
Which is Better: Overlay Networks or Traditional VPN? 

Lawrence Systems
98K views

lawrence.video/pfsense
pfsense TailScale
• How to Setup The Tails...
Headscale Tutorial
• Tutorial: Using Tailsc...
Nebula Tutorial
• Nebula, the open sourc...
How NAT Traversal Works
tailscale.com/blog/how-nat-tr...
How Tailscale Works
tailscale.com/blog/how-tailsc...
My Cloudflare Tunnels Video
• Using Cloudflare Tunne...
Crosstalk Solutions Cloudflare Video
• You Need to Learn This...
DBTech Cloudflare
• Cloudflare Tunnels: Ge...
Connecting With Us
---------------------------------------------------
+ Hire Us For A Project: lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 / tomlawrencetech
+ Our Web Site www.lawrencesystems.com/
+ Our Forums forums.lawrencesystems.com/
+ Instagram / lawrencesystems
+ Facebook / lawrencesystems
+ GitHub github.com/lawrencesystems/
+ Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video/swag/
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com/shop/lawrences...
UniFi Affiliate Link
🛒 store.ui.com?a_aid=LTS
All Of Our Affiliates that help us out and can get you discounts!
🛒 lawrencesystems.com/partners-...
Gear we use on Kit
🛒 kit.co/lawrencesystems
Use OfferCode LTSERVICES to get 10% off your order at
🛒 lawrence.video/techsupplydirect
Digital Ocean Offer Code
🛒 m.do.co/c/85de8d181725
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?via=lawrencesystems
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateinternetaccess.com...
Patreon
💰 / lawrencesystems
⏱️ Time Stamps ⏱️
00:00 Overlay VPN Tailscale Headscale ZeroTier Nebula
01:48 Traditional VPN
03:29 How Overlay VPNs work
06:30 pfsense with TailScale
07:31 Headscale
07:57 Overlay Security
08:36 Cloudflare Tunnels
#VPN #firewall #networking

Science

Published: 8 Jul 2024

Comments: 157
@olivierlambert4101 1 year ago
I really like the fact you are always thinking about the risks of relying on 3rd party/big cloud players. I also share that vision, which is not common enough sadly. Kudos for entirely getting the initial meaning/purpose of the Internet, which is not meant to be centralized to a handful of big entities.
@LAWRENCESYSTEMS 1 year ago
Thank you
@woswasdenni1914 7 months ago
One of those risks people never think about is no support whatsoever. These entities are now so big that you rely on the pure hope it will be fixed if it's broken. Just spent 3 nights with Microsoft's highest tier support until I got someone to fix a trivial license issue on Microsoft's end that blocked all Exchange services for the entire tenant with several hundred users.
@aliaghil1 1 year ago
Great video as always. Definitely that's not a VPN killer; I would never rely on a third party for access into my own network.
@nonkelsue 1 year ago
Very informative! Love to see how someone like you is on top of all this and keeps us informed of what is out there, the advantages and disadvantages, the pros and cons, the pitfalls etc. This allows us to make an informed choice. Thanks Tom for your time and effort in producing videos like this. Truly appreciated!
@speedup070605 1 year ago
Thank you for this video. Love watching this because it explains the difference/similarity between VPN and overlay. Again thank you for the layman's term explanation.
@heshamkhalil2215 1 year ago
As always objective & unbiased. Thanks
@Weirlive 1 year ago
Happy to see a video on this topic, esp. after the recent Network Chuck video
@dougp1856 1 year ago
Thanks for this video, answered a question I had about the differences between VPNs and Cloudflare Tunnel
@Ghost_n_Denver 1 year ago
Long time subscriber here... Love your content! Looked at Cloudflare Tunnels. They are cool, but I really didn't like being dependent on their network to access my network. Plus, I kind of felt like I was giving them access to view my private network if they wanted to. 😅 Anyway, keep up the good work, sir. Your opinion and POV are valuable to us all.
@tomstechnews 1 year ago
Great explanations! Thank you Tom!
