Yeah, this. Plus if you leave it connected, you can use the VPN IPs while at home instead of having to use a different IP when at home vs when out (or deal with split horizon DNS)
Comment on How to secure Jellyfin hosted over the internet?
Lem453@lemmy.ca 3 weeks agoHe’s saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.
dan@upvote.au 3 weeks ago
beerclue@lemmy.world 3 weeks ago
Oh, I get that, but it just doesn’t make any sense to me to be physically next to the server, and connect to it via VPN…
dan@upvote.au 3 weeks ago
My point is that since the VPN uses a different subnet, it’s fine to keep it connected even at home. It’ll only use the VPN if you access the server’s VPN IP, not its regular IP.
In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there’s no real disadvantage of using the VPN IP on your local network.
beerclue@lemmy.world 3 weeks ago
Right, but I have wireguard on my opnsense. So when I want to reach jellyfin.example.com, if I am at home, it goes phone -> DNS -> proxy -> jellyfin (on the same network). If I am connected to the VPN, it goes from phone -> internet -> opnsense public ip -> wireguard subnet -> local subnet -> DNS -> proxy -> jellyfin. I see some unneeded extra steps here… Am I wrong?
dan@upvote.au 3 weeks ago
Oh yeah, there’ll be some overhead if you’re running Wireguard on a router. Hitting your router’s public IP won’t go out to the internet though - the router will recognize that it’s its IP.
It’s common to run Wireguard on every computer/phone/tablet/etc rather than just on the router, since this takes advantage of its peer-to-peer nature. Tailscale makes it a lot easier to configure it this way though - it’s a bit of work for vanilla Wireguard.