"Stop using VPN and instead embrace this corporate commercial solution where you depend on third party infastructure." should be the title of this video. Let's be hones, this is advertisement, for commercial product, there is nothing wrong with VPNs.

While I can appreciate the tech, for me, it seems like opting to use a third party service over a self managed VPN connection is just not better. It opens up another attack vector that you have no control over. You have to trust that the third party service, Twingate in this case, never makes a mistake. Hell, they don't even have to make a mistake, they just have to become a juicy enough target to be attacked by a good enough adversary and you become collateral damage. From a self hosting perspective one of the largest motivations to do it, aside from learning, was to stop depending on third party services because of how often they become compromised, or accidentally leak your data. VPN isn't a perfect solution of course, but routing all your access through a third party is not better, just different. I realize this is an advertisement but even still compared to your other sponsored videos this felt more like an empty marketing pitch than a video about cool technology.

I understand this is a sponsored video. I think the general audience will appreciate a follow up video comparing all the various solutions out there, such as zerotier, Tailscale, tinc, and why would you choose one over the other.

I might be talking to a wall but whatever, and who asked? but... 4 out of the 5 latest videos have been just full video ads. I can't take any of the information provided at face value or serious in these case. especially since you try to educate in then. unsubbed for now. but I do appreciate the transparency.

The whole goal to get more secure is to actually minimize the use of 3rd party solutions where you have no real control how your data is being handled or monitored. In this case a self-hosted VPN solution would be much more secure, even if it involves opening up a firewall port for it. You know better, Christian. This pure advertisement hurt your image more than you'd like.

Non-opensource is such a big turnoff though..

It is ADs?

VPN is better. You're in control.

I wouldn't dream of using another third party to carry all my most sensitive traffic. Advanced access control is good, but not like that in my opinion.

I understand why people are upset about the title and throwing shade at VPNs. But, you clearly stated that this was a sponsored video at the beginning. Honestly, if your goal is to start a career in IT, this is exactly the kind of product to start getting familiar with in your homelab environment. There are ways to secure a VPN without 3rd party services, but this is so much more convenient and easy.

If twingate went completely open source with their client and control server, they would have an edge over something like tailscale. Twingate ACL's seem better than tailscale though. Tailscale at least keeps their client 100% open-source, which allows alternative control servers to be developed (such as headscale, which has contributions from tailscale developers who contributed on their own time).

Twingate Controller "provided on their servers" - no thank you.

I’m fine with this being sponsored. I can easily digest this valuable information and decide for myself what to use. Thanks for the info. Some people don’t think you should be able to eat.

I can not believe, that this is your opinion. You put a third party trojan in your network and explain it like the best thing ever. Did you watch this video yourself before publishing it? 😢

So ZTNA is basically a VPN, but with all the hard work already done for you (dynamic dns, vpn server, firewall/nat rules) and the added ability to have security policies and policy enforcement. Authentication (strong password, certificates, 2FA) and authorization (firewall rules allow you to minimize what a VPN client has access to) are already there with VPN. ZTNA is something that sounds really nice for a corporate environment where users and resources are constantly changing. For a home lab or home network however, most users and services are pretty static, and having to trust and maintain the ZTNA service is just not worth it for me.

I use tailscale combined with tailnet lock and headscale, everything local and secure enough!

The main issue for me here is the words "Stop using VPN" in this ad supported video. Do you really believe that? You make viewers doubt if your advice is sincere or not. Which will hurt all of your other videos as well. No it is not better/more secure than a self hosted open source VPN, just different.

The whole video has a watermark 'advertisement'. I'm skipping this one.

Hi Chris, Good video en some good explanation. I’m not going to use it though, I don’t want vpn going through third party networks. Also reconsider your advertisements. Some videos ago you explained why not to use cloudflare tunneling, and here we are talking about vpn trough third party networks. Just advertise something you really stand for :-) Don’t get me wrong though, just a tip :-)

Yea its a dislike from me. A bit disappointed too.

@christianlempa: I absolutely share your definition of Zero Trust (07:46), unfortunately most people don't really understand it, as you can see from many of the comments.

A properly configured VPN implementation will have VPN clients come into a "Grey Zone" subnet, and then firewalls between the Grey Zone, and the Internal resources. Firewalls are not just for the Edges of the network. At my day-job we have probably around 100 Firewalls throughout our Corporate Network. Also between the Corporate, and High Security networks have different brand Firewalls.

sure, rely on a third party to route your traffic can you elaborate why vpn is not secure? this looks like advertising

Im reallly confused ..... Is this a sponsored video?!? If yes, why doesnt it say so? I only says Advertisment, but thats to vague. Can we be a little more transparent with the viewership?

