I just bought a travel router, the Slate 7 (GL-BE3600). I’m looking to create a secure tunnel from the travel router back to my home gateway. I don’t own a static IP address, but I do have a domain name. I plan to set up my Raspberry Pi 5 with WireGuard or Cloudflare to handle the DDNS from my home IP to the domain name. I will be using a VLAN to segment the Raspberry Pi 5 off my home network. Is there a way to only allow authenticated users (the Slate 7) on the domain and block all other traffic?
Ultimately, I want my home connection while traveling, for personal use, and maybe later on I’ll expand this remote connection to a small home lab. How secure is this setup? Any tips and tricks? I’m trying to avoid using Tailscale because I’m interested in learning. Any help/thoughts would be great!
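The setup described in the question, as an added example that is not part of the original post or of any GL.iNet or WireGuard project code: a script for the Raspberry Pi that renders a WireGuard server config accepting exactly one peer, the matching client config to import on the Slate 7 with a DDNS hostname as the endpoint, an nftables ruleset that drops everything except the WireGuard port, and a Cloudflare DDNS refresh. The tunnel subnet, VLAN subnet, interface name, hostname `vpn.example.com`, file paths and the `CF_*` environment variables are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: render a WireGuard server config for the
# Raspberry Pi, the matching client config to import on the Slate 7, and an nftables
# ruleset for the Pi that drops everything except the WireGuard port. Every hostname,
# address, subnet, interface name and environment variable below is an assumption.
set -eu

WG_PORT=51820
WG_NET=10.8.0.0/24            # tunnel subnet (assumed)
SERVER_WG_IP=10.8.0.1
CLIENT_WG_IP=10.8.0.2
VLAN_NET=192.168.50.0/24      # VLAN the Pi sits on (assumed)
LAN_IF=eth0                   # Pi's wired interface (assumed)
DDNS_HOST=vpn.example.com     # DDNS name that tracks the home WAN IP (assumed)

# Server side. Only the peer whose public key is listed gets a reply; packets from any
# other key are dropped by WireGuard before they reach a socket, which is the
# "authenticated users only" property the question asks for.
render_server_conf() {   # $1 = server private key, $2 = client public key
    printf '%s\n' \
        "[Interface]" \
        "Address = ${SERVER_WG_IP}/24" \
        "ListenPort = ${WG_PORT}" \
        "PrivateKey = $1" \
        "" \
        "[Peer]" \
        "# Slate 7 travel router" \
        "PublicKey = $2" \
        "AllowedIPs = ${CLIENT_WG_IP}/32"
}

# Client side. Endpoint is a hostname: wg-quick resolves it when the tunnel comes up,
# so a DDNS record is enough and no static IP is needed.
render_client_conf() {   # $1 = client private key, $2 = server public key
    printf '%s\n' \
        "[Interface]" \
        "Address = ${CLIENT_WG_IP}/32" \
        "PrivateKey = $1" \
        "" \
        "[Peer]" \
        "PublicKey = $2" \
        "Endpoint = ${DDNS_HOST}:${WG_PORT}" \
        "AllowedIPs = 0.0.0.0/0" \
        "PersistentKeepalive = 25"
}

# Host firewall for the Pi: default drop, accept only the WireGuard port from the
# internet, SSH only from the tunnel or the Pi's own VLAN, and forward tunnel traffic
# out to the home side (sysctl net.ipv4.ip_forward=1 is still required).
render_nft_rules() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        udp dport ${WG_PORT} accept
        iifname "wg0" tcp dport 22 accept
        ip saddr ${VLAN_NET} tcp dport 22 accept
        ip protocol icmp accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "wg0" oifname "${LAN_IF}" accept
    }
}
table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr ${WG_NET} oifname "${LAN_IF}" masquerade
    }
}
EOF
}

# DDNS refresh using Cloudflare's DNS record API (needs network; not run by default).
# CF_ZONE_ID, CF_RECORD_ID and CF_API_TOKEN are assumed environment variables.
ddns_update() {
    ip=$(curl -fsS https://1.1.1.1/cdn-cgi/trace | sed -n 's/^ip=//p')
    curl -fsS -X PATCH \
        "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${CF_RECORD_ID}" \
        -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" \
        --data "{\"content\":\"${ip}\"}"
}

case "${1:-}" in
    --apply)   # generate keys and write the files; run as root on the Pi
        command -v wg >/dev/null || { echo "install wireguard-tools first" >&2; exit 1; }
        umask 077
        server_priv=$(wg genkey); server_pub=$(printf '%s' "$server_priv" | wg pubkey)
        client_priv=$(wg genkey); client_pub=$(printf '%s' "$client_priv" | wg pubkey)
        render_server_conf "$server_priv" "$client_pub" > /etc/wireguard/wg0.conf
        render_client_conf "$client_priv" "$server_pub" > ./slate7.conf
        render_nft_rules > /etc/nftables.conf
        echo "import slate7.conf on the Slate 7, then: systemctl enable --now nftables wg-quick@wg0" ;;
    --ddns) ddns_update ;;
esac
```

Two things the script cannot do for you: the home router must forward UDP 51820 to the Pi's VLAN address, and the WAN address must actually be reachable, so if the ISP puts you behind CGNAT no inbound tunnel will work regardless of DDNS. Run `--ddns` from cron or a systemd timer on the Pi; `PersistentKeepalive` on the client side keeps the NAT mapping open while the Slate 7 sits behind hotel NAT. Adding a `PresharedKey` to both `[Peer]` sections is an optional extra layer on top of the key pair.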
I’m not really familiar with the Nokia routers, though I’m sure someone here is. The way I run my VPN back home is through a WireGuard server on my router (UDM Pro). I also don’t have a static WAN IP at home, but it doesn’t change often, and when it does I just update the WireGuard config file on the few clients I use manually.
VLAN assignments are done through a RADIUS server in my setup, since UniFi doesn’t have great handling for VPN client routing out of the box. Not sure if the Nokia routers would allow for this, but if they do, that may be a nice solution for you to handle the VLAN traffic.
RADIUS does seem cool to check out. I feel it’s the same as Tailscale, though. I’m trying to learn how the automation does it. I’m also trying to learn Linux. I figure if I authenticate the Pi server to share a private key on an off-network device, then change SSH to not allow passwords and change the SSH port, will that be good enough? I know it has to pass through my gateway and you can’t protect against everything. I just don’t want to make dumb mistakes as a new Linux user.
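The SSH hardening step asked about above, as an added example that is not part of the thread or of OpenSSH itself: a drop-in that turns off password logins on the Pi, plus a checker that reads a config the way sshd does (first matching keyword wins, keywords are case-insensitive), so the result can be verified rather than assumed. The drop-in path `/etc/ssh/sshd_config.d/10-hardening.conf` and the `ssh` systemd unit name are assumptions for a Debian-based Pi OS.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardening drop-in for the Pi's sshd that
# turns off password logins, and a checker that reads a config the way sshd does
# (first match wins, keywords are case-insensitive) so you can verify the result.
# The drop-in path and the systemd unit name are assumptions for a Debian-based Pi OS.
set -eu

DROPIN=/etc/ssh/sshd_config.d/10-hardening.conf   # assumed; needs Include in sshd_config

render_sshd_dropin() {
    cat <<'EOF'
# Key-only logins: no passwords, no keyboard-interactive fallback, no root.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
EOF
}

# sshd_effective FILE KEYWORD: value of the first uncommented line for KEYWORD, or nothing.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per setting and return 0 only if all are in
# force. The third column is sshd's built-in default, used when the file is silent.
check_sshd_config() {
    rc=0
    while read -r key want default; do
        got=$(sshd_effective "$1" "$key")
        got=${got:-$default}
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key $got (want $want)"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no yes
PubkeyAuthentication yes yes
KbdInteractiveAuthentication no yes
PermitRootLogin no prohibit-password
EOF
    return $rc
}

case "${1:-}" in
    --apply)   # write the drop-in, validate, then reload (run as root)
        render_sshd_dropin > "$DROPIN"
        sshd -t && systemctl reload ssh ;;
    --check)   # check the merged config sshd actually runs with, not just one file
        tmp=$(mktemp)
        sshd -T > "$tmp"
        rc=0
        check_sshd_config "$tmp" || rc=$?
        rm -f "$tmp"
        exit $rc ;;
esac
```

Put your public key in `~/.ssh/authorized_keys` and open a second session to confirm key login works before running `--apply`; `AuthenticationMethods publickey` locks out anyone without a key, including you. `--check` runs the checker over `sshd -T` output, which is the merged configuration after every `Include`, since a later `PasswordAuthentication yes` in another file silently loses to whichever line sshd sees first. A non-default port cuts log noise but is not an authentication control; limiting who can reach port 22 at all (tunnel and VLAN only) does more.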
Onenet, how experienced are you with networking? I am trying to help you without overconfusing you. The most secure way to accomplish your goal is to go ahead and use the Tailscale service and add whatever IPs you want to connect.
I have never heard of using just a domain name to connect to different physical networks. I don’t think you can. You will need a public-facing static IP address. You should have a public static IP unless your ISP is using CGNAT because of the shortage of IPv4 addresses. You might look into Cloudflare and see if they have a way for you to create a secure tunnel between your travel router and your home network. I recently created a secure tunnel between Cloudflare and my self-hosted website. I would forget about creating a secure WireGuard VPN-to-VPN connection. The reason I am suggesting forgetting about a WireGuard tunnel is that it is too easy to misconfigure one little setting, and you end up with both your home network and the other network very vulnerable.
Then a RADIUS server is an even better idea for you, as it is “how the automation does it”. It takes a MAC address and defines the VLAN tags for that specific device. FreeRADIUS runs on Linux, and you could spin up an entire Linux VM to play with it and other aspects of networking and Linux. You’ll be writing the config files to assign specific MAC addresses to specific VLANs, while also being able to assign default VLANs for a more global approach.
Tailscale is pretty much just WireGuard with extra steps, and an added lack of security from adding an extra layer. You could, however, look into Headscale if you want to self-host it completely and learn the inner workings of Tailscale “automations”. Then again, it’s just WireGuard with extra steps, so you may as well just use WireGuard on the router and RADIUS for VLAN tags.
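The MAC-to-VLAN config files mentioned above, as an added example that is not part of the thread or of the FreeRADIUS project: a generator for FreeRADIUS `users` entries (the `files` module, read from `mods-config/files/authorize` on Debian; that path is an assumption) that turns a list of `MAC VLAN` lines into one entry per device plus a `DEFAULT` entry for everything else. The device list and VLAN IDs in the test are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: render FreeRADIUS "users" entries (the
# files module, mods-config/files/authorize on Debian; path is an assumption) that map
# a device MAC to a VLAN tag, plus a DEFAULT entry for devices not on the list.
# The MAC list and VLAN IDs are constructed sample data.
set -eu

# norm_mac MAC: lower-case, separators stripped (AA:bb-CC:dd-EE:ff -> aabbccddeeff).
# Switches differ in how they format the MAC they send as User-Name for MAC auth;
# adjust this to match what yours sends, or the entries will never match.
norm_mac() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd '0-9a-f'; }

# valid_mac MAC: true if exactly 12 hex digits survive normalisation.
valid_mac() { m=$(norm_mac "$1"); [ "${#m}" -eq 12 ]; }

vlan_reply() {   # $1 = VLAN ID; the three RFC 3580 tunnel attributes switches expect
    printf '\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n\tTunnel-Private-Group-Id = "%s"\n' "$1"
}

# render_radius_users DEFAULT  <  lines of "MAC VLAN" (blank lines and # comments ignored)
# DEFAULT is a VLAN ID for unknown devices, or the word "reject" to refuse them.
# For MAC auth bypass the switch sends the MAC as both User-Name and User-Password,
# hence Cleartext-Password := the MAC itself.
render_radius_users() {
    while read -r mac vlan _; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        m=$(norm_mac "$mac")
        printf '%s\tCleartext-Password := "%s"\n' "$m" "$m"
        vlan_reply "$vlan"
        echo
    done
    if [ "$1" = reject ]; then
        printf 'DEFAULT\tAuth-Type := Reject\n'
    else
        printf 'DEFAULT\tAuth-Type := Accept\n'
        vlan_reply "$1"
    fi
}

case "${1:-}" in
    --apply)   # usage: ./gen.sh --apply devices.txt 99 > authorize   (99 = guest VLAN)
        render_radius_users "$3" < "$2" ;;
esac
```

After writing the file, `freeradius -C` checks the configuration and `freeradius -X` shows each Access-Request and the reply attributes while you test a port. One caveat worth knowing before leaning on this: a MAC address is visible to anyone on the segment and trivially changed, so MAC-based VLAN assignment is a placement policy for devices you already trust, not authentication; for devices that support it, 802.1X with EAP-TLS returns the same tunnel attributes but binds them to a certificate instead.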