What's the best FOSS remote access VPN for production small business use cases?
>tailscale: proprietary expensive slop that's paying twitter and youtube paid shills to masquerade as foss
>headscale: retarded version of tailscale by design to force you to buy tailscale subscription
>plain wireguard/openvpn: too primitive for a serious modern VPN with SSO
>octelium: arguably the strongest foss option but I am too brainlet to use it.
>netbird: tailscale clone and self hosting is painful
>pangolin: insecure plebbit-tier slop
>teleport: not open source anymore.

>>108909132
I don't understand. SSH tunnel + xrdp on localhost? You retarded?

>>108909203
I am asking about remote access VPNs, not SSH, retard.
Wireguard
>>108909132
i use zerotier one, free tier is free
https://github.com/DefGuard/defguard
>>108909132
>headscale: retarded version of tailscale by design to force you to buy tailscale subscription
what's retarded about it? it seemed very just werks like proper tailscale.

>>108909987
You can access everything with ssh. Just forward the port.

>>108909987
You create a tunnel via ssh to reach your local x11/rdp port, retard.

>>108909132
inb4 this retard doesn't have a public static IP at his "business".

>>108910146
Remote access VPNs aren't just about connectivity. I need to integrate with my SSO and SIEM and set access policies for each resource.

>>108910164
So a wireguard?

>>108910103
Thanks, this looks as serious as Octelium and Teleport. I will try this one.

>>108910174
Vanilla WireGuard is useless for serious business use. You still need SSO, access control, visibility and access logs, MFA, dashboard, etc...

>>108910127
It isn't. That is the whole point of headscale. It's an intentionally retarded version of tailscale by tailscale to force you to pay tailscale to use the full version of failscale.

>>108910183
Then pay the subhuman niggers that built your shitty SSO system to build an overlay for wireguard that integrates with your shitty system.

>>108910188
that's not an argument, you said the same thing as op

>>108910197
This. Broke ass niggas...

Why are you demanding FOSS for SMB when you need a SIEM and SSO? Just go pick up a cisco small business router, have it run as the VPN server, boom done. You could even do one of their virtual appliances.
>inb4 muh FOSS
enjoy 0 days off and VPN being your fault for outage. Wireguard is the solution, it's certificate based and probably the most secure. Funnel all traffic through your SOHO and monitor via normal network tools, if that won't work gg explain to the business why you need a budget.
>inb4 this is like some small 5-10 man shop that just needs a basic fileshare and the entire reason for VPN

>>108910309
>wireguard
>certificate
vanilla wireguard is similar to SSH and it uses static keys.

>>108910183
Bloat.

>>108911755
>t. NEET

>>108910127
I think OP is just being lazy. Headscale works great: subnet routers, ACLs and magic DNS function exactly like the paid product, they're just set up in a config file rather than a webui. Even taildrop works.
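As an added illustration of the "ACLs in a config file" point made in the post above (my own code, not headscale's or tailscale's, and not something any poster wrote): a small default-deny evaluator over a policy in the shape of a tailscale/headscale ACL file. The groups / hosts / acls layout with action, src and dst entries follows the real policy format, but the parser here is a simplified assumption of my own (no tags, autogroups or HuJSON comments), and every user, host and address in it is constructed for the example.

```python
"""Added example: evaluate a simplified tailscale/headscale-style ACL policy.

The policy below is constructed for this example.  Real policy files carry
more features (tags, autogroups, HuJSON comments); this parser models only
groups, named hosts and accept rules, which is enough to show why a text
policy can be reviewed, diffed and tested like any other configuration.
"""
import json
from typing import Dict, Optional, Set

# Constructed policy: admins reach everything; staff reach two services only.
POLICY_JSON = """{
  "groups": {
    "group:admins": ["alice"],
    "group:staff":  ["alice", "bob"]
  },
  "hosts": {
    "fileserver": "100.64.0.3",
    "intranet":   "100.64.0.4"
  },
  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:staff"],  "dst": ["fileserver:445", "intranet:443"]}
  ]
}"""


def load_policy(text: str) -> dict:
    """Parse the policy (plain JSON here; the real format also allows comments)."""
    return json.loads(text)


def src_members(policy: dict, src: str) -> Optional[Set[str]]:
    """Expand a src entry to a set of users; None means the '*' wildcard."""
    if src == "*":
        return None
    if src.startswith("group:"):
        return set(policy.get("groups", {}).get(src, []))
    return {src}


def port_matches(port_spec: str, port: int) -> bool:
    """Match '*', a single port, or an inclusive 'low-high' range."""
    if port_spec == "*":
        return True
    if "-" in port_spec:
        low, high = port_spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(port_spec) == port


def dst_matches(policy: dict, dst_spec: str, host_ip: str, port: int) -> bool:
    """A dst entry is 'host:port'; host may be '*', a named host or an address."""
    host_part, _, port_part = dst_spec.rpartition(":")
    target = policy.get("hosts", {}).get(host_part, host_part)
    host_ok = host_part == "*" or target == host_ip
    return host_ok and port_matches(port_part, port)


def is_allowed(policy: dict, user: str, host_ip: str, port: int) -> bool:
    """Default deny: only an explicit accept rule whose src and dst match grants access."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        src_ok = False
        for src in rule.get("src", []):
            members = src_members(policy, src)
            if members is None or user in members:
                src_ok = True
                break
        if src_ok and any(dst_matches(policy, d, host_ip, port) for d in rule.get("dst", [])):
            return True
    return False


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for user, host, port in [("alice", "100.64.0.4", 22), ("bob", "100.64.0.3", 445), ("bob", "100.64.0.3", 22)]:
        print(f"{user} -> {host}:{port}: {'allow' if is_allowed(policy, user, host, port) else 'deny'}")
```

Because the policy is text, the checks above can run in CI against a proposed policy change before it is applied, which is the practical advantage of the config-file approach the post describes.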
>>108910103
>using gRPC when all you need is data serialisation and there are 20 better native options in Rust
lol corporate-targeting software is funny, even when done in a good language

>>108909132
what's wrong with pangolin?

>>108913593
>>108913336
headscale, tailscale including its enterprise version and pangolin are absolute joke security-wise. These are unserious shill-based products.

>>108913684
yes, what part of pangolin is bad security wise?

>>108913709
it's merely a traefik wrapper with auth larping as a ztna

>>108913684
Why would tailscale be a joke security wise, retard?

>>108915766
it does rely on traefik when you configure public services. but even then, when you use it only with private resources and the client app, what is the issue there? It's pretty much wireguard then with sso integration.

>>108915905
https://www.reddit.com/r/Tailscale/comments/1ksy3xy/someone_just_randomly_joined_my_tailnet/
and btw this unauthorized access story happened for many users over many years. You could trivially access other customers' private networks by using the right usernames and emails without being an authenticated member.

>>108915921
pangolin is fine for personal use cases, not for businesses.

>>108916060
>https://www.reddit.com/r/Tailscale/comments/1ksy3xy/someone_just_randomly_joined_my_tailnet/
kek
CLOUDFLARE TUNNEL
>>108917874
I'd agree that pangolin isn't something I'd trust for a medium to large enterprise, but mostly because the company behind it is fairly small, not because of some inherent flaw with their systems. it's perfectly fine for a business the size of op's. besides, some of the comments here about tailscale make me wonder if this thread is too melaninated to understand how this stuff works.

>>108910039
>zerotier
based boomer

>headscale: retarded version of tailscale by design to force you to buy tailscale subscription
In what sense does it force you to do anything?

>>108916060
how does that apply to headscale

>>108915905
>>108917887
>>108919876
Tailscale is 100% broken by design. The coordination server only needs to replace a peer public key with their own and now somebody is inside your machine. It's like an external server dynamically injecting trusted SSH public keys into your machine without you knowing and logging into your machine whenever it feels like it.
In other words, Tailscale doesn't even need to know the private key of your machine, it can inject whatever public key inside your machine and connect to it whenever they like.
It's incredible how vulnerable this slop is. If they weren't shamelessly bribing every twitter and youtube paid shill on the planet and their mother, nobody would have used it.
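The post above describes a trust dependency: in a coordinated mesh, each node installs the peer public keys the coordination server hands it, so a node is only as trustworthy as that server. The following is an added example (my own code, not Tailscale's, headscale's or any poster's) that models that dependency from the defender's side. It contrasts a client that installs the server's peer map verbatim with one that keeps an out-of-band approved allowlist of peer keys and logs, instead of installing, any peer whose key it has not approved; that is what turns a silent key swap into a detectable event. All node names, keys and addresses are constructed for the example; nothing here touches a real WireGuard interface.

```python
"""Added example: pinning peer keys received from a coordination server.

A coordination server sends every node a "peer map" (name -> public key +
allowed IPs).  apply_map_trusting() installs it as received, which is the
behaviour the post criticises.  apply_map_pinned() only installs peers whose
key matches a locally approved allowlist and reports everything else, so a
swapped key or an unexpected extra node shows up as an alert rather than as
a new trusted peer.  Keys below are constructed placeholders, not real keys.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Peer:
    pubkey: str        # base64-style public key string (constructed)
    allowed_ips: str   # VPN address the peer may use (constructed)


# Keys approved out of band, e.g. copied from each machine when it was enrolled.
PINNED: Dict[str, str] = {
    "laptop":     "LAPTOP_KEY_constructed_AAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "fileserver": "FILESERVER_KEY_constructed_BBBBBBBBBBBBBBBBBBBBBBBB=",
}


def apply_map_trusting(peer_map: Dict[str, Peer]) -> Dict[str, Peer]:
    """Install whatever the coordination server sent (no local verification)."""
    return dict(peer_map)


def apply_map_pinned(peer_map: Dict[str, Peer],
                     pinned: Dict[str, str]) -> Tuple[Dict[str, Peer], List[str]]:
    """Install only peers whose key matches the allowlist; return alerts for the rest."""
    installed: Dict[str, Peer] = {}
    alerts: List[str] = []
    for name, peer in peer_map.items():
        expected = pinned.get(name)
        if expected is None:
            alerts.append(f"unapproved peer '{name}' offered by coordination server; not installed")
        elif peer.pubkey != expected:
            alerts.append(f"key change for '{name}': expected {expected[:10]}..., "
                          f"got {peer.pubkey[:10]}...; not installed")
        else:
            installed[name] = peer
    # A pinned peer that disappears from the map is also worth knowing about.
    for name in pinned:
        if name not in peer_map:
            alerts.append(f"pinned peer '{name}' missing from coordination map")
    return installed, alerts


# Constructed maps: an honest one, and one where the server has swapped the
# fileserver's key and added a node nobody approved.
HONEST_MAP: Dict[str, Peer] = {
    "laptop":     Peer(PINNED["laptop"], "100.64.0.2/32"),
    "fileserver": Peer(PINNED["fileserver"], "100.64.0.3/32"),
}
TAMPERED_MAP: Dict[str, Peer] = {
    "laptop":     Peer(PINNED["laptop"], "100.64.0.2/32"),
    "fileserver": Peer("SWAPPED_KEY_constructed_CCCCCCCCCCCCCCCCCCCCCCCCCCC=", "100.64.0.3/32"),
    "extra-node": Peer("EXTRA_KEY_constructed_DDDDDDDDDDDDDDDDDDDDDDDDDDDDD=", "100.64.0.9/32"),
}


if __name__ == "__main__":
    print("trusting client installs:", sorted(apply_map_trusting(TAMPERED_MAP)))
    installed, alerts = apply_map_pinned(TAMPERED_MAP, PINNED)
    print("pinning client installs:", sorted(installed))
    for line in alerts:
        print("ALERT:", line)
```

The same idea is what plain WireGuard gives you for free (peers are static entries in a config file you control) and what Tailscale's tailnet lock feature adds on top of coordination (node keys must be signed by designated signing nodes before other nodes accept them). Whichever product is used, the question for a business deployment is who can change the peer table and whether that change is logged somewhere the SIEM can see it.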
>>108920094
And this is one appeal of Headscale: network coordination is done on your own server using open source software

>>108917897
based retard

>>108919339
why do you think tailscale maintains headscale? they literally bought the dev just to control its development and make sure it's retarded enough to not be useful for serious business use cases.

>>108921796
it's literally FOSS
https://www.gnu.org/licenses/license-list.html
https://github.com/cloudflare/cloudflared
Source is up there. If you have concerns with cloudflare's service that's not related. Cloudflared is FOSS.
https://github.com/firezone/firezone used to be an interesting option, but they've gone full enterprisey. you can still supposedly self-host it, it's just kind of a pain
>>108909132
https://github.com/pritunl/pritunl
inb4 >ovpn
it supports wireguard too chuddie, you can calm down :)

>>108920326
Has headscale stripped every bad/insecure feature from Tailscale?
Instead: why not return to the basic wireguard that is trusted and well audited with zero third parties involved, or code scanning configs is pretty convenient. I don't understand why these networks must be so over complicated.
Like I heard they form a mesh network, but have you ever traced the route? Of the connections I have tested here in the UK all traffic is routed through London, so this vision of a neat mesh network is not so neat in reality. A wireguard server hosted in London would be better in this case.

>>108925259
I meant to say "QR code scanning configs is a convenient feature"
The real reason they choose Tailscale is it has a marketing budget behind it unlike regular wireguard

>>108910039
2nd for zerotier, it just werks