Which VPN do you use?

Like many of you, I use a VPN for my home lab at home and to manage servers at work.

For a long time I was using OpenVPN Access Server as my VPN, but recently I discovered the Tailscale product and I found its features more useful than OpenVPN. Especially the fact that it is built on the Wireguard protocol, the distributed-mash structure and the ability to connect servers behind NAT/CGNAT is more useful than OpenVPN.

After discovering Tailscale, I did some more research and found that other products like ZeroTier and Netmaker have the same structure.

I’d like to ask you, have you used and experienced any VPN services before and what are their pros and cons?

Wiki list: (Level 2+ members can edit)

I am using Opera VPN. But as for sure, it doesn’t seems to work as expected in normal site then I create GX Profiles to surf on linuxcommunity and similar platforms without VPN. If a site ban my country I open Opera GX my opera profile where I was subscribed to VPN option. I think OpenVPN is beginner VPN set up or people does not have money to purchase a VPN. This is my point of view only.

I’ve been using Zerotier.com, ovpn.com, Zero Trust (thanks to you, I believe) and also have Proxmox setup with Debian+xfce4 VMs in a few locations. (using x2go and nomachine).

ovpn is enabled from my home lab router so that the entire home and Wi-Fi uses dedicated US IP. (with my work desktop, IPTV box, and a few other devices excluded):

I dont use a VPN, instead I use OpenZiti. I actually was using Cloudflare ZeroTrust but I did not like the idea of them holding my private keys. Who knows, disgruntled employee gets his hands on your private keys, then its tits up from there!
OpenZiti, I am in total control of everything.
VPN’s still suffer from access to devices and applications. With Openzizti I can lock down application level by embedding zero trust into the app SDK’s!
Definitely the most secure way!! If you prefer,you can use tunnelers to network devices and manage access that way…

1 Like

Hi @chmod600

Welcome to our Linux community!

Thanks for sharing Openziti I have not heard of this before.

The risk of an employee accessing your private keys in a well-managed, reputable cloud service like Cloudflare is very low due to stringent security measures and protocols, it is not impossible.

If absolute control over your keys is a non-negotiable, it looks like that’s a great solution. Will give this a try as well.

Hi Haydn - not so much disgruntled employee, Cloudflare actually decrypts the info before encrypts it again before you can get to your network/or devices. Much more from a privacy issue… anyway not saying dont use them, I dont want them to see inside my packets…

Check out this video by Christian Lempa : https://www.youtube.com/watch?v=oqy3krzmSMA

1 Like

Ahh, ok, I was going based on this.

I agree with his perspective, stating at 3:12 (the “Privacy Perspective” section of his video) in that I’m also ok with the decryption and encryption.

As he also correctly states, “nothing is 100% secure”. In the video description he also links to his other video: “How to use Cloudflare Tunnel in your Homelab”.

…or your data then yes it would be best to avoid 3rd party services like this. Personally, I have no issues with Cloudflare’s security for my use cases.

Thanks for the replies and suggestions.

I agree with the trust concerns of Cloudflare, although it is not that important to me. I think Cloudflare tunnel is still the best option for publishing local web applications to the public. It’s easy to set up and privacy is not that important for the public application.

Conversely, using the local network away from it is rather messy. You should install Cloudflare WARP and the access control is hard to manage. I think privacy is more important when it comes to local networks. That’s why I switch to Tailscale.

I’ll also take a look at Openziti too. It looks like Tailscale but I wonder what it offers.

1 Like

Even though I am not a VPN person, if the need arises to use one, I always give with Mullvad on my Linux. Good speeds even as it gives you native Linux clients and it is open source too.

1 Like

Thanks for sharing. Will turn the first post into a Wiki. Adding https://www.ivpn.net/ to it.

I tested all the other VPN suggestions here and I decided to keep using Tailsale. Here are the better sides of Tailscale, if anyone wonders;

  • It’s using Wireguard, but it resolves and automates most of their connection issues.
  • Its P2P mesh system is better than the centralized VPN system of OpenVPN and the like.
  • The free version allows you to add 100 devices which is much more than the others.
  • Its free version includes all enterprise features! But limited to 3 users.
  • It’s so flexible, i.e. you can create multiple exit nodes and you don’t need to redirect all client’s traffic to the exit node, they can choose if they want.
  • You can choose to redirect traffic over exit nodes only for some domains, which is an awesome feature.
  • It has a modern UI and is easy to use.

Btw, you can add Mullvad to Tailscale directly, if you want.

1 Like

Agreed. Found this also: :upside_down_face: (uses Tailscale)

I see Open Ziti is a docker based VPN. Means first of all you need to install Docker first of all. After that, you process installation process. Except the first option, other options needs to have docker installed to manipulate their VPN.

I watched the video you shared @hydn :slight_smile: I think he uses the old version of the Tailscale because, in the new version, there is an “Apps” section that allows you to redirect only some domains to the exit node. In this way, you don’t need to route all your traffic to the exit node, Tailscale just realizes the App domains and redirects them only. Very cool feature actually.

1 Like

I also examined OpenZiti @saoussen5765, I think it is not for general usage like the others, but more like for DevOps.

As you said, it is generally used with Docker and designed to work with application communication. It saves a lot of firewall settings and it makes the applications communicate easily between servers. It’s worth a chance if you develop any disrupted applications.

1 Like