@RAM_845 Hahah. I comment on people I like to support. Especially if I talk with them outside of KZbin.

😆

🤭

@RAM_845 hahah nooo. Though I am also in Disbelief that I have known him for almost 5 years.

As a long time user of Jeff Geerling VPN, I can say, stop all the downloading

“Ok so he’ll copy and open it on something else…oh never mind.” That caught me off guard that even works.

Has anyone already decoded it? 😅

@@stefanmisch5272 it's a Wireguard tunnel config file but the endpoint is spoofed of course and unusable

It basically comes with wireguard server out of the box

The qr code is not really a useful thing .. would make sense just getting the token

Tailscale have been working wonders for me, is technically an overlay network but is using wireguard under the hood, they have clients for Truenas (using the truecharts repo), OpenWRT, PFsense and even there are some experimental clients for RouterOS (mikrotik). I'm limited by my 10mbps upload speed but the overhead is not so much so I can stream 1080p content without transcoding.

WireGuard does not take advantage of AES-NI.

Wireguard does not uses AES, but ChaCha, a cipher that works faster on this machine. It uses ARX instructions.

This. Relatively easy to setup, you can host servers literally anywhere* as long as there is internet and it's super flexible. Just remember to have the clients keep their connection alive so the VPS is allowed to talk back to them.

What if I have a corporate network with public static IP and I want to establish a VPN between that and the LAN network of a 4G broadband router behind CGNAT. I need to access an IP camera in that 4G router's LAN

Or just use IPv6

@@Batwam0 yes indeed, if you have a fixed IP address you will not need to modify whatever the parameter in your router!

Tailscale's great, but as Jeff's clearly wanting to do this without any third-party cloud help -- other than his ISP, his DNS provider, his VPS provider, etc. -- it's fine. After all, Tailscale is built on Wireguard, and is really a cloud service to make configuration and discovery easier. I have both. I use Tailscale most of the time, but Wireguard is also there just-in-case.

@@tomgidden absolutely ! Thank you for this precision ☺️

@@Batwam0 That's correct. No port forwarding with Tailscale.

Possibly. Since I only used it once and don't run it right now I'd need to do a bit more work for that. Might do either that or Cloudflare Tunnel.

I'm sure someone like Jeff owns his own domain. If he hosts the primary NS himself, it's easy as pie. If it's hosted by Google Domains, also easy as pie.

@@sophiophile well, not easy as pie exactly, self-hosted, you would need to set up some way to actually update that, which would probably mean setting up stuff like TSIG keys and whatever, and then using those keys on the machine updating the records, and such...but yeah, it's not that hard either, and most dns hosting services do indeed have pretty easy APIs

@@sophiophile he said in the video that he uses a vps to send the IP to it, and then manually change it in the DNS records of his domain. Also, I don’t know why are you telling this to me. I just shared an option that I think it’s quite good, like many others shared their own options.

@@lidbergtech neither cloudflare nor zerotier can be self-hosted, lol but sure, it's easy to use one of the many ways to get the job done, if you don't care about that and do note we were talking about "If he hosts the primary NS himself", not "how can it possibly be done"

I use Google Domain + DDNS on my Edgerouter, now same thing on my OPNSense box. Pretty much plug and play

I was thinking this exact same thing. Took the time to make sure and blur all of the important text, but exposed the entire connection profile with a QR code?

Ah true. So not a bulletproof method!

Indeed, but if you know enough to put a 3rd party router in, you likely already know enough to figure that out...or setup the VPN on your router and eliminate the need for a separate VPN server. Of course, router VPN servers tend to be a bit slower due to low end SoCs, but if you are already on a woefully asymmetrical ISP (I really hate DOCSIS for this), this won't likely matter much and will be similar to your upload speeds, anyway. Still a great video for the average not-as-techie power user! 😎

@@thewebmachine How difficult is this to set up? Does it depend on the router I'm using?

Nice! I have Wireguard in my Asus RT-AX56U Router as well but not sure how to set it up, can you point me to a guide thanks!

IPv6 support globally still sucks. Yeah if it works it's great, but it's better to just always assume you're not going to have IPv6, especially when traveling abroad. Been waiting 20 years for IPv6 to go mainstream, reckon I'll be waiting another 20 lol You could implement both an IPv4 and an IPv6 VPN, but I always just target the lowest common denominator to accomplish what I need.

IPv6 works fine for me to deal with CGNAT. Some WiFis don’t provide IPv6 but at least over 4G it always works, so it’s fine for smaller tasks like checking HomeAssistant while travelling

@@BrianCroweAcolyte Yes. My home VPN will use IPv6 for the tunnel if it's supported and will pass both IPv4 and IPv6 through the tunnel, but it seems to be extremely rare that IPv6 is supported in public places that I connect from. A lot of people regard IPv6 as an extra complication causing extra attack surface with no real benefit, and while I have some sympathy with that view, I do like to have IPv6 on my own networks when possible.

@@davidberschauer1330 Here in the UK, I've literally never ever come across a 4G connection with IPv6. Though, I have seen some things that hint that maybe one of our networks is slowly working towards allowing IPv6.

YMMV, but I've found, in the states, that IPv6 is available and works in most places that i am, with the exception of retail wifi (most specifically a local chain of coffee shops that i frequent). My mobile provider (T-Mobile) def has working IPv6...in fact, their network is v6 *only* with an adaptation layer on top of it to make v4 work. I use v6-only for my personal setups almost completely because it ends up being *easier* to work with.

