this post was submitted on 05 Sep 2024

Selfhosted

I've been playing around with self hosting for file sharing, backups, and a handful of other ideas I might one day get round to. I like the idea of a mesh VPN and being able to, for example, connect a travelling laptop to a 'host' laptop nearby, though my only public ip is a VPS in another country.

Of all the options I found, I liked the look of Nebula most. Fiddly in some places, but it's working nicely for me, and I appreciate some of the simplicity of design.

I'm wondering if people here have much experience of it, though? My biggest concern is over its future. With:

  1. The Defined Networking site focusing on making money off it, and
  2. The Android app doesn't allow full configuration (including the firewall, so I can't host a website from a phone) but - I heard - does if you use Defined Networking's paid service for configuration,

this makes me worry they might be essentially trying to deprecate viable FOSS Nebula in favour of a paid or controlled service.

Any thoughts? Insight?

all 42 comments
[–] [email protected] 8 points 2 months ago (2 children)

I'm not sure what the point is? Here's my setup:

  1. wireguard VPN on my edge VPS
  2. lots of services behind my router that connect to that VPN
  3. router DNS to resolve my domains to my internal services when on my LAN

This gets me like 95% of the benefit of something like Nebula or Tailscale. When connecting to my internal services, I get LAN speeds if I'm on my LAN and WAN speeds if not. I initially started with Tailscale, but realized that I really didn't care about most of what it provided.

[–] [email protected] 8 points 2 months ago (3 children)

The benefits are obvious:

  • No port forwarding needed
  • Central Auth management
  • Easy integration of new devices

Not saying you should do it or that it is better overall, but ignoring those is not fair.

Personally I would never go for Tailscale since I give away the access control to my kingdom to a company. Exactly what I want to get away from through selfhosting.

[–] [email protected] 3 points 2 months ago (1 children)

Doesn't selfhosting headscale prevent the keys to the kingdom thing you're talking about?

[–] [email protected] 2 points 2 months ago (1 children)

Yes. But it removes some benefits. You again open some ports or use a VPS to host it. The benefit of not needing to have open ports on other servers and central auth and management still stands.

[–] [email protected] 1 points 2 months ago

With Nebula you also need a VPS or something public for the coordination server ('lighthouse node'). Seems there's no way around that at the moment: at least one machine, of your own or another's, has to have a public IP so the other machines can learn how to connect to each other.

[–] [email protected] 2 points 2 months ago

Check out Net Bird

[–] [email protected] 1 points 2 months ago

Exactly. I tried Tailscale to get things off the ground, but it didn't do precisely what I wanted, so I abandoned it and built exactly what I needed, which for me was a VPN at the gateway that tunneled SSL traffic via HAProxy to my internal network.

If Nebula solves your problems, great! I find I don't need its features, and prefer to keep things relatively simple, which for me is a WireGuard VPN and a handful of containers to run my things. My setup is basically HAProxy -> Wireguard VPN -> Caddy (TLS termination; docker container) -> Docker container on internal network. HAProxy routes to the appropriate machine, and Caddy renews TLS certs and routes to the appropriate container. I could probably accomplish the same w/ Nebula, but I understand my setup a bit more than Nebula.

[–] [email protected] 1 points 2 months ago (1 children)

What's an edge vps? Is that some sort of distributed cdn-style vps? Or just a VPS at the 'edge' of your network?

Biggest points for me of having a mesh, not a central Wireguard hub, are,

  1. I have a VPS in one country, a 'host' laptop in a friend's house in another and a third laptop. I want the two laptops to connect directly to each other not bouncing all packets off the vps.
  2. For backups, ssh, etc, I'd like to be able to just call the VPN IP, whether two machines are on the same LAN or not. Nebula/etc makes that work; a centralised VPN would sometimes be sending packets pointlessly out on WAN and back.

[–] [email protected] 2 points 2 months ago

The latter, a VPS at the "edge" of my network. It doesn't run any services itself other than HAProxy, which just routes connections to services inside my network.

That use case makes a ton of sense.

I only have my VPS and internal devices, so using DNS names makes it trivial to always get the best route since the only options are within my LAN (simple router config) or over WAN. If it was any more complex, I'd probably do the same as you.

[–] [email protected] 5 points 2 months ago (4 children)

I’m using Headscale for work and Tailscale for personal use. I tried to use Nebula but it’s not as easy as Tailscale.

[–] [email protected] 4 points 2 months ago

Headscale server, open source, self hosted, with the open source tailscale clients are the way to go.

[–] [email protected] 1 points 2 months ago (1 children)

Netbird is easier to use although it is a little less developed

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

I took a quick look at the GitHub repo - selfhosted Netbird looks harder and more resource hungry, not easier! At least compared to Nebula.

[–] [email protected] 2 points 2 months ago (1 children)
[–] [email protected] 1 points 2 months ago
[–] [email protected] 1 points 2 months ago

Yep, I tried Tailscale at home... 3 weeks later I started using it at work, so insanely easy.

[–] [email protected] 1 points 2 months ago

Is Headscale easier than Nebula? I thought it looked like it might become much more work.

Nebula was mostly easy, but had a few hurdles I needed to learn.

  • Setting up systemd. I think I had to look that up and write a startup thing for it. I might have copied one from Syncthing or something! I don't remember right now.
  • firewalls confused me a couple of times
  • and I had to get the hang of the certificate system of course

I have mixed feelings about trying Defined Networking's managed config, but I imagine that would get round the learning curve of the config.
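For the lighthouse point raised earlier in the thread (one node with a public IP so the others can find each other) and the firewall and certificate hurdles listed above, here is an added example of a Nebula host config. It is not from the thread or from the Nebula project; the overlay subnet 192.168.100.0/24, the lighthouse's public address 203.0.113.10 (a documentation-range IP), the file paths and the group names are all assumptions. The lighthouse itself would use the same layout with am_lighthouse set to true and a fixed listen port of 4242.

```yaml
# Added example (not from the thread): /etc/nebula/config.yml for a
# non-lighthouse Nebula host. Addresses, paths and group names are assumptions.
#
# Certificates come from the Nebula CLI, run once on a machine that holds ca.key:
#   nebula-cert ca -name "home mesh"
#   nebula-cert sign -name "lighthouse" -ip "192.168.100.1/24" -groups "lighthouses"
#   nebula-cert sign -name "laptop"     -ip "192.168.100.2/24" -groups "laptops,admins"
# The -groups values are signed into each host cert and are what the firewall
# rules below match on, so a peer cannot claim a group the CA never signed.

pki:
  ca: /etc/nebula/ca.crt        # shared by every host; ca.key stays off the mesh
  cert: /etc/nebula/laptop.crt
  key: /etc/nebula/laptop.key

# Overlay IP of the lighthouse -> its public IP:port. This is the single
# address that must be reachable from the internet (the VPS in this thread).
static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60                  # seconds between updates sent to the lighthouse
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 0                       # 0 = random source port; fine for a roaming laptop

# Keep sending small packets toward peers so stateful NATs keep a mapping open;
# this is what lets two hosts behind different NATs talk directly.
punchy:
  punch: true
  respond: true

tun:
  disabled: false
  dev: nebula1
  mtu: 1300

logging:
  level: info
  format: text

# The Nebula firewall is default-deny in both directions; only listed rules pass.
firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m

  outbound:
    - port: any
      proto: any
      host: any

  inbound:
    # Ping from any mesh member, handy when debugging connectivity.
    - port: any
      proto: icmp
      host: any
    # SSH only from hosts whose certificate carries the "admins" group.
    - port: 22
      proto: tcp
      group: admins
    # Syncthing only from the other laptops, i.e. certs in the "laptops" group.
    - port: 22000
      proto: tcp
      group: laptops
```

The inbound rules are where the certificate system and the firewall meet: the decision is made on the group names in the peer's signed certificate, not on its IP address, so a cert signed without "admins" cannot reach port 22 even from inside the mesh. For the systemd hurdle, the Nebula repository ships sample service unit files that start the binary with `-config /etc/nebula/config.yml`.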

[–] [email protected] 4 points 2 months ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
IP              Internet Protocol
NAT             Network Address Translation
SSL             Secure Sockets Layer, for transparent encryption
SSO             Single Sign-On
TCP             Transmission Control Protocol, most often over IP
TLS             Transport Layer Security, supersedes SSL
UDP             User Datagram Protocol, for real-time communications
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)

10 acronyms in this thread; the most compressed thread commented on today has 18 acronyms.

[Thread #951 for this sub, first seen 5th Sep 2024, 10:35]

[–] [email protected] 3 points 2 months ago (1 children)

I have been using Tailscale, connected it to my domain, I use Authentik for my OIDC/SSO sign-in and tied it that way for the MFA OIDC login Tailscale lets you use. All I needed to do was set up a webfinger for it and once it verified my domain, I was able to give them my OIDC settings. Tailscale so far for me in the last year or so has been quite simple to use. Plus, being able to log into my admin console and any devices I enroll through Authentik's front end has given me peace of mind knowing it's quite secure. (All of this on a Proxmox server BTW).

One may argue about self hosting Wireguard and I agree, it's quite easy to do if you use something like wg-easy which makes it simple to add phones to your network. My concern with it though was having to poke a hole into my firewall for the WG traffic to hit the server, once I got into Tailscale, it's made it easier and I don't have any open ports on the router now. I think this is primarily why the Jupiter Broadcasting guys push it so much on their podcasts, not to mention one of the hosts on his podcast is an employee for Tailscale as well, so that probably helps a bit.

As for funding for both Nebula, or Tailscale, they do cater to enterprise customers so you have the assurance that they do have to answer to them if they revoke a service or ruin it. :)

For Tailscale, it's just a matter of them allowing you to add 100 devices for free and it's a simple command to install it on any client via the CLI, including Apple TV for example. For phones, I have Tailscale on my phone connected 24/7 to my exit node, which is my Proxmox server, and as a backup, my Raspberry Pi which acts as one as well. So, even if I'm on the road or away from home, I'm always on my home network (unless blocked by overzealous sysadmins on their public WiFi networks). There's not much to manage via the phone, but I like to think it's 'set and forget' really; once you have it all configured, it just runs in the background and they do not decrypt your traffic, much less care what goes through it.

[–] [email protected] 1 points 2 months ago

Thank you, that's helpful. I'll look up Authentik.

[–] [email protected] 3 points 2 months ago (1 children)

If you're not sure about Nebula, take a look at tinc. It's a meshing VPN, simple to set up, and even has an Android app.

[–] [email protected] 1 points 2 months ago

Does Tinc have advantages over Nebula? I was under the impression that both Nebula and Tailscale improved on Tinc, albeit in different ways.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (2 children)

What made you choose Nebula over Tailscale? I'm running it through a self-hosted Headscale server and it's working well so far. I haven't looked into Nebula too much.

[–] [email protected] 3 points 2 months ago (1 children)

The core bits of nebula are all open source. With tailscale, there is headscale, but that is made by a tailscale employee and it feels ripe for a rug pull whenever tailscale feels like it. With nebula, the lighthouse and user clients are open, so there is far less chance of that.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

I see. That is a valid concern. Though it feels unfair to say that headscale is 'made by a tailscale employee'. From what I understand, one of the main contributors of headscale was hired by tailscale, though he is not the only maintainer and does not own the repo from what I can tell. Still, Tailscale could decide to cede all support of headscale and that would likely hurt the project a lot. In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.

[–] [email protected] 2 points 2 months ago

In the same way however nebula could decide to switch to proprietary licenses and discontinue their open source offerings.

Sure but you'd still have whatever the last commit was to nebula under the MIT license. It can be forked etc etc.

I am sure headscale is great, but it's a side project and if so inclined (not saying they are, tailscale seem quite generous), they could kill it a lot faster than Defined Networking could kill nebula. But it's all a gamble.

[–] [email protected] 1 points 2 months ago

  1. Biggest thing was actually the sign up options. What if I don't want my machines calling to Google or Microsoft to get access to Tailscale? I need to look up the other OIDC providers but don't know much about that yet.
  2. Then the fact of Nebula being fully open source and fully on my machines. (Though that's a little undercut by the Android problem being solved only by their managed service).
  3. Headscale gave me an impression of being more complicated to set up and maintain. Haven't tried it yet, that was just my feel when I chose which one to try.
  4. More recently, I saw Nebula's interesting post on performance benchmarks. At high throughput Tailscale can be better for CPU but heavier on memory. Hopefully at my sort of very low throughput it's small on memory, but if I'm squeezing a client into a cheap VPS alongside Nextcloud and other things, memory use is more concerning to me than CPU... I wonder how much memory Tailscale uses when not doing much.

[–] [email protected] 2 points 2 months ago (2 children)

I think nebula is really cool and am heavily considering it in production.

Having a paid-for service that makes things easier is a good way to keep money going into the project, I think. And it feels a lot safer in terms of rug pull than tailscale/headscale. The Android apps not being in F-Droid and having some other limitations sucks... but I feel like those are easier to solve than some other issues that could be there.

If you want tailscale, but not tailscale, check out netbird. You can self host the auth server and it isn't some side project, the whole auth server is open.

[–] [email protected] 2 points 2 months ago (1 children)

I agree having a paid service, or some viable finance model, is a good sign for longevity ...that said Nebula is what Slack use themselves so publicly or privately it's going to be kept developed!

Just the fact that the Android client is only properly configurable if you use their managed config service made me worry a bit. Even though with Tailscale you're signing up for more eggs in their basket (unless you use Headscale), it felt like at least you start out on that basis; you aren't pushed into it unexpectedly.

I do like that both projects talk politely about each other. That feels like a good sign for both!

I'll check out Netbird, thank you.

[–] [email protected] 2 points 2 months ago

Honestly any of the three of nebula, tailscale, netbird, or even vanilla wireguard are all great choices and you can't really go wrong.

It wasn't that long ago when it was openVPN or nothing ;_;

[–] [email protected] 1 points 2 months ago

Wow, self-hosting Netbird is a lot more involved than Nebula, and needs a lot more resources!

[–] [email protected] 2 points 2 months ago (2 children)

I'm interested in Tinc but there isn't a lot of documentation

[–] [email protected] 1 points 2 months ago (1 children)

Tinc has weird limitations and Wireguard completely obsoletes it. There's zero reasons to ever consider using Tinc when Wireguard exists.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

Can Wireguard do NAT traversal? Let's say I have a publicly facing server A and then two devices B and C behind two separate NATs. Can B reach C directly via hole punching by A?

[–] [email protected] 1 points 1 month ago

No, I don't think so.

[–] [email protected] 1 points 2 months ago

I don't know a lot about Tinc, but it looked to me like both Nebula (directly inspired by Tinc) and Tailscale solve problems Tinc has, and improve on its excellent but older design.

[–] [email protected] 0 points 2 months ago (1 children)

It uses UDP so I have my doubts

[–] [email protected] 0 points 2 months ago (1 children)

Isn't that the same with all of them? Using UDP so they can tunnel between machines that are both behind NAT?

[–] [email protected] 1 points 2 months ago (1 children)

Wouldn't you want at least some TCP?

[–] [email protected] 1 points 2 months ago

They pass TCP over UDP.