Zerotrust is the way to go. VPNs provide no protection to your network once a bad actor gets on an end-user's system who is connected to your VPN. Ask me how I know 😞 Great video .. regardless if it is a sponsored video or not

We understand that ads are okay but please keep the good work on home lab / open source / learning / diy / fun. I have the feeling that this channel is drifting. Hope I am wrong.. and sorry if this was rude to say..

i pass think my selfhosted vpn is pretty safe

This is an ads channel now 😂

@christianlempa - Perhaps you can provide an overview of your infrastructure setup? Simply picking 'frontend' in your case doesn't give much info (i.e. is this a renamed docker_default, or other custom). Can this talk to the main network? What about VLANs? In addition, how different is this to Cloudflare solution you warned about previously?

This is within some of the worst videos on this channel. Explaining that using a third party server is more secure than your own VPN. Come on. It took me a few minutes to recognize that this whole video is an ad. This happened a few times now with these videos. I'll give you a last chance because mostly I like your channel, but if this is the way it'll be going in the future then I'm gone.

That's so nice!! Thank you for sharing. I don't understand the complaint about Ads videos once they still bring value to the public. Sincerely, people are focus on bad things only.

Seams awsome, but sadly like so many other services the client for Linux is something that seams to have been put together by an intern during a 30 minute break. It's always the same. Either a Linux client is missing or it may as well be. VPN may be an old way of doing this, but at least it has wide and tested platform support.

At home I use the Sophos Firewall's openVPN server. I like to think that because it's enterprise-level that it is secure. If you use a long random password, keep the opvn import file safe, and ditch the auto-created firewall rule at the top that allows the VPN users to access everything, you can create a rule that only allows the VPN users to access only hosts/IPs on your network that you allow. This is how it has been done for years. In the video he states that VPN is not secure. Did something drastically change that makes it not secure anymore or this belief just fear mongering by these cloud providers?

not a good way to sponsor! I liked the clouflare tunneling considerations and the basic criticism that should permeate everything in IT. So the balance about risk/benefit should be our thought, not the title of your video! You should never say stop using vpn. Openvpn is a 21year old protocol full audited with with also hardened versions and widely used worldwide. Is just secure as should be. So, talk about the main point. What is more zero trusted? A self hosted opensource service with user in full control, or a corporate service with closed source software running inside your house? you cannot deleted this comment.

With a VPN the client does not get access to all internal resources. You can configure so only a subnet or specific servers are accessible!

If it's not free and open-source, then it's a waste of everyone's time. I'm happy to pay for bandwidth and hardware, but I will never trust a company with protecting my data.

It sounds like this is a tool used for correcting issues caused only by verrrrryyyy poorly deployed VPNs and poorly configured firewalls... too much reliance on external servers, closed source, etc...'zero trust' just means 'trust us/our servers with all your data throughput' in this case. same issue with tailscale

So this is really to hide from ISP but to access remote devices securely? I couldn't access sites from my mobile phone I blocked in my ISP's network but I could on desktop. What gives?

Thanks for info. Pretty cool concept.

@ALL: Self-hosting is a trend on a private level. Companies are now moving more than ever to the cloud and are therefore dependent on other companies (see Microsoft). Personally, I'm also a fan of hosting as many services as possible myself, but solutions like those from TG or CF are no less secure - on the contrary. The “big” companies in particular are in the spotlight and can least afford security breaches or poorly programmed security solutions. As far as these approaches are concerned, I believe that this solution is currently at the forefront when it comes to security and integrity.

What's the diference with cloudflare Zero trust? You have a video about the security issue of this service. Thanks for your videos.

My main problem with this product is that their android/iOS apps suck. I'll have to sign in every time I disconnect. With tailscale, it is a click away to toggle on/off. Very annoying!

Hi Christian, even if you can't host it yourself, it offers some very good and important approaches towards Zero Trust! Used correctly (at least 2 docker containers - as lxc and distributed across 2 of 3 Proxmox nodes, in a DMZ with dedicated firewall rules towards LAN networks and the Internet) this is a really good and secure solution for accessing services in your own area access homelab. Thank you for your time and this video 🙂

Can you recommend a more zero configuration solution like twingate for normal people like myself who don't understand all the programming/Linux/docker garbage please?

Hi Chris, can Twingate be implemented onto pfsense firewall network? Thank you.

Tailscale vs Twingate. What should I use in 2023?

What is the benefit of Twingate vs Tailsclae or Perimeter81 which using WireGuard Connection?

I have a different opinion regarding vpn not secure, especialIy in what u said about ‘client is trusted as part of intranet’. I think vpn is only as secure as how we secure our vpn servers. We should always expect many outside traffic coming from the vpn server, and configure our firewall accordingly. Most of all, aside from network provider, all my data and authentication are transmitted through my own servers. Don’t get me wrong, I love this zero trust concept, and I am using cloudflare tunnel, which I think exactly the same as what twingate doing, maybe, cmiiw. Which is my daily alternative to my vpn. And in terms of speed, I didn’t notice any differences, definitely depending on usage, whether to ssh or stream jellyfin. So which one you like, controlling access via your own firewall, or zero trust provider’s controller or dashboard or whatever.

