A detailed explanation of what a virtual private network (VPN) provides and how I use it may be found in Home Private Network (VPN) – 2021 edition. My goals for a VPN have not changed since then, but the technology used to implement it has. This change was made because unRAID, the platform I use to host the VPN service, integrated VPN software called Wireguard. Additionally, the package for the software I had been using, OpenVPN, stopped being supported. While I could have just put OpenVPN on a virtual machine and continued to use that, Wireguard is noticeably faster and has some security options that in some cases are more advanced and forward-looking than OpenVPN's.
While I would encourage you to read the 2021 edition article which goes into more detail on how and why I implemented a VPN, I will quickly recount my main goals which are as follows:
- Be able to access the home network from a variety of devices (namely Windows and Android-based devices) when away from home
- Access region-restricted or region-tailored services which I use or subscribe to (e.g. Netflix, Amazon, iTunes, Google, etc.) from outside my home country
The technologies used to implement the 2024 VPN solution are:
- unRAID server for hosting the VPN server in a Docker container
- unRAID's built-in support for Wireguard as the VPN server
- Wireguard as the VPN client on Android and Windows devices
- Wake On LAN (WOL) unRAID plug-in for waking up computers
Installing Wireguard on my Windows and Android devices was quick and painless as was the process of creating configurations for each client device on the server. Configuring the clients was then just a matter of scanning a QR code or downloading a configuration file from the server.
When opening access from the Internet to a service on my home network, I like to add extra protection using tools like fail2ban and two-factor authentication (2FA). However, Wireguard does not easily integrate with my usual tools without some customization. Connection attempts with invalid credentials are not recorded anywhere, so they cannot be detected by fail2ban, and there is no native support for 2FA. This concerned me until I did some further research on how Wireguard works, especially sections 5.1, 5.2, and 5.3 of the design documentation, which made clear why protections against brute-force (password guessing) attacks and 2FA are not really applicable. In the future, I may log traffic sent from the Internet to the Wireguard server just for my own curiosity, but it will not be straightforward to determine programmatically whether the traffic was legitimate or not.
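As an added example (not code from the original post), the Python below shows what such traffic logging could at least do: classify captured UDP payloads by WireGuard message type using the fixed on-the-wire sizes, and flag sources whose handshake initiations the server never answered. The server address and the packet samples are constructed, and the "unanswered initiation" heuristic is my own inference from the paper's silence-on-bad-keys behaviour, not a WireGuard feature.

```python
from collections import Counter

# Fixed on-the-wire sizes of the three handshake message types (bytes).
MSG_SIZES = {1: ("handshake_initiation", 148),
             2: ("handshake_response", 92),
             3: ("cookie_reply", 64)}
TRANSPORT_MIN = 32  # 16-byte transport header plus at least a 16-byte AEAD tag
SERVER = "203.0.113.10"  # constructed server address (TEST-NET-3), hypothetical


def classify(payload: bytes) -> str:
    """Return the WireGuard message kind of one UDP payload, or 'invalid'."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "invalid"  # the three reserved bytes after the type must be zero
    mtype = payload[0]
    if mtype in MSG_SIZES:
        name, size = MSG_SIZES[mtype]
        return name if len(payload) == size else "invalid"
    if mtype == 4 and len(payload) >= TRANSPORT_MIN:
        return "transport_data"
    return "invalid"


def summarize(packets):
    """packets: (src_ip, dst_ip, payload) tuples in capture order.
    Returns message-kind totals and, per source, how many handshake
    initiations to SERVER never got a handshake_response back. Heuristic
    (assumption): the server stays silent unless the initiation authenticates,
    so a source with only unanswered initiations never presented a valid key."""
    kinds = Counter()
    unanswered = Counter()
    for src, dst, payload in packets:
        kind = classify(payload)
        kinds[kind] += 1
        if kind == "handshake_initiation" and dst == SERVER:
            unanswered[src] += 1
        elif kind == "handshake_response" and src == SERVER and unanswered[dst]:
            unanswered[dst] -= 1  # one response settles one pending initiation
    return kinds, {ip: n for ip, n in unanswered.items() if n > 0}


def _msg(mtype: int, size: int) -> bytes:
    return bytes([mtype, 0, 0, 0]) + b"\x00" * (size - 4)  # constructed stand-in


# Constructed sample capture: one real peer, one key-less prober, one junk packet.
SAMPLE = [
    ("198.51.100.7", SERVER, _msg(1, 148)),   # real client initiates
    (SERVER, "198.51.100.7", _msg(2, 92)),    # server answers: keys were valid
    ("198.51.100.7", SERVER, _msg(4, 80)),    # encrypted tunnel data
    ("192.0.2.99", SERVER, _msg(1, 148)),     # prober: well-formed, unknown key
    ("192.0.2.99", SERVER, _msg(1, 148)),
    ("192.0.2.99", SERVER, _msg(1, 148)),
    ("192.0.2.50", SERVER, b"\x01\x02\x03"),  # junk: too short, reserved bytes set
]

if __name__ == "__main__":
    totals, suspects = summarize(SAMPLE)
    print(dict(totals), suspects)
```

A cookie reply from a server under load does not prove the initiator's key was valid, so only a handshake_response is treated as an answer here.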
While I had no issues with OpenVPN, Wireguard, even if arguably not as feature-dense, does everything I want it to do in a fast and simple way. I have not tried to use it on a plane or overseas, as business travel has basically stopped for me due to various global events over the past few years, but I have no reason to believe that Wireguard will not work as expected in those situations.