alezmad/nuc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8b503a549ca08b531b8358e66e7dd8a8dc68d7db
nuc/docs/remote-access.md
Alejandro Gutiérrez 8b503a549c Add operational documentation 
CloudBeaver database manager guide, Ecija intranet deployment,
Gitea-Coolify auto-deploy and integration docs, monitoring setup
with presentation, remote access guide, security architecture,
and Turbostarter deployment procedure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 15:17:18 +01:00

253 lines
5.3 KiB
Markdown
Raw Blame History

# Remote Access Guide
Two methods for accessing home network remotely: **Tailscale** (recommended) and **WireGuard** (backup).
## Quick Reference
| Method | Use Case | Connection |
|--------|----------|------------|
| **Tailscale** | Daily use, zero config | Automatic via mesh |
| **WireGuard** | Backup, full LAN | `~/wireguard/home-vpn.conf` |
## Tailscale (Recommended)
### Why Tailscale
- Zero configuration after setup
- Works through any NAT/firewall
- Auto-reconnects on network changes
- No ports exposed on router
### Setup (Already Configured)
**NUC as Subnet Router:**
```bash
# On NUC - advertise home LAN
sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
```
**Mac - Accept Routes:**
```bash
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
```
### Usage
Once connected to Tailscale, access home LAN directly:
```bash
# SSH to NUC
ssh 192.168.1.3
# Access router admin
open http://192.168.1.1
# Access any LAN device
ping 192.168.1.x
```
### Status & Troubleshooting
```bash
# Check status
/Applications/Tailscale.app/Contents/MacOS/Tailscale status
# Restart connection
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
# If logged out
/Applications/Tailscale.app/Contents/MacOS/Tailscale up
# Click auth link
```
### Tailscale Devices
| Device | Tailscale IP | Purpose |
|--------|--------------|---------|
| alejandros-macbook-pro | 100.97.192.56 | This Mac |
| alezmad-nuc | 100.113.153.45 | NUC (subnet router) |
| nuc-tailscale | 100.110.198.76 | NUC Funnel endpoint |
---
## WireGuard (Backup)
### Why WireGuard Backup
- Works if Tailscale is down
- Direct connection (no relay)
- Full LAN access via OpenWrt
### Architecture
```
Mac (10.10.10.2)
↓ WireGuard tunnel
alezmad.duckdns.org:51820 (dynamic DNS)
OpenWrt Router (10.10.10.1 / 192.168.1.1)
Home LAN (192.168.1.0/24)
```
### Server (OpenWrt Router)
| Property | Value |
|----------|-------|
| Interface | wg0 |
| Listen Port | 51820 |
| Server IP | 10.10.10.1/24 |
| Public Key | `LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=` |
### Client Config (Mac)
**File:** `~/wireguard/home-vpn.conf`
```ini
[Interface]
PrivateKey = aFklbF6A5dIWmV6gN0NI9A3pv/RmioEsBLWaaXupIns=
Address = 10.10.10.2/24
DNS = 192.168.1.1
[Peer]
PublicKey = LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=
Endpoint = alezmad.duckdns.org:51820
AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
PersistentKeepalive = 25
```
### Usage
**WireGuard App (GUI):**
1. Open WireGuard app
2. Import `~/wireguard/home-vpn.conf` (already imported)
3. Toggle "home-vpn" to connect
**CLI:**
```bash
# Connect
sudo wg-quick up ~/wireguard/home-vpn.conf
# Disconnect
sudo wg-quick down ~/wireguard/home-vpn.conf
# Status
sudo wg show
```
---
## DuckDNS (Dynamic IP)
### Why DuckDNS
- ISP can change public IP anytime
- DuckDNS tracks current IP
- WireGuard uses hostname instead of IP
### Configuration
| Property | Value |
|----------|-------|
| Subdomain | alezmad.duckdns.org |
| Token | `8dd8e041-2fa3-4b3d-9317-f62b912214da` |
| Update Source | OpenWrt router |
| Check Interval | 10 minutes |
### OpenWrt DDNS Service
```bash
# Check status
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "cat /var/run/ddns/duckdns.*"
# Manual update
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
# View config
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "uci show ddns"
```
### Verify DNS Resolution
```bash
dig +short alezmad.duckdns.org
# Should return current public IP
```
---
## Comparison
| Feature | Tailscale | WireGuard |
|---------|-----------|-----------|
| Setup complexity | Minimal | Moderate |
| Port forwarding needed | No | Yes (51820) |
| NAT traversal | Automatic | Manual |
| Dynamic IP handling | Automatic | Via DuckDNS |
| Speed | Good (may relay) | Excellent (direct) |
| Dependencies | Tailscale service | OpenWrt only |
---
## Troubleshooting
### Tailscale Won't Connect
```bash
# Check if running
ps aux | grep -i tailscale
# Restart app
killall Tailscale
open -a Tailscale
# Re-authenticate
/Applications/Tailscale.app/Contents/MacOS/Tailscale up
```
### WireGuard Won't Connect
1. **Check DuckDNS resolves:**
```bash
dig +short alezmad.duckdns.org
```
2. **Check port 51820 is open:**
```bash
nc -zv alezmad.duckdns.org 51820
```
3. **Check WireGuard on router:**
```bash
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "wg show"
```
4. **IP changed but DuckDNS stale:**
```bash
ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
```
### Can't Access LAN via Tailscale
1. **Check routes accepted on Mac:**
```bash
/Applications/Tailscale.app/Contents/MacOS/Tailscale status
# Should show alezmad-nuc as "active"
```
2. **Re-enable route acceptance:**
```bash
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
```
3. **Check subnet router is advertising:**
```bash
ssh nuc "tailscale status"
```
---
## Security Notes
- **Tailscale:** Traffic encrypted end-to-end, keys managed by Tailscale
- **WireGuard:** Traffic encrypted, keys stored locally
- **DuckDNS:** Only exposes that a hostname points to your IP (no credentials)
- **Port 51820:** Only WireGuard handshakes accepted, cryptographically verified
Reference in New Issue View Git Blame Copy Permalink