Thanks for the demo and info, have a great day

all the issues highlighted with vpn in this video are quite easy to address.

Nice video😊

The 2 device limit put me off this for the home lab.

‘Zero trust’ is marketing BS. It is simply implementing least privilege and re authentication after a period of time. This has been a common and valuable security strategy for a very long time.

But why would you choose to use this service in the first place? I don’t get what it solves or even offers that isn’t there already, but with a proven track record.

Make video on elastic search deployment on kubernetes

Yeah, this is just simply a bad video. Instead of bashing VPN's, you should advertise it as a cool alternative. This should avoid most controversy that you're seeing now in the comments.

I did this deployment for about 5-6m ago. Working perfect for me.

Has anyone tried to use the alias instead of the IP? I can't get it to work and I can't understand why.

Hey, there's a video on my 24 min AD, what's up with that?

Cloud shall NOT touch my data.

anyone can use custom dns - pihole as DNS filter? I tried that is not work. going back tailscale

Skynet was the name of my wifi since I was living with my parents. 🤣

I know it's a sponsored video so I won't complain, but no way I would use something like that.

so basically its worst zerotiier/tailscale

So is it just another Tailscale/Headscale?

It is secure alternative to VPNs. These days I am looking for VPNs that are undetectable by websites. I am trying to earn from microtasks but that is region specific and VPNs don't work. Can you suggest a solution?

I would *never* ditch VPNs for important services on my server. Corporations can beg me for my money some more. Thanks, but no thanks.

Yeah, no thank you. I roll my own solution that i have full control over. Outsourcing your security is not my thing, but nice that you get some ad money

Hi Christian, This is unrelated with the video, but as I know you self-host docker applications in your homelab, I would like to know how you deal with sqlite and multiple replicas. I followed your video about storage in Kubernetes and I am having issues with the database. Thanks.

Great and thanks.

Unless im missing something or this was baked in after the fact....it clealry days "Advertisement" top right 🤷‍♂️🤷‍♂️🤷‍♂️

PAYWALL....So I Zero Trust IT...

Wir nutzen Zscaler. Aus Anwender Sicht, welcher produktiv arbeiten soll, ziemlich lästig und kontraproduktiv…. 👎🏻

i think it look like tailscale

We are so worried about security and so bored managing VPN... So, we are outsourcing whole corporate entrance gates to some ... company because ... it's based in US 😂 Please get back that old level of quality to your videos. I'm really missing it.

Maybe test netmaker or netbird

Headscale, folks.

Please go read Project Zero Trust by George Finney.

What is the proper ways to secure tokens in the production? How do you not store them in clear text? I mean in the compose we can use environment variables defined in the .env file, but again, variables in .env are stored in clear text. Security in this way is acheaved by who exactly can read .env file. What is better solution? How to encrypt them and decrypt on the fly? You have to put description key somewhere. Thank you for all the help and hints I'll receive on this question.

Oh, looks just like Tailscale. A fork?

Yes, give a company access to your LAN. What could go wrong.

im curious how you come to the conclusion that "VPN is no longer secure"

I dont get it :/ is the data between the connector and client encrypted? how will the firewall work with encrypted data?

My question is: as the admin to all the internal services, I would need access to virtually everything. So with a giant winner-takes all account, how are these more secure from an account hijack? Assuming the bad actor meets the basic security requirements and gained access to my account managing my homelab, how am I safer?

I would have not promoted this. Thanks for the efforts!

What a shame!

Dont mind the ads because he is showing us tools that can be used in IT/homelab. It would be different if he was showing something unrelated.

Not sure why all the negativity. This video is great and Twingate is awesome

This is just a tunnel....

Great video :)

Mr Lempa, this is bad and you know it...

dude, you've, pretty much, said that they are trustworthy because their website says they are trustworthy...

Start Zero Trust by Trusting a new Company to do my job for me sounds a bit counterintuitiv. 😂

This is part of subscription hell. The fact that it's an American company, makes it even worse.

Sorry but this twingate ad annoys me hard.

Yikes

this is good stuff. i’m interested in implementing this in my homelab environment. do you know what the upload limitations are for the free version? i want to use this as a proxy to my nextcloud instance.

Unsubscribed

I'm going to give Christian the benefit of the doubt on this advertising video. The vast majority of his content is engaging and helpful. This one is an anomaly, as its clearly not a balanced perspective on this tech. Its just a paid ad. I look forward to future, unbiased content.

How is this "Zero Trust" when the big gaping security hole is that you have to trust Twingate? Security has to be open source. Access cannot be controlled by an entity interested monetary gain. This is my litmus test. Twingate fails.