# Remote Access Guide

Two methods for accessing the home network remotely: **Tailscale** (recommended) and **WireGuard** (backup).

## Quick Reference

| Method | Use Case | Connection |
|--------|----------|------------|
| **Tailscale** | Daily use, zero config | Automatic via mesh |
| **WireGuard** | Backup, full LAN | `~/wireguard/home-vpn.conf` |

## Tailscale (Recommended)

### Why Tailscale

- Zero configuration after setup
- Works through any NAT/firewall
- Auto-reconnects on network changes
- No ports exposed on router

### Setup (Already Configured)

**NUC as Subnet Router:**

```bash
# On NUC - advertise home LAN
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
```

**Mac - Accept Routes:**

```bash
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
```

### Usage

Once connected to Tailscale, access the home LAN directly:

```bash
# SSH to NUC
ssh 192.168.1.3

# Access router admin
open http://192.168.1.1

# Access any LAN device (replace x with the device's host number)
ping 192.168.1.x
```

### Status & Troubleshooting

```bash
# Check status
/Applications/Tailscale.app/Contents/MacOS/Tailscale status

# Restart connection
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes

# If logged out (then click the auth link it prints)
/Applications/Tailscale.app/Contents/MacOS/Tailscale up
```

### Tailscale Devices

| Device | Tailscale IP | Purpose |
|--------|--------------|---------|
| alejandros-macbook-pro | 100.97.192.56 | This Mac |
| alezmad-nuc | 100.113.153.45 | NUC (subnet router) |
| nuc-tailscale | 100.110.198.76 | NUC Funnel endpoint |

---

## WireGuard (Backup)

### Why WireGuard Backup

- Works if Tailscale is down
- Direct connection (no relay)
- Full LAN access via OpenWrt

### Architecture

```
Mac (10.10.10.2)
    ↓ WireGuard tunnel
alezmad.duckdns.org:51820 (dynamic DNS)
    ↓
OpenWrt Router (10.10.10.1 / 192.168.1.1)
    ↓
Home LAN (192.168.1.0/24)
```

### Server (OpenWrt Router)

| Property | Value |
|----------|-------|
| Interface | wg0 |
| Listen Port | 51820 |
| Server IP | 10.10.10.1/24 |
| Public Key | `LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=` |

### Client Config (Mac)

**File:** `~/wireguard/home-vpn.conf`

```ini
[Interface]
PrivateKey = aFklbF6A5dIWmV6gN0NI9A3pv/RmioEsBLWaaXupIns=
Address = 10.10.10.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=
Endpoint = alezmad.duckdns.org:51820
AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
PersistentKeepalive = 25
```

### Usage

**WireGuard App (GUI):**

1. Open WireGuard app
2. Import `~/wireguard/home-vpn.conf` (already imported)
3. Toggle "home-vpn" to connect

**CLI:**

```bash
# Connect
sudo wg-quick up ~/wireguard/home-vpn.conf

# Disconnect
sudo wg-quick down ~/wireguard/home-vpn.conf

# Status
sudo wg show
```

---

## DuckDNS (Dynamic IP)

### Why DuckDNS

- ISP can change public IP anytime
- DuckDNS tracks current IP
- WireGuard uses hostname instead of IP

### Configuration

| Property | Value |
|----------|-------|
| Subdomain | alezmad.duckdns.org |
| Token | `8dd8e041-2fa3-4b3d-9317-f62b912214da` |
| Update Source | OpenWrt router |
| Check Interval | 10 minutes |

### OpenWrt DDNS Service

```bash
# Check status
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "cat /var/run/ddns/duckdns.*"

# Manual update
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"

# View config
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "uci show ddns"
```

### Verify DNS Resolution

```bash
dig +short alezmad.duckdns.org
# Should return current public IP
```

---

## Comparison

| Feature | Tailscale | WireGuard |
|---------|-----------|-----------|
| Setup complexity | Minimal | Moderate |
| Port forwarding needed | No | Yes (51820) |
| NAT traversal | Automatic | Manual |
| Dynamic IP handling | Automatic | Via DuckDNS |
| Speed | Good (may relay) | Excellent (direct) |
| Dependencies | Tailscale service | OpenWrt only |

---

## Troubleshooting

### Tailscale Won't Connect

```bash
# Check if running
ps aux | grep -i tailscale

# Restart app
killall Tailscale
open -a Tailscale

# Re-authenticate
/Applications/Tailscale.app/Contents/MacOS/Tailscale up
```

### WireGuard Won't Connect

1. **Check DuckDNS resolves:**

   ```bash
   dig +short alezmad.duckdns.org
   ```

2. **Check port 51820 is open:**

   ```bash
   # WireGuard listens on UDP, so probe with -u (plain -zv tests TCP).
   # WireGuard stays silent to unauthenticated packets, so "succeeded" only
   # means no ICMP port-unreachable came back.
   nc -zuv alezmad.duckdns.org 51820
   ```

3. **Check WireGuard on router:**

   ```bash
   ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "wg show"
   ```

4. **IP changed but DuckDNS stale:**

   ```bash
   ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
   ```

### Can't Access LAN via Tailscale

1. **Check routes accepted on Mac:**

   ```bash
   /Applications/Tailscale.app/Contents/MacOS/Tailscale status
   # Should show alezmad-nuc as "active"
   ```

2. **Re-enable route acceptance:**

   ```bash
   /Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
   ```

3. **Check subnet router is advertising:**

   ```bash
   ssh nuc "tailscale status"
   ```

---

## Security Notes

- **Tailscale:** Traffic encrypted end-to-end, keys managed by Tailscale
- **WireGuard:** Traffic encrypted, keys stored locally
- **DuckDNS:** Only exposes that a hostname points to your IP (no credentials)
- **Port 51820:** Only WireGuard handshakes accepted, cryptographically verified
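
As an added example (not part of the original guide): the WireGuard note above says keys are stored locally, which on the Mac means the private key sits in `~/wireguard/home-vpn.conf`. The script below checks that file's permissions and that `AllowedIPs` stays within the expected split-tunnel ranges; the function names and script name are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit a wg-quick client config.

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Value(s) of "Key = value" lines with spaces and tabs removed.
conf_value() {  # conf_value <key> <file>
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr -d ' \t'
}

# Prints one line per finding and returns the number of findings (0 = clean).
audit_wg_conf() {  # audit_wg_conf <file> <expected-cidr>...
  local conf=$1 mode ip cidr ok findings=0
  shift
  if [ ! -r "$conf" ]; then echo "FAIL cannot read $conf"; return 1; fi

  # Any group/other permission bit lets other local users read PrivateKey.
  mode=$(file_mode "$conf")
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "FAIL mode $mode exposes PrivateKey; fix with: chmod 600 $conf"
    findings=$((findings + 1))
  fi

  if [ -z "$(conf_value PrivateKey "$conf")" ]; then
    echo "FAIL no PrivateKey found"
    findings=$((findings + 1))
  fi

  # Split tunnel: every AllowedIPs entry must be an expected range. 0.0.0.0/0
  # or an extra subnet would send more traffic into the tunnel than intended.
  for ip in $(conf_value AllowedIPs "$conf" | tr ',' ' '); do
    ok=no
    for cidr in "$@"; do if [ "$ip" = "$cidr" ]; then ok=yes; fi; done
    if [ "$ok" = no ]; then
      echo "WARN unexpected AllowedIPs entry $ip"
      findings=$((findings + 1))
    fi
  done

  if [ "$findings" -eq 0 ]; then echo "OK $conf"; fi
  return "$findings"
}

# Run only when a config path is given on the command line.
if [ "$#" -gt 0 ]; then audit_wg_conf "$@"; fi
```

Run it as `bash audit-wg-conf.sh ~/wireguard/home-vpn.conf 192.168.1.0/24 10.10.10.0/24`; the exit status is the number of findings.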