Looking for a dual VPN solution

XjFred · February 20, 2023, 1:25pm

Hello everyone !

I use a VPN for privacy reason (Proton).
But I need another one (Tailscale) in order to acces my local network from everywhere outside my house.

Each time I need to access my local network, I have to switch from Proton to Tailscale.

Is there a solution to avoid this manipulation ? As far as I know, I can’t have 2 VPN in Android as there is only one VPN slot.
If I root my phone, will I be able to force the access of one app to Tailscale and all the other traffic through Proton ?
Or does anybody have a solution for that ?

Regards
Fred

Macrophag · February 20, 2023, 3:45pm

I would probably set up Proton on your router, so your entire home network would be protected, and then just be on tailscale from the phone consistently

Leifrod · February 21, 2023, 7:39am

Could do but there are things to consider.
Proton VPN over OpenVPN on a router will do max 40MB/s
Unless you have a wireshark option on your router it’s slow.
Why have constant vpn to home lan? You need file access?
There are ways around that.

XjFred · February 21, 2023, 8:14am

I didn’t think about that solution. I have to buy a router (my ISP box is not really “set-able”).
So what you mean is to set Proton on the router, access my LAN from everywhere with tailscale and using the router as exit node to allow browsing ? That may work indeed.

XjFred · February 21, 2023, 8:17am

Proton uses Wireguard protocol, as well as Tailscale. Do you think going through a first tunnel from the phone to my home network, and using another one from my router to internet will slow the trafic ? It’s 2 VPN one after the other, not at the same time.

I need a VPN to my LAN because I have a domotic app that works perfectly well locally but sometimes crashes with remote access (because of an open source cloud solution with quite poor reliability).

tcecyk · February 21, 2023, 8:29am

tailscale is great, but doesn’t allow yet to define an exit-node that has no tailscale installed (but wireguard). Really only destination, port and public key is necessary to do this and ProtonVPN as vpn provider publishes those 3 items in the config panel.

If you manually configure wireguard nodes (without tailscale) you can do this, as the default route is set on the wireguard nodes you own. Would allow you do to it