Which is Better: Overlay Networks or Traditional VPN?

98,463 views

Lawrence Systems


lawrence.video/pfsense
pfsense TailScale
• How to Setup The Tails...
Headscale Tutorial
• Tutorial: Using Tailsc...
Nebula Tutorial
• Nebula, the open sourc...
How NAT Traversal Works
tailscale.com/blog/how-nat-tr...
How NAT Tailscale Works
tailscale.com/blog/how-tailsc...
My Cloudflare Tunnels Video
• Using Cloudflare Tunne...
Crosstalk Solutions Cloudflare Video
• You Need to Learn This...
DBTech Cloudflare
• Cloudflare Tunnels: Ge...
⏱️ Time Stamps ⏱️
00:00 Overlay VPN Tailscale Headscale ZeroTier Nebula
01:48 Traditional VPN
03:29 How Overlay VPNs work
06:30 pfsense with TailScale
07:31 Headscale
07:57 Overlay Security
08:36 Cloudflare Tunnels

Comments: 158
@olivierlambert4101 a year ago
I really like the fact you are always thinking about the risks on relying on 3rd party/big cloud players, I also share that vision which is not common enough sadly. Kudos for getting entirely the initial meaning/purpose of Internet, which is not meant to be centralized to a handful big entities.
@LAWRENCESYSTEMS a year ago
Thank you
@woswasdenni1914 8 months ago
One of those risks people never think about is no support whatsoever. These entities are now so big that you rely on the pure hope it will be fixed if it's broken. Just spent 3 nights with Microsoft highest tier support until I got someone to fix a trivial license issue on Microsoft's end that blocked all Exchange services for the entire tenant with several hundred users
@nonkelsue a year ago
Very informative! Love to see how someone like you is on top of all this and keeps us informed of what is out there, the advantages and disadvantages, the pros and cons, the pitfalls etc. This allows us to make an informed choice. Thanks Tom for your time and effort in producing videos like this. Truly appreciated!
@speedup070605 a year ago
Thank you for this video. Love watching this because it explains the difference/similarity between vpn and overlay. Again thank you for the layman's term explanation.
@aliaghil1 a year ago
Great video as always, definitely that's not a VPN killer, I would never rely on a third party for access into my own network.
@MonsieurHolmes 7 days ago
Then install your own coordination server with Headscale :)
@dougp1856 a year ago
Thanks for this video, answered a question I had about the differences between VPN's and Cloud Flare Tunnel
@Ghost_n_Denver a year ago
Long time subscriber here... Love your content! Looked at Cloudflare Tunnels. They are cool, but I really didn't like being dependent on their network to access my network. Plus, I kind of felt like I was giving them access to view my private network if they wanted to. 😅 Anyway, keep up the good work, sir. Your opinion and POV are valuable to us all.
@Weirlive a year ago
happy to see a video on this topic esp after the recent Network Chuck video
@jensplsnkwn8152 a year ago
I am always enthusiastic about your videos because they briefly describe the most important contexts. I have heard about the new technique and unfortunately have not yet understood what the advantages are supposed to be. It just looks like a legal man in the middle attack.
@lordgarth1 a year ago
Used to use hamachi until it was bought out but tailscale is now my go to. It just works and works well.
@andrewjohnston359 a year ago
About 7 or 8 years ago I worked around the issue of having simple to setup VPN access or clients behind CG-NAT/dynamic ip addresses by implementing pritunl on my own AWS server. This works as an oVPN/Wireguard broker, and all the connections from routers/servers etc are coming from behind the firewall meaning no need for a static ip and works behind NAT. The other great thing is it has a centralised portal to manage all connections, organisations, and client certs/configs + monitoring the connections + it's open source and self hosted. Pritunl is barely (ever?) mentioned in all of LS vpn videos but in my opinion is one of the best pieces of software out there for this kind of thing. I will concede it does tunnel any traffic destined for the remote network through the server (it obviously supports split DNS/public routes through local gateway etc) - but that has never really caused any issues for our clients in terms of speed or latency. The other plus is they have a wizard for edgerouters which makes the setup for our techs a couple of clicks - and likewise for our customers, they can deploy the software client/profile and cert themselves with a couple of clicks.
@BrianPhillipsSKS a year ago
I use Wireguard for security and not relying on a third party. It was strange that as soon as Tailscale popped up it seemed like a huge number of homelab enthusiasts jumped in the bandwagon. Especially people that generally highly regard security and self hosting
@bivensrk a year ago
So, you're saying that Tailscale != security?
