I’ve made a few posts in the past about my experimentation with connecting various devices and servers over a VPN (hub and spoke configuration) as well as my struggles adapting my setup towards a mesh network.

I recently decided to give a mesh setup another go. My service of choice is Nebula. Very easy to grasp the system and get it up and running.

My newest hurdle is now enabling access to the nebula network at the same time as being connected to my VPN service. At least on iOS, you cannot utilize a mesh network and a VPN simultaneously.

TLDR: Is it a bad or a brilliant idea to connect my iOS device to a nebula mesh network to access for example my security camera server, as well as route all traffic/web requests through another nebula host that has a VPN such as mullvad on it so I can use my phone over a VPN connection while still having access to my mesh network servers?

  • DesolateMood@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    5 months ago

    If I’m understanding correctly, I think I’ve actually done something similar with tailscale. I run a VPN on my server and use it as a tailscale exit node (since it’s always running, I never have to worry about it turning off) and this allows me to connect to my server remotely while using a VPN, since Android also doesn’t allow simultaneously VPN connections

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Interestingly (I just found this out) Android permits 1 VPN connection per user profile.

      So I run a VPN in my regular profile, and found my work profile wasn’t using it. So I installed Tailscale there, and it works only in the work profile, while my regular VPN only works in my main profile.

      If always assumed VPN config was a system-wide thing.

      • DesolateMood@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        I remember figuring this out when I realized my vpn wasn’t connecting while I was inside of my secure folder, which acts like it’s own user profile

      • brian@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        tailscale also just has a button to buy/enable mullvad as an exit node. if you’re just looking for a commercial vpn for privacy it works well.

      • DesolateMood@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        5 months ago

        You need a VPN that can split tunnel by ip via CLI (although I think it’s also possible to set it up in an ovpn file, but I haven’t tried it). The only one I’ve found that can do this natively is proton, specifically the python community version.

        I don’t know how this next part works if you use something that isn’t tailscale, but if you do then just set proton’s split tunneling for 100.64.0.0/10

        Then, still on this machine, advertise the exit node from tailscale (you also have to allow it from your tailscale admin console). Connect to it from your phone, making sure to use the server as an exit node, and head over to ip.me to see if it’s working

        • Prison Mike@links.hackliberty.org
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          I’ve done this with Tailscale and a VPS running WireGuard on one interface and Tailscale on another on Alpine Linux. I just set up routing so that any Internet traffic coming from tailscale0 is masqueraded/NAT over the wg0 interface. It took me months of screwing around to figure it all out, but I can provide all the necessary commands here if anyone wishes.

          It should be generic enough to use with any two interfaces given one is your “internal” VPN and another is some other VPN (probably from a commercial offering).

  • Tinkerer@lemmy.ca
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    5 months ago

    I would be interested to hear how this goes. I had this setup with tailscale but having it run 24/7 on both our phones drained the battery really quickly. That being said I was running full tunnel and also needed home assistant background location running as well.

    • Stowaway@midwest.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Pretty sure that was home assistant. I had the same issue. Phone would even get piping hot. Killed home assistant, problem solved. I’m connected to VPN to home using openvpn 24/7. Too lazy to switch to wireguard :p

      • Tinkerer@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        Hmm yeah makes sense, I just can’t do it since then I would need VPN app and home assistant app running 24/7 lol. I need location for home assistant and both appa are too much for my wife’s iPhone. I might tey again but with gpslogger instead of home assistant for location.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    5 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    IP Internet Protocol
    NAT Network Address Translation
    VPN Virtual Private Network

    3 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

    [Thread #829 for this sub, first seen 26th Jun 2024, 02:05] [FAQ] [Full list] [Contact] [Source code]

  • Kairos@lemmy.today
    link
    fedilink
    English
    arrow-up
    2
    ·
    5 months ago

    You can add multiple peers WireGuard but not multiple interfaces. If the IPs line up well it can work. You can also NAT through a device if the IPs don’t line up well.

    • brownmustardminion@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      5 months ago

      I would say pretty secure. Of course, I would ensure all of the proper firewall, app pins, 2FA are in place in case my phone was ever compromised.

      I’m already accessing all of the services now over the web with authentication. This new configuration would shift thos services from being public to only devices on my private mesh network with the proper certificates.