Need advice with Wireless Broadband

The only way to have a direct site-to-site VPN without a middleman (which you want) would either be to use DDNS, or possibly Tailscale has a server that simply tracks the IPs and coordinates the connection, then the actual VPN connects directly. Sort of how Wyze works for the live stream. Either way at least one end would need a port mapped or UPnP if you don’t want it all routing via a middleman server. NAT traversal isn’t really related, most routers have VPN-aware NAT enabled by default. Since I have DDNS anyway I just use that.

Most routers and even NAS use minimal power when idle, and it will go up a bit when under a heavier load. I suppose an old PC wouldn’t be the best choice in this case as those will draw more idle power, and you wouldn’t want it going to sleep. Though most laptops from the last 10 years or so are pretty efficient. If you can set it up on your Plex box on one end (not sure what it is or if it is capable of that) and then find something low power for the cottage end, you should be good to go.

My “laptop server” draws around 10W idle and 15-20W when there are 10-15 users listening to the audio stream. That’s a pretty old 4th Gen i7 laptop. In my area that equates to around $3 to $4 per month in electricity, so buying something newer and more efficient to drop it to even half that would never pay off.

These are quite popular - the multi-core Celeron processors are actually quite powerful and use very little electricity - but it would take me a long time to recoup the $100+. They make excellent little OPNsense routers and VPN endpoints though as all the x86 processors have hardware AES acceleration in them.

This one dropped down to $130 or so a while back and has nice specs for that price, but probably a bit overkill for a couple of VPN endpoints, unless you want to get into OPNsense and a lot of advanced stuff.

You don’t need a very powerful device to do 30 megs over WireGuard, so I guess it is just a matter of finding a couple of low power devices that support the Tailscale client. Either that or just use a couple of old routers with VPN support and either IPsec or WireGuard without the Tailscale portion. Configuration isn’t all that hard as long as you aren’t looking to do a bunch of in-depth routing.

The only other option I can think of is a Raspberry Pi, but the newer ones aren’t terribly cheaper than the mini PCs that are available, and they require a lot more involvement to set up and configure, and I’m not sure which ones (if any) have hardware VPN acceleration, so they could end up having poor performance.

Yes, but the problem is that 80% of the cottage owners at least here in Ontario are not rich and famous. Most of them have inherited their cottages from parents/grandparents or like me started with a vacant land. I paid $40K for the property back in 2004 and spent another $50K in materials. I built it myself from scratch with my brother’s and neighbour’s help.

Thanks for the link, that looks like something I could use if I decide to bite the bullet. Also, it turns out that Tailscale can be installed on an Apple TV which is a really low powered device and I already have one. I just have to find out if it can act as a VPN server or just an internet exit point.

Another alternative might be to get two of these :point_down: puppies and use them as end to end VPN servers.

Lots to digest and not in much of a hurry as I am not going back to the cottage until Easter weekend now. The place gets snowed in this time of the year and it makes it hard being there with no running water.

One more question, I guess once I opt for a site-to-site VPN I won’t need a VPN client like NordVPN anymore, right?

I know a lot of people use those when travelling to connect via VPN back to their home network (and also to provide secure wifi at hotels etc. since it can use wireless WAN and automatically connect the VPN). I haven’t personally used one so you just need to look at the specs, particularly the VPN protocols and throughputs it supports. If it can support 30M or more via IPsec or WireGuard it could be a good option. Or hopefully more to give you room for growth in case they ever get 5G on the island.

As for your Apple TV, I don’t know for sure but I suspect it may run it as a client for that box only and probably not give access to your whole network, but not sure.

I haven’t delved too deep into their specs, but I know that it supports both OpenVPN and WireGuard. The speed might not be ideal though :man_shrugging:

Apple just “recently” added VPN compatibility to tvOS and NordVPN was the first to jump in and offer the client app. A quick Google search gives me this, so might be plausible.

The more I read about Tailscale, the more impressed and intrigued I get.

Maybe you can get the job as PM of :canada: now that Justin quit. :laughing: :laughing:

I don’t think Canadian taxpayers can afford me :rofl:

Also I don’t call that quit, I call it FIRED!

I have another version of this router I take with me on vacation for hopefully a layer of protection and ease of use. I use a VPN on my devices but haven’t tried the unit’s VPN.

A quick search tells me that it can be used as a VPN server by connecting to OpenVPN servers. Not ideal for what I am trying to achieve. I might have been misinformed as I don’t see WireGuard support in the specs.

WireGuard is extremely efficient and can do double (or more) the throughput of OpenVPN and other IPsec-based clients. A quick Google of that model says WireGuard performance is 35M on the client side but half that on the server side (so your throughput would be about 17.5M on a site-to-site VPN). Looks like they have other models in a similar price range that bump it up to 55/27.5, and more expensive ones that can exceed 100M, and their website mentions some upcoming models too.

Right, but you need to check whether it is just to give your Apple TV VPN access to Nord or a remote VPN server for itself only (to bypass Netflix restrictions etc.) or if it can act as a router for your whole network to access the VPN. I suspect the former, but could be wrong.

That is exactly my suspicion as well. I just have to do some research and see what’s what.

I already have NordVPN running on it.

Not sure which “it” you’re referring to, but as far as I know nearly all the GL.iNet routers can be used to set up a site-to-site VPN, a very common use case for them. You just need to do a little research since the throughput specs are often “best case”. They’re also more designed for people travelling where the expectation is you’ll use the wifi for LAN and potentially WAN also, so make sure you pick one that has physical LAN and WAN ports and not just wifi (for your use case you’d just disable the wifi in both completely).

If you Google “GL.iNet site to site VPN” you should find some good examples of what people are doing and how it performs. There are better/faster solutions out there but they also require more setup/learning curve. Raspberry Pi and mini x86 PCs are typically the de facto choices for people who want good throughput and constant use, but both are going to be more involved than one of these little routers that has the support built in.

Ok, it turns out that Tailscale can be used as a client only on Apple TV. Also it can turn the Apple TV into an exit node to the internet so all traffic is routed through it. No server capabilities :frowning:

I just did, and it does look good :+1:

No matter what I choose I will have to keep the site-to-site VPN off when at home and on only when at the cottage. I don’t think I can live with those speeds at home :frowning:

You don’t know what you don’t know. This is from ChatGPT, my go-to source

I can ask it an idiotic question and will receive a solid answer, whereas if I ask on a forum, I get all sorts of negativity.

A grawlix is a string of typographical symbols (such as @#$%!) used to represent profanity or obscenities in text, particularly in comic strips or cartoons. The term was coined by American cartoonist Mort Walker, best known for creating Beetle Bailey and Hi and Lois. He introduced the term in his 1980 book, The Lexicon of Comicana, where he humorously categorized comic symbols and conventions.

In everyday use, grawlixes are a playful or visually striking way to convey strong emotions or censored language without explicitly spelling out offensive words.

In other words it shouldn’t have been edited by the mods :rofl:

Don’t worry. I am sure ChatGPT will insult you once the tech improves. :laughing:

Nah the whole point is to have it always on and not have to do special things when you need to access something.

You can configure it so that your internet traffic (or just the internet traffic that you want) stays local and bypasses the VPN. The VPN rule base lets you choose what to keep local and what to send over the VPN. Doing that gets a bit more complex with the “single subnet” network design, but if you do two different subnets it is very easy to do. It is called split tunneling, and you’d essentially just have the remote subnet routed over the VPN and everything else goes direct to the internet.

The dual subnet design may not allow the Wyze cams to stream direct, I’ve never tried to see if they’re smart enough (doubtful) but that’s not a big deal.

If you did the single subnet design, you can still set it up this way, just a bit of extra thinking and tweaking involved.

The simplest way of looking at it is
Home = 10.1.1.0/24
Cottage = 10.2.2.0/24
Home rule says send everything for 10.2.2.0/24 over site to site VPN, everything else goes to internet
Cottage rule says send everything for 10.1.1.0/24 over site to site VPN, everything else goes to internet.

Then you can add things on top of that, say you want to watch a sports event that is blacked out at the cottage, you can find the IPs for that service and route them over the VPN to your house to use the internet there as the exit point (or even temporarily/permanently route all internet traffic from cottage to the house first).

It may seem like you’re starting down a rabbit hole, and you kind of are, but in reality you can dig a very shallow hole at first and get some benefits, and as you play around with it and find new needs, add layers as needed over time.
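A worked version of the two-subnet split-tunnel design described in the post above, written as an added example rather than anything posted in the thread. It assumes WireGuard managed by wg-quick on the box that is the default gateway at each site (otherwise the LAN router needs a static route for the remote /24 pointing at the WireGuard host), a DDNS name for the home WAN with UDP 51820 forwarded to the home gateway, and that the key placeholders, the `home.example.org` hostname, the `eth0` WAN interface name, the `10.100.0.0/30` transit addresses and the `203.0.113.0/24` "blacked-out service" prefix are all assumptions to be replaced.

```ini
# Added example, not from the thread. Two separate files are shown back to back.
#
# ---- /etc/wireguard/wg0.conf on the HOME gateway (LAN 10.1.1.0/24) ----
[Interface]
Address    = 10.100.0.1/30
ListenPort = 51820                       # UDP 51820 forwarded here from the home WAN
PrivateKey = <home-private-key>          # placeholder
# Forwarding is needed for LAN-to-LAN traffic. The MASQUERADE rule is only needed
# if the cottage sends selected internet destinations via home (blackout case below);
# it rewrites those packets to the home WAN address on the way out. eth0 is assumed.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.2.2.0/24 -o eth0 -j MASQUERADE

[Peer]
# The cottage gateway. AllowedIPs is both the route table and the inbound filter:
# packets from this peer with any other source address are dropped.
PublicKey  = <cottage-public-key>        # placeholder
AllowedIPs = 10.100.0.2/32, 10.2.2.0/24
# No Endpoint here: the cottage sits behind its own NAT and dials in.

# ---- /etc/wireguard/wg0.conf on the COTTAGE gateway (LAN 10.2.2.0/24) ----
[Interface]
Address    = 10.100.0.2/30
PrivateKey = <cottage-private-key>       # placeholder
PostUp     = sysctl -w net.ipv4.ip_forward=1

[Peer]
PublicKey  = <home-public-key>           # placeholder
Endpoint   = home.example.org:51820      # DDNS name of the home WAN (placeholder)
# Split tunnel: wg-quick installs one route per AllowedIPs prefix and nothing else,
# so only the home LAN goes over the tunnel and everything else leaves via the
# cottage's own internet connection.
AllowedIPs = 10.100.0.1/32, 10.1.1.0/24
# Blackout workaround from the post: append the service's prefix so just that
# destination exits via the home connection (203.0.113.0/24 is a placeholder):
# AllowedIPs = 10.100.0.1/32, 10.1.1.0/24, 203.0.113.0/24
# Keeps the cottage NAT mapping alive so home can reach the cottage unprompted.
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0`, then check `wg show` for a recent handshake and `ip route` to confirm that only the remote /24 (and any added override prefix) points at `wg0`. Because AllowedIPs doubles as the inbound source filter, keep it no wider than the routing needs; a `0.0.0.0/0` there at the cottage is the "route everything through home" variant the post mentions, and it requires the home-side MASQUERADE rule.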

Isn’t the above dual subnet?

It definitely feels that way :rofl:

Yes that example was for the dual subnet design which is going to be a bit easier to set up, and still offer most of the same benefits (though mDNS which apple products use probably won’t traverse it, and as mentioned the Wyze cams probably won’t stream direct). Neither should be a huge deal, mDNS is used for discovering local devices and typically that’s not going to be needed between the sites, and Wyze works via their servers smoothly for me.

It can also be done with a single subnet, just requires going a bit deeper down the hole, especially if you want internet to stay local for both sites. If routing the cottage through the home internet is acceptable (without having to route the home via the cottage) that is relatively straightforward to do with a single subnet.

But you’ll need to confirm whatever box and protocol you end up using can do a Layer 2 VPN, usually it is an add on to run GRE or L2TP within the VPN.