"Stop using VPN and instead embrace this corporate commercial solution where you depend on third party infastructure." should be the title of this video. Let's be hones, this is advertisement, for commercial product, there is nothing wrong with VPNs.

While I can appreciate the tech, for me, it seems like opting to use a third party service over a self managed VPN connection is just not better. It opens up another attack vector that you have no control over. You have to trust that the third party service, Twingate in this case, never makes a mistake. Hell, they don't even have to make a mistake, they just have to become a juicy enough target to be attacked by a good enough adversary and you become collateral damage. From a self hosting perspective one of the largest motivations to do it, aside from learning, was to stop depending on third party services because of how often they become compromised, or accidentally leak your data. VPN isn't a perfect solution of course, but routing all your access through a third party is not better, just different. I realize this is an advertisement but even still compared to your other sponsored videos this felt more like an empty marketing pitch than a video about cool technology.

I understand this is a sponsored video. I think the general audience will appreciate a follow up video comparing all the various solutions out there, such as zerotier, Tailscale, tinc, and why would you choose one over the other.

If twingate went completely open source with their client and control server, they would have an edge over something like tailscale. Twingate ACL's seem better than tailscale though. Tailscale at least keeps their client 100% open-source, which allows alternative control servers to be developed (such as headscale, which has contributions from tailscale developers who contributed on their own time).

I might be talking to a wall but whatever, and who asked? but... 4 out of the 5 latest videos have been just full video ads. I can't take any of the information provided at face value or serious in these case. especially since you try to educate in then. unsubbed for now. but I do appreciate the transparency.

I understand why people are upset about the title and throwing shade at VPNs. But, you clearly stated that this was a sponsored video at the beginning. Honestly, if your goal is to start a career in IT, this is exactly the kind of product to start getting familiar with in your homelab environment. There are ways to secure a VPN without 3rd party services, but this is so much more convenient and easy.

I wouldn't dream of using another third party to carry all my most sensitive traffic. Advanced access control is good, but not like that in my opinion.

So ZTNA is basically a VPN, but with all the hard work already done for you (dynamic dns, vpn server, firewall/nat rules) and the added ability to have security policies and policy enforcement. Authentication (strong password, certificates, 2FA) and authorization (firewall rules allow you to minimize what a VPN client has access to) are already there with VPN. ZTNA is something that sounds really nice for a corporate environment where users and resources are constantly changing. For a home lab or home network however, most users and services are pretty static, and having to trust and maintain the ZTNA service is just not worth it for me.

Non-opensource is such a big turnoff though..

It is ADs?

I’m fine with this being sponsored. I can easily digest this valuable information and decide for myself what to use. Thanks for the info. Some people don’t think you should be able to eat.

The whole goal to get more secure is to actually minimize the use of 3rd party solutions where you have no real control how your data is being handled or monitored. In this case a self-hosted VPN solution would be much more secure, even if it involves opening up a firewall port for it. You know better, Christian. This pure advertisement hurt your image more than you'd like.

I use tailscale combined with tailnet lock and headscale, everything local and secure enough!

Twingate Controller "provided on their servers" - no thank you.

Hi Chris, Good video en some good explanation. I’m not going to use it though, I don’t want vpn going through third party networks. Also reconsider your advertisements. Some videos ago you explained why not to use cloudflare tunneling, and here we are talking about vpn trough third party networks. Just advertise something you really stand for :-) Don’t get me wrong though, just a tip :-)

@christianlempa: I absolutely share your definition of Zero Trust (07:46), unfortunately most people don't really understand it, as you can see from many of the comments.

VPN is better. You're in control.

A properly configured VPN implementation will have VPN clients come into a "Grey Zone" subnet, and then firewalls between the Grey Zone, and the Internal resources. Firewalls are not just for the Edges of the network. At my day-job we have probably around 100 Firewalls throughout our Corporate Network. Also between the Corporate, and High Security networks have different brand Firewalls.

@christianlempa - Perhaps you can provide an overview of your infrastructure setup? Simply picking 'frontend' in your case doesn't give much info (i.e. is this a renamed docker_default, or other custom). Can this talk to the main network? What about VLANs? In addition, how different is this to Cloudflare solution you warned about previously?

Zerotrust is the way to go. VPNs provide no protection to your network once a bad actor gets on an end-user's system who is connected to your VPN. Ask me how I know 😞 Great video .. regardless if it is a sponsored video or not

The whole video has a watermark 'advertisement'. I'm skipping this one.

Hi Christian, for corporate environment and their employee user/devices this solution seems to provide nice features. But I see issues in other when service owner and user/device are not in such relation. I think you fall short to explain some details, from my point of view: - What about clients from coporation networks with equal high security structures? - Any user/client device needs to install the Twingate software as it seems to get access? - What are the requirements for the the clients at all? - Is a connection without the twingate agent possible? I am with you regarding the "least privilege principle" approach. And a session MFA authentication would allow me to verify the person, but to press a person to give up the freedom of device choice , I don´t see.

How does it compare to Teleport? Would like to see a video on these two: Teleport vs. Twingate.

