nuc/docs/remote-access.md
Alejandro Gutiérrez 8b503a549c Add operational documentation
CloudBeaver database manager guide, Ecija intranet deployment,
Gitea-Coolify auto-deploy and integration docs, monitoring setup
with presentation, remote access guide, security architecture,
and Turbostarter deployment procedure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 15:17:18 +01:00


Remote Access Guide

Two methods for accessing the home network remotely: Tailscale (recommended) and WireGuard (backup).

Quick Reference

| Method | Use Case | Connection |
|---|---|---|
| Tailscale | Daily use, zero config | Automatic via mesh |
| WireGuard | Backup, full LAN | ~/wireguard/home-vpn.conf |

Why Tailscale

  • Zero configuration after setup
  • Works through any NAT/firewall
  • Auto-reconnects on network changes
  • No ports exposed on router

Setup (Already Configured)

NUC as Subnet Router:

# On NUC - advertise home LAN
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes

Mac - Accept Routes:

/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes

Usage

Once connected to Tailscale, access the home LAN directly:

# SSH to NUC
ssh 192.168.1.3

# Access router admin
open http://192.168.1.1

# Access any LAN device
ping 192.168.1.x

Status & Troubleshooting

# Check status
/Applications/Tailscale.app/Contents/MacOS/Tailscale status

# Restart connection
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes

# If logged out
/Applications/Tailscale.app/Contents/MacOS/Tailscale up
# Click auth link

Tailscale Devices

| Device | Tailscale IP | Purpose |
|---|---|---|
| alejandros-macbook-pro | 100.97.192.56 | This Mac |
| alezmad-nuc | 100.113.153.45 | NUC (subnet router) |
| nuc-tailscale | 100.110.198.76 | NUC Funnel endpoint |

WireGuard (Backup)

Why WireGuard Backup

  • Works if Tailscale is down
  • Direct connection (no relay)
  • Full LAN access via OpenWrt

Architecture

Mac (10.10.10.2)
    ↓ WireGuard tunnel
alezmad.duckdns.org:51820 (dynamic DNS)
    ↓
OpenWrt Router (10.10.10.1 / 192.168.1.1)
    ↓
Home LAN (192.168.1.0/24)

Server (OpenWrt Router)

| Property | Value |
|---|---|
| Interface | wg0 |
| Listen Port | 51820 |
| Server IP | 10.10.10.1/24 |
| Public Key | LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs= |

Client Config (Mac)

File: ~/wireguard/home-vpn.conf

[Interface]
PrivateKey = aFklbF6A5dIWmV6gN0NI9A3pv/RmioEsBLWaaXupIns=
Address = 10.10.10.2/24
DNS = 192.168.1.1

[Peer]
PublicKey = LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=
Endpoint = alezmad.duckdns.org:51820
AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
PersistentKeepalive = 25

Usage

WireGuard App (GUI):

  1. Open WireGuard app
  2. Import ~/wireguard/home-vpn.conf (already imported)
  3. Toggle "home-vpn" to connect

CLI:

# Connect
sudo wg-quick up ~/wireguard/home-vpn.conf

# Disconnect
sudo wg-quick down ~/wireguard/home-vpn.conf

# Status
sudo wg show

DuckDNS (Dynamic IP)

Why DuckDNS

  • ISP can change public IP anytime
  • DuckDNS tracks current IP
  • WireGuard uses hostname instead of IP

Configuration

| Property | Value |
|---|---|
| Subdomain | alezmad.duckdns.org |
| Token | 8dd8e041-2fa3-4b3d-9317-f62b912214da |
| Update Source | OpenWrt router |
| Check Interval | 10 minutes |

OpenWrt DDNS Service

# Check status
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "cat /var/run/ddns/duckdns.*"

# Manual update
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"

# View config
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "uci show ddns"

Verify DNS Resolution

dig +short alezmad.duckdns.org
# Should return current public IP

Comparison

| Feature | Tailscale | WireGuard |
|---|---|---|
| Setup complexity | Minimal | Moderate |
| Port forwarding needed | No | Yes (51820) |
| NAT traversal | Automatic | Manual |
| Dynamic IP handling | Automatic | Via DuckDNS |
| Speed | Good (may relay) | Excellent (direct) |
| Dependencies | Tailscale service | OpenWrt only |

Troubleshooting

Tailscale Won't Connect

# Check if running
ps aux | grep -i tailscale

# Restart app
killall Tailscale
open -a Tailscale

# Re-authenticate
/Applications/Tailscale.app/Contents/MacOS/Tailscale up

WireGuard Won't Connect

  1. Check DuckDNS resolves:

    dig +short alezmad.duckdns.org
    
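  2. Check port 51820 (UDP) is reachable:

    # WireGuard listens on UDP, so probe with -u (plain nc -zv tests TCP).
    # It stays silent to unauthenticated packets: "succeeded" only means no ICMP rejection came back.
    nc -zuv alezmad.duckdns.org 51820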
    
  3. Check WireGuard on router:

    ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "wg show"
    
  4. IP changed but DuckDNS stale:

    ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
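
Because WireGuard does not answer unauthenticated probes, the age of the last handshake is the dependable signal in step 3. The script below is an added example, not part of the original guide: it classifies peers from the output of `wg show wg0 latest-handshakes`. The function names, the 180-second threshold and the sample peer names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: judge tunnel health from `wg show wg0 latest-handshakes`.
# Input lines are "<peer-public-key><TAB><unix-time-of-last-handshake>"; 0 = never.

# Assumed threshold. WireGuard renews the handshake about every 120 s while
# traffic flows, and PersistentKeepalive = 25 guarantees traffic.
STALE_AFTER=${STALE_AFTER:-180}

# usage: wg show wg0 latest-handshakes | handshake_report [now-epoch]
# prints "<state> <age> <peer>" with state in ok | stale | never
handshake_report() {
    awk -v now="${1:-$(date +%s)}" -v limit="$STALE_AFTER" '
        NF == 2 {
            age = now - $2
            if ($2 == 0)          state = "never"
            else if (age > limit) state = "stale"
            else                  state = "ok"
            print state, ($2 == 0 ? "-" : age "s"), $1
        }'
}

# Exit 0 only if at least one peer is listed and none is stale or never seen.
tunnel_healthy() {
    _report=$(handshake_report "$@")
    [ -n "$_report" ] || return 1
    ! printf '%s\n' "$_report" | grep -Eq '^(never|stale) '
}

# Constructed sample input (placeholder peer names, not real keys).
sample_handshakes() {
    printf 'PEER_A_CONSTRUCTED=\t1700000000\n'
    printf 'PEER_B_CONSTRUCTED=\t1699990000\n'
    printf 'PEER_C_CONSTRUCTED=\t0\n'
}

sample_handshakes | handshake_report 1700000060
```

On the router this would be fed with `ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "wg show wg0 latest-handshakes" | handshake_report`.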
    

Can't Access LAN via Tailscale

  1. Check routes accepted on Mac:

    /Applications/Tailscale.app/Contents/MacOS/Tailscale status
    # Should show alezmad-nuc as "active"
    
  2. Re-enable route acceptance:

    /Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
    
  3. Check subnet router is advertising:

    ssh nuc "tailscale status"
    

Security Notes

  • Tailscale: Traffic encrypted end-to-end, keys managed by Tailscale
  • WireGuard: Traffic encrypted, keys stored locally
  • DuckDNS: Only exposes that a hostname points to your IP (no credentials)
  • Port 51820: Only WireGuard handshakes accepted, cryptographically verified
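
"Keys stored locally" only holds while the client's PrivateKey stays out of shared documents and the config file is not readable by other accounts. The helpers below are an added example, not part of the original guide: they detect an unredacted WireGuard key in a config or in a document quoting one, print a redacted copy suitable for documentation, and check the file mode. Function names, the `<REDACTED>` marker and the all-"A" sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. A WireGuard key is 32 bytes: 43 base64 characters plus "=".
KEY_RE='^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}='

# Exit 0 if FILE (a config, or a document quoting one) holds a live-looking secret.
leaks_wg_secret() {
    grep -Eq "$KEY_RE" "$1"
}

# Print FILE with secret values replaced; PublicKey, Endpoint etc. pass through.
wg_conf_redact() {
    sed -E 's#^([[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=).*#\1 <REDACTED>#' "$1"
}

# Exit 0 if FILE grants no permissions to group or other (for example mode 600).
wg_conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: same layout as home-vpn.conf, all-"A" key, placeholder peer.
write_sample_conf() {
    _key="$(printf '%043d' 0 | tr 0 A)="
    cat > "$1" <<EOF
[Interface]
PrivateKey = $_key
Address = 10.10.10.2/24

[Peer]
PublicKey = <peer-public-key>
AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
EOF
    chmod 644 "$1"
}
```

Typical use is `wg_conf_private ~/wireguard/home-vpn.conf` on the client and `leaks_wg_secret docs/remote-access.md` before committing documentation; a key or DDNS token that has already been published should be rotated rather than only removed.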