I'm preparing to use Tailscale for remote access/VPN duties and would like some advice

I plan to do the following before actually setting tailscale up:

To expand on my use case and restrictions, I want to access my home network remotely, but can't use a simple WireGuard VPN due to CGNAT/no carrier support for IPv6 at work/on my mobile data plan. On my home network I have a Jellyfin server, a Bitwarden instance and a couple of surveillance cameras for now.

Are there any other steps I should consider before taking the plunge (for the sake of privacy/security)?

Also, is there a way to combine my existing WireGuard installation with Tailscale (or any benefit to doing it if it's possible)? And what are some resources you would recommend for actually installing and using Tailscale?

I fail to even parse this sentence.

And no. "Plain" WireGuard can be used too. Just the same as with Tailscale!
Click yourself a VirtualServer and connect remotely to that. From the OpenWrt router to the VM, and from your i.e. phone to the VM.

What is an "IPv6 limit"?!
Security? Yeah, great idea. Tunnel all your traffic through a 3rd party. I see. Now you are secure as shit.

PS: Yes, I get really irritated by where you kids all get your ill advice from!


Renting a VPS also requires trust in a third party. If you use the VPS in the usual way, where it is a "hub" for plain WireGuard connections, anyone who can get into your VM OS and run packet captures on the WireGuard interface will have the plaintext of everything sent through your VPN.

A perhaps crude but effective approach to the untrusted third party problem would be to run WireGuard inside the SD-WAN. The most likely attack on an SD-WAN would be a malicious central control, or someone hacked into central control creating an additional node and using central to authorize it on your network. But if the only ports open on your network are encrypted external WireGuard interfaces, they would not be able to do much. You would need to manually key all of the overlaying WireGuard peering completely outside of the SD-WAN infrastructure.

DDNS is not necessary when you use an SD-WAN. A major advantage is that you don't need to know or care how the nodes are connected to the Internet. Your internal network is always the same regardless of how the nodes are reaching the Internet.

I've used ZeroTier for years and for mostly that reason haven't bothered to study Tailscale in much depth. I like that ZeroTier is a smaller binary. It can run comfortably on 16/128 memory, while the Tailscale executable itself is 22 MB. ZeroTier Central also presents the entire network on one web page, making it relatively simple to configure.

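A worked version of the nested-tunnel idea from the post above, as an added example that is not the poster's own configuration: a manually keyed inner WireGuard tunnel whose Endpoint is the peer's overlay address rather than a public IP, so the SD-WAN controller and any relay only ever see WireGuard ciphertext. The overlay addresses (constructed Tailscale-style 100.64.0.0/10 addresses), the inner subnet 10.77.0.0/24, the home LAN 192.168.1.0/24, the interface names and the key placeholders are all assumptions.

```ini
# home node (e.g. the OpenWrt router or a LAN host): /etc/wireguard/wg-inner.conf
# Keys are placeholders: generate each side's pair with
#   wg genkey | tee inner.key | wg pubkey > inner.pub
# and exchange the public keys out of band, never through the SD-WAN's
# central control, so a node it adds on its own cannot join this tunnel.
[Interface]
PrivateKey = <HOME_INNER_PRIVATE_KEY>
Address = 10.77.0.1/24          # inner subnet; the overlay never sees it in clear
ListenPort = 51820              # reachable only via the overlay interface:
                                # firewall: accept udp/51820 on tailscale0 (or zt*),
                                # drop it on wan, so WAN exposes no port at all
MTU = 1200                      # assumption: overlay MTU 1280 minus inner WireGuard overhead
# One [Peer] per manually keyed client, each pinned to a single inner /32.
[Peer]
PublicKey = <PHONE_INNER_PUBLIC_KEY>
AllowedIPs = 10.77.0.2/32
PersistentKeepalive = 25

# phone / laptop: wg-inner.conf
# The home node's address below is its OVERLAY address (assumed 100.101.1.10),
# so DDNS and a public IP are unnecessary; the overlay handles CGNAT traversal.
[Interface]
PrivateKey = <PHONE_INNER_PRIVATE_KEY>
Address = 10.77.0.2/24
MTU = 1200

[Peer]
PublicKey = <HOME_INNER_PUBLIC_KEY>
Endpoint = 100.101.1.10:51820
# Inner subnet plus the home LAN (Jellyfin, Bitwarden, cameras); the home node
# must forward (net.ipv4.ip_forward=1) and be on or route to 192.168.1.0/24.
AllowedIPs = 10.77.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Because only the inner public keys are trusted, a rogue node added via central control can reach the overlay address and port but cannot complete a WireGuard handshake, and every packet it or a relay captures is already encrypted once more.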

SQM is used for traffic shaping on the WAN interface and is set up independently of Tailscale.

Tailscale has built-in DNS called MagicDNS, so you may want to read up on that.

Without knowing how you use WireGuard it is impossible to say if you can or should combine WireGuard with Tailscale, a mesh VPN built on WireGuard. Having said that, I would be surprised if you needed to run both.

The Tailscale website and YouTube are good places to find information on installing and using Tailscale.

Getting started is easy and you don't need to involve the router. As a proof of concept, all that is needed is a Tailscale exit node on the LAN (an Apple TV can perform that function if you have one) and the Tailscale client installed on your Android/Apple phone.


Right, this does sound interesting. Unfortunately I'm not familiar with setting up SD-WAN.

I've used neither, but I'll check out how they both work to decide which to use.

I've read up a little and I'm pretty confident about starting with the router. What do you think about ZeroTier, since it's the second most suggested option I've seen, followed by maybe Netmaker?

AFAIK, Tailscale only does something similar to "route" the data, which is protected by WireGuard's encryption. Thus, please elaborate on the security issue(s).

I briefly looked at ZeroTier before settling on Tailscale. Tailscale supports a wider variety of devices than ZeroTier and, because it is not reliant on a router, it gives me more deployment options, especially for family living and traveling abroad. I found Tailscale easy to install (minimal CLI) and use, hence I have continued to use it.