale, something else ? and how exactly does it work, as in what I would need to have with me while away -- do I need to take a laptop with dedicated VPN software installed ? or could I use an internet cafe ? I've never had the need to do this, so have never looked into it, until now...

      johnpozJ 1 Reply Last reply Reply Quote 0
      • the otherT
        the other
        last edited by the other

        hey there,
        you can go for any of your named solutions.
        Tailscale somewhat differs from the rest, I have no personal experience with it though.

        openVPN is older and not as "fast" as wireguard. In both cases you need

        1. a reachable external global IP address (v4 and / or v6) and a DynDNS service configured
        2. a configured vpn server (openVPN, wireguard, IPsec) on your pfsense machine
        3. on your client (smartphone etc) openVPN client software / wireguard client software; IPsec VPN is already onboard by default
        4. run a test

        done...

        VPN uses ports (as does every running service). As long as the admin of whatever foreign network (hotel, cafe, friend's wlan) allows those ports (openVPN uses 1194 UDP as default) it should work just fine.

        Here I have good old openVPN, when away and in need of visiting my home network (or just wanting to use public WLANs more safely) I use that. It is the only way to reach devices in my homelab and is secured (hopefully) by 2fa with password and OTP. I use it....hmmm...about 3 times a year, so (as so many other stuff here) quite an overkill ;)

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @njaimo
          last edited by

          @njaimo while the typical vpn solution would be a better option. You mention an internet cafe.. For access via something like that, and if this is something you only want/need while you're on vac.. You might just want say chrome remote desktop.

          Doesn't matter if you're behind a cgnat, nor if your IP changes every 2 hours, etc..

          Install it on your home pc, enable it while you are on vac - and then when you get back turn it off. This will allow you to access your home pc from anything: a phone, tablet, etc. or even if you just stop into an internet cafe or use the public pc at your hotel for example.

          https://remotedesktop.google.com/?pli=1

          I normally turn it on before I leave on vac as a backup solution.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          N 1 Reply Last reply Reply Quote 0
          • N
            njaimo @johnpoz
            last edited by

            @johnpoz @the-other Thank you for the bits ! I will try both, though it seems that for a quick vacation solution chrome desk may be the easy out... however I may also do the OpenVPN/Wireguard option, just to have it and learn.... Cheers!

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @njaimo
              last edited by

              @njaimo I have been using openvpn for years and years - and it is a rock solid solution. You can run multiple instances say on the default 1194 udp port.. And then just in case where you're at doesn't allow that port outbound you could run another on say tcp 443 - since if where you're at has internet - it's pretty much a given that 443 tcp is allowed.

              I also have tailscale setup - seems to be very solid solution as well.

              With openvpn while yeah it's prob best to have some sort of ddns pointing to your wan IP in case it changes. That is not really a requirement either - as long as you know what your public wan IP of pfsense is you could access. My IP being dhcp which could change, but mine doesn't normally - prob going on 2 years now if not longer with the same IP.

              If you're headed out for vac here soon - and you don't have time to set up and test normal vpn solutions - yeah the chrome remote desktop is something you can fire up in a couple of minutes. And then just test on your phone via just a cell connection to make sure it's working. Then when you get back you could play with setting up a more traditional vpn like openvpn.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @johnpoz
                last edited by

                @johnpoz said in best way to access home network from anywhere ?:

                I have been using openvpn for years and years - and it is a rock solid solution.

                As have I and CIPE before that. I don't have to worry about DDNS, as my IPv4 address is almost static and the host name depends on my modem and router MAC addresses. I just use an alias so that the host name is shorter, but that's just for convenience. My IPv6 address is also really solid. I just use a AAAA record for it. I leave my VPN up all the time.

                One caution, pick a local IPv4 subnet that's not likely to be used at the remote site. If they're the same, you will not be able to use the VPN. I ran into that years ago, when I did a lot of travelling with my work. I put my local LAN in the 172.16 range, as I have only seen that used elsewhere once.

                I have also set up IPSec VPNs in my work and that might be better for business users.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 0
                • N
                  njaimo
                  last edited by

                  @johnpoz @JKnott thanks again for the comments and suggestions ! I'm on a tight timeline for leaving so probably will use the chrome option, however will definitely look into the better and more robust options when I get back. Good point on the network address, I've always wondered about my LAN being in the 192.168 range, but have always thought it would be a pain to change, as I have quite a few IOT devices with fixed IPs that I would have to edit (only on pfSense though, not on the devices themselves), one by one, to change the network address. I suppose I could create a backup XML file, then edit that to change the prefixes with a find/replace-all from 198.168 to something like you quote in the 172 range... one more bit to do... Cheers!

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @njaimo
                    last edited by johnpoz

                    @njaimo the bad ones to use in 192.168 are .0 and .1 - those are the most common. I wouldn't expect you to run into issues if you're not using those

                    I start at 192.168.2

                    If your iot devices have reservations for specific IPs - yeah it's pretty simple to change over.. I have quite a few myself ;) but have never run into an issue with wanting/needing to change them out.. But sure you could just edit the xml and load it back in for the reservations to a different ip scheme.

                    One suggestion whenever changing an IP scheme for dhcp or reservations would be to lower the lease time to something very short.. Say 10 or 20 minutes.. So devices at most should have to wait 5 or 10 minutes to get the new IP range.. Once they are all up on the new scheme you could alter the lease time back up.

                    You can set your new IP scheme to the length you want, but you prob want to change it on active to short before you move to the new scheme.. Mine is like 8 days ;) so if I just changed - some client might wait like 4 days or something before it gets new IP.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    N 1 Reply Last reply Reply Quote 0
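
The subnet caution in JKnott's post and the 192.168 .0/.1 remark in the post above can be checked before travelling by comparing a planned home LAN against networks a roaming client is likely to sit on. This is an added example, not code from any poster or from pfSense; the remote site names, their networks and every prefix length are constructed assumptions.

```python
import ipaddress

# Constructed sample data: networks a travelling client might land on.
# Names, addresses and prefix lengths are assumptions for illustration.
REMOTE_SITES = {
    "hotel wifi": "192.168.1.0/24",
    "friend's router": "192.168.0.0/24",
    "cafe hotspot": "10.0.0.0/8",
}

def classify(home_lan, remote_lan):
    """Describe how a home LAN collides with the LAN the client is on."""
    home = ipaddress.ip_network(home_lan)
    remote = ipaddress.ip_network(remote_lan)
    if not home.overlaps(remote):
        return "ok"
    if home == remote:
        return "identical"            # the case described in the thread
    if home.subnet_of(remote):
        return "home-inside-remote"   # remote site uses a wider range
    return "remote-inside-home"       # home LAN is the wider range

def audit(home_lan, sites=REMOTE_SITES):
    """Map each remote site name to its collision class for this home LAN."""
    home = ipaddress.ip_network(home_lan)
    # is_private covers private/reserved space, not only RFC 1918.
    if not home.is_private:
        raise ValueError(f"{home} is not private address space")
    return {name: classify(home_lan, net) for name, net in sites.items()}

def pick(candidates, sites=REMOTE_SITES):
    """Return the candidate home LANs that collide with no remote site."""
    return [c for c in candidates
            if all(v == "ok" for v in audit(c, sites).values())]

if __name__ == "__main__":
    for lan in ("192.168.1.0/24", "192.168.2.0/24",
                "172.16.0.0/24", "10.8.0.0/24"):
        print(lan, audit(lan))
```
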
                    • N
                      njaimo @johnpoz
                      last edited by

                      @johnpoz ...good point on the lease time, I would have not thought of that, and wondered why things were not working... Cheers!!

                      1 Reply Last reply Reply Quote 0
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.