Need VPN solution for remote home network access.

[_Grid21]

Hello all! I need help finding an easy solution to something. I am running Docker/Portainer on an ARM64 Jetson Nano. I had been using OpenVPN server on my TrueNAS Server but I am having some issues where it isn't assigning IPs to different clients. So instead, what I want to do, is use the Jetson Nano as the "gate" VPN server that me and a few friends can access my file server remote, and also I'd like to be able to access my home network like I am right inside it. WireGuard has been a pain in the ass and never seems to work, OpenVPN Server seems to work mostly ok as we used to use it a Government Server Testing lab I use to work at, pfsense was running it and passed traffic to a sub-network. So because I am familiar with OpenVPN server and seemed to work well, I need and easy to configure ARM64 Docker image I can just start up using Portainer. Any help, suggestions would be really appreciate because I have been racking my brain trying to figure this out on my own. Thanks in advance! 

[Levent]

OpenVPN is a breeze to setup and use. If anything I would recommend attempting to fix your openvpn install. I personally always run OVPN through TCP and WG through UDP and connect using whichever lets me.

 

 

[_Grid21]

8 minutes ago, Levent said:

OpenVPN is a breeze to setup and use. If anything I would recommend attempting to fix your openvpn install. I personally always run OVPN through TCP and WG through UDP and connect using whichever lets me.

 

 

Oh I know it's mostly easy to use, but trying to find an easy Docker ARM64 image for it has been an issue, can you recommend where I can find it and start it up with Portainer?

 

Ever time I go to start it up, I get this error in the logs.
 

exec /init: exec format error

 

EDIT: Apparently it doesn't wanna run on a Jetson Nano, which I don't understand why.

[LIGISTX]

Wireguard is painfully easy, way, way easier then OVPN. You literally just instal wiregaurd, and you create a config file on your client. I can't speak to running any VPN in a container, I assume docker networking becomes a bit of a headache. Just run the VPN on bare metal on the host?

[_Grid21]

1 hour ago, LIGISTX said:

Wireguard is painfully easy, way, way easier then OVPN. You literally just instal wiregaurd, and you create a config file on your client. I can't speak to running any VPN in a container, I assume docker networking becomes a bit of a headache. Just run the VPN on bare metal on the host?

The strange part was, when I tried WireGuard Client cert on my laptop, and used my mobile phone as like an outside internet connection, WireGuard completely disabled my ability to connect to the internet. So I have never had any real luck with WireGuard and it seemed like a pain for me. 

[LIGISTX]

18 minutes ago, _Grid21 said:

WireGuard Client cert

WG client cert? Wireguard doesn't "use certs"... what do you mean? Wireguard uses keys. 

 

This is a random sample config from the interwebz:

 

[Interface]
Address = 192.168.2.1
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client's publickey>
AllowedIPs = 192.168.2.2/32

[_Grid21]

20 minutes ago, LIGISTX said:

WG client cert? Wireguard doesn't "use certs"... what do you mean? Wireguard uses keys. 

 

This is a random sample config from the interwebz:

 

[Interface]
Address = 192.168.2.1
PrivateKey = <server's privatekey>
ListenPort = 51820

[Peer]
PublicKey = <client's publickey>
AllowedIPs = 192.168.2.2/32

Sorry, I couldn't remember what WIreGuard called them. I haven't any luck with WireGuard, at least in it's Docker Container form. The Jetson Nano does a version of ubuntu called Xubuntu, so I could test WIreGuard in a Ubuntu VM and see if I can get it working as a service before I deploy it on the Jetson Nano. OpenVPN Server didn't seem like a bad idea either, but I guess it depends on which one actually works properly.

[LIGISTX]

17 minutes ago, _Grid21 said:

Sorry, I couldn't remember what WIreGuard called them. I haven't any luck with WireGuard, at least in it's Docker Container form. The Jetson Nano does a version of ubuntu called Xubuntu, so I could test WIreGuard in a Ubuntu VM and see if I can get it working as a service before I deploy it on the Jetson Nano. OpenVPN Server didn't seem like a bad idea either, but I guess it depends on which one actually works properly.