@tehsimo 9 months ago
we're fed up dealing with annoying VPN configuration UIs in hardware
@HSF-ec2bp 9 months ago
@@bivensrk Tailscale/Headscale != actually functional OpenVPN/Wireguard, few lines in iptables, can actually be controlled with firewalls and security. Tailscale, its routing rules interfere with every well known security solution in existence. No, I'm not migrating my perfectly functioning iptable rules to deal with Tailscale lack of motivation to either use kernel wireguard or using the TUN/TAP driver to supplement the user-land Wireguard. Other solutions could deal with this - NetMaker, Firezone, etc. - why not Tailscale?
@nicholastoo858 7 months ago
I also don’t know why introduce 3rd parties
@tobiaskleimann6361 a year ago
I use tailscale since some month ago for connect two synology storage systems with hyperbackup. Not the fastest way, but works really nice for me. I can place my offsite backup where ever I want without care about vpn connection or forwarding ports.
@heshamkhalil2215 a year ago
As always objective & unbiased. Thanks
@PowerUsr1 a year ago
One of the biggest issues i find with mesh vpn tech from Tailscale or ZT is access rules. I’m a bit more familiar with TS but controlling what client can access just sucks using TS access rules. Documentation isn’t great and writing it out in JSON is impractical if you are an unfamiliar engineer. So then you’re left with permit any any rules. The tech is great but access controls suck. At this point legacy VPNs are just better supported when it comes to access controls
@chrisumali9841 a year ago
Thanks for the demo and info, have a great day
@droknron a year ago
I've been using ZeroTier for a few years now (I was introduced to it through one of your videos in fact!). I think one thing you should have added to this video though is performance. Wireguard and OpenVPN point-to-point are a lot faster than ZeroTier and TailScale. We're talking 50Mb vs 350Mb. So for anyone considering this just know it's not the fastest but these systems (TailScale and ZeroTier) are super easy and very reliable.
@GrishTech a year ago
That’s a bit subjective. It all depends on whether or not zerotier or Tailscale peers can establish a direct tunnel to each other and if the peer is running in userspace or in the kernel. For example, Tailscale on windows runs in userspace, but on Linux, it can use the kernel drivers for wireguard. For example, two Linux hosts can communicate gigabits per second to each other, but to a windows host, maybe not so fast. Same thing applies for zerotier. Depends on the host and install.
@droknron a year ago
@@GrishTech Thank you for the clarification David. I wasn't aware of this and only saw poor performance compared with native Wireguard and OpenVPN (I am testing only on Windows).
@zadekeys2194 9 months ago
@@droknron Tailscale is meant to only be a control plane for wireguard, based on wireguard-go. Perhaps the out of the box TS config needed tweaking to get better speeds?
@TheCrazyCanuck420 a year ago
This video saved me hours of Google searches, thanks!!!
@tomstechnews a year ago
Great explanations! Thank you Tom !
@cyucel2241 8 months ago
Thanks for the good video. Initially, you suggested that you compare all three, but this wasn't included. Such a video would be fantastic. Especially interested to understand if Nebula is less prone to the controller (lighthouse) being compromised as the connectivity relies on certificates created outside the lighthouse and I am wondering if this would stop a compromised controller from adding a rogue node.
@richardw38fly a year ago
I'm behind Starlink's CG-NAT so my remote access options are limited. I would love to work out how to use a service like Cloudflare's secure tunnel on my pfsense external interface, so I can then use OpenVPN through the Cloudflare tunnel.
@SomeGuyWatchingYoutube a year ago
I've used all of your videos to build a pfSense for gaming. It uses a Ryzen 3 1300X and can route a Gigabit with NordVPN over multiple trunks. I have trunked, seemingly secure networks, with NordVPN, using traffic limiters for A+ bufferbloat gaming behind an AT&T fiber BGW-320. Thanks for the awesome guides. I can't seem to get it to work right using multiple NICs for WAN (using different IP addresses from my block), and split the DNS correctly between the WAN and VPN with policy routing. The NordVPN always has to go through the primary gateway which can break easily when I am using Squid Proxy for my non-VPN subnets. I bought a set of Static IPv4 addresses for my multiple NICs, but I need to run the second NIC via a public DHCP request to my AT&T GPON router, as pfSense won't let me have multiple WANs on the same subnet using my single gateway. Do I need to use IP aliases to set up multiple WANs on a single gateway? Do I need another pfSense to have another WAN giving me internet access?
