I’ve made a few posts in the past about my experimentation with connecting various devices and servers over a VPN (hub and spoke configuration) as well as my struggles adapting my setup towards a mesh network.
I recently decided to give a mesh setup another go. My service of choice is Nebula. Very easy to grasp the system and get it up and running.
My newest hurdle is now enabling access to the nebula network at the same time as being connected to my VPN service. At least on iOS, you cannot utilize a mesh network and a VPN simultaneously.
TLDR: Is it a bad or a brilliant idea to connect my iOS device to a nebula mesh network to access for example my security camera server, as well as route all traffic/web requests through another nebula host that has a VPN such as mullvad on it so I can use my phone over a VPN connection while still having access to my mesh network servers?
If I’m understanding correctly, I think I’ve actually done something similar with tailscale. I run a VPN on my server and use it as a tailscale exit node (since it’s always running, I never have to worry about it turning off) and this allows me to connect to my server remotely while using a VPN, since Android also doesn’t allow simultaneously VPN connections
@DesolateMood @brownmustardminion if you root it, you can run multiple VPNs simultaneously. I’m always connected to my VPS for some services and to my home for Home Assistant (all with Wireguard).
Yeah I think we’re talking about the same thing. Got any guidance on how you set that up?
tailscale also just has a button to buy/enable mullvad as an exit node. if you’re just looking for a commercial vpn for privacy it works well.
You need a VPN that can split tunnel by ip via CLI (although I think it’s also possible to set it up in an ovpn file, but I haven’t tried it). The only one I’ve found that can do this natively is proton, specifically the python community version.
I don’t know how this next part works if you use something that isn’t tailscale, but if you do then just set proton’s split tunneling for 100.64.0.0/10
Then, still on this machine, advertise the exit node from tailscale (you also have to allow it from your tailscale admin console). Connect to it from your phone, making sure to use the server as an exit node, and head over to ip.me to see if it’s working
I’ve done this with Tailscale and a VPS running WireGuard on one interface and Tailscale on another on Alpine Linux. I just set up routing so that any Internet traffic coming from
tailscale0
is masqueraded/NAT over thewg0
interface. It took me months of screwing around to figure it all out, but I can provide all the necessary commands here if anyone wishes.It should be generic enough to use with any two interfaces given one is your “internal” VPN and another is some other VPN (probably from a commercial offering).
Interestingly (I just found this out) Android permits 1 VPN connection per user profile.
So I run a VPN in my regular profile, and found my work profile wasn’t using it. So I installed Tailscale there, and it works only in the work profile, while my regular VPN only works in my main profile.
If always assumed VPN config was a system-wide thing.
I remember figuring this out when I realized my vpn wasn’t connecting while I was inside of my secure folder, which acts like it’s own user profile
I would be interested to hear how this goes. I had this setup with tailscale but having it run 24/7 on both our phones drained the battery really quickly. That being said I was running full tunnel and also needed home assistant background location running as well.
Pretty sure that was home assistant. I had the same issue. Phone would even get piping hot. Killed home assistant, problem solved. I’m connected to VPN to home using openvpn 24/7. Too lazy to switch to wireguard :p
Hmm yeah makes sense, I just can’t do it since then I would need VPN app and home assistant app running 24/7 lol. I need location for home assistant and both appa are too much for my wife’s iPhone. I might tey again but with gpslogger instead of home assistant for location.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters IP Internet Protocol NAT Network Address Translation VPN Virtual Private Network
3 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #829 for this sub, first seen 26th Jun 2024, 02:05] [FAQ] [Full list] [Contact] [Source code]
Seems like a good way to do it, would be fun to try that setup myself.
@brownmustardminion i think it depends on how secure your mobile phone is.
I would say pretty secure. Of course, I would ensure all of the proper firewall, app pins, 2FA are in place in case my phone was ever compromised.
I’m already accessing all of the services now over the web with authentication. This new configuration would shift thos services from being public to only devices on my private mesh network with the proper certificates.