@chrisumali9841 1 year ago
Thanks for the demo and info, have a great day
@TheCrazyCanuck420 1 year ago
This video saved me hours of Google searches, thanks!!!
@lordgarth1 1 year ago
Used to use Hamachi until it was bought out, but Tailscale is now my go-to. It just works and works well.
@jensplsnkwn8152 1 year ago
I am always enthusiastic about your videos because they briefly describe the most important contexts. I have heard about the new technique and unfortunately have not yet understood what the advantages are supposed to be. It just looks like a legal man-in-the-middle attack.
@BrianPhillipsSKS 1 year ago
I use WireGuard for security and not relying on a third party. It was strange that as soon as Tailscale popped up it seemed like a huge number of homelab enthusiasts jumped on the bandwagon. Especially people that generally highly regard security and self hosting.
@bivensrk 1 year ago
So, you're saying that Tailscale != security?
@tehsimo 8 months ago
We're fed up dealing with annoying VPN configuration UIs in hardware
@HSF-ec2bp 8 months ago
@bivensrk Tailscale/Headscale != actually functional OpenVPN/WireGuard, a few lines in iptables, can actually be controlled with firewalls and security. Tailscale's routing rules interfere with every well known security solution in existence. No, I'm not migrating my perfectly functioning iptables rules to deal with Tailscale's lack of motivation to either use kernel WireGuard or use the TUN/TAP driver to supplement the user-land WireGuard. Other solutions could deal with this - NetMaker, Firezone, etc. - why not Tailscale?
@nicholastoo858 7 months ago
I also don't know why introduce 3rd parties
@droknron 1 year ago
I've been using ZeroTier for a few years now (I was introduced to it through one of your videos, in fact!). I think one thing you should have added to this video though is performance. WireGuard and OpenVPN point-to-point are a lot faster than ZeroTier and Tailscale. We're talking 50Mb vs 350Mb. So for anyone considering this, just know it's not the fastest, but these systems (Tailscale and ZeroTier) are super easy and very reliable.
@GrishTech 1 year ago
That's a bit subjective. It all depends on whether or not ZeroTier or Tailscale peers can establish a direct tunnel to each other and if the peer is running in userspace or in the kernel. For example, Tailscale on Windows runs in userspace, but on Linux, it can use the kernel drivers for WireGuard. For example, two Linux hosts can communicate gigabits per second to each other, but to a Windows host, maybe not so fast. Same thing applies for ZeroTier. Depends on the host and install.
@droknron 1 year ago
@GrishTech Thank you for the clarification David. I wasn't aware of this and only saw poor performance compared with native WireGuard and OpenVPN (I am testing only on Windows).
@zadekeys2194 8 months ago
@droknron Tailscale is meant to only be a control plane for WireGuard, based on wireguard-go. Perhaps the out-of-the-box TS config needed tweaking to get better speeds?
@andrewjohnston359 1 year ago
About 7 or 8 years ago I worked around the issue of having simple-to-set-up VPN access for clients behind CG-NAT/dynamic IP addresses by implementing Pritunl on my own AWS server. This works as an OpenVPN/WireGuard broker, and all the connections from routers/servers etc. are coming from behind the firewall, meaning no need for a static IP, and it works behind NAT. The other great thing is it has a centralised portal to manage all connections, organisations, and client certs/configs + monitoring the connections + it's open source and self hosted. Pritunl is barely (ever?) mentioned in all of LS VPN videos but in my opinion is one of the best pieces of software out there for this kind of thing. I will concede it does tunnel any traffic destined for the remote network through the server (it obviously supports split DNS/public routes through local gateway etc.) - but that has never really caused any issues for our clients in terms of speed or latency. The other plus is they have a wizard for EdgeRouters which makes the setup for our techs a couple of clicks - and likewise for our customers, they can deploy the software client/profile and cert themselves with a couple of clicks.
@tobiaskleimann6361 1 year ago
I have been using Tailscale for some months now to connect two Synology storage systems with Hyper Backup. Not the fastest way, but works really nicely for me. I can place my offsite backup wherever I want without caring about the VPN connection or forwarding ports.