@SomeGuyWatchingYoutube a year ago
Also, my AT&T router gives me /64 blocks of IPv6. Are these okay to assign in conjunction to my Static Block to my pfSense? I don't understand how to route the IPv6 while hiding my DNS from this primary AT&T router. Should I use SLAAC or IPv4 over IPv6? Do I need to use DNS64? Do you have any videos explaining the differences between SLAAC, 6rd Tunnels, 6 to 4 tunnels or the likes? I am kind of new to all of this. Been tuning everything for a year now. The last time I had experience with custom routers it was 10 years ago using DD-WRT. Random thought: SynProxy is a pretty cool feature imo and might be easier to set up than Squid. It helps some of my videogames lag less when servers cannot connect to my console directly.
@notreallyme425 4 months ago
I just setup Tailscale and made a route to my home network. Wow, that was easy and I’m wondering why I didn’t do this a long time ago. Routes just the traffic I want to my services back home, while the rest of my traffic goes directly to the internet. I could also route all my traffic back through my home connection if I wanted to.
@keyboard_g a year ago
Tailscale has really nailed the ease of setup.
@LAWRENCESYSTEMS a year ago
They have a solid product for sure.
@itsmith32 9 months ago
Yes, while Headscale made it yours and secure
@castigo1986 a year ago
Thanks for this interesting video! I wonder, would IP6 change anything in this setup or generally in an openvpn, given that there would be no Nat?
@raffiihzazuhairnawan2091 a year ago
Tailscale works great for me. It's free, easy to use, and supports ephemeral mode that deletes the instance when not active and adds again when active. It runs super well with PaaS that are bound to restart their containers every now and then.
@TotemTed a year ago
Any chance you could do a follow up video with performance metrics? Such as throughput of wireguard vpn vs tailscale, etc.
@kevinhughes9801 a year ago
Great stuff useful thanks. So is twingate classed as overlay networks too?
@bltavares a year ago
Zerotier has the NDP emulation for their 6PLANE addresses which is amazingly well fitted for Docker container addresses. I haven't found anything similar on top of Wireguard to make me switch
@npgoalkeeper a year ago
I’m quite excited for zerotier 2.0, rewritten in rust! Hopefully they keep LF for self hosting root servers, improve performance a bit, and include DNS by default.
@itsmith32 9 months ago
Tried ZT a little, but when I've found that I cannot use my exit node behind home router I have stopped trying.
@liam2161 a year ago
I use cloudflared ZT. I like that I can integrate that with Azure conditional access. No client required for web applications or ssh can be done via browser. Warp client can then handle other ports etc. It's free for small teams and I got 5 YubiKeys for setting up the free tier at a ridiculously reduced price, think they were £10 each.
@mhwachter833 a year ago
You pointed out the biggest problem with services like tailscale and twingate, entrusting your network access to a third party. No thanks. Glad to know there's a self hosted option though, I’d love to see a more in depth video on that!
@cityhunter2501 a year ago
Agree, I still want to give twingate a try (which is basically a form of proxy) so that I don't need to have any open ports on my router but then I would be relying on twingate servers to stay up all the time. Even if I were to go headscale and host it somewhere, then I still need to make sure that it is locked down and another possible point of failure.
@itsmith32 9 months ago
You better try rather watching videos.
@djstraussp a year ago
For me, The only benefit of using TS or ZT Overlay Network with its Coordination Servers is when your ISP doesn't provide a Public IP you can route or Nat. Both ON are Great BTW.
@mabs-O_o 3 months ago
I like the managed routes feature on zerotier, then i just deploy zerotier on my routers and voila, remote devices with the zerotier one have all the routes, and devices connecting through my routers are able to reach the overlay or remote networks.
@eduardonobrega77 a year ago
What happens if a notebook with the Tailscale installed, that is usually outside, is in the company internal network? Which network it will use? The internal gave by DHCP server or the one Tailscale creates? Is there a way to block tailscale if the computer is in the company to ensure that there is no problem with the Active Directory (kerberos, name resolution) for example? - Thanks for the video
@XSpImmaLion a year ago
ROFL, I was also going to ask if Lawrence tested or tried Twingate, but it seems this is a very tight knit community... and I do agree with his position that it's not an open source solution. Not quite there yet but I am in the process of building a TrueNAS Scale from an old PC here, and looking up how exactly I'm going to open this up to the void... :P Might go for Tailscale or Headscale then...
