NetBird does the job
I needed something that:
- provides access to the LAN when disconnected from home Wi-Fi
- is simple to install and maintain for the whole family
- is cheap
- gives some level of control on what is accessible and by whom
There are a few things in this space, from the plain vanilla WireGuard server/peer installation, to the more mainstream Tailscale and everything in between.
I had for a long time run a WireGuard server, and after the pain of setting up a VPN profile for each mobile phone, tablet and laptop in the house, plus setting port forwarding on the router, it was working solidly, a workhorse that takes a lot of taming first, but is reliable and compliant afterwards.
The problem was always controlling resource access and updating profiles or enrolling new devices... way too much admin overhead, I have no interest in moonlighting as a network support engineer.
I gave Tailscale a try, but somehow it just didn't click: I didn't like the GUI and, well, it didn't work out of the door, and hell I was going to learn another tool manual (boy was I wrong...).
Looking for alternatives, a YouTube video comparison brought NetBird to the table; it seemed to cover all my use cases, and so I opened a free account and off to a new install.
I quickly realised that to cover all my needs I had to:
- make a Raspberry Pi I had on the network a Routing Peer
- set it up also as an Exit Node
- record my local Pi-hole DNS servers as available to use
- somehow tell all my other devices to use this Pi as an Exit Node and to use the local DNS too
The documentation provided is pretty good, and so is the UI, but you can't really skim it, you've got to put it all together in your head by reading what the building blocks are: Peers, Users, Groups, Policies, Networks, Network Routes, Nameservers, DNS... they all have fairly established meanings, but how do they work here?
What steps do you need in order to advertise local DNS servers to a User (me on my phone) connecting through a Routing Peer (Pi)? There is a detailed article for that: "Quickstart: Private DNS Behind Routing Peers"!
End to end it took half a day to set up: 80% reading the docs, 20% installing, configuring and testing everything on all devices.
I now have a way to put all my, and my family's, devices on the LAN, for free (!), when we are out and about, which means getting Pi-hole adblocking DNS too.
Not bad.