@PowerUsr1 1 year ago
One of the biggest issues I find with mesh VPN tech from Tailscale or ZT is access rules. I'm a bit more familiar with TS, but controlling what a client can access just sucks using TS access rules. Documentation isn't great and writing it out in JSON is impractical if you are an unfamiliar engineer. So then you're left with permit any any rules. The tech is great but access controls suck. At this point legacy VPNs are just better supported when it comes to access controls.
@npgoalkeeper 1 year ago
I'm quite excited for ZeroTier 2.0, rewritten in Rust! Hopefully they keep LF for self hosting root servers, improve performance a bit, and include DNS by default.
@itsmith32 8 months ago
Tried ZT a little, but when I found that I cannot use my exit node behind my home router I stopped trying.
@cyucel2241 7 months ago
Thanks for the good video. Initially, you suggested that you would compare all three, but this wasn't included. Such a video would be fantastic. Especially interested to understand if Nebula is less prone to the controller (lighthouse) being compromised, as the connectivity relies on certificates created outside the lighthouse, and I am wondering if this would stop a compromised controller from adding a rogue node.
@raffiihzazuhairnawan2091 1 year ago
Tailscale works great for me. It's free, easy to use, and supports ephemeral mode that deletes the instance when not active and adds it again when active. It runs super well with PaaS that are bound to restart their containers every now and then.
@keyboard_g 1 year ago
Tailscale has really nailed the ease of setup.
@LAWRENCESYSTEMS 1 year ago
They have a solid product for sure.
@itsmith32 8 months ago
Yes, while Headscale made it yours and secure
@SomeGuyWatchingYoutube 1 year ago
I've used all of your videos to build a pfSense for gaming. It uses a Ryzen 3 1300X and can route a Gigabit with NordVPN over multiple trunks. I have trunked, seemingly secure networks, with NordVPN, using traffic limiters for A+ bufferbloat gaming behind an AT&T fiber BGW-320. Thanks for the awesome guides. I can't seem to get it to work right using multiple NICs for WAN (using different IP addresses from my block), and split the DNS correctly between the WAN and VPN with policy routing. The NordVPN always has to go through the primary gateway, which can break easily when I am using Squid Proxy for my non-VPN subnets. I bought a set of static IPv4 addresses for my multiple NICs, but I need to run the second NIC via a public DHCP request to my AT&T GPON router, as pfSense won't let me have multiple WANs on the same subnet using my single gateway. Do I need to use IP aliases to set up multiple WANs on a single gateway? Do I need another pfSense to have another WAN giving me internet access?
@SomeGuyWatchingYoutube 1 year ago
Also, my AT&T router gives me /64 blocks of IPv6. Are these okay to assign in conjunction with my static block to my pfSense? I don't understand how to route the IPv6 while hiding my DNS from this primary AT&T router. Should I use SLAAC or IPv4 over IPv6? Do I need to use DNS64? Do you have any videos explaining the differences between SLAAC, 6rd tunnels, 6to4 tunnels or the like? I am kind of new to all of this. Been tuning everything for a year now. The last time I had experience with custom routers it was 10 years ago using DD-WRT. Random thought: SynProxy is a pretty cool feature imo and might be easier to set up than Squid. It helps some of my videogames lag less when servers cannot connect to my console directly.
@mhwachter833 1 year ago
You pointed out the biggest problem with services like Tailscale and Twingate: entrusting your network access to a third party. No thanks. Glad to know there's a self hosted option though, I'd love to see a more in depth video on that!
@cityhunter2501 1 year ago
Agree, I still want to give Twingate a try (which is basically a form of proxy) so that I don't need to have any open ports on my router, but then I would be relying on Twingate servers to stay up all the time. Even if I were to go Headscale and host it somewhere, then I still need to make sure that it is locked down, and it's another possible point of failure.
@itsmith32 8 months ago
You'd better try rather than watching videos.
@castigo1986 1 year ago
Thanks for this interesting video! I wonder, would IPv6 change anything in this setup or generally in an OpenVPN, given that there would be no NAT?
