Install Tailscale on the remote server and leave it up. Whenever you need to connect to it launch Tailscale on another device that you have access to, and you’ll be able to connect to the remote server at its Tailscale IP.

Tailscale consists of a config tool called tailscale and a daemon called tailscaled. The daemon needs to be up for connectivity, and it will raise a network interface called tailscale0 when it works. To connect/disconnect from the tailnet you say tailscale up or down. This is independent of whether the daemon runs or not – that’s a separate issue that’s usually dealt with by systemd or whatever service manager you use.

Tailscale doesn’t need public IPs because all the clients connect outward to a pairing server, which uses STUN to negociate direct connections between the nodes. The connection keys always stay with each client machine, the established connections cannot be snooped by Tailscale, and the clients are FOSS to make sure of that.

If by any chance the ISP of any node does aggressive UDP filtering STUN may not work and result in connections being relayed through a network of so-called DERP servers maintaned by Tailscale. These servers are reduced in number and locations so relayed connections will be bandwidth- and latency-limited. If STUN succeeds you’ll only be limited by each node’s internet connection.

Tailscale can provide DNS names for the enrolled nodes if you want, but you can also assign fixed IPs to each node in the range 100.64.0.0/10. I’m not a huge fan of the provided DNS because it’s a bit invasive (works by replacing /etc/resolv.conf temporarily with a version that resolves via 100.100.100.100 on the tailnet, and integrating it with local DNS can be a chore as you can imagine). There’s an option for tailscale nodes to not accept this DNS.

Make sure that services on the remote server that you want to access via Tailnet (also) bind to the Tailscale IP (or to 0.0.0.0).

Should you mess up, so long as the Tailscale client is still up on the remote server and it has an internet connection you can still reach it by enabling the Tailscale “fake” ssh service, which works through the tailscale client rather than a real ssh daemon. But please read up on what it involves to have this fake ssh access available (you don’t want to have to issue a command on the remote server to enable it).

I’m self hosting headscale (foss implementation of tailscale control server) for this scenario. Works great!

If this server is running Linux, you can use autossh to forward some ports in another server. In this example, they only use it to forward ssh port, but it can be used to forward any port you want: https://www.jeffgeerling.com/blog/2022/ssh-and-http-raspberry-pi-behind-cg-nat

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

9 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.

[Thread #707 for this sub, first seen 23rd Apr 2024, 11:05] [FAQ] [Full list] [Contact] [Source code]

You probably need the server to do relatively aggressive keepalive to keep the connection alive. You go through CGNAT, so if the server doesn’t talk over the VPN for say 30 seconds, the NAT may drop the mapping and now it’s gone. WireGuard doesn’t send any packet unless it’s actively talking to the other peer, so you need to enable keepalive so it’s sending stuff often enough the connection doesn’t drop and if it does, quickly bring it back up.

Also make sure if you don’t NAT the VPN, that everything has a route that goes back to the VPN. If 192.168.1.34 (main location) talks to 192.168.2.69 (remote location) over a VPN 192.168.3.0/24, without NAT, both ends needs to know to route it through the VPN network. Your PIVPN probably does NAT so it works one way but not the other. Traceroute from both ends should give you some insight.

That should absolutely work otherwise.

Can the ISP at the remote location remove your remote location from the NAT? I have a similar issue where sometimes it’s will reset and my services are inaccessible. A quick call to support usually has the problem fixed in a few minutes.

From your remote location I would set up at least two different tunnels back to your home network. Perhaps one service using cloudflare tunneling, and one using wire guard as you mentioned. That way if one of your tunnels goes down you have time to fix using the other tunnel.

If you have the budget for it ubiquiti gear is pretty good, and using their cloud configuration makes sense in this scenario. The ubiquiti gateway would sit at your remote location, maintaining tunnels, and if there any issues you could fix them through the UI.com interface.

I’m noob and this was simple. Works like a charm. It has readymade installers for Wireguard on different VPS providers and installer for your client (home server). https://github.com/mochman/Bypass_CGNAT

IPv6. Just let the other network through the firewall, use direct connections, no overcomplicated tunnel setup needed.