@BoraHorzaGobuchul 5 months ago
Would love to learn what's the status on yggdrasil now. Is it usable, or not? How does it compare with these solutions?
@ChristerJohansson a year ago
Isn't this just a patch for poor network segmentation on the target site. Which is the result of not doing/planning a risk based / information security / availability based network architecture...?
@rallisf1 a year ago
I've been using netmaker to run both simple and overlay VPN networks. Should I consider headscale for any reason?
@dannythomas7902 9 months ago
In Aus they are calling them SD-wan basically overlay network vpn as u said. I was asked in an interview about it I said no big deal just site to site can you ping it after setup or not
@tw3145wallenstein a year ago
Another note some of the commands for headscale have been updated as well I believe it was to parody Tailscale terms
@davidg4512 a year ago
Well. This went viral. Good performing video.
@akcesoriumpc6421 a year ago
I'm using open vpn and don't need to rely on "coordination servers" or need "help" from others to send my data.
@jasonluong3862 a year ago
Ubiquiti just updated the firmware for its UDR which includes enhancement for its Teleport VPN. Can you do a video on this improvement (if any)?
@azrehman1 a year ago
excellent information as always! please make a video on Twingate also
@LAWRENCESYSTEMS a year ago
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@michaelattisy4520 a year ago
Was my first thought, what about the reliability of the third party? I honestly don't see the point to take that risk. Thx Tom for sharing.
@nymnicholas a year ago
I only use Wireguard on Linux server (Pi400B with Quad9 DNS) under a 1 Gbps Dynamic line for my use case, as my users are under 10 to 15 per concurrent time. As Server's htop reports about 140 to 145 Mb at idle, with an increase of about 5 to 10 Mb per user load, it's running fine for small office for the last 1 year. And, it's Not on a Static public IP. Peace :-)
@Netz0 9 months ago
I see them as different purposes. An overlay VPN for unattended devices that always needs to be connected like servers, routers, etc. A traditional VPN requires user interaction, as such an Overlay VPN is a device connected network and a traditional agent VPN is a user connected network. Some people might not want to be always connected or might want to connect to a different corporate or business network or switch depending on the type of work required, which means a traditional VPN is not going away.
@rrtech6793 a year ago
Great! VPN isn't dead! Public Cloud Solutions its exposed like your VPN incoming request too... Its like a big VPN public cloud server make the "gateway" function between the clients... Thank U!
@user-hk3ej4hk7m a year ago
What made me choose zerotier over the other overlay alternatives is that it splits the coordination plane into configuration and routing. A zerotier controller manages authentication and configuration of each node on a network, but it is also a node itself, meaning that it can be behind a Nat and still be able to communicate with each member of the network, sending config updates, adding new nodes, etc. Routing between each node is managed by the zerotier root servers, which are only responsible of connecting nodes together, aiding with UDP hole punching and relaying data if necessary. Having your own controller means that you own your network, every config has to be authorized by your self hosted controller, while still not needing it to have a publicly accessible ip address tied to it. The most a malicious zerotier root could do would be to mess up new connections and maybe listen in on the encrypted connection between each node (it can't decrypt it) when relaying.
@itsmith32 9 months ago
Hmmm... Which of this stuff cannot be accomplished with Headscale?
@user-hk3ej4hk7m 9 months ago
@@itsmith32 my understanding is that if you want to host your own instance of headscale you'll need to have a public IP address to which you can forward ports. This is not always possible due to CG-NAT. With zerotier the routing and network configuration are separate parts. Zerotier inc does the routing (if you want), you host and control your own network, no port forwarding necessary to the controller.
@itsmith32 9 months ago
@@user-hk3ej4hk7m Looks like you can do the same stuff with TS proprietary controller😁 and if you don't want to port forward you can use VPS for hosting.
@user-hk3ej4hk7m 9 months ago
@@itsmith32 I'd rather have my controller hosted on my home, it's not bandwidth intensive and it has control over the whole network. zerotier has that clear separation and that's why I prefer it, others may have other preferences.
@blazetechstuff a year ago
If you are working or have clients in china, you absolutely need/want something like tailscale. I live here and it is the only thing that gets me direct site to site location links(china to china) without the fuss of going through another server.
@allancreationz5625 a year ago
I really think u need to do a video about Twingate, under the hood working, pros & cons! Otherwise thanks for the informative in depth content!!!
