How I set up my own private, home-based VPN
First off, if you’ve ever visited my site before, I just want to take a moment to thank you for visiting, and for your readership. There was a time a couple years ago where I would post to this blog monthly. I obviously haven’t written on this blog for a couple years. There is a good reason for this, but I won’t bore you with the details for now. I will say something about this at the end of this post, which will probably lead into a future post where I can elaborate in greater detail how I’ve been spending my time over the last couple years.
My previous efforts, especially the studying and work that I did about cryptography, have given me a new appreciation for the virtues of data privacy. If the product is free, you’re the product. The exploits of Google, Apple, and other large Silicon Valley companies with respect to their customers’ data are well known. I don’t trust these companies, yet have had some of my most sensitive, personal documents saved in their cloud drive offerings.
So, some months ago, I started taking steps to move my personal data away from big tech and into self-hosted technologies, or at least into firms that are more focused on privacy and respectful of their customers. In the extreme, it’s possible to stand up a server rack in your own home and serve everything yourself. But this requires a lot of time, energy, effort and money, all of which are relatively scarce commodities for a full-time professional. But, there are some things you can do that aren’t quite so severe.
Among the first things I looked at was getting as much sensitive data as possible off cloud-based office and file-sync services, namely Google Drive and Dropbox. For this, I bought a Synology network-attached storage (NAS) device and migrated all my personal documents off the cloud and onto the NAS.
When I bought my NAS, I learned that it’s possible to use Tailscale to set up a personal VPN among my devices. This service is useful because it allows me to connect to any of my devices anywhere in the world in a secure, encrypted manner as if we were all on the same local network. This appealed to me. If I was going to host all my documents on my NAS yet retain the convenience of being able to access them anywhere in the world, the ability to set up an encrypted, personal VPN seemed like a good choice for that.
With that long-winded introduction, I now approach the meat and potatoes of this post (thanks for sticking with me). Tailscale is a great service, but they require you to sign up through a big-tech (Apple, Google, Microsoft, Facebook, oh my!) identity provider (IdP). Or, if you have your own identity provider, you can integrate it with them using OpenID Connect (OIDC).
Setting up my own personal identity provider
It’s worth taking a moment to explain what an identity provider actually does since even to software professionals it’s not always obvious or easy to understand.
In online applications, login security is one of the more complicated problems out there. Some even call it a nightmare. Login security forces you to prove you are who you say you are through one (or more) of three kinds of factors:
- You know something (usually a password)
- You have something (a time-based one-time password app [think Google Authenticator], a smartphone [think one-time text codes] or a YubiKey [a hardware security key … search for it if you don’t know what a YubiKey is])
- You are something (biometric authentication … fingerprint, eye scan, face scan)
Obviously, the most common of these methods is the password. Because passwords get phished, reused and leaked, many firms now ask you to set up more than one way of proving you are who you say you are. Increasingly, it’s no longer enough to just know a password; you also have to have that second factor to actually log in and gain access to whatever you’re trying to access.
Like I said, it’s a problem, and one that Tailscale explicitly decided they didn’t want to deal with. So they require you to have a system that will essentially vouch for you.
For 95-plus-percent of the population, using a Facebook or a Google login is going to be enough. But like I said, I’m trying to reduce my dependence on big tech. So, what to do? Well, use the open option of course!
But then what? How does one go about setting up an identity provider? And how does said identity provider end up vouching for you as someone who wants access to this system? Well, it’s a fun little dance that is illustrated pretty well by this diagram sourced from Zitadel.com.
In this diagram, you see the User, the Application, the Authorization Server, and the API. In my use case, I am the user (as in me, flesh and blood, not some system). The Application is Tailscale (their web-based service, not the VPN itself). The Authorization Server is the same thing as the identity provider, and the API (or Resource Server) is the VPN itself.
Walk through this diagram. To get into my VPN, I open Tailscale and follow the prompts to log in. Tailscale redirects me to my IdP, which runs the actual login. If I fail to prove I am who I say I am (with my password, one-time code, or whatever other method I have set up with that IdP), access is denied and Tailscale never sees a credential of mine. If I do authenticate, the IdP sends my browser back to Tailscale carrying a short-lived, single-use authorization code. Tailscale then presents that code, together with its own client ID and client secret, to the IdP’s token endpoint and receives an ID token and an access token in return. The ID token, which the IdP signs, is what tells Tailscale who I am; the access token lets Tailscale ask the IdP for a bit more about me (my email address, for instance). On the strength of those tokens, Tailscale grants me access to the VPN service it administers.
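The dance described above, as an added example that is not part of the original post and is not Tailscale’s or Zitadel’s code: both sides of the OpenID Connect authorization code flow run in-process in Python, with a toy identity provider standing in for Zitadel and a toy relying party standing in for Tailscale’s web app. The issuer URL, client ID, client secret, redirect URI and user credentials are made-up values, and the ID token is HS256-signed with the client secret (which OIDC Core permits) rather than with the RS256 keys a real IdP publishes via JWKS. The parts worth studying are the checks the relying party performs on the way back (state, nonce, signature, issuer, audience, expiry) and the IdP’s single-use authorization code.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed identifiers for this illustration (not real Tailscale or Zitadel values).
ISSUER = "https://idp.example.com"
CLIENT_ID = "tailscale-web"
CLIENT_SECRET = "client-secret-handed-to-tailscale"
REDIRECT_URI = "https://rp.example.com/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Toy authorization server (the role Zitadel plays)."""

    def __init__(self, users):
        self.users = users                    # username -> password; toy only
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self.codes = {}                       # outstanding one-time authorization codes

    def authorize(self, params, username, password):
        """The /authorize step: check the client, log the user in, hand back a code via redirect."""
        if params["client_id"] not in self.clients or params["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or redirect_uri")
        if self.users.get(username) != password:
            return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": username, "nonce": params["nonce"],
                            "client_id": params["client_id"], "expires": time.time() + 60}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """The /token step: the client authenticates itself and swaps the code for tokens."""
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("bad client credentials")
        pending = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if (pending is None or pending["expires"] < time.time()
                or pending["client_id"] != client_id or redirect_uri != REDIRECT_URI):
            raise PermissionError("invalid, expired or replayed code")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": pending["sub"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": pending["nonce"]}
        # HS256 keyed with the client secret (OIDC Core 10.1); real IdPs use RS256/ES256 + JWKS.
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        return {"id_token": f"{header}.{body}.{b64url(sig)}",
                "access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def verify_id_token(token, key, expected_nonce):
    """Everything the relying party must check before believing the ID token."""
    header, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise PermissionError("bad ID token signature")
    claims = json.loads(b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise PermissionError("token not issued by our IdP for this client")
    if claims["exp"] < time.time():
        raise PermissionError("expired ID token")
    if claims["nonce"] != expected_nonce:
        raise PermissionError("nonce mismatch (token from a different login?)")
    return claims


class RelyingParty:
    """Toy OIDC client (the role Tailscale's web app plays)."""

    def __init__(self, idp):
        self.idp = idp
        self.pending = {}                     # state -> nonce, normally kept in the browser session

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return ISSUER + "/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid email", "state": state, "nonce": nonce})

    def callback(self, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        nonce = self.pending.pop(q.get("state", ""), None)
        if nonce is None:
            raise PermissionError("unknown state: not a login we started (CSRF?)")
        if "error" in q:
            raise PermissionError("IdP refused: " + q["error"])
        tokens = self.idp.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)
        return verify_id_token(tokens["id_token"], CLIENT_SECRET, nonce)["sub"]


def run_flow(username, password):
    """Drive the whole dance in-process and return the authenticated subject."""
    idp = IdentityProvider(users={"alice": "correct horse battery staple"})  # constructed user
    rp = RelyingParty(idp)
    params = {k: v[0] for k, v in parse_qs(urlparse(rp.start_login()).query).items()}
    redirect = idp.authorize(params, username, password)   # the browser's round trip
    return rp.callback(redirect)


def replay_is_rejected():
    """A redeemed authorization code must not work a second time."""
    idp = IdentityProvider(users={"alice": "pw"})
    rp = RelyingParty(idp)
    params = {k: v[0] for k, v in parse_qs(urlparse(rp.start_login()).query).items()}
    redirect = idp.authorize(params, "alice", "pw")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    rp.callback(redirect)
    try:
        idp.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    except PermissionError:
        return True
    return False
```

`run_flow()` returns the authenticated subject, and `replay_is_rejected()` shows that redeeming the same code twice fails. In production the browser, not a function call, carries the two redirects, and the client secret never leaves the relying party’s server.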
That’s all great… but where am I supposed to get an IdP that isn’t big tech?
Zitadel
I have good experience with Auth0 as an IdP for a number of projects, both personal and professional. It’s very useful, and it follows the same authentication pattern illustrated above, so I was initially inclined to use them, except that they are owned and managed by Okta… big tech. So, for this use case, Auth0 was out.
I looked at potentially buying hosting to run my own Keycloak service, but a friend of mine who has had to solve this problem a number of times spoke in glowing terms about Zitadel. They have their own self-hosted option (i.e., you can run it out of a docker container on your own server if you want), but you can also use the software on their servers. I didn’t want to spend money on hosting, and Zitadel isn’t big tech, so I chose to use Zitadel’s free tier.
After getting in, I set up a “project” in Zitadel that would function as the IdP for my Tailscale network. All that means is that I created something in Zitadel that serves as an abstract representation of the VPN I wanted to protect. If I wanted access to the VPN, I would need to log in against that project with my username, password, and one-time password.
Although initially disorienting, I ultimately was able to work out how to configure Zitadel such that a third-party system (Tailscale) would be able to use the Zitadel project as an IdP. Part of that included obtaining a client ID and client secret from Zitadel, which would later be entered into Tailscale during signup. With all this in place, I was ready, except for one thing…
Webfinger
In order to set up Tailscale with a custom OIDC provider, the first thing they require is a WebFinger endpoint on the domain of the email address you sign up with.
WebFinger (RFC 7033) is a standardized protocol for discovering information about an account, identified by a URI such as acct:me@example.com, from the domain that owns it: a client makes an HTTPS GET to https://example.com/.well-known/webfinger?resource=acct:me@example.com and gets back a small JSON document of links about that account. OpenID Connect Discovery uses it to find where a user authenticates: the response carries a link whose rel is http://openid.net/specs/connect/1.0/issuer and whose href is the OIDC issuer URL, and that link is what Tailscale reads. I won’t illustrate in its entirety how I managed to set up a WebFinger endpoint, but to sum up, I used open-source software on a domain that I control to meet Tailscale’s requirements. When I look up my user account on webfinger.net, my WebFinger endpoint reports the location of my OIDC issuer, which is my Zitadel project.
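A worked version of that endpoint, added here as an example (it is not the author’s actual deployment nor any particular WebFinger package): the server side is a pure function that maps a resource query to a JSON Resource Descriptor, wrapped in Python’s standard-library HTTP server, and the client side performs the validation a consumer like Tailscale would. The domain, the account and the issuer URL are placeholders; the rel value http://openid.net/specs/connect/1.0/issuer and the /.well-known/webfinger path come from the OpenID Connect Discovery and WebFinger (RFC 7033) specifications.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Rel value defined by OpenID Connect Discovery 1.0, section 2.
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample data (assumptions for this example): the accounts this
# domain vouches for, and the OIDC issuer each one authenticates at.
ACCOUNTS = {
    "acct:me@example.com": "https://idp.example.com",  # placeholder for a Zitadel instance URL
}


def webfinger(query: str):
    """Server side: turn the raw query string into (HTTP status, JRD dict or None)."""
    params = parse_qs(query)
    resource = params.get("resource", [None])[0]
    if not resource:
        return 400, None                      # RFC 7033 4.2: resource is mandatory
    issuer = ACCOUNTS.get(resource)
    if issuer is None:
        return 404, None                      # unknown account: say nothing about it
    links = [{"rel": ISSUER_REL, "href": issuer}]
    wanted = params.get("rel")                # optional rel= filter, may repeat
    if wanted:
        links = [link for link in links if link["rel"] in wanted]
    return 200, {"subject": resource, "links": links}


def issuer_for(jrd: dict, resource: str) -> str:
    """Client side (what Tailscale does with the response): validate and extract the issuer."""
    if jrd.get("subject") != resource:
        raise ValueError("subject does not match the resource we asked about")
    hrefs = [link.get("href") for link in jrd.get("links", []) if link.get("rel") == ISSUER_REL]
    if len(hrefs) != 1 or not hrefs[0]:
        raise ValueError("expected exactly one OIDC issuer link")
    url = urlparse(hrefs[0])
    # OIDC Discovery: an issuer is an https URL with no query or fragment component.
    if url.scheme != "https" or not url.netloc or url.query or url.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return hrefs[0]


class WebFingerHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for webfinger(); run it behind a TLS-terminating reverse proxy."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/.well-known/webfinger":
            self.send_error(404)
            return
        status, jrd = webfinger(url.query)
        if jrd is None:
            self.send_error(status)
            return
        body = json.dumps(jrd).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/jrd+json")  # RFC 7033 4.4
        self.send_header("Access-Control-Allow-Origin", "*")        # RFC 7033 5
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Local run: curl 'http://127.0.0.1:8080/.well-known/webfinger?resource=acct:me@example.com'
    HTTPServer(("127.0.0.1", 8080), WebFingerHandler).serve_forever()
```

Put it behind a TLS-terminating reverse proxy: WebFinger is specified over HTTPS only, and a consumer should refuse a plain-http issuer, which `issuer_for()` does. Unknown accounts get a 404 rather than an empty descriptor, so the endpoint does not vouch for (or enumerate) addresses you do not control.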
Hooking it all up
With the WebFinger endpoint up and an IdP in place, I was ready to spin up my Tailscale VPN. I entered the client ID and secret from my IdP into Tailscale. Tailscale looked up my email address over WebFinger, found my Zitadel issuer, and redirected me there to log in. I logged in and authenticated with Zitadel. At that point, I was sent back to Tailscale and granted access to my brand-new VPN. One caveat worth stating plainly: the IdP is now the root of trust for the whole tailnet, so the MFA on that Zitadel account and the client secret handed to Tailscale deserve the same care as the NAS itself.
Success!
Where I have been
In January of 2022, I was approached by some family members and persuaded to work on a CRM project to help my mother with her business. She was struggling to manage her clientele and needed simple software tools to help her out. This project was presented to me as a business opportunity because my mother is among the most connected people I have ever known, and she works with hundreds of people who needed some quality CRM tools.
For the next two years, I spent almost all my free time, with some exceptions, on this CRM project. In April of this year, I decided to stop. Various aspects of the project were not what I had hoped or expected, and the best choice for me was to stop.
This was hard for me, first because family was and is involved. I didn’t want feelings to get hurt and didn’t want to alienate my family. Also, it was especially hard because of all the hours I had spent on the project. I spent roughly 1,200 hours working on this project, and it was no longer possible for me to continue unless things changed.
Since I stepped away, I am pretty happy to say that the others still involved seem to be carrying the project forward. If, at some point, circumstances change again, I might return. In the meantime, from my perspective, the project is in maintenance mode: I’m not working on it, even if I occasionally provide limited support to those who are.
Anyway, because I’m not doing that, I am now redirecting my efforts to a great many other things that I had put off in the interim. This post is, in part, a result of that decision. I never would have had the chance to set up my Tailscale network or write this post if I hadn’t done so. I would have been preoccupied with that project instead.
Again, thanks for stopping by and reading. I appreciate it.
Nice work! I'm glad you have some free time to work on fun projects like this.