Tailscale vs. router's built-in VPN function: which should I choose?

Hi redditors,

the goal is to connect to a 3rd party server (Real-Debrid in my case) when not at home with the same IP address as if I was at home.

I’ve always thought Tailscale is a good solution for that, but yesterday I’ve learnt that many routers have a built-in support of VPN, e.g. ASUS.

Are there any drawbacks and benefits of using the router’s built-in VPN capability vs. Tailscale (in the context of my goal)?

Thank you!

Are there any drawbacks

One drawback of hosting it on your own router is if you don't have a routable public IP address sitting on your WAN interface at home. This is easy to determine if you go to whatsmyip.com with a client sitting behind your router and note the IP address. Then log in to your main router and look at the WAN IP address. Does it match what you see on whatsmyip?

If they match then you can host your own wireguard server as you have a routable public IP address. If they don't match then you are fighting CGNAT and not going to be able to host.

Tailscale doesn't care about any of the above, it will work around that (with some caveats and potential limitations, mainly in regard to speed).

With tailscale you've got to be more mindful of the whole NAT thing and how it works. So you can have clients that use the relay servers (which you don't want if performance is your need) because they couldn't open the correct ports. That is just the game you play since tailscale is handling all of the connection/encryption and whatnot. With you hosting a wireguard server on, say, an Asus router with a routable public IP address, your connection is always direct and gets the best performance since your client is negotiating directly with the wireguard server/firewall.

Asus makes setting up the wireguard super simple.

Tailscale makes setting up things super simple too.

Another plus with tailscale is being able to share your nodes with your friends and family if you get them set up with tailscale. It's easy and you don't have to worry about them touching the rest of your network, whereas with wireguard you are going to have to dink around with some firewall rules to make sure that they can't talk to the rest of your network. (That is something you would need to check to see if you can even do that with an Asus router.) I know in pfsense I can do that with wireguard. That is more of an /r/ASUS question.

The newer Asus routers support wireguard (make sure you double check). I honestly prefer hosting my own wireguard server and the wireguard client application over tailscale, especially when it comes to my iOS/Mac, as it seems more lightweight to me. I would still be using wireguard/my own server (running on pfsense) if I hadn't moved and now have to deal with CGNAT for my internet (what you were checking with the whatsmyip).

Now I will admit Tailscale has made my life a lot easier. I have some things I run in the cloud and it's been stable, and the client configuration has been a no-brainer. I would probably run both wireguard and tailscale in my network at the same time if I had a routable public IP address on my firewall.
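The whatsmyip-versus-WAN-address check above can be turned into a small script. This is an added example, not code from the post or from any router vendor; it assumes you have already copied the two addresses by hand, and it uses the fact that carrier-grade NAT hands out addresses from the RFC 6598 shared range 100.64.0.0/10, which a router's WAN status page will show directly. The address values in the usage call are constructed for illustration.

```python
import ipaddress

# RFC 6598 "shared address space": the range ISPs assign behind carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Classify the router's WAN address against what the outside world sees.

    wan_ip      -- the WAN address shown on the router's status page
    observed_ip -- the address a "what's my IP" site reports for a client behind it

    Returns "public", "cgnat", "private-upstream" or "mismatch".
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)

    if wan in CGNAT_SPACE:
        # ISP NAT in front of you: a port forward on your router never sees inbound traffic.
        return "cgnat"
    if wan.is_private or wan.is_link_local:
        # Another NAT device (ISP modem/router) sits upstream: double NAT, sometimes fixable
        # by forwarding the port on that device too or putting it in bridge mode.
        return "private-upstream"
    if wan == observed:
        # Routable address on your own WAN interface: self-hosted WireGuard is viable.
        return "public"
    # Public-looking WAN address, but the outside sees something else (transparent proxy,
    # or a NAT you cannot see). Treat as not directly reachable until proven otherwise.
    return "mismatch"


def recommend(wan_ip: str, observed_ip: str) -> str:
    """Map the classification onto the advice given in the thread."""
    kind = classify_wan(wan_ip, observed_ip)
    if kind == "public":
        return "host-wireguard-on-router"
    if kind == "private-upstream":
        return "host-wireguard-if-upstream-device-can-forward-the-port"
    return "use-tailscale-or-another-nat-traversing-vpn"


if __name__ == "__main__":
    # Constructed sample values, not real measurements.
    for wan, seen in [("93.184.216.34", "93.184.216.34"),
                      ("100.72.3.4", "93.184.216.34"),
                      ("192.168.0.2", "93.184.216.34")]:
        print(wan, seen, "->", classify_wan(wan, seen), "/", recommend(wan, seen))
```

A WAN address inside 100.64.0.0/10 is the usual tell for CGNAT; a private (RFC 1918) WAN address means a second NAT device you may still control. Only a global WAN address that matches the outside view means the "host it on the router" option works as described.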

I use tailscale a lot, but I use the SSL VPN of my firewall because that’s what it is designed for.
I guess it depends on how well you manage your router (is the latest firmware supported/installed?) or your endpoints.

GL.iNet routers have built in Tailscale.

Check out this guide

As someone already mentioned, plain Wireguard is preferred unless you’re behind CGNAT at home.

VPNs take CPU power. Unless your home router is beefy you’ll always tax its CPU pretty hard. Running Tailscale on both ends means you’re more likely to be running on desktops or servers with 100x more CPU to spare.

The VPN you linked to is also OpenVPN, which is super slow.

Essentially the main difference is CGNAT. Regular traditional VPNs require a DDNS setup and the complications that come with that. Tailscale or any of the Wireguard variants don't care. They're quickly taking over the VPN world and will probably continue to expand in the future.

Put pivpn running wireguard behind your router. Pivpn auto updates. Pick an obscure port on your router to forward to. There are free dns services out there.

HOWEVER if you ever have to deal with NAT issues then run Tailscale at home with exit node. Again you can run it on a pi or you can even set it up on Apple TV. Dead simple.

Edit: free dynamic DNS like freedns.dynun.com, which has either a PC client or a script for your router to auto-update if your IP changes.
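A self-hosted WireGuard setup of the kind described here (pivpn or a router behind a forwarded port and a DDNS name) needs three pieces of config: the server-side [Peer] stanza, the client config pointing at the DDNS name and port, and, if you hand a config to a friend as the earlier reply discusses, firewall rules that keep that peer away from the rest of the LAN. The generator below is an added example, not pivpn's or any router's own code. The key strings, tunnel addresses, DDNS host `home.example.net` and port 51820 are constructed placeholders; the nftables rules assume an `inet filter forward` chain with a default drop policy and an earlier `ct state established,related accept` rule, which is the common layout on a Linux box acting as the VPN host.

```python
import ipaddress


def server_peer_stanza(name: str, peer_pubkey: str, tunnel_ip: str) -> str:
    """[Peer] block for the server's wg0.conf.

    AllowedIPs on the server side is the *source* address this peer may use inside
    the tunnel (cryptokey routing). It does NOT limit what the peer can reach on the
    LAN; that is the firewall's job (see peer_forward_rules).
    """
    ipaddress.ip_address(tunnel_ip)  # raises ValueError on garbage input
    return (
        f"# {name}\n"
        "[Peer]\n"
        f"PublicKey = {peer_pubkey}\n"
        f"AllowedIPs = {tunnel_ip}/32\n"
    )


def client_config(peer_privkey: str, server_pubkey: str, tunnel_ip: str,
                  ddns_host: str, listen_port: int, route_cidrs: list[str]) -> str:
    """Client-side config.

    Endpoint is the DDNS name plus the port forwarded on the router. AllowedIPs on the
    client side is what gets routed *into* the tunnel: 0.0.0.0/0 for a full tunnel
    (traffic leaves with the home IP, which is what the OP wants), or just the LAN
    range for a split tunnel handed to a guest.
    """
    for cidr in route_cidrs:
        ipaddress.ip_network(cidr)
    return (
        "[Interface]\n"
        f"PrivateKey = {peer_privkey}\n"
        f"Address = {tunnel_ip}/32\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pubkey}\n"
        f"Endpoint = {ddns_host}:{listen_port}\n"
        f"AllowedIPs = {', '.join(route_cidrs)}\n"
        "PersistentKeepalive = 25\n"
    )


def peer_forward_rules(tunnel_ip: str, allowed_host: str, tcp_ports: list[int],
                       wg_if: str = "wg0") -> list[str]:
    """nftables rules confining one guest peer to a single LAN host and port set.

    Order matters: the accept rule must be loaded before the catch-all drop.
    Reply traffic from allowed_host back to the peer is covered by the chain's
    established/related rule, which this helper assumes already exists.
    """
    ipaddress.ip_address(tunnel_ip)
    ipaddress.ip_address(allowed_host)
    ports = ", ".join(str(p) for p in tcp_ports)
    return [
        f'add rule inet filter forward iifname "{wg_if}" ip saddr {tunnel_ip} '
        f"ip daddr {allowed_host} tcp dport {{ {ports} }} ct state new accept",
        # Everything else from this peer, including the rest of the LAN, is dropped.
        f'add rule inet filter forward iifname "{wg_if}" ip saddr {tunnel_ip} drop',
    ]


if __name__ == "__main__":
    # Placeholder keys: generate real ones with `wg genkey | tee priv | wg pubkey`.
    print(server_peer_stanza("friend-phone", "FRIEND_PUBLIC_KEY_BASE64=", "10.8.0.5"))
    print(client_config("OWN_PRIVATE_KEY_BASE64=", "SERVER_PUBLIC_KEY_BASE64=",
                        "10.8.0.2", "home.example.net", 51820, ["0.0.0.0/0"]))
    for rule in peer_forward_rules("10.8.0.5", "192.168.1.10", [32400]):
        print("nft", rule)
```

The two `nft` lines are what "dink around with some firewall rules" amounts to on a Linux host: a guest peer at 10.8.0.5 can open new connections only to 192.168.1.10 on the listed ports (32400 being the port a media server such as Plex typically listens on) and nothing else. Picking an obscure listen port, as the post suggests, reduces scanner noise but is not an access control; the peer's key is.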

Pfsense now runs Tailscale, so OP could use that as his router and subnet VPN, respectively. Of course, this means buying Netgate or setting up pfsense on some old hardware or buying a cheap headless unit and installing pfsense.

Thank you so much for such a detailed reply - I highly appreciate your help and time! May I ask you to kindly clarify a couple of things, so that I end up knowing in which direction to move on with my further research?

With tailscale you gotta be more mindful with the whole NAT thing and how it works. So you can have clients that use the relay servers (which you dont want if performance is your need) because they couldnt open the correct ports.

Am I right that such clients are mainly P2P apps like uTorrent and similar?

I also heard that since Tailscale can’t (by design?) establish direct connection between 2 Tailscale clients, they will be using DERP servers (whatever that might mean), which significantly drop data transfer speed between these clients. I don’t know whether or not you know what Plex is, so just in case - this is the home media server which I can also access remotely. So if Tailscale really significantly slows down data transfer (e.g., between my home PC with Plex server running on it and my mobile device when I’m out of home) you can imagine that 4K movies will be frequently interrupted for buffering for several seconds. :frowning:

Will be glad to hear your comments on that too. Thank you!

Are you saying that you think your firewall was designed for the SSL VPN it runs, or that the SSL VPN was designed for your firewall, because likely neither is true.

Thank you for the link - appreciate your help!

Do note, OP, that the tailscale client on the GL.iNet is old, so a manual update is the only way to get it updated if you want the latest client (and pretty much you will be manually updating it until GL.iNet catches up).

https://www.reddit.com/r/Tailscale/comments/185m8dm/tailscale_on_settop_box_and_slow_upload_speeds_on/kb3kjft/

Also, if you are looking for a simple do-everything-in-the-GUI experience, the tailscale client on the GL.iNet has a ways to go before it's matured, so as you can see in the link above you are doing a lot of things in the CLI.

Yeah, good note, thank you!

Yup, I run tailscale on my pfsense. I debated mentioning it in my post, but some people don't want those kinds of firewalls when it comes to a home network.

Wireless support on pfsense sucks, and some people want those all in one devices. That is something else OP would need to consider when looking for hardware

Another thing is the lack of support for the --snat-subnet-routes=false function on pfsense. We would want to get more information about their use case to make sure it's going to support everything they want to do. <---- Mainly this is if they want to do something with site-to-site VPNs down the road with tailscale. If they have no interest in doing that ever and don't mind working with something like pfsense, then I would say pfsense all the way (if they don't mind getting extra hardware to add wireless to the network).

To me the whole NAT thing and how tailscale gets around it is amazing and a curse (just because firewalls are a pain in the ass) and you can spend hours banging your head against your firewall trying to get a direct connect

Am I right that such clients are mainly P2P apps like uTorrent and similar?

Not sure what you are asking here

I also heard that since Tailscale can’t (by design?) establish direct connection between 2 Tailscale clients,

Lots of variables when it comes to if your client is using a DERP or direct connect, depends on your firewall. Tailscale has documentation on this:

so they will have to use DERP servers (whatever that might mean),

which significantly drops data transfer speed between them

This is true, relayed/DERP clients have worse performance because the bandwidth is shared among other DERP/relayed clients.

Let's say your server at home is behind CGNAT. You are already kind of at a disadvantage because you don't have a routable public IP address and can't open up ports. However, if the other client has a routable IP address, tailscale can work around it. If both clients are on networks where you don't have control of the firewall/can't open up ports and whatnot, then they will utilize the DERP servers.
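The practical way to find out whether a given pair of nodes ended up direct or on a DERP relay is to read `tailscale status` on one of them: an active peer shows either `direct <ip:port>` or `relay "<region>"` in its state column. The parser below is an added example and not Tailscale's own code; `SAMPLE_STATUS` is a constructed sample in the shape that command prints (tailnet addresses, host names and byte counts are made up), not output captured from a real tailnet.

```python
import re
from dataclasses import dataclass

# Constructed sample of `tailscale status` output, not captured from a real tailnet.
# Columns: tailnet IP, hostname, owner, OS, connection state.
SAMPLE_STATUS = """\
100.101.1.5     laptop           alice@       macOS   -
100.101.1.9     homeserver       alice@       linux   active; direct 198.51.100.23:41641, tx 98304 rx 1572864
100.101.1.12    nas              alice@       linux   active; relay "fra", tx 2048 rx 65536
100.101.1.20    phone            alice@       iOS     idle, tx 512 rx 1024
100.101.1.31    appletv          alice@       tvOS    offline
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<os>\S+)\s+(?P<state>.*)$"
)
DIRECT_RE = re.compile(r"direct ([^\s,]+)")      # remote ip:port of the direct path
RELAY_RE = re.compile(r'relay "([^"]+)"')        # DERP region code


@dataclass
class Peer:
    ip: str
    host: str
    path: str    # self | direct | relay | idle | offline | unknown
    detail: str  # remote endpoint for direct, DERP region for relay


def parse_status(output: str) -> list[Peer]:
    """Turn `tailscale status` text into Peer records with the path each one is using."""
    peers: list[Peer] = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unexpected line
        state = m["state"].strip()
        if state == "-":
            path, detail = "self", ""                 # the node running the command
        elif (d := DIRECT_RE.search(state)):
            path, detail = "direct", d.group(1)       # NAT traversal succeeded
        elif (r := RELAY_RE.search(state)):
            path, detail = "relay", r.group(1)        # traffic bounces through DERP
        elif state.startswith("idle"):
            path, detail = "idle", ""                 # no recent traffic; path unknown
        elif state.startswith("offline"):
            path, detail = "offline", ""
        else:
            path, detail = "unknown", state
        peers.append(Peer(m["ip"], m["host"], path, detail))
    return peers


def relayed_hosts(output: str) -> list[str]:
    """Names of peers currently going through a DERP relay, i.e. the slow ones."""
    return [p.host for p in parse_status(output) if p.path == "relay"]


if __name__ == "__main__":
    for p in parse_status(SAMPLE_STATUS):
        print(f"{p.host:<12} {p.path:<8} {p.detail}")
    print("relayed:", relayed_hosts(SAMPLE_STATUS))
```

An idle peer tells you nothing about the path; `tailscale ping <host>` sends traffic and reports whether the reply came `via DERP(<region>)` or via a direct endpoint, which is the quick way to check the Plex server from the phone before blaming the tunnel for buffering.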

This is true, however I would hesitate in upgrading manually as to not break things. GL.iNet may be ready to release an update any day now. Who knows.

I haven’t installed pfsense yet, been looking at it for a couple of years and wasn’t ready until recently to drop in a new router (it won’t be drop-in: Cisco router, complex network, including ruckus APs, all in my home). Just found Tailscale and read the blog post on the PTP DNS network and how it drills through firewalls and NAT. Absolutely blown away. I have a vacation home with CGNAT and have been looking for a VPN solution. Tailscale works amazingly well, just tested on a local computer and phone running over cellular. Wow.

Anyway, I need to learn more about all of the architecture and configurations. Looking forward to implementing all of this over time.

So can I summarize the “DERP topic” as follows:

  1. ISPs of both clients don’t use CGNAT: DERP servers aren’t used, hence Tailscale provides fastest data transfer speed it can (but still slower than direct remote connection without Tailscale)
  2. ISP of one client uses CGNAT, ISP of another one doesn’t: same scenario as above, since Tailscale finds work around. The data transfer speed will (?) be lower though?
  3. ISPs of both clients use CGNAT: connection is via DERP servers, hence - data transfer speed is slowest among all 3 scenarios.

Is the above correct?

Do P2P clients (if you’re not comfortable with their names) always connect via DERP servers if Tailscale is used?

No doubt there are some risks things break. So far I haven't run into anything, but I'm not doing anything too complicated.

There are some security updates between the 1.32.x release on GL.iNet and 1.58.2, so that is something an end user needs to take into consideration. If GL.iNet isn't going to keep up with at least some of the newer releases then you need to weigh the risks of running/relying on some older software that is doing your VPN.

Now I've read on the GL.iNet forums they are looking to push out the updates sooner, but they hit some snags and that has been delayed, so we wait with our GL.iNet twiddling our thumbs for updates.

I run pfsense at home with unifi switches and ruckus (vlans, dual WAN, policy-based routing, etc.) and it's been solid, so once you are ready to make the move it shouldn't be too much of a pain.

The only thing is learning how pfsense does things, which isn't too hard once you get comfortable with the GUI. Pfsense documentation is solid. I have actually been looking to move away from pfsense some day just because of the drama behind the company. I tried Opnsense but I hate their interface.