khuedoan-homelab/docs/getting-started/vpn-setup.md

# VPN setup

You can choose between [Tailscale](https://tailscale.com), [Wireguard](https://www.wireguard.com), or use both like me.

## Tailscale (requires third-party account)

Get an [auth key](https://tailscale.com/kb/1085/auth-keys) from [Tailscale admin console](https://login.tailscale.com/admin/authkeys):

- Description: homelab
- Reusable: optionally set this to true

Add it to `external/terraform.tfvars` as an extra secret:

```hcl
extra_secrets = {
  tailscale-auth-key = "tskey-auth-myauthkeyhere"
}
```

Apply the secret:

```sh
make external
```

Finally, [enable subnet routes](https://tailscale.com/kb/1019/subnets#step-3-enable-subnet-routes-from-the-admin-console) for `homelab-router`
from the [admin console](https://login.tailscale.com/admin/machines).

You can now connect to your homelab via Tailscale and [invite user to your Tailscale network](https://tailscale.com/kb/1371/invite-users).

## Wireguard (requires port-forwarding)

Update the peer list in `apps/wireguard/values.yaml`:

```yaml
PEERS: |
  UserDevice
  FooPhone
  FooLaptop
  BarDesktop
```

Go to your router settings and forward the Wireguard service.
Each router is different, here's mine for reference:

- Protocol: `UDP`
- Start Port: `51820`
- End Port: `51820`
- Local IP Address: `192.168.1.226` (find it with `kubectl get service -n wireguard wireguard`)
- Start Port Local: `51820`
- End Port Local: `51820`

To get the QR code (for mobile) and config (for desktop), run:

!!! warning

    This command will print sensitive secrets to the terminal.

```sh
./scripts/get-wireguard-config FooPhone
```
refactor!: replace ZeroTier with Tailscale and Wireguard - Tailscale UX is better, and the Headscale control server is also easier to self-host than ZeroTier (although Headscale is not the official control server, the author now works at Tailscale) - Wireguard is also added as an alternative to avoid relying on a third-party service, however it requires port-forwarding 2024-04-18 20:11:18 +07:00			`# VPN setup`

			`You can choose between [Tailscale](https://tailscale.com), [Wireguard](https://www.wireguard.com), or use both like me.`

			`## Tailscale (requires third-party account)`

			`Get an [auth key](https://tailscale.com/kb/1085/auth-keys) from [Tailscale admin console](https://login.tailscale.com/admin/authkeys):`

			`- Description: homelab`
			`- Reusable: optionally set this to true`

			Add it to `external/terraform.tfvars` as an extra secret:

			```hcl
			`extra_secrets = {`
			`tailscale-auth-key = "tskey-auth-myauthkeyhere"`
			`}`
			```

			`Apply the secret:`

			```sh
			`make external`
			```

			Finally, [enable subnet routes](https://tailscale.com/kb/1019/subnets#step-3-enable-subnet-routes-from-the-admin-console) for `homelab-router`
			`from the [admin console](https://login.tailscale.com/admin/machines).`

			`You can now connect to your homelab via Tailscale and [invite user to your Tailscale network](https://tailscale.com/kb/1371/invite-users).`

			`## Wireguard (requires port-forwarding)`

			Update the peer list in `apps/wireguard/values.yaml`:

			```yaml
			`PEERS: \|`
			`UserDevice`
			`FooPhone`
			`FooLaptop`
			`BarDesktop`
			```

			`Go to your router settings and forward the Wireguard service.`
			`Each router is different, here's mine for reference:`

			- Protocol: `UDP`
			- Start Port: `51820`
			- End Port: `51820`
			- Local IP Address: `192.168.1.226` (find it with `kubectl get service -n wireguard wireguard`)
			- Start Port Local: `51820`
			- End Port Local: `51820`

			`To get the QR code (for mobile) and config (for desktop), run:`

			`!!! warning`

			`This command will print sensitive secrets to the terminal.`

			```sh
			`./scripts/get-wireguard-config FooPhone`
			```