I’m re-setting up my HomeLab and one of the things I’m trying to learn about on this go-around is Zero Trust networking. To accomplish this I am planning on using NetBird’s mesh overlay network. I would like all of my services to use the NetBird mesh network at all times, whether they are communicating within my homelab’s LAN or I am accessing them from outside via the greater internet.

I have successfully set up the NetBird management interface on a Hetzner VPS; however, the issue I run into is that if I lose internet access at home, none of my services are able to function, as they can no longer reach the management interface. On the other hand, if I self-host the management interface in my homelab, I am unable to access it from outside my home LAN.

I’ve identified 2 solutions that could solve this:

  1. Self host the management interface and set up a Cloudflare tunnel to the management interface, which would allow access from outside my home network.

  2. Self host the management interface, then set up a WireGuard proxy/tunnel on a VPS that forwards traffic to my management interface (similar in my mind to option 1, but not relying on Cloudflare).

What are your thoughts? Any other ideas?

I appreciate your comments/criticisms!
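A sketch of what option 2 can look like, as an added example that is not part of the original post: a point-to-point WireGuard tunnel between the VPS and the home host running the management server, where the VPS DNATs only the management port down the tunnel, and the home side's AllowedIPs is limited to the VPS tunnel address so the VPS gets no route into the rest of the LAN even if it is compromised. The 10.99.0.0/24 addresses, the interface names (eth0, wg0), the key placeholders, the hostname vps.example.com and the management port (443) are assumptions.

```ini
# ---- VPS: /etc/wireguard/wg0.conf (assumed path) ----
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# Forward only the management port (443 assumed) from the VPS public
# interface (eth0 assumed) down the tunnel; nothing else is exposed.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = nft add table ip relay
PostUp   = nft add chain ip relay prerouting '{ type nat hook prerouting priority -100; }'
PostUp   = nft add chain ip relay postrouting '{ type nat hook postrouting priority 100; }'
PostUp   = nft add rule ip relay prerouting iifname "eth0" tcp dport 443 dnat to 10.99.0.2
# Masquerade so replies come back through the tunnel: the home side only
# routes 10.99.0.1/32 over wg0, so packets with a public source address
# would otherwise be dropped by WireGuard's cryptokey routing.
PostUp   = nft add rule ip relay postrouting oifname "%i" ip daddr 10.99.0.2 masquerade
PostDown = nft delete table ip relay

[Peer]
# Home management host: only its tunnel address is accepted from this key.
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32

# ---- Home management host: /etc/wireguard/wg0.conf (assumed path) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: the home side dials out, so nothing is opened on the home router.

[Peer]
# VPS relay. Only 10.99.0.1/32 is routed here, so the VPS cannot reach
# the LAN through this tunnel; it can only talk to this host.
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
AllowedIPs = 10.99.0.1/32
# Keep the NAT mapping alive from behind the home router.
PersistentKeepalive = 25
```

The trade-off of the masquerade is that the management server's logs see 10.99.0.1 as the client address rather than the real source; if client IPs matter for auditing, terminate TLS in a reverse proxy on the VPS instead and pass the address along.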

  • @just_another_person
    11 days ago

    It’s not about actually getting it to work, it’s about having it work PROPERLY.

    You have multiple routes to the same network right now, it sounds like, and you’re almost certainly routing local network traffic over NetBird instead of using local routes. Have you looked at your routing tables?

    • @unbroken2030
      1 day ago

      That’s one of the advantages for those interested in ZTN. In a somewhat similar way to IPv6, a local address/network isn’t inherently trustworthy.

    • @tapdattl (OP)
      11 days ago

      “you’re almost certainly routing local network traffic over NetBird instead of using local routes”

      That’s precisely the functionality I want, though. Secure, encrypted, mutually identified traffic should be the only traffic in a zero trust network.

      I’m simply trying to create an ingress point into this network for outside access.