Hahaha

I almost did but didn't have time today :(

Honestly networking is full of voodoo magic and crazy things! It's too easy for someone to mess things up for me to officially recommend it. But breaking things is often the best way to learn.

Didn't even have to do it once for this project though ;)

Mikrotik RouterOS v7 has Wireguard and ZeroTier support built in.

Boom! Thanks for posting the link, saved me the hassle while I'm flying home from UK

It is difficult but getting easier. I've heard many more people getting them (follow rpilocator).

BTW: excellent video as always. Thank you Jeff 👍🏻

Both are great ways to do it-I've been working on dropping that AX86U in favor of a box running OPNsense though... we'll see.

While it's not recommended the IP will change on a regular basis. Dynamic DNS changes it's referenced IP when your ISP gives you a new IP. Hence sharing a throwaway IP is not nearly as dangerous as sharing the dynamic DNS registry name.

Heh, yeah I watched through like 4 times to make sure I don't drop my IP again.

But then the router's pulling more jobs than I like to run on a small arm CPU at once. But definitely an option!

Tutorial-based content is always tricky like that! But I also have a blog post on my website which is a little more digestible.

Lazy and sometimes a bit slower, but it can work!

I love hearing everyone say how easy it was and I spent hours trying to get it to work... turns out I have cg-nat...

See my blog post on jeffgeerling.com for written form.

If we had decided as a society that IPv6 was something we would actually try to implement everywhere none of this would be a problem. But we didn't do that.

True, true.

Good question: not this one :( Too much going on to make it

Dangit, one day too late!

That was my trouble with OpenVPN - and which is why I decided to flip over to Wireguard. The app worked a little more seamlessly (didn't have any weird issues).

@@JeffGeerling Well my VPN logs show an error regarding a missing HMAC that suggests a problem with a key definition in the exported profile, so I'm hoping I just missed some detail in the profile definition. And I'm in EXACTLY the same boat you are with asymmetric cable Internet (I'm stuck with awful Cox), 1 Gbps down but 40 Mbps up 😡

Nice!

Yeah, I'm just lazy really. Name.com has an API but I can't be bothered to get it integrated.

@@JeffGeerling the best excuse for not doing something haha

Heh, true.

Good question! Even the Pi 1 could handle like 20 Mbps of traffic. The Pi 3 or 3+ is good enough for probably 50-80 Mbps.

That can actually happen under certain network conditions, like if you have a router behind another one, or if you're checking from a Docker container or elsewhere with more than a direct connection through to the main ISP router.

I read your comment just as that part of the video came on. lol

Don't worry, visit vpn.please-dont-ddos-me.com

Yeahh I tried to scan the qr code and it works with this domain name 😂😂😂.

You got the coolest domain name...

​@@JeffGeerlingy no SSL? 😅

Hope so! Heh.

I did! I'll have a video on that soon.

Me: so jeff geerling made a video about self-hosted vpns and how to set it up. if i comment "well, fun fact, setting up a self hosted vpn with either wireguard(with some scripts ofc) or tailscale takes less than duration of this video.", will this go across as a mean comment to him? (like this video is too long dont watch it etc although i dont mean to) ChatGPT: It's possible that your comment could come across as mean-spirited, especially if Jeff Geerling put a lot of effort into creating the video and you're suggesting that it's not worth watching. However, if you phrase your comment in a respectful way and acknowledge the effort he put in, it should be fine. For example, you could say something like, "Thanks for making this video, Jeff! Just wanted to add that for anyone who's short on time, setting up a self-hosted VPN with Wireguard or Tailscale can be done in less time. But I appreciate the effort you put into explaining this process." This way, you're sharing your knowledge while still acknowledging the value of Jeff's video.

@@pcislocked tbh, tailscale is not really self-hosted, and stuff like headscale, which is a self-hosted version of tailscale, can be a bit annoying to set up, and not easy... instead, I'd use something like Yggdrasil Network, myself (or even stuff like tor or i2p, using them for legitimate purposes helps out everyone, and you can also set things up that only specific routers are even allowed to connect to your server)

@@jan_harald yeah tailscale is not technically fully self hosted in terms of management etc, but if your exit node is exposed to the internet, the connection is direct to the server. stuff like i2p is a bit too much for a normie like me xd

​@@pcislocked I've been using Tailscale for a few years now, and it is fantastic, but I've had recurring problems with it failing to work without intervention after updates to either itself or Windows. Sometimes it seems to stop working for no reason at all. I've resorted to installing a secondary remote access program for the times when I need to remotely make Tailscale work again.

@@zoopercoolguy I've used Tailscale for several months but have never experienced the problem that you have. I'll tuck that away in case I do though and know that the issue is not unique. Thanks JB.

Good question! I... would refer you to PiVPN's documentation.

You should still be able to use that somehow, but you will only be able to connect from places where you can also make an IPv6 connection.

before someone comments he said you can use a vps..... no whole point is to be low powered its a waste of resources to use a dedicated desktop or laptop to be on 24/7...

I also mentioned using a Mini PC too ;)

​@@JeffGeerlingstill to many watts compared to a pi my brother ;)

Still working on it, have already learned a lot!