What is the safest way to connect a homelab to the internet?

Hello, everyone!

I’m starting my CCNP Service Provider studies and I had to get a server (128GB RAM, 2X 28C CPU) for it because Cisco decided that an IOS XR node will be as big as one gaming PC and my current desktop can only run 1. :smiley: I’ll run Proxmox on top of it and inside Proxmox, I’ll run Cisco CML.

I spend a lot of my time at work, so I would like to access this server from the internet. I’ve read that there are many ways to do it. For example, you can set up port forwarding, which is probably the most direct method, although this isn’t fully secure, and I happen to be behind CGNAT, so there is barely any use to it anyway.

The most secure way would probably be setting up a VPN. I’d have to use a cloud-based VPN since a self-hosted VPN would need me to, again, port forward the VPN ports.

I’ve read that Tailscale is a good way to do this. It’s really simple and easy to set up → you don’t have to manage any keys and such (although you can for increased security) and adding devices there is pretty straightforward.

What do you guys think about this? Do you have any personal experience with the topic of this thread? What do you think is the best way to connect your homelab (or just my server in this case) securely to the internet so only I can access it?

Thank you.

David

Hi David,

Port forwarding should be avoided as much as possible because you’ll open your application to the outside world. If you must, add an IP whitelist to restrict who can access it.

If you want to run a VPN, you’ll have to forward something so you can’t avoid it. Make sure you always keep the VPN server up to date to reduce the risk of application vulnerabilities.

OpenVPN and WireGuard are two popular options. OpenVPN is a bit more advanced because you have many client/server authentication options, including certificates. WireGuard uses a simpler key system but works great, has less overhead and is simpler to set up.

I used OpenVPN for years but switched to WireGuard because of its speed and how simple it is to set up. On my Android phone I use WG Tunnel so it auto-connects and disconnects your WireGuard tunnel depending on whether I’m on my home Wi-Fi or not. Works great. Tailscale uses WireGuard under the hood.

If you want to do this, I would recommend using a firewall that has WireGuard support like pfSense or OPNsense. You’ll have your routing, NAT, and VPN on one box. I use pfSense on a dedicated box.

For everything else I run I use Proxmox. CML is virtualized on Proxmox too.

Are you still able to port forward something with your CGNAT?

Rene
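As an added illustration of the WireGuard setup Rene describes (a single forwarded UDP port, key-based peers, and a restriction so that the tunnel reaches only the homelab server), here is a constructed server/client configuration pair. It is not from either poster and assumes a Linux host running wg-quick with nftables rather than pfSense/OPNsense (which use their own firewall); every key, hostname and address is a placeholder.

```ini
# /etc/wireguard/wg0.conf on the VPN host (constructed example; keys and addresses are placeholders)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820                 # the only port that needs forwarding on the router, UDP only
PrivateKey = <SERVER_PRIVATE_KEY>  # generate with: wg genkey

# Allow VPN clients to reach only the Proxmox host (192.168.1.10, assumed),
# so a lost phone or laptop does not become a door to the whole LAN.
PostUp = nft add table inet wg; nft add chain inet wg fwd '{ type filter hook forward priority 0; policy accept; }'; nft add rule inet wg fwd iifname "wg0" ip daddr != 192.168.1.10 drop
PostDown = nft delete table inet wg

[Peer]
# One [Peer] block per device; revoke a device by deleting its block and reloading.
PublicKey = <PHONE_PUBLIC_KEY>
PresharedKey = <PHONE_PRESHARED_KEY>  # wg genpsk; adds a symmetric key on top of the Curve25519 handshake
AllowedIPs = 10.8.0.2/32              # this peer may only send traffic from its own tunnel address

# --- client side: wg0.conf on the phone or laptop (constructed example) ---
# [Interface]
# Address = 10.8.0.2/32
# PrivateKey = <PHONE_PRIVATE_KEY>
#
# [Peer]
# PublicKey = <SERVER_PUBLIC_KEY>
# PresharedKey = <PHONE_PRESHARED_KEY>
# Endpoint = vpn.example.com:51820   # the forwarded port on the home router
# AllowedIPs = 192.168.1.10/32       # split tunnel: only the homelab server goes through the VPN
# PersistentKeepalive = 25           # keeps the NAT mapping alive for a roaming client
```

Bring the server side up with `wg-quick up wg0` and check with `wg show` that a peer only appears with a recent handshake after it has actually authenticated; because WireGuard stays silent to packets that do not carry a valid key, a scan of the forwarded port sees nothing, which is the main reason it is considered safer to expose than a forwarded application port.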