I’m re-setting up my HomeLab and one of the things I’m trying to learn about on this go-around is Zero Trust networking. To accomplish this I am planning on using NetBird’s mesh overlay network. I would like all of my services to use the NetBird mesh network at all times, whether they are communicating within my homelab’s LAN or I am accessing them from outside via the greater internet.
I have successfully set up the NetBird management interface on a Hetzner VPS; however, the issue I run into is that if I lose internet access at home, none of my services are able to function, as they can no longer reach the management interface. However, if I self-host the management interface in my homelab, I am unable to access it from outside my home LAN.
I’ve identified 2 solutions that could solve this:
- Self-host the management interface and set up a Cloudflare tunnel to the management interface, which would allow access from outside my home network.
- Self-host the management interface, then set up a WireGuard proxy/tunnel on a VPS that forwards traffic to my management interface (similar in my mind to option 1, but not relying on Cloudflare).
What are your thoughts? Any other ideas?
I appreciate your comments/criticisms!
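For the second option (a WireGuard tunnel on the VPS that forwards traffic to a management server kept inside the home LAN), here is an added example of what the two wg-quick configurations could look like. It is not from the original post or from the NetBird project; the tunnel subnet 10.100.0.0/24, the VPS interface name eth0, the hostname vps.example.com, the key placeholders and the forwarded ports (TCP 443 for the management/signal reverse proxy, UDP 3478 for STUN/TURN) are all assumptions that need to match your own deployment.

```ini
# ---------------------------------------------------------------
# VPS side: /etc/wireguard/wg0.conf (example; adjust to your setup)
# The VPS terminates the WireGuard tunnel and DNATs the public
# NetBird ports down the tunnel to the home management host.
# ---------------------------------------------------------------
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>

# Enable forwarding for the lifetime of the interface.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Public TCP 443 -> home host over the tunnel (management + signal behind
# the home reverse proxy). Port assumed; check your NetBird deployment.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2:443
# Public UDP 3478 -> home host (STUN/TURN). Port assumed as well.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2:3478

# Masquerade on wg0 so the home host sees 10.100.0.1 as the source and
# sends replies back through the tunnel instead of out its own uplink.
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

# Only the DNATed flows may cross from the public interface into the tunnel;
# everything coming back is accepted as an established/related reply.
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Mirror image of the rules above, removed when the tunnel goes down.
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.100.0.2:443
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 3478 -j DNAT --to-destination 10.100.0.2:3478
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# The home management host. Only its tunnel address is routable here.
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.100.0.2/32

# ---------------------------------------------------------------
# Home side: /etc/wireguard/wg0.conf on the NetBird management host
# The home host dials out to the VPS, so no inbound port needs to be
# opened on the home router.
# ---------------------------------------------------------------
# [Interface]
# Address = 10.100.0.2/24
# PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>
#
# [Peer]
# PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
# Endpoint = vps.example.com:51820
# AllowedIPs = 10.100.0.0/24
# # Keepalive holds the home NAT mapping open so the VPS can push
# # forwarded connections down the tunnel at any time.
# PersistentKeepalive = 25
```

With this layout the home router forwards nothing; the VPS is the only host with public listening ports, and it carries just WireGuard plus the two forwarded services. One consequence of the MASQUERADE rule is that the management server's logs record 10.100.0.1 as the client address for every forwarded connection rather than the real remote IP, so any per-client auditing has to happen on the VPS side.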
> however the issue I run into is if I lose internet access at home, none of my services are able to function as they can no longer reach the management interface.
Do the services stop working immediately, or only after restarting the netbird client(s)? I’ve found headscale/tailscale nodes will continue to communicate with each other with the internet down, but restarting the tailscale client will break things (which makes sense of course).
If NetBird has an equivalent to MagicDNS, that could cause issues after a while of losing connectivity (since the DNS will be hosted on the VPS).
Well, the internet-down scenario has only happened once: I returned home to no internet, booted up my laptop, and could not connect to any of my services since I couldn’t reach my control server. I haven’t forced the issue to occur by disconnecting my internet and testing connectivity. I just did the lazy thing and connected to the services I wanted via their IPv4 address.