@LAWRENCESYSTEMS a year ago
Except Twingate has a lack of details on how their security works VS TailScale being open source and very detailed so I use that.
@Ex_impius a year ago
I saw your comment on my comment on Network Chuck's video. I've used tailscale before and heard of headscale. I figured twingate was a wireguard overlay vpn but it seemed to have a lot more functionality than tailscale. Still, don't like the controller not being self hosted.
@markarca6360 a year ago
The good thing is it enables admins to fine-tune access to specific resources that the users need access.
@rafetjameel4476 a year ago
What do you think about DPN ?
@LawnD4rt a year ago
I think tailscale has the ability to create a subnet router inside the NAT. It was linux only for a while. I think other OSes can do it now also. Not played with it recently.
@itsmith32 9 months ago
Working just great with Headscale and GNU/L
@gjkrisa a year ago
With Tailscale I was not able to traverse the network once connected to the pfsense host from outside. Is there something misconfigured or maybe I was trying to access another machine before I had direct p2p connection. 🤔
@LAWRENCESYSTEMS a year ago
Possibly rules were missing. kzbin.info/www/bejne/hl7UXmuIa5yChrs
@stefanbehrendsen330 a year ago
You can also self host a zerotier controller. It's somewhat of a pain, though, because the only interface they provide for that is a json api. There is a third party all in one docker image developed by Key Networks with a webserver GUI, but you do have to trust / be able to inspect the source for that software, and hope that it gets patched. You'd still be relying on some of their "root" servers for connections though, so I guess it doesn't entirely solve the issue of trust / control.
@itsmith32 9 months ago
Headscale does it for them😅
@bobvb2351 a year ago
Would very much appreciate updated Headscale setup and use tutorial.
@LAWRENCESYSTEMS a year ago
kzbin.info/www/bejne/Y2rKiYNslsaUr9k
@EuroPC4711 a year ago
Do I see it correct, that Synology‘s QuickConnect is quite the same with synology as coordination server?
@LAWRENCESYSTEMS a year ago
QuickConnect is just a reverse proxy that your Synology connects to to allow access. Much less complicated than a coordination server.
@gatolibero8329 a year ago
If anyone is interested in "Twingate" - last week Network Chuck posted a detailed video. Twingate looks sketchy to me. As Tommy said, it's closed source, and there's very little information about the company or the people behind it, which is also strange.
@welovefootball2026 a year ago
I watched it too but am not jumping in quite yet...
@metal-beard a year ago
Networkchuck does a lot of videos for his sponsors as ads but disguises them as ‘tech tutorials’.
@gatolibero8329 a year ago
@@metal-beard no shame in that game.
@bmp6361 9 months ago
@LAWRENCESYSTEMS I'd be interested to know if you'd tried PBR (policy routing), with pfsense and tailscale where one host or network uses another remote pfsense+tailscale as an exit node?
@LAWRENCESYSTEMS 9 months ago
Not sure I understand the question.
@bmp6361 9 months ago
@@LAWRENCESYSTEMS Lets say you wanted to have a system(s) on Site A exit Site B's internet connection. The rest of the systems(s) on Site A would exit to the local internet ISP.
@LAWRENCESYSTEMS 9 months ago
@@bmp6361 does not sound like a great way to set things up and I am not sure if Tailscale would route that way.
@bmp6361 9 months ago
@@LAWRENCESYSTEMS use case would be appear to be working from one state vs working from another. I think it would be possible via traditional VPN, where gateways are established. Not sure you can set up Tailscale as a gateway. Thought I'd bounce it off of you. Thanks for your time.
@DarkNightSonata a year ago
How about Twingate? Have you had a look at it? Is it similar to tailscale? Thanks for the information
@LAWRENCESYSTEMS a year ago
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@deng.3844 11 months ago
Great content! It would be good to hear your thoughts on Netbird (relatively new alternative to tailscale).
@LAWRENCESYSTEMS 11 months ago
Never used it nothing about it looks so compelling that I would prefer it over existing solutions I have used.
@anthonymudge9768 a year ago
This does seem to be a sequel to the proprietary Hamachi VPN. I would call it a scalable VPN, as it's much easier to set up and deploy I'd assume.
@DannyBazarte a year ago
Hamachi was the best for the short time before it was acquired by LogMeIn.
@genovo 9 months ago
Question: are they a VLAN killer?
