Abandoning NordVPN Meshnet for WireGuard
NordVPN's free Meshnet doesn't work with Docker port mappings on a host machine, or at least not easily.
Meshnet is great for LAN parties and very simple stuff, but IMO it's less geared for home labs and more for casual use. Awesome that it's free, but Tailscale has more support and resources for home labs.
I need to get a VPN running to make communication between my hosts easier and more secure. Currently I am running ssh tunnels with autossh and systemd units. This is fine, but if I add another service it gets a bit cumbersome, because I need to rewrite the unit file and check it again. With a VPN you can just address the host's VPN IP address, or its DNS record if you have dnsmasq set up.
Aside:
I was previously under the impression that a VPN was only for routing all your traffic through some exit node (in another country or region, for example). While they CAN serve that purpose, they are also really good for encrypted LAN-style communication: you can reference some host and port on your VPN network and reach it without port forwarding or tunneling.
Use VPNs to connect devices securely like you are on a LAN.
Trying with Nord Meshnet
I couldn't get NordVPN Meshnet to work. I wanted host A and host B set up so that I could access a socket (the ip:port of a Docker container) on host A from host B using the Meshnet address.
I got both machines on the Meshnet with their own Meshnet IPs and then enabled the "local" option on both Meshnet hosts. The "local" option lets a Meshnet peer see the LAN devices behind the other peer. You need this because Docker containers give themselves addresses like 172.x.x.x, which you can't reach directly from outside the host. When you use the -p option, Docker sets up a firewall rule in iptables that forwards traffic arriving on port 8000 to the IP and port of the container.
Well, it doesn’t work.
Call it a skill issue lol.
After doing some reading here, I realized that the nordvpn client on Linux changes some rules in iptables. Those rules don't play nice with Docker port publishing: you can't access host_A_vpn_ip:docker_port from host B while on the Meshnet. That forum recommends enabling the "local" option, but that doesn't work either.
Tbh, I don't feel like delving into a fix. You could probably get iptables to work with Meshnet and Docker, but I don't think it's worth the effort. From what I hear, Tailscale does this well.
On Free & Proprietary Services
Cloudflare Tunnels, Tailscale, and NordVPN Meshnet are all examples of free but closed software. Even if they remain free forever, there is no direct way to modify the source to fix these sorts of issues yourself.
Going Forward & Conclusion
I'm going to use WireGuard to set up a VPN. It has a LOT of support and resources for this stuff. I'm personally wary of free but closed-source software simply because you can become locked in without the ability to modify the software you are running.
Tailscale is another great option if you aren't bothered by its proprietary nature. There is headscale, which does look pretty interesting, but it's just another thing to host.
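The two-host WireGuard setup described above, as an added example that is not code from the original post: a small POSIX shell script that renders a wg0.conf for each side of a point-to-point tunnel so host B can reach a port published with -p on host A through host A's tunnel address, plus helper functions to generate keys, inspect the Docker DNAT rule and verify the path from host B. The subnet 10.8.0.0/24, the endpoint name vpn-a.example.invalid, the published port 8000 and the angle-bracket key placeholders are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): render WireGuard configs for a
# two-host tunnel so host B can reach a Docker-published port on host A via
# the tunnel address. Addresses, hostnames and keys below are placeholders.

WG_SUBNET_PREFIX="10.8.0"                 # assumed VPN subnet 10.8.0.0/24
HOST_A_VPN="${WG_SUBNET_PREFIX}.1"        # host A (runs the Docker container)
HOST_B_VPN="${WG_SUBNET_PREFIX}.2"        # host B (the client side)
HOST_A_ENDPOINT="vpn-a.example.invalid"   # assumed public name/IP of host A
WG_PORT=51820                             # WireGuard's conventional UDP port
DOCKER_PORT=8000                          # the port published with -p 8000:8000

# render_conf OWN_ADDR OWN_PRIVKEY PEER_PUBKEY PEER_ADDR [PEER_ENDPOINT]
# Prints a wg0.conf to stdout. AllowedIPs is pinned to the peer's single tunnel
# address, so only LAN-style traffic to that host enters the tunnel and the
# default route is untouched (no exit-node behaviour, no extra firewall rules).
render_conf() {
  own_addr=$1; own_key=$2; peer_pub=$3; peer_addr=$4; peer_endpoint=$5
  printf '[Interface]\n'
  printf 'Address = %s/24\n' "$own_addr"
  printf 'PrivateKey = %s\n' "$own_key"
  # Only the side that accepts connections (no known peer endpoint) listens.
  if [ -z "$peer_endpoint" ]; then
    printf 'ListenPort = %s\n' "$WG_PORT"
  fi
  printf '\n[Peer]\n'
  printf 'PublicKey = %s\n' "$peer_pub"
  printf 'AllowedIPs = %s/32\n' "$peer_addr"
  if [ -n "$peer_endpoint" ]; then
    printf 'Endpoint = %s:%s\n' "$peer_endpoint" "$WG_PORT"
    # Keepalive so a client behind NAT stays reachable from host A as well.
    printf 'PersistentKeepalive = 25\n'
  fi
}

# gen_keypair PRIVKEY_FILE: write a private key (mode 0600) and print the
# matching public key. Needs the wireguard-tools package (the wg command).
gen_keypair() {
  umask 077
  wg genkey > "$1"
  wg pubkey < "$1"
}

# show_docker_dnat: run on host A to see the nat-table rule that -p created.
# Docker publishes on all interfaces by default and its DNAT rule in the DOCKER
# chain matches traffic arriving on any non-docker0 interface, wg0 included.
show_docker_dnat() {
  sudo iptables -t nat -S DOCKER | grep -- "--dport ${DOCKER_PORT}"
}

# verify_from_host_b: run on host B after `wg-quick up wg0` on both sides.
verify_from_host_b() {
  sudo wg show wg0 latest-handshakes          # a recent timestamp means the tunnel is up
  ping -c 1 -W 2 "$HOST_A_VPN"
  curl -sS --max-time 5 "http://${HOST_A_VPN}:${DOCKER_PORT}/"
}

# Print both configs with placeholder keys. Replace them with real ones from
# gen_keypair, install each as /etc/wireguard/wg0.conf on its host, then run
# `sudo wg-quick up wg0` (or `sudo systemctl enable --now wg-quick@wg0`).
echo "# host A: /etc/wireguard/wg0.conf"
render_conf "$HOST_A_VPN" "<host-A-private-key>" "<host-B-public-key>" "$HOST_B_VPN"
echo
echo "# host B: /etc/wireguard/wg0.conf"
render_conf "$HOST_B_VPN" "<host-B-private-key>" "<host-A-public-key>" "$HOST_A_VPN" "$HOST_A_ENDPOINT"
```

Because each peer's AllowedIPs is a single /32 rather than 0.0.0.0/0, wg-quick does not install any firewall or fwmark rules of its own, so Docker's iptables chains are left exactly as Docker wrote them; the container's published port is simply reachable on host A's wg0 address like any other interface, with no LAN-discovery feature needed.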