I can not believe, that this is your opinion. You put a third party trojan in your network and explain it like the best thing ever. Did you watch this video yourself before publishing it? 😢

That's so nice!! Thank you for sharing. I don't understand the complaint about Ads videos once they still bring value to the public. Sincerely, people are focus on bad things only.

What's the diference with cloudflare Zero trust? You have a video about the security issue of this service. Thanks for your videos.

Thanks for the demo and info, have a great day

Thanks for info. Pretty cool concept.

Hi Christian, even if you can't host it yourself, it offers some very good and important approaches towards Zero Trust! Used correctly (at least 2 docker containers - as lxc and distributed across 2 of 3 Proxmox nodes, in a DMZ with dedicated firewall rules towards LAN networks and the Internet) this is a really good and secure solution for accessing services in your own area access homelab. Thank you for your time and this video 🙂

I am only 4:26 into the video, but I am going to assume this is like Hamachi, Zerotier, and TailScale. While there are certain situations where I have used all 3 previously mentioned, and still use TailScale, those services are not replacements for dedicated site-to-site business VPNs.

twingate client works behind CGNAT without using static IP from sim-provider?😮

Tailscale vs Twingate. What should I use in 2023?

At home I use the Sophos Firewall's openVPN server. I like to think that because it's enterprise-level that it is secure. If you use a long random password, keep the opvn import file safe, and ditch the auto-created firewall rule at the top that allows the VPN users to access everything, you can create a rule that only allows the VPN users to access only hosts/IPs on your network that you allow. This is how it has been done for years. In the video he states that VPN is not secure. Did something drastically change that makes it not secure anymore or this belief just fear mongering by these cloud providers?

Im reallly confused ..... Is this a sponsored video?!? If yes, why doesnt it say so? I only says Advertisment, but thats to vague. Can we be a little more transparent with the viewership?

sure, rely on a third party to route your traffic can you elaborate why vpn is not secure? this looks like advertising

chris very good video thanks! i have a question i have a cgnat and i have my wordpress landing pages and many of my services exposed on the internet and for that i use a vps in linode with a wireguard and a nginx so; with this twingate i could expose my landing pages and services without using the vps nor wireguar nor nginx anymore?

This is an ads channel now 😂

Hi Chris, can Twingate be implemented onto pfsense firewall network? Thank you.

i pass think my selfhosted vpn is pretty safe

Seams awsome, but sadly like so many other services the client for Linux is something that seams to have been put together by an intern during a 30 minute break. It's always the same. Either a Linux client is missing or it may as well be. VPN may be an old way of doing this, but at least it has wide and tested platform support.

@ALL: Self-hosting is a trend on a private level. Companies are now moving more than ever to the cloud and are therefore dependent on other companies (see Microsoft). Personally, I'm also a fan of hosting as many services as possible myself, but solutions like those from TG or CF are no less secure - on the contrary. The “big” companies in particular are in the spotlight and can least afford security breaches or poorly programmed security solutions. As far as these approaches are concerned, I believe that this solution is currently at the forefront when it comes to security and integrity.

The main issue for me here is the words "Stop using VPN" in this ad supported video. Do you really believe that? You make viewers doubt if your advice is sincere or not. Which will hurt all of your other videos as well. No it is not better/more secure than a self hosted open source VPN, just different.

Nice video😊

It would be good if there is a demo show how to set up a DNS name, instead of ip address.

Great and thanks.

What is the benefit of Twingate vs Tailsclae or Perimeter81 which using WireGuard Connection?

What is the proper ways to secure tokens in the production? How do you not store them in clear text? I mean in the compose we can use environment variables defined in the .env file, but again, variables in .env are stored in clear text. Security in this way is acheaved by who exactly can read .env file. What is better solution? How to encrypt them and decrypt on the fly? You have to put description key somewhere. Thank you for all the help and hints I'll receive on this question.

I have a different opinion regarding vpn not secure, especialIy in what u said about ‘client is trusted as part of intranet’. I think vpn is only as secure as how we secure our vpn servers. We should always expect many outside traffic coming from the vpn server, and configure our firewall accordingly. Most of all, aside from network provider, all my data and authentication are transmitted through my own servers. Don’t get me wrong, I love this zero trust concept, and I am using cloudflare tunnel, which I think exactly the same as what twingate doing, maybe, cmiiw. Which is my daily alternative to my vpn. And in terms of speed, I didn’t notice any differences, definitely depending on usage, whether to ssh or stream jellyfin. So which one you like, controlling access via your own firewall, or zero trust provider’s controller or dashboard or whatever.

With a VPN the client does not get access to all internal resources. You can configure so only a subnet or specific servers are accessible!

My main problem with this product is that their android/iOS apps suck. I'll have to sign in every time I disconnect. With tailscale, it is a click away to toggle on/off. Very annoying!

im curious how you come to the conclusion that "VPN is no longer secure"

It sounds like this is a tool used for correcting issues caused only by verrrrryyyy poorly deployed VPNs and poorly configured firewalls... too much reliance on external servers, closed source, etc...'zero trust' just means 'trust us/our servers with all your data throughput' in this case. same issue with tailscale

Can you recommend a more zero configuration solution like twingate for normal people like myself who don't understand all the programming/Linux/docker garbage please?