@bjarnenilsson80 a year ago
Or go for ipv6 if available, then you can run your vpn daemon on a host on the inside your network and you avoid the nightmare of cgnat (which unfortunately gets more and more widespread on home internet connections)
@DerekAldridge1 a year ago
Have you looked at Twingate at all? The granularity and redundancy seems to make a pretty resilient solution.
@LAWRENCESYSTEMS a year ago
So does TailScale. Twingate has a lack of details on how their security works VS TailScale being open source and very detailed so I use that.
@trexx_media a year ago
i love twingate .... ease to use and simple ..... runs on my docker .... loving it . killers of traditional VPNs
@Sama_09 a year ago
Is slack nebula something similar to this ??
@LAWRENCESYSTEMS a year ago
Yes
@grant_HH a year ago
I might be being dumb but how does the overlay network differ from Cloudflare tunnels ?
@LAWRENCESYSTEMS a year ago
Cloudflare tunnel is just a reverse proxy to Cloudflare servers.
@grant_HH a year ago
@@LAWRENCESYSTEMS Thanks. Just watched Network Chuck's overview of setting up twingate before seeing this. On the surface all look similar. Install agent on network configure services in cloud/controller instead of opening ports 😁 One of these is somewhere on my list after getting pfsense setup
@murtadha96 a year ago
What about something like Twingate? I think NetworkChuck recently made a video about it.
@LAWRENCESYSTEMS a year ago
Looks similar to tailscale, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@Darkk6969 a year ago
@@LAWRENCESYSTEMS Same here. I did watch most of Chuck's video about Twingate and was turned off that it's completely closed source and no option to self host the controller. I'm staying with wireguard on pfsense.
@stevenhughes1254 a year ago
Facts are facts
@LackofFaithify a year ago
If you ever remove the problem of trust, you have removed humanity.
@OldePhart a year ago
Cradlepoint is depreciating their overlay this year forcing me to go vpn .
@philipgriffiths5779 a year ago
This boggled my mind. It's a shame they got acquired by Ericsson. I thought their approach was one of the best I had seen, bar OpenZiti, the open source project I work on. But hey, big corps like to kill innovation and only deliver guaranteed returns.
@realms4219 a year ago
Is Headscale hostable in a HA manner?
@GrishTech a year ago
If you use it in a container and thus in Kubernetes, sure. Or you can have it in a vm and use the traditional VM H/A.
@philipgriffiths5779 a year ago
@@GrishTech but can you run more than one controller for graceful takeover if a controller fails? For me, that's the benchmark of HA.
@GrishTech a year ago
@@philipgriffiths5779 I don't believe that's supported.
@insu_na a year ago
I honestly don't really get it. I think tailscale and regular vpns serve different purposes, so tailscale isn't really killing VPNs, just displacing them from areas they were previously used in but didn't really fit
@eointhomaskehoe4977 a year ago
I was trying to setup a vpn for a customer who has a wireless ISP internet connection, we could not get any vpn working as it looks like internet was using CG-Nat. After looking for other options I came across Tom using Zerotier and Tailscale and both worked flawlessly for this setup
@mishasawangwan6652 9 months ago
let me explain: clickbait.
@marianarlt a year ago
As many others point out, I don't see how this would benefit me any more than setting up my VPN server, put it behind a deny all, and whitelist any access the clients need. I hear that it's easier to set up, but it seems there's actually more configuration to be done, not less. There's even an additional controller involved?! No thanks. Also I'm with everyone saying not to outsource my remote access methods to third parties. Like, ever. In all honesty it appears to me that these suites try to be a solution for people who might be uncomfortable with managing their ACLs, even though this might not be accurate. This whole zero trust cloud third party thing seems like the new networking hype I have to learn just to be able to say why I won't use it. Maybe (probably) I'm missing a lot of details, I just started to look into this rabbit hole.
@pavelperina7629 a year ago
I guess cloudflare tunnels are good if you don't want to deal with dynamic DNS via no-ip if you don't have a static IP and renewing let's encrypt certificates and you don't have to change anything if you reconfigure internal network (if you reset router to factory defaults etc). But I'm still using ssh and ssh tunnels for RDP/VNC and i think VPN is better in general. This solution might be useful only if your IP is not accessible at all I guess.
