What are the advantages and disadvantages of all three solutions (VPN, zero tier, reverse proxy). Running an HA VPN server.

---
John

No reason why not. Set up zerotier on a computer inside your firewall, connect via RDP to it than use that computer as a "Jump Box" to access resources inside your firewall. RDP directly from there with internal IP address. Nesting RDP does work.

langenet Yes, you absolutely can RDP into one computer (computer #1) that is running the ZeroTier client, then from that RDP session, RDP into another computer (Computer #2) - a RDP hop, if you will. This works surprisingly well. In theory, you can continue with as many of these hops as you like, but probably not advised due to the slowing done of the keyboard/mouse/screen response times the more hops you make.

A few tips though:

Tip 1 - RDP (Remote Desktop Protocol) is provided in all windows OS's, however you will need to do a one-time configuration on any windows computer to allow it and define 'who' can RDP into it. Mentioning this for others who may have never used RDP before.

Tip 2 - If you want to RDP into a non-windows linux computer with a graphical desktop, there are RDP servers and clients you can install. I personally use xrdp as the server and remmina as the client. They are simple to install and just work. I'm not an apple guy, so don't know how to RDP into an apple computer. I wouldn't suggest trying this with a Raspberry Pi because it takes a bit of hardware horsepower to have a nice/smooth experience.

Tip 3 - The RDP connection bar on computer (the blue tab at the top of your RDP session screen) can be slid/moved across the top of the screen with a left-click/drag, which you will want to do, because your second RDP hop connection bar on the second computer will sit underneath the first one. To see both computer connection bars, you will need to slide one off to the side.

Tip 4 - Don't try to RDP back into the computer that you made the first RDP session from. If I remember my "what if test' correctly from 15+ years ago, I believe you get an 'infinite mirror' result and will need to hard reboot one of the computers to break the 'infinite mirror' RDP connections!....

Thanks! I should have known to be able to RDP from another windows box. However, didn't realize not a great idea through a Pi.

This is one thing i like about this forum - you can learn so much from this great community.

Robert

Very good question! I'll do my best to answer based on my opinions. I personally use all three methods, depending on what I need to do at the time - and if I want to share some of my services, such as my custom public website, camera live feeds, and synology music station.


VPN:
Pro's
- Provides a very high level of security and privacy if set up and configured correctly
- Provides instant direct access to all the resources on your LAN - not just web/http(s) services
- Easy to use once setup/configured
- Does not require additional client software to be installed on any computers or smartphones. Windows, Apple, and Linux computers and smart phones already have VPN client software installed. (Unless you are using specific vendor VPN systems, then you may need to install vendor specific client software)

Con's
- Hardest method to setup and configure properly on both the server side and the client side. Definitely not for the feint-of-heart do-it-your-selfer's.
- Only handles 2 physical sites concurrently (IE the remote computer/smart phone and the site the remote client is VPN'ed into)
- Each physical site needs to have it's own local VPN server set up and configured
- Only on when you turn on the connection from remote device's VPN client
- Not recommended for sharing your local services with others because you would be opening up a huge security hole.

ZeroTier:
Pro's
- Provides a very high level of security and privacy
- Easiest of the methods to setup and configure
- Easy to use
- Provides direct access across the globe no matter where the devices are physically located and no matter if they are behind firewalls or cgnat
- Handles multiple connections across multiple physical sites with ease
- Can be always on. However, on a smart phone, a new 'VPN' is created that can be turned on/off as desired.

Con's
- Need to install client/server software on each device that you want to join to your global network
- Don't have instant access to all the other resources on each devices physical LAN, however you can use the local ZeroTier device as a 'bridge' to other devices on the LAN via a RDP, ssh, etc.
- Not recommended for sharing your local services with others because you may be opening up a huge security hole
- May be a huge security risk, if any single device on the network is compromised/hacked


Reverse Proxy:
Pro's
- Provides a high level of security and privacy if set up and configured correctly. However, you are 'opening up' your services via HTTP(s) to the whole internet, so you will need to make sure you have strong login/passwords set up. This could be also considered a Con if not set up properly.
- Very easy to use once set up and configured. You can remote back into all of your services via very easy to remember service names that you create. Basically, you have created your own self-hosted 'cloud' for all of your services
- No additional server/client software needs to be installed - a web browser is the connection method
- Handles multiple connections across multiple physical sites if each physical site has a local reverse proxy installed (this could be also listed as a con)
- Always on
- Best, most secure solution for opening up your web based services to others, such as a custom website or sharing your media via plex, synolgy music station, etc.

