10
How many of you host your IOT software in the cloud?
(lemmy.world)
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!
I plan to run a tailnet, which means the VPS box will be connected to my LAN using a VPN
Good luck connecting all of your IoT devices to the tailnet though. You'll need a firewall and lots of tinkering. I use linode and host some stuff in the cloud, but not Home Assistant.
What do you mean? Isn't this supposed to work similar to a direct VPN connection to the VPS box, i.e. akin to the machine being in the same network? Am I missing something? What do you mean by "firewall" (on my side, or on the side of the VPS)?
I'll likely be using Node-red and MQTT with some automation apps, probably. Not decided yet.
Tailnet requires you to run the Tailscale client. I would bet that the Tailscale client isn't even built to run on some/all of your IoT devices. Even if it were, I doubt many little esp devices would have the overhead to run them.
I suppose you are right, but if I install a tailscale on my router like so, wouldn't that work?
It just might. That's what I meant by firewall btw. A router is usually just three things, a firewall, a network switch, and a wireless access point. The part that handles routing to the internet (and your cloud instance) will be the firewall. I have OPNSense as my firewall with Tailscale installed on it.
Thanks. If I install tailscale on OPNsense I should be able to connect my IOT devices to the VPS.
Tailnet appears to be Tailscale which is Wireguard underneath. This means it operates at layer 3 (IP). However a bunch of smart home stuff (mDNS, WoL, etc) all depend on layer 2 connectivity (same subnet).
That means some stuff won't work correctly.
I see. Could you give me a few more examples on what could break if I go forward with this? Will I still need to consider multicast DNS if my DNS server is on-prem (Pi-Hole + Unbound)?
I remember that it was not possible to route multicast traffic through IPSec earlier, which is why people used to opt for GRE-over-IPSec. But just as IPSec supports multicast traffic now, doesn't Wireguard too? Or am I missing something important as to why this is not supported?
Multicast DNS is separate from DNS, so even if you have Pi-Hole, you'd still have devices using mDNS. It's possible to route mDNS across separate IP networks seeing as how there's mDNS relays across VLANs which would suggest Wireguard could support Multicast. Other things use Broadcast (e.g. WoL) which is a bit more challenging to forward across IP networks.
I'm not familiar with GRE so I couldn't comment on whether it's possible or not. I guess it all depends on how confident you are with your networking skills. If you get it working, you should definitely document it and share with others.
I didn't quite do what you did, but I ran HA in a Kubernetes cluster which was logically a separate IP network. I had to setup the container with multiple network interfaces and specially craft the route table to forward broadcasts + multicast traffic to the correct network.
Thank you for your reply.
It seems I need to study mDNS more. I haven't had the opportunity to play with IOT much, but this is something I never considered.
I will not be working with GRE over Wireguard though, I'd like to keep it simpler.
Thanks again, I'll have a look. Thanks for the tip with k8s