@richardw38fly 1 year ago
I'm behind Starlink's CG-NAT so my remote access options are limited. I would love to work out how to use a service like Cloudflare's secure tunnel on my pfSense external interface, so I can then use OpenVPN through the Cloudflare tunnel.
@notreallyme425 4 months ago
I just set up Tailscale and made a route to my home network. Wow, that was easy and I'm wondering why I didn't do this a long time ago. Routes just the traffic I want to my services back home, while the rest of my traffic goes directly to the internet. I could also route all my traffic back through my home connection if I wanted to.
@liam2161 1 year ago
I use Cloudflare ZT. I like that I can integrate that with Azure conditional access. No client required for web applications, or SSH can be done via browser. The WARP client can then handle other ports etc. It's free for small teams and I got 5 YubiKeys for setting up the free tier at a ridiculously reduced price, think they were £10 each.
@djstraussp 1 year ago
For me, the only benefit of using a TS or ZT overlay network with its coordination servers is when your ISP doesn't provide a public IP you can route or NAT. Both ONs are great BTW.
@kevinhughes9801 1 year ago
Great stuff, useful, thanks. So is Twingate classed as an overlay network too?
@TotemTed 1 year ago
Any chance you could do a follow up video with performance metrics? Such as throughput of WireGuard VPN vs Tailscale, etc.
@davidg4512 1 year ago
Well. This went viral. Good performing video.
@Netz0 8 months ago
I see them as different purposes. An overlay VPN for unattended devices that always need to be connected, like servers, routers, etc. A traditional VPN requires user interaction; as such an overlay VPN is a device-connected network and a traditional agent VPN is a user-connected network. Some people might not want to be always connected or might want to connect to a different corporate or business network, or switch depending on the type of work required, which means a traditional VPN is not going away.
@user-hk3ej4hk7m 1 year ago
What made me choose ZeroTier over the other overlay alternatives is that it splits the coordination plane into configuration and routing. A ZeroTier controller manages authentication and configuration of each node on a network, but it is also a node itself, meaning that it can be behind a NAT and still be able to communicate with each member of the network, sending config updates, adding new nodes, etc. Routing between each node is managed by the ZeroTier root servers, which are only responsible for connecting nodes together, aiding with UDP hole punching and relaying data if necessary. Having your own controller means that you own your network; every config has to be authorized by your self-hosted controller, while still not needing it to have a publicly accessible IP address tied to it. The most a malicious ZeroTier root could do would be to mess up new connections and maybe listen in on the encrypted connection between each node (it can't decrypt it) when relaying.
@itsmith32 8 months ago
Hmmm... Which of this stuff cannot be accomplished with Headscale?
@user-hk3ej4hk7m 8 months ago
@itsmith32 My understanding is that if you want to host your own instance of Headscale you'll need to have a public IP address to which you can forward ports. This is not always possible due to CG-NAT. With ZeroTier the routing and network configuration are separate parts. ZeroTier Inc does the routing (if you want), you host and control your own network, no port forwarding necessary to the controller.
@itsmith32 8 months ago
@user-hk3ej4hk7m Looks like you can do the same stuff with TS proprietary controller😁 and if you don't want to port forward you can use a VPS for hosting.
@user-hk3ej4hk7m 8 months ago
@itsmith32 I'd rather have my controller hosted at my home; it's not bandwidth intensive and it has control over the whole network. ZeroTier has that clear separation and that's why I prefer it, others may have other preferences.
@BoraHorzaGobuchul 4 months ago
Would love to learn what's the status on Yggdrasil now. Is it usable, or not? How does it compare with these solutions?
@XSpImmaLion 1 year ago
ROFL, I was also going to ask if Lawrence tested or tried Twingate, but it seems this is a very tight knit community... and I do agree with his position that it's not an open source solution. Not quite there yet, but I am in the process of building a TrueNAS Scale from an old PC here, and looking up how exactly I'm going to open this up to the void... :P Might go for Tailscale or Headscale then...
@dannythomas7902 8 months ago
In Aus they are calling them SD-WAN, basically overlay network VPN as you said. I was asked in an interview about it; I said no big deal, just site to site, can you ping it after setup or not.
