Tailscale or ZeroTier for a single P2P VPN?

My parents are moving into an assisted-living facility with its own Internet so I can really bring along their ASUS router. Instead I bought a gl.inet GL-AXT1800 travel router so I can build a network behind it and keep other old people’s prying eyes away from their LAN. Their Internet traffic will be double-NAT’ed. As such, I can’t poke holes for services so doing a traditional client VPN into their “home” network won’t work.

It looks like gl.inet routers support both ZeroTier and Tailscale. I have not used either one, so not sure which is best for my needs.

I’d like to be able to remote into their home network only from my home network. Manage their printer, PC’s with VNC, etc. I don’t need more than two endpoints. I assume their new GL-AXT1800 router would act as a client to get through the NAT. On my side, I can host anything I want, but I don’t believe either service works that way.

So if I have to sign up for either one, which is better for my simple needs? ZT or TS?

Edit: Do either of them operate like a traditional Site-to-site VPN where I can simply ping from one device to another, each on their respective LAN networks?

Site-to-site? Just use WireGuard dude.

Set them up to connect to your IP:port which you must open yourself (perfectly safe, WG is effectively closed to everything except authenticated packets) and that’s it.

You can route to as much of their subnet (and vice-versa) as you want, it’s just config.
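The site-to-site layout described in this reply, as an added example that is not part of the original thread: two wg-quick style configs, one for the home side that listens and one for the parents' router that dials out through the double NAT. The tunnel addresses, both LAN subnets, the port, the hostname and the key placeholders are all assumptions.

```ini
# ---- Home side: /etc/wireguard/wg0.conf (the side with a reachable IP:port) ----
[Interface]
# Tunnel address (constructed value)
Address = 10.99.0.1/24
# UDP port that has to be forwarded to this host (assumed port)
ListenPort = 51820
PrivateKey = <home-private-key>

[Peer]
# The parents' travel router
PublicKey = <parents-router-public-key>
# Peer's tunnel address plus the LAN behind it (assumed subnet).
# AllowedIPs is both the route and the source filter: packets from this
# peer are dropped unless their source address falls inside these ranges.
AllowedIPs = 10.99.0.2/32, 192.168.8.0/24
# No Endpoint line: the far side is behind double NAT and always initiates.

# ---- Parents' router: the side behind the facility's NAT ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <parents-router-private-key>

[Peer]
PublicKey = <home-public-key>
# Placeholder hostname and port for the home side
Endpoint = home.example.net:51820
# Only the home LAN (assumed 192.168.1.0/24) is routed into the tunnel;
# their ordinary internet traffic stays on the facility's connection.
AllowedIPs = 10.99.0.1/32, 192.168.1.0/24
# Periodic keepalive holds the NAT mappings open so the home side
# can start a connection toward their LAN at any time.
PersistentKeepalive = 25
```

The two LANs must not use overlapping subnets, and each WireGuard host needs IP forwarding enabled. If the home WireGuard host is not the LAN's default gateway, the home network also needs a route for the remote subnet pointing at it.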

Tailscale is the easiest option. Just install the app and log in.

Wireguard on its own will do all of this.

Of the 2 tailscale as an exit node subnet routes would also work perfectly.

Also what old people do you think are going to be spying on their internet habits? Lol

(Edit: corrected term)

Tailscale on their router with subnet routes activated will let you reach everything on their LAN (with the appropriate netmask) through the encrypted tailnet.

Or you can install Tailscale on the relevant devices (laptops etc.) directly.

Tailscale also lets you transfer files – but only on a device that runs tailscale.

Either way, you can then run VNC on their devices and connect to assist with their desktop etc.

You can also activate exit node on one of their devices and when you use that you can experience the internet exactly as that device does. You can use this to diagnose filtering or other issues with their internet connection.

Unrelated, in case you haven’t already, I strongly recommend making it so their entire LAN uses DoH or DoT for DNS and not rely on their internet provider. At the very least you can activate DoH in their browser but you can probably also make it so the router hijacks all plaintext DNS queries and forwards them over DoH or DoT.

An AdBlock filter list on the router would also be a good idea.

True. I just need to set up a WireGuard server at my house. My firewall doesn’t support it, unfortunately. Thanks.

Alternatively, netbird would be a good open source alternative.

I’m not sure if I did something incorrectly, but Tailscale on my AppleTV expired the tokens and I had to redo by getting to the box. Mine’s at home so not a hassle but maybe OP might not have that liberty, hope this helps.

Of the 2 tailscale as an exit node would also work perfectly.

I think you mean subnet routes? Not exit node.

Subnet routes let you reach other devices from a Tailscale device. Typically used if you have a server or router on a LAN enrolled into Tailscale and you want to be able to reach other devices on that LAN without installing Tailscale on each of them.

Exit nodes let you reach the internet from a Tailscale device using another Tailscale device as a forward proxy. Basically the same thing a commercial VPN service does. Useful for browsing the net safely when traveling and connecting to insecure access points like hotels, cafes, airports etc., or for accessing geo-sensitive services like Netflix as if you were at home.

Yeah I may just use Wireguard since their new router supports it out of the box, but wanted to play with one of these alternatives since it appears they load up OpenWRT and have TS/ZT as GUI options. From what I read, Tailscale is what I want. I don’t need a layer-2 network between my parents’ LAN and mine. Or any of our two computers.

To answer your question Lol, the facility’s WiFi network which is available to all residents is a flat network. I can ping any other device on the network. No client isolation, so that’s a bit scary. My parental units have a network HP printer I need to get on the network and I’d rather not everyone be able to “see” it, let alone their 2 computers. So the “LAN” behind the gl.inet router will be a new private network for those 3 items only. I don’t care if their TV, Roku or whatever else joins the community network.

I couldn’t get their ASUS router with ASUSWrt-Merlin router to use WiFi as the “WAN” interface which is why I bought the gl.inet device. There is no Ethernet there. When setting it up, the whole ZT and TS thing caught my eye.

Don’t you have a server?

It’s your firewall right? Just change the settings. Are you saying your firewall won’t allow you to allow traffic from a port? Or are you talking about issues related to port forwarding with your ISP?

Fair point indeed. It does last a good while without needing any interaction so hopefully when OP goes round to visit, they can just check it is all good and re-auth it.

Sorry yes, I used the wrong term there, I’ll edit my comment.

You know you can use the GL-AXT1800 as a “wireless dongle” for the ASUS router, right?

Service. Yes I have a couple.

I got Tailscale working so all is well. I can connect to their network. Pretty neat how it works.

(I meant my firewall doesn’t support terminating Wireguard directly. I used to have pfSense but now use a Palo Alto firewall)

That seems pointless though. Their features are equivalent. Besides, I used to have their ASUS router be an OpenVPN server so I can connect now & then for assistance. That goes out the window regardless.

I guess that depends on your use case. axt1800 is powerful but not “home router” powerful – it gets toasty if you push it.

2 devices, 50mb max probably.