Hey everyone, I’m looking to set up a self-hosted VPN that allows me to access my local network from anywhere in the world using my Windows 10/11 and Android devices. My main goal is to transfer files regularly and manage my servers while keeping the number of open ports on the internet to a minimum.
Here are the criteria I’ve set for myself:
No client required for each device (to save storage space, performance, and battery life).
Decent bandwidth and strong VPN security (no PPTP).
Based on this information, I’d greatly appreciate any advice or recommendations you have.
Additional information: I’ve already spent 10 hours setting up an IKEv2 StrongSwan VPN with EAP authentication. While it works well, I’m not fully satisfied because I have to add a certificate to each of my devices to connect.
Considering these new criteria, what would be your suggestions? Thank you in advance!
You lost it there mate. But if you truly want a no client setup (and with it zero authentication) then just DMZ everything. It’s an incredibly stupid thing to do, but hey… you won’t need a client for that.
If you want the absolute minimum number of open ports, check tailscale, zero open ports needed. People seem to love it. Have never used it before so grain of salt and all that jazz.
I just use a self hosted wireguard. 1 port per wireguard instance, stupid easy to manage using simple firewall rules, it just works.
I go on my linux laptop, type in this command and I’m up:
wg-quick up
There are windows clients which as far as I know, you just need to click the connect button but I don’t use windows so idk about that.
IPSEC-L2TP is built into everything. No clients required on Windows, Mac, Android, iOS, Linux, etc. Great Docker container for cutting through most of the difficulty here: https://hub.docker.com/r/hwdsl2/ipsec-vpn-server
Tailscale is by far the easiest, not selfhosted but headscale can be. The other best option is Wireguard.
You have to have a client for either option, and that’s the case with basically all the VPN options. Both clients are pretty lightweight and they won’t be affecting your battery life or performance in any noticeable way.
My advice, although it doesn’t suit your criteria, is to go with a zero trust solution like Twingate. Very helpful, especially if you want to access more than one network.
WireGuard, or some love for headscale (open source tailscale).
In all honesty, go slow and learn what you’re doing first. Saying things like zero client, and save space doesn’t sound like you have a firm grasp of what you are doing or what’s at stake.
Btw, even though you open a port for wireguard no one knows… Wireguard doesn’t respond to unauthenticated calls, unlike other protocols.
Weird suggestion. Apache Guacamole with ADFS and multifactor integration along with CloudFlare tunnel. Ticks all your boxes, but does require some infrastructure build out.
Domain Controller
ADFS
PrivacyIDEA
Apache Guacamole
Cloudflare bastion
Windows or Linux workstation as Guacamole target
You could probably combine PrivacyIDEA, Guacamole, and Cloudflare onto a single box, but you’d still need four servers. MIGHT be able to squeeze it all into 16GB of RAM.
I have a client with a remote site and they wanted access, like you, from anywhere in the World. I could have installed Wireguard on a VM (they have Proxmox running on one of their PCs) but they also have a dynamic public IP, which complicated things.
Happily, Wireguard supports using a FQDN for its host address, so all I had to do was set up a DuckDNS domain and I could point Wireguard to it. This meant installing DuckDNS on the host as well.
In the end, the quickest and simplest solution was to just install an instance of Home Assistant on the host and use the Wireguard and DuckDNS addons within it. I nominated a port that was different from the default Wireguard port and forwarded it in their router. I had the whole thing up and running inside 20 minutes and the customer has the added bonus of being able to use Home Assistant to monitor other stuff.
Wireguard is the go and this is one way of implementing it.
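A concrete version of the one-port WireGuard setup the two posts above describe (a single UDP port, simple firewall rules, an FQDN endpoint so a dynamic public IP is fine), added here as an illustration and not taken from either poster: a gateway config with one peer block per device, followed by the matching phone config. All keys, the LAN subnet 192.168.1.0/24, the interface name eth0 and the hostname home.example.org are placeholders and assumptions.

```ini
# --- /etc/wireguard/wg0.conf on the home gateway (needs net.ipv4.ip_forward=1) ---
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820                     # the only inbound port forwarded on the router (UDP)
PrivateKey = <SERVER_PRIVATE_KEY>      # generated with: wg genkey
# Firewall: tunnel clients may reach the LAN and get replies back; nothing else from wg0
# is forwarded. eth0 is the assumed LAN-facing interface.
PostUp   = iptables -A FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT
PostUp   = iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp   = iptables -A FORWARD -i wg0 -j DROP
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# Android phone: one key pair per device, so a lost phone is revoked by deleting this block
PublicKey    = <PHONE_PUBLIC_KEY>
PresharedKey = <PHONE_PSK>             # generated with: wg genpsk; optional extra symmetric layer
AllowedIPs   = 10.8.0.2/32             # the only source address accepted from this peer

[Peer]
# Windows laptop
PublicKey    = <LAPTOP_PUBLIC_KEY>
PresharedKey = <LAPTOP_PSK>
AllowedIPs   = 10.8.0.3/32

# --- phone.conf, imported into the WireGuard app as a file or QR code ---
[Interface]
PrivateKey = <PHONE_PRIVATE_KEY>
Address    = 10.8.0.2/32
DNS        = 192.168.1.1               # resolve LAN names via the home router

[Peer]
PublicKey    = <SERVER_PUBLIC_KEY>
PresharedKey = <PHONE_PSK>
Endpoint     = home.example.org:51820  # a DDNS name (placeholder) works here, so a dynamic IP is fine
AllowedIPs   = 10.8.0.0/24, 192.168.1.0/24   # split tunnel: only the home ranges go through the VPN
PersistentKeepalive = 25               # keeps the NAT mapping alive from behind carrier NAT
```

Bring the gateway side up with wg-quick up wg0; on Windows and Android the official WireGuard app imports the second file and exposes a single connect toggle.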
SoftEther VPN is reliable and is easy to set up. I have it set up to use OpenVPN. I just drop an ovpn profile on any device I want to connect. SoftEther generates it for you and includes the certificates and stuff.
I use Tailscale with an exit node configured on my pfSense router. I connect my Windows laptop and iOS phone as needed. Works well for my needs and I don’t have to deal with opening ports, with the exception of my Plex server.
I thought about doing a WireGuard VPN hosted on a small VPS to link my router to, but Tailscale was pretty much dead simple to set up for basic access to my home network. It’s even worked for connecting from Thailand while on vacation without having to do anything other than turn on ‘use exit node’ to push all my traffic out my home connection.
With a VPN you have to use some client, and I would vote for Wireguard too. If you don’t want to install these clients on every device for simplicity reasons, you could use a mobile router which acts as a client to your VPN and provides your devices a secured Wifi connection.