I have used both, and I find wireguard a lot easier (and more performant, its way lighter weight than OVPN). But either works great. I agree, whichever actually works for you is the right one to use. I am just curious why WG wouldn't be working. Ports are opened in your router? 

[Levent]

27 minutes ago, LIGISTX said:

I have used both, and I find wireguard a lot easier (and more performant, its way lighter weight than OVPN). But either works great. I agree, whichever actually works for you is the right one to use. I am just curious why WG wouldn't be working. Ports are opened in your router? 

OPs client might in a CGNAT which tends to block UDP. Which is precisely why I prefer OVPN over TCP.

[LIGISTX]

4 minutes ago, Levent said:

OPs client might in a CGNAT which tends to block UDP. Which is precisely why I prefer OVPN over TCP.

Oh, true. 

[Alex Atkin UK]

14 minutes ago, LIGISTX said:

Wireguard is painfully easy, way, way easier then OVPN. You literally just instal wiregaurd, and you create a config file on your client. I can't speak to running any VPN in a container, I assume docker networking becomes a bit of a headache. Just run the VPN on bare metal on the host?

You say that, but Wireguard is practically unusable on my connection for some reason.  Its odd as everything I read said its supposed to be more fault tolerant, but often it barely works at all whereas OpenVPN over UDP is always fine.

 

21 hours ago, Levent said:

OpenVPN is a breeze to setup and use. If anything I would recommend attempting to fix your openvpn install. I personally always run OVPN through TCP and WG through UDP and connect using whichever lets me.

Its generally not recommended to use TCP, as sending TCP traffic over a TCP VPN causes issues with congestion control.

 

I personally find OpenVPN over UDP far more reliable than Wireguard, I have no idea why.  Don't know if its some oddity with my ISP or pfSense.

 

7 hours ago, Levent said:

OPs client might in a CGNAT which tends to block UDP. Which is precisely why I prefer OVPN over TCP.

That can't be right as DNS, games and http/3 use UDP.

[Levent]

1 hour ago, Alex Atkin UK said:

That can't be right as DNS, games and http/3 use UDP.

It is and it is extremely common around my part of the woods. Mobile networks are the primary culprits.

1 hour ago, Alex Atkin UK said:

Its generally not recommended to use TCP, as sending TCP traffic over a TCP VPN causes issues with congestion control.

True, however running OVPN over TCP443 for example is better than having caught by firewalls and not having any access whatsoever.

[Alex Atkin UK]

2 hours ago, Levent said:

It is and it is extremely common around my part of the woods. Mobile networks are the primary culprits.

True, however running OVPN over TCP443 for example is better than having caught by firewalls and not having any access whatsoever.

So you mean actively blocking specific UDP traffic?  Then sure.  Although its pretty dumb of them considering people use VPNs for work.

 

It can't just be blocking all UDP however, the Internet relies on UDP to function.

[_Grid21]

15 hours ago, Levent said:

OPs client might in a CGNAT which tends to block UDP. Which is precisely why I prefer OVPN over TCP.

I honestly don't know if they use CGNAT, I know I have a lot of devices that are assigned normal IP address. The issue is that I don't want my TrueNAS Server to be the VPN server while it's primary focus is storage. I also need to find something that works on ARM64 Jetson Nano, but I am find a lot of docker containers are x86_64 and I don't have a lot of x64 machines around. I could run a VM on my main desktop of Ubuntu yes, but then that ties up my main desktop as the OpenVPN Server. I don't know what other solutions I have and while yes my router natively supports OpenVPN, there isn't much management as far as assigning users/giving access and I feel like having a router issue all that stuff doesn't sound as smart/safe as having a machine that's semi-"behind" the router. So what options do you suggest I take here?