Self-hosted VPN recommendations

I’m a digital nomad, and travel to different countries. I want my IP to be from my home ISP and have my connection more secure. I’d like to add that my employer is fine with me being out of the country, but I still want to protect myself. I’ve already installed algo vpn (WireGuard) on a VPC cloud as a temporary solution, but I haven’t heard great things and I would like the control over my own device.

I’ve heard things like PiVPN, VPN routers with WireGuard, using a NAS w/ WireGuard, and using a separate computer to run the service. Right now, I only have a NAS (at my original home location) which I would gladly turn into a VPN since it’s not being used as a media server or anything else of that matter.

Any suggestions greatly appreciated.

GL.iNet devices can be a nice solution, take a look.

I was using PiVPN on a Raspberry Pi until recently, when I started using an ASUS router that has the WireGuard VPN server and client functionality integrated.
Both methods worked perfectly. Using the VPN server of the router is way simpler.

You can check out my project. It is called Netbird, https://github.com/netbirdio/netbird; you can self-host it or just use our cloud version for free. We just released exit node support for all platforms. https://docs.netbird.io/how-to/configuring-default-routes-for-internet-traffic

Highly recommend using Tailscale for this. It’s free for the first few users and easier to manage across multiple devices than vanilla WireGuard. I run a Pi 5 as an exit node on my home network and egress through that. No more regional issues when traveling abroad, and it works great across lots of different devices and OSes.

Here in Germany the Fritzbox is the solution. Super simple to manage.
Otherwise, a small fanless system, add Docker and a WireGuard container.
But important:
Do you have remote hands to reset the system when something goes wrong?
For employees, normally a professional managed VPN solution should exist.

WireGuard on an Amazon Lightsail
with this https://github.com/wg-easy/wg-easy
Only need to install Docker 👍

I got a 2nd-hand NUC, installed WG on it and use that. The boost in performance is noticeable over that of router built-in WG and Pi WG solutions. The point of failure becomes that box alone. Works great for me from mobile devices, laptops and desktops wherever I am. Had moderate success in China too using well-known UDP ports (e.g. NTP) as the service port. Since the box is standalone it doesn’t interfere with anything else when I switch ports.

I have a PiVPN running on an RPi 4B; it’s the best bang for the buck, 1 GbE port and can easily do 700-800 Mbps. Depends on where you want that client to be. DM me and I can help you out.

I’ve done this for years (I travel a lot for work). I used to use a Raspberry Pi to host the WG server, but I found it didn’t really have the performance I needed after a while (such as when I was streaming Netflix etc.). Sometimes the Pi would just crash, so I was having to use a smart plug to reboot it remotely. Also had to install a DynDNS service linked to a static but free domain name because my ISP kept changing my IP. I now have it running on an old(ish) laptop which has way more performance than the Pi. Bit of port forwarding required on your router etc., but it’s quite straightforward. Use a site like ipleak.net to check it’s actually working properly. Being able to pop out a genuine residential IP address circumvents a lot of VPN detection (as most VPN detection now is actually just simple IP blacklisting).

Have 100+ customers doing exactly this successfully using GL.iNet devices. Recommend using the WireGuard VPN functionality if your home ISP allows for port forwarding (and isn’t using CGNAT), or using Tailscale as a fallback.

Direct WireGuard has better compatibility than TS for tunneling a corp VPN inside your personal VPN due to the lower MTU overhead.

As others have mentioned, having a residential IP as your VPN endpoint is highly preferred over using a cloud VPS. Using a data center IP will look more suspicious to your employer, and you’ll run into trouble with some websites blocking you, or using additional captcha verifications all the time.

Before starting down this path, run a speed test on your ISP connection, as your total VPN connection speed will be limited to your ISP upload speed.

A free Tailscale account and a Raspberry Pi at home should meet your needs, provided you use a Pi 4 or 5, so that you get decent throughput.

I got a GL.iNet Brume 2 router which stays home and acts as an exit node (traffic is routed through there) for 79.99 and a Cudy AC1200 for 29.99 that I take with me as a client. Both have WireGuard and OpenVPN installed already. I decided to use OpenVPN because it was easier to set up.

I had to use No-IP to get a domain name since I didn’t have a static address and didn’t want to pay for one. I tried to do it myself and couldn’t figure it out, so I paid a guy $50 on Fiverr and he remotely connected to my computer and set up both routers and the server in around 30 minutes. Most importantly, the Cudy router has a kill switch which disconnects if the VPN fails, and before I used it, I was getting DNS leaks. Once I turned it on it only shows my home IP/servers.

WireGuard is faster, but it doesn’t matter since it’s just my work computer. Other people have used a Raspberry Pi as exit node/server to leave at home, but that was too complicated for me.

So it works perfectly to hide my location/keep my home IP wherever I go for a total of $110 for the routers and $50 for the setup. You can probably find someone to do it cheaper ($25) but I didn’t want any trouble.
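The posts above keep circling the same handful of settings: a WireGuard server on the home LAN behind a port-forwarded router, a DynDNS name for the changing home IP, a roaming client that sends everything (including DNS) through the tunnel, a kill switch so a dropped tunnel fails closed, and an MTU low enough to carry a corporate VPN inside the personal one. The Python below is an added example written for this thread, not code from any poster or product mentioned here: it renders that server/client pair as wg-quick files, computes the MTU budget behind the "lower MTU overhead" remark, and lints a client config for the leak-prone omissions. All keys, hostnames, interface names and addresses are placeholders; the iptables kill-switch rule is the one documented in the wg-quick(8) man page, and the assumption that the corporate VPN adds WireGuard-sized overhead is labelled in the code.

```python
"""Home "exit node" WireGuard pair plus an MTU budget and a client-config lint.
Added example; keys and names are placeholders (make real keys with
`wg genkey | tee client.key | wg pubkey > client.pub`)."""
from textwrap import dedent

# Bytes WireGuard adds per packet on the wire: outer IP header + UDP (8) + WireGuard data header (32).
WG_OVERHEAD = {"ipv4": 20 + 8 + 32, "ipv6": 40 + 8 + 32}  # 60 and 80 bytes
TAILSCALE_DEFAULT_MTU = 1280  # Tailscale's conservative interface MTU


def tunnel_mtu(path_mtu: int, endpoint_family: str = "ipv6") -> int:
    """Largest tunnel packet that fits without fragmenting the outer UDP datagram."""
    return path_mtu - WG_OVERHEAD[endpoint_family]


def nested_mtu(path_mtu: int = 1500) -> dict:
    """MTU left for a corporate VPN carried inside the personal tunnel.
    Assumption: the corporate VPN adds WireGuard-sized (IPv6-worst-case) overhead."""
    personal = tunnel_mtu(path_mtu)  # 1420, which is also wg-quick's default MTU
    return {
        "personal_tunnel": personal,
        "corp_inside_wireguard": tunnel_mtu(personal),
        "corp_inside_tailscale": tunnel_mtu(TAILSCALE_DEFAULT_MTU),
    }


# Kill switch from wg-quick(8): reject outbound packets that neither enter the tunnel
# nor carry the tunnel's fwmark (the mark that wg-quick puts on its own encrypted UDP).
KILL_SWITCH = ("iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) "
               "-m addrtype ! --dst-type LOCAL -j REJECT")


def render_server(priv: str, client_pub: str, lan_iface: str = "eth0", port: int = 51820) -> str:
    """wg0.conf for the box at home; {port}/udp must be forwarded from the home router to it."""
    return dedent(f"""\
        [Interface]
        Address = 10.8.0.1/24
        ListenPort = {port}
        PrivateKey = {priv}
        # Forward and NAT tunnel traffic out of the home LAN, so the roaming client
        # leaves the house with the home ISP's address.
        PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {lan_iface} -j MASQUERADE
        PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {lan_iface} -j MASQUERADE

        [Peer]
        # roaming laptop
        PublicKey = {client_pub}
        AllowedIPs = 10.8.0.2/32
        """)


def render_client(priv: str, server_pub: str, endpoint: str, dns: str = "192.168.1.1", mtu: int = 1420) -> str:
    """Full-tunnel client; `dns` is a resolver reachable through the tunnel (home router here)."""
    return dedent(f"""\
        [Interface]
        Address = 10.8.0.2/32
        PrivateKey = {priv}
        # Resolve through the tunnel; otherwise the hotel resolver sees every lookup (a DNS leak).
        DNS = {dns}
        MTU = {mtu}
        PostUp = {KILL_SWITCH}
        PreDown = {KILL_SWITCH.replace("-I", "-D", 1)}

        [Peer]
        PublicKey = {server_pub}
        # DynDNS name of the home connection plus the forwarded port
        Endpoint = {endpoint}
        # Full tunnel: every v4 and v6 destination goes home
        AllowedIPs = 0.0.0.0/0, ::/0
        # Keep the home router's NAT mapping alive while idle
        PersistentKeepalive = 25
        """)


def parse_conf(text: str) -> dict:
    """Minimal INI reader: {"Interface": [{...}], "Peer": [{...}, ...]}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = line.strip("[]")
            sections.setdefault(current, []).append({})
        else:
            key, _, value = line.partition("=")
            sections[current][-1][key.strip()] = value.strip()
    return sections


def lint_client(text: str, path_mtu: int = 1500) -> list:
    """Return the leak-prone omissions found in a roaming client config (empty list = clean)."""
    conf = parse_conf(text)
    iface = conf.get("Interface", [{}])[0]
    peers = conf.get("Peer", [])
    allowed = {ip.strip() for p in peers for ip in p.get("AllowedIPs", "").split(",")}
    findings = []
    if not {"0.0.0.0/0", "::/0"} <= allowed:
        findings.append("not a full tunnel: AllowedIPs must include 0.0.0.0/0 and ::/0")
    if "DNS" not in iface:
        findings.append("no DNS= line: lookups leak to the local network's resolver")
    if int(iface.get("MTU", 1420)) > tunnel_mtu(path_mtu):
        findings.append("MTU exceeds what the path allows; expect fragmentation or stalls")
    if "REJECT" not in iface.get("PostUp", ""):
        findings.append("no kill switch: traffic falls back to the local network if the tunnel drops")
    if not any("PersistentKeepalive" in p for p in peers):
        findings.append("no PersistentKeepalive: the home NAT mapping can expire while idle")
    return findings
```

Run `lint_client` over your own wg0.conf before leaving; the point of the checks is that each missing line corresponds to a symptom described in the thread (a DNS leak, a dead tunnel that silently falls back to the hotel Wi-Fi, or a nested corporate VPN that hangs on large packets).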

If you want to hide your VPN usage and have active probing protection you can use OpenConnect. This protocol is externally indistinguishable from an HTTPS connection to some website, and starting from version 1.2 it has protection against active probing, so now it’s actually usable.

I know it’s probably an overkill solution for your situation, but maybe you or someone else will find it helpful.

I currently run an IPsec VPN between two machines based on strongSwan. It’s blazingly fast and secure as well, and there are so many possibilities to build up your VPN as you want it. Just take a look at it. Maybe this is something for you. 😄

You can also check out Hetzner. They have way better pricing compared to AWS or Azure and also provide pre-built images with WireGuard and wireguard-ui: https://docs.hetzner.com/cloud/apps/list/wireguard/

Easy plug-and-play solution: keepmyhomeip.com

https://thewirednomad.com/vpn

I’m using an Ansible playbook to provision AWS EC2 and then configure WireGuard.

The source code is available on https://github.com/amedeos/wireguard-vpn

At home I have a Gigabit connection. After the ISP router I have an OPNsense firewall. On the OPNsense firewall I run a WireGuard server. When traveling, I use my Beryl-AX (GL-MT3000) to create a tunnel back to my home using the built-in WireGuard client functionality. Currently in Africa, and this setup works well. I have had no issue for the past week. I also set up WireGuard to allow access to my network at home. I can reach all of the various VMs running on my Proxmox cluster. My ISP modem and OPNsense firewall box are on a UPS. The only thing which I had not figured out before I left was the setup of Wake on LAN (WOL) functionality in case there was a power outage and the OPNsense box does not automatically restart. Wanted to be able to send a WOL packet to wake the OPNsense firewall just in case.

Also created a backup WireGuard server VM on Hetzner in Ashburn, VA, and I have the client profile loaded on the Beryl-AX (GL-MT3000) as well.
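For the Wake-on-LAN piece the poster above had not finished, here is the whole mechanism in a few lines, added as an example for this thread rather than taken from the post or from OPNsense. A magic packet is six bytes of 0xFF followed by the target NIC's MAC address repeated sixteen times, sent as a UDP broadcast (port 9 by convention); the NIC's wake-on-LAN mode has to be enabled first (on Linux, `ethtool -s <iface> wol g`, or the equivalent BIOS/UEFI setting on a firewall appliance). The MAC and broadcast address below are constructed placeholders.

```python
"""Build and send a Wake-on-LAN magic packet. Added example; the MAC and
broadcast address are placeholders, not values from the thread."""
import re
import socket

WOL_PORT = 9  # "discard" port; any UDP port works, the NIC only inspects the payload


def magic_packet(mac: str) -> bytes:
    """Magic packet format: 6 x 0xFF, then the 6-byte MAC repeated 16 times (102 bytes).
    Accepts '00:11:22:33:44:55', '00-11-22-33-44-55' or '001122334455'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def send_wol(mac: str, broadcast: str = "192.168.1.255", port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the local segment; returns the number of bytes sent.
    The sender must sit on the same LAN as the sleeping box: broadcasts do not cross
    routers or a WireGuard tunnel, so this has to run from a device that is at home."""
    packet = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Placeholder MAC of the firewall's LAN interface; run this from a device on the home LAN.
    print("sent", send_wol("00:11:22:33:44:55"), "bytes")
```

The caveat that matters for the outage scenario: because the packet is a link-layer broadcast, it has to be sent from something that is already up on the home LAN, so a second always-on device (a Pi, a NAS, a managed switch with a WOL feature) is needed to wake the firewall, and that device in turn needs its own way to be reached. For a box on a UPS the simpler fix is usually the BIOS/UEFI "power on after AC loss" setting, which brings the firewall back without any packet at all.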