@eduardonobrega77 1 year ago
What happens if a notebook with Tailscale installed, that is usually outside, is in the company internal network? Which network will it use? The internal one given by the DHCP server or the one Tailscale creates? Is there a way to block Tailscale if the computer is in the company, to ensure that there is no problem with Active Directory (Kerberos, name resolution) for example? - Thanks for the video
@azrehman1 1 year ago
Excellent information as always! Please make a video on Twingate also
@LAWRENCESYSTEMS 1 year ago
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@bltavares 1 year ago
ZeroTier has the NDP emulation for their 6PLANE addresses which is amazingly well fitted for Docker container addresses. I haven't found anything similar on top of WireGuard to make me switch.
@mabs-O_o 3 months ago
I like the managed routes feature on ZeroTier; then I just deploy ZeroTier on my routers and voila, remote devices with ZeroTier One have all the routes, and devices connecting through my routers are able to reach the overlay or remote networks.
@tw3145wallenstein 1 year ago
Another note: some of the commands for Headscale have been updated as well. I believe it was for parity with Tailscale terms.
@jasonluong3862 1 year ago
Ubiquiti just updated the firmware for its UDR which includes enhancements for its Teleport VPN. Can you do a video on this improvement (if any)?
@blazetechstuff 1 year ago
If you are working or have clients in China, you absolutely need/want something like Tailscale. I live here and it is the only thing that gets me direct site to site location links (China to China) without the fuss of going through another server.
@ChristerJohansson 1 year ago
Isn't this just a patch for poor network segmentation on the target site? Which is the result of not doing/planning a risk based / information security / availability based network architecture...?
@rrtech6793 1 year ago
Great! VPN isn't dead! Public cloud solutions are exposed like your VPN incoming requests too... It's like a big VPN public cloud server makes the "gateway" function between the clients... Thank you!
@rallisf1 1 year ago
I've been using Netmaker to run both simple and overlay VPN networks. Should I consider Headscale for any reason?
@akcesoriumpc6421 1 year ago
I'm using OpenVPN and don't need to rely on "coordination servers" or need "help" from others to send my data.
@nymnicholas 1 year ago
I only use WireGuard on a Linux server (Pi 400B with Quad9 DNS) under a 1 Gbps dynamic line for my use case, as my users are under 10 to 15 concurrent at a time. As the server's htop reports about 140 to 145 Mb at idle, with an increase of about 5 to 10 Mb per user load, it's running fine for a small office for the last 1 year. And, it's not on a static public IP. Peace :-)
@gatolibero8329 1 year ago
If anyone is interested in "Twingate" - last week Network Chuck posted a detailed video. Twingate looks sketchy to me. As Tommy said, it's closed source, and there's very little information about the company or the people behind it, which is also strange.
@welovefootball2026 1 year ago
I watched it too but am not jumping in quite yet...
@metal-beard 1 year ago
Networkchuck does a lot of videos for his sponsors as ads but disguises them as 'tech tutorials'.
@gatolibero8329 1 year ago
@metal-beard No shame in that game.
@michaelattisy4520 1 year ago
Was my first thought, what about the reliability of the third party? I honestly don't see the point of taking that risk. Thx Tom for sharing.
@rafetjameel4476 1 year ago
What do you think about DPN?
@LawnD4rt 1 year ago
I think Tailscale has the ability to create a subnet router inside the NAT. It was Linux only for a while. I think other OSes can do it now also. Not played with it recently.
@itsmith32 8 months ago
Working just great with Headscale and GNU/L
@allancreationz5625 1 year ago
I really think you need to do a video about Twingate, under the hood working, pros & cons! Otherwise thanks for the informative in depth content!!!
@LAWRENCESYSTEMS 1 year ago
Except Twingate has a lack of details on how their security works vs Tailscale being open source and very detailed, so I use that.
@trexx_media 1 year ago
I love Twingate... easy to use and simple... runs on my Docker... loving it. Killer of traditional VPNs
@Ex_impius 1 year ago
I saw your comment on my comment on Network Chuck's video. I've used Tailscale before and heard of Headscale. I figured Twingate was a WireGuard overlay VPN but it seemed to have a lot more functionality than Tailscale. Still, don't like the controller not being self hosted.