But why would you choose to use this service in the first place? I don’t get what it solves or even offers that isn’t there already, but with a proven track record.

The 2 device limit put me off this for the home lab.

Hey, there's a video on my 24 min AD, what's up with that?

So this is really to hide from ISP but to access remote devices securely? I couldn't access sites from my mobile phone I blocked in my ISP's network but I could on desktop. What gives?

Why not use zerotier,,,,,,,,,,,,,,, if not using wireguard ???

Yea its a dislike from me. A bit disappointed too.

what about exit points? can twingate help me avoid geoblockings that Tailscale solves?

We understand that ads are okay but please keep the good work on home lab / open source / learning / diy / fun. I have the feeling that this channel is drifting. Hope I am wrong.. and sorry if this was rude to say..

It is secure alternative to VPNs. These days I am looking for VPNs that are undetectable by websites. I am trying to earn from microtasks but that is region specific and VPNs don't work. Can you suggest a solution?

If it's not free and open-source, then it's a waste of everyone's time. I'm happy to pay for bandwidth and hardware, but I will never trust a company with protecting my data.

I did this deployment for about 5-6m ago. Working perfect for me.

all the issues highlighted with vpn in this video are quite easy to address.

This is within some of the worst videos on this channel. Explaining that using a third party server is more secure than your own VPN. Come on. It took me a few minutes to recognize that this whole video is an ad. This happened a few times now with these videos. I'll give you a last chance because mostly I like your channel, but if this is the way it'll be going in the future then I'm gone.

Make video on elastic search deployment on kubernetes

Hi Christian, This is unrelated with the video, but as I know you self-host docker applications in your homelab, I would like to know how you deal with sqlite and multiple replicas. I followed your video about storage in Kubernetes and I am having issues with the database. Thanks.

So is it just another Tailscale/Headscale?

Bro, you lost me at minute 15:50... Where did the linux come in ? Im on gaddam windows. Also what is vs code? Is It compatible with windows?

‘Zero trust’ is marketing BS. It is simply implementing least privilege and re authentication after a period of time. This has been a common and valuable security strategy for a very long time.

Has anyone tried to use the alias instead of the IP? I can't get it to work and I can't understand why.

not a good way to sponsor! I liked the clouflare tunneling considerations and the basic criticism that should permeate everything in IT. So the balance about risk/benefit should be our thought, not the title of your video! You should never say stop using vpn. Openvpn is a 21year old protocol full audited with with also hardened versions and widely used worldwide. Is just secure as should be. So, talk about the main point. What is more zero trusted? A self hosted opensource service with user in full control, or a corporate service with closed source software running inside your house? you cannot deleted this comment.

Hey Christian, what is better in your opinion: Twingate or Tailscale?

I know it's a sponsored video so I won't complain, but no way I would use something like that.

Skynet was the name of my wifi since I was living with my parents. 🤣

anyone can use custom dns - pihole as DNS filter? I tried that is not work. going back tailscale

this is good stuff. i’m interested in implementing this in my homelab environment. do you know what the upload limitations are for the free version? i want to use this as a proxy to my nextcloud instance.

"Client is trusted as part of the internal network" No they are not Plenty of classic VPNs have rules to allow specific users or user groups access to only the IPs and ports you specify, AND can enforce rules like active firewalls, valid device certificates etc. The whole Zero Trust bs is confusing because it talks about classic VPN in a way that is often simply not true.

Yeah, no thank you. I roll my own solution that i have full control over. Outsourcing your security is not my thing, but nice that you get some ad money

I would have not promoted this. Thanks for the efforts!

Not sure why all the negativity. This video is great and Twingate is awesome

Great video :)

Cloud shall NOT touch my data.

Maybe test netmaker or netbird

so basically its worst zerotiier/tailscale

Please go read Project Zero Trust by George Finney.

Yes, give a company access to your LAN. What could go wrong.

I would *never* ditch VPNs for important services on my server. Corporations can beg me for my money some more. Thanks, but no thanks.

Wir nutzen Zscaler. Aus Anwender Sicht, welcher produktiv arbeiten soll, ziemlich lästig und kontraproduktiv…. 👎🏻

We are so worried about security and so bored managing VPN... So, we are outsourcing whole corporate entrance gates to some ... company because ... it's based in US 😂 Please get back that old level of quality to your videos. I'm really missing it.

PAYWALL....So I Zero Trust IT...

My question is: as the admin to all the internal services, I would need access to virtually everything. So with a giant winner-takes all account, how are these more secure from an account hijack? Assuming the bad actor meets the basic security requirements and gained access to my account managing my homelab, how am I safer?

Dont mind the ads because he is showing us tools that can be used in IT/homelab. It would be different if he was showing something unrelated.

Headscale, folks.

Unless im missing something or this was baked in after the fact....it clealry days "Advertisement" top right 🤷‍♂️🤷‍♂️🤷‍♂️

I dont get it :/ is the data between the connector and client encrypted? how will the firewall work with encrypted data?

Oh, looks just like Tailscale. A fork?

i think it look like tailscale

Get shrekt rekt wreckt