@marianarlt 1 year ago
Hm. Maybe I'm misinterpreting the target audience. Setting up DDNS with the domain provider should be as easy as a click in most situations. Static IPs are common for enterprises. Certificate renewal can easily be automated. The situation you mention could make for a use case I guess, but also seems to be very niche to me. Somebody in the comments is mentioning Zero Trust use with Azure and 2FA, which is more of an actual real use case. I probably have to look into this a little more at some point. The third party thing still bugs me. Kinda the opposite of zero trust... Thanks for commenting!
@walter.casanova 1 year ago
Another option is Netbird.
@DECrainbow100A 1 year ago
Cat6 ! 🤣
@NetBandit70 11 months ago
I'm another step closer to -white- allow lists for everything network related.
@ronbovino 1 year ago
I wish they would cut thru all the buzz words and just call this VPN-NG or 2.0 .... This stuff was done 20 years ago with Cisco VPN Concentrators.
@bradrobbin4281 1 year ago
Funny you mention that, as Cisco is now looking to kill the VPN altogether utilizing their Zero Trust and Duo MFA tools
@tomasztomaszewski9826 1 year ago
Is this coffee mug a bit of a tease?
@LAWRENCESYSTEMS 1 year ago
We do have coffee mugs in our store lawrence.video/swag/
@justincase5272 1 year ago
I seriously wish modern "VPNs" had chosen a different name, as their use and purpose are very different than traditional Virtual Private Networks.
@mjmeans7983 1 year ago
No one should ever trust a cloud coordination server that is not under their direct control unless the third party is subject to strict liability in case of breach. And none are.
@markarca6360 1 year ago
Another option is Twingate, which uses split-tunneling by default! It allows orgs to adopt ZTN (Zero-Trust Networking) by implementing the principle of least access.
@LAWRENCESYSTEMS 1 year ago
Looks similar, never used it, closed source, light on security details so I don't have a lot of desire to test it knowing there are open source solutions out there.
@danielchien7274 1 year ago
VPN can be MITM attack
@Antebios 9 months ago
Overlay looks way too complicated. I'm sticking with my Raspberry Pi & Wireguard. Easy-Peasy, I have full control, and no dependency on a 3rd party.
@moelassus 1 year ago
Hey Tom, what about Twingate? 😉🤣
@javiej 1 year ago
Mesh networks are powerful tools, but security problems arise when they are given to ignorant users. Recently Linus (LTT) made a tutorial in "Tailscale for idiots" style that I think is very wrong. Firewalls exist for a reason, creating unsupervised tunnels for family and friends (and the friends of their friends...) with no supervision and no VLAN isolation, having ignorant users passing links to give access to that streaming service that everybody wants to watch but nobody wants to pay (which is why most of them use it)... that's a delicious cake for hackers: You get one, you get them all.
@Darkk6969 1 year ago
Well for small networks like the home with few users it's not much of an issue. When you get into like 300+ users for corporate / enterprise then it's a completely different beast altogether. For something like Tailscale I did not like the idea of default mesh network for all users. Lazy admins would certainly take this route just to get started without thinking things through like security.
@miltonatgoogle1140 1 year ago
The statement that "overlay networks are VPN killers" is likely an oversimplification and doesn't capture the full nuances of these technologies.
@romangeneral23 2 months ago
Overlay network is a VPN with extra annoying steps
@dezznuzzinyomouth2543 1 year ago
Stealing WiFi... Cough... Excuse me ... Being intrusive on someone else's resource then using a vpn paid in crypto.... Ahhh the good ol war driving days...
@TechySpeaking 1 year ago
First
@danielkingly3673 1 year ago
Your logo is too generic… this channel is amazing
@jsieb 1 year ago
You missed the chance to include Twingate. :D
@LAWRENCESYSTEMS 1 year ago
¯\_(ツ)_/¯
@Mr.Leeroy 1 year ago
Killer is the BS & clickbait universe marker-word.
@xelerated 6 months ago
Tailscale is pure 💩
@limpep 1 year ago
this used to be a respectable channel, shame he's just a paid for shill now
@LAWRENCESYSTEMS 1 year ago
Huh? 🤔 This wasn't sponsored
@perfect.stealth 8 months ago
When you say using Cloudflare means exposing your devices, what do you mean? I use Cloudflare Zero Trust to connect to my office devices on a local network. What is exposed about that? Asking concerned
@LAWRENCESYSTEMS 8 months ago
Are you using cloudflare tunnels?
@rockenOne 1 year ago
I am new to your channel, clearly stole the logo bud, have you got any flack for this?