@markarca6360 1 year ago
The good thing is it enables admins to fine-tune access to the specific resources that the users need access to.
@stefanbehrendsen330 1 year ago
You can also self host a ZeroTier controller. It's somewhat of a pain, though, because the only interface they provide for that is a JSON API. There is a third party all-in-one Docker image developed by Key Networks with a webserver GUI, but you do have to trust / be able to inspect the source for that software, and hope that it gets patched. You'd still be relying on some of their "root" servers for connections though, so I guess it doesn't entirely solve the issue of trust / control.
@itsmith32 8 months ago
Headscale does it for them😅
@deng.3844 10 months ago
Great content! It would be good to hear your thoughts on NetBird (relatively new alternative to Tailscale).
@LAWRENCESYSTEMS 10 months ago
Never used it; nothing about it looks so compelling that I would prefer it over existing solutions I have used.
@stevenhughes1254 1 year ago
Facts are facts
@bmp6361 9 months ago
@LAWRENCESYSTEMS I'd be interested to know if you'd tried PBR (policy routing) with pfSense and Tailscale, where one host or network uses another remote pfSense+Tailscale as an exit node?
@LAWRENCESYSTEMS 8 months ago
Not sure I understand the question.
@bmp6361 8 months ago
@LAWRENCESYSTEMS Let's say you wanted to have a system(s) on Site A exit Site B's internet connection. The rest of the system(s) on Site A would exit to the local internet ISP.
@LAWRENCESYSTEMS 8 months ago
@bmp6361 Does not sound like a great way to set things up and I am not sure if Tailscale would route that way.
@bmp6361 8 months ago
@LAWRENCESYSTEMS The use case would be to appear to be working from one state vs working from another. I think it would be possible via traditional VPN, where gateways are established. Not sure you can set up Tailscale as a gateway. Thought I'd bounce it off of you. Thanks for your time.
@anthonymudge9768 1 year ago
This does seem to be a sequel to the proprietary Hamachi VPN. I would call it a scalable VPN, as it's much easier to set up and deploy, I'd assume.
@DannyBazarte 1 year ago
Hamachi was the best for the short time before it was acquired by LogMeIn.
@DarkNightSonata 1 year ago
How about Twingate? Have you had a look at it? Is it similar to Tailscale? Thanks for the information
@LAWRENCESYSTEMS 1 year ago
Looks similar, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@EuroPC4711 1 year ago
Do I see it correctly that Synology's QuickConnect is quite the same, with Synology as the coordination server?
@LAWRENCESYSTEMS 1 year ago
QuickConnect is just a reverse proxy that your Synology connects to to allow access. Much less complicated than a coordination server.
@gjkrisa 1 year ago
With Tailscale I was not able to traverse the network once connected to the pfSense host from outside. Is there something misconfigured, or maybe I was trying to access another machine before I had a direct p2p connection. 🤔
@LAWRENCESYSTEMS 1 year ago
Possibly rules were missing. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-P-q-8R67OPY.html
@bobvb2351 1 year ago
Would very much appreciate an updated Headscale setup and use tutorial.
@LAWRENCESYSTEMS 1 year ago
ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--9gXP6aaayw.html
@DerekAldridge1 1 year ago
Have you looked at Twingate at all? The granularity and redundancy seem to make a pretty resilient solution.
@LAWRENCESYSTEMS 1 year ago
So does Tailscale. Twingate has a lack of details on how their security works vs Tailscale being open source and very detailed, so I use that.
@DECrainbow100A 1 year ago
Cat6! 🤣
@LackofFaithify 1 year ago
If you ever remove the problem of trust, you have removed humanity.
@genovo 8 months ago
Question: are they a VLAN killer?
@bjarnenilsson80 1 year ago
Or go for IPv6 if available; then you can run your VPN daemon on a host on the inside of your network and you avoid the nightmare of CGNAT (which unfortunately gets more and more widespread on home internet connections).