Con's
- Limited (mostly) to web/http(s) interfaces for all of your services/remote connections. However, pretty much all of the common server software has a web interface option for most day-to-day usage and management
- Each physical site needs a reverse proxy installed
- Not as 'hard' to install and configure as a VPN, but still takes some knowledge and effort

Edit: I didn't originally add this to the Pro section under all of these options, because it most likely only pertains to myself:
- Reduces the number of 'YAFCS' (I just made this up) to keep track of and rely on - Yet Another F** Cloud Service - which may be, but most likely is not, secure and private.

Edit 2: I mainly put this together to discuss remote access to server software and/or computers. However, all these methods can be used to remotely access any of your other devices that have HTTP(s) user interfaces as well - such as (many) cameras without going through YAFCS. This is how I can, and selectively authorize other users to remotely view camera live streams directly from my outdoor Reolink cameras without using their smartphone app. I access them via my reverse proxy server. This bypasses any Reolink cloud servers and is therefore, by definition, more secure and private (Reolink does not have true end-to-end encryption as far as I know - actually, I know of no cameras that have true end-to-end encryption via YAFCS).

"Only handles 2 physical sites concurrently (IE the remote computer/smart phone and the site the remote client is VPN'ed into)"

Is untrue and is dependent on the VPN access server one has implemented. For example, OpenVPN server currently supports 2 concurrent connections in the unlicensed model. And the answer will be different from product to product. And there's a difference between a site-to-site VPN tunnel (always-on connection between two distinct networks), and a client to access server connection (which is more dynamic in nature).

Yeah, I knew that I would be called out on that statement by somebody. I was trying to keep the statements 'true' for most simple personal use cases. Our company VPN encompasses 4 physical sites....

One thing I noticed with the Windows client is that it can't be configured to start before logging in (like a service natively). Which means should a MS update occur and cause a reboot, then I won't be able to get in remotely without a bit of extra work. Oh well, still a great tool.

Thanks for the clarrification.

Currently running a HA VPN Server on the NAS. Within a couple of weeks I will be able to setup a HA VPN Server on my Sophos FW. What is the best location to locate the VPN Server?

---
John

That is definitely not normal behavior. In 20+ years of working around Windows servers and desktops, I have never experienced your issue, nor even heard about it. That being said, I did do a very quick search on some windows support forums and it does appears that others have experienced your issue. You will want to do your own searching on the issue, but it very may be due to a configuration issue or a particular windows update. Man, if I had a nickle for every time MS pushed out an update that unintentionally broke something, I would have been able to retire years ago.......

Not sure I understand your question. Are you are asking which device (the NAS vs the Sophos) I think you should use for hosting the VPN server on?

That is correct. The Sophos is in use as FW and router. The question is indeed if I should host the VPN server on the Sophos device or on the NAS.

Currently hosting on the HA NAS cluster. But within a few weeks the Sophos is also HA.

---
John

I'm not familiar with Sophos nor the particular VPN server software that you are running. That being said, many users do like running VPN server software on their firewall devices, whether it's for home use or for business use - while others like to run a VPN server on a different device. Not sure it really matters either way in a home environment, so probably just user preference.

That's just my opinion - as I am not a network specialist. I hired people who are much more knowledgeable than I am about networking to set up, configure, and maintain our business networking infrastructure. Others, who may be networking guru's may have other opinions.....

Edit: If you are interested in seeing what other users are setting up and configuring regarding networking and other topics - in a home environment, I highly recommend this as a go-to forum: https://old.reddit.com/r/homelab/new/