@NetBandit70 11 months ago
I'm another step closer to -white- allow lists for everything network related.
@marianarlt 1 year ago
As many others point out, I don't see how this would benefit me any more than setting up my VPN server, putting it behind a deny all, and whitelisting any access the clients need. I hear that it's easier to set up, but it seems there's actually more configuration to be done, not less. There's even an additional controller involved?! No thanks. Also I'm with everyone saying not to outsource my remote access methods to third parties. Like, ever. In all honesty it appears to me that these suites try to be a solution for people who might be uncomfortable with managing their ACLs, even though this might not be accurate. This whole zero trust cloud third party thing seems like the new networking hype I have to learn just to be able to say why I won't use it. Maybe (probably) I'm missing a lot of details, I just started to look into this rabbit hole.
@pavelperina7629 1 year ago
I guess Cloudflare tunnels are good if you don't want to deal with dynamic DNS via No-IP if you don't have a static IP, and renewing Let's Encrypt certificates, and you don't have to change anything if you reconfigure the internal network (if you reset the router to factory defaults etc.). But I'm still using SSH and SSH tunnels for RDP/VNC and I think VPN is better in general. This solution might be useful only if your IP is not accessible at all, I guess.
@marianarlt 1 year ago
Hm. Maybe I'm misinterpreting the target audience. Setting up DDNS with the domain provider should be as easy as a click in most situations. Static IPs are common for enterprises. Certificate renewal can easily be automated. The situation you mention could make for a use case I guess, but also seems to be very niche to me. Somebody in the comments is mentioning Zero Trust use with Azure and 2FA, which is more of an actual real use case. I probably have to look into this a little more at some point. The third party thing still bugs me. Kinda the opposite of zero trust... Thanks for commenting!
@grant_HH 1 year ago
I might be being dumb, but how does the overlay network differ from Cloudflare tunnels?
@LAWRENCESYSTEMS 1 year ago
Cloudflare tunnel is just a reverse proxy to Cloudflare servers.
@grant_HH 1 year ago
@LAWRENCESYSTEMS Thanks. Just watched Network Chuck's overview of setting up Twingate before seeing this. On the surface all look similar: install an agent on the network, configure services in the cloud/controller instead of opening ports 😁 One of these is somewhere on my list after getting pfSense set up.
@walter.casanova 1 year ago
Another option is NetBird.
@Sama_09 1 year ago
Is Slack Nebula something similar to this?
@LAWRENCESYSTEMS 1 year ago
Yes
@insu_na 1 year ago
I honestly don't really get it. I think Tailscale and regular VPNs serve different purposes, so Tailscale isn't really killing VPNs, just displacing them from areas they were previously used in but didn't really fit.
@eointhomaskehoe4977 1 year ago
I was trying to set up a VPN for a customer who had a wireless ISP internet connection; we could not get any VPN working as it looks like the internet was using CG-NAT. After looking for other options I came across Tom using ZeroTier and Tailscale, and both worked flawlessly for this setup.
@mishasawangwan6652 8 months ago
Let me explain: clickbait.
@justincase5272 1 year ago
I seriously wish modern "VPNs" had chosen a different name, as their use and purpose are very different than traditional Virtual Private Networks.
@murtadha96 a year ago
What about something like Twingate? I think NetworkChuck recently made a video about it.
@LAWRENCESYSTEMS a year ago
Looks similar to tailscale, never used it, closed source so I don't have a lot of desire to test it knowing there are open source solutions out there.
@Darkk6969 a year ago
@@LAWRENCESYSTEMS Same here. I did watch most of Chuck's video about Twingate and was turned off that it's completely closed source and no option to self host the controller. I'm staying with wireguard on pfsense.
@OldePhart a year ago
Cradlepoint is deprecating their overlay this year, forcing me to go VPN.
@philipgriffiths5779 11 months ago
This boggled my mind. It's a shame they got acquired by Ericsson. I thought their approach was one of the best I had seen, bar OpenZiti, the open source project I work on. But hey, big corps like to kill innovation and only deliver guaranteed returns.
@javiej a year ago
Mesh networks are powerful tools, but security problems arise when they are given to ignorant users. Recently Linus (LTT) made a tutorial in "Tailscale for idiots" style that I think is very wrong. Firewalls exist for a reason; creating unsupervised tunnels for family and friends (and the friends of their friends...) with no supervision and no VLAN isolation, having ignorant users passing links to give access to that streaming service that everybody wants to watch but nobody wants to pay for (which is why most of them use it)... that's a delicious cake for hackers: you get one, you get them all.
@Darkk6969 a year ago
Well, for small networks like the home with few users it's not much of an issue. When you get into 300+ users for corporate / enterprise then it's a completely different beast altogether. For something like Tailscale I did not like the idea of a default mesh network for all users. Lazy admins would certainly take this route just to get started without thinking things through like security.
@ronbovino a year ago
I wish they would cut through all the buzzwords and just call this VPN-NG or 2.0.... This stuff was done 20 years ago with Cisco VPN Concentrators.
@bradrobbin4281 a year ago
Funny you mention that, as Cisco is now looking to kill the VPN altogether utilizing their Zero Trust and Duo MFA tools.
@mjmeans7983 a year ago
No one should ever trust a cloud coordination server that is not under their direct control unless the third party is subject to strict liability in case of breach. And none are.
@realms4219 a year ago
Is Headscale hostable in a HA manner?
@GrishTech a year ago
If you use it in a container and thus in Kubernetes, sure. Or you can have it in a vm and use the traditional VM H/A.
@philipgriffiths5779 11 months ago
@@GrishTech but can you run more than one controller for graceful takeover if a controller fails? For me, that's the benchmark of HA.
@GrishTech 11 months ago
@@philipgriffiths5779 I don't believe that's supported.
@TechySpeaking a year ago
First
@markarca6360 a year ago
Another option is Twingate, which uses split-tunneling by default! It allows orgs to adopt ZTN (Zero-Trust Networking) by implementing the principle of least access.
@LAWRENCESYSTEMS a year ago
Looks similar, never used it, closed source, light on security details so I don't have a lot of desire to test it knowing there are open source solutions out there.
@danielchien7274 a year ago
VPNs can be MITM attacked.
@tomasztomaszewski9826 a year ago
Is this coffee mug a bit of a tease?
@LAWRENCESYSTEMS a year ago
We do have coffee mugs in our store lawrence.video/swag/
@moelassus a year ago
Hey Tom, what about Twingate? 😉🤣
@Antebios 9 months ago
Overlay looks way too complicated. I'm sticking with my Raspberry Pi & Wireguard. Easy-Peasy, I have full control, and no dependency on a 3rd party.
@miltonatgoogle1140 a year ago
The statement that "overlay networks are VPN killers" is likely an oversimplification and doesn't capture the full nuances of these technologies.
@danielkingly3673 a year ago
Your logo is too generic… this channel is amazing
@dezznuzzinyomouth2543 a year ago
Stealing WiFi... Cough... Excuse me... Being intrusive on someone else's resource, then using a VPN paid for in crypto.... Ahhh, the good ol' war driving days...
@romangeneral23 2 months ago
Overlay network is a VPN with extra annoying steps
@jsieb a year ago
You missed the chance to include Twingate. :D
@LAWRENCESYSTEMS a year ago
¯\_(ツ)_/¯
@Mr.Leeroy a year ago
Killer is the BS & clickbait universe marker-word.
@xelerated 6 months ago
Tailscale is pure 💩
@limpep a year ago
this used to be a respectable channel, shame he's just a paid for shill now
@LAWRENCESYSTEMS a year ago
Huh? 🤔 This wasn't sponsored
@perfect.stealth 8 months ago
When you say using Cloudflare means exposing your devices, what do you mean? I use Cloudflare Zero Trust to connect to my office devices on a local network. What is exposed about that? Asking concerned.
@LAWRENCESYSTEMS 8 months ago
Are you using cloudflare tunnels?
@rockenOne a year ago
I am new to your channel; clearly stole the logo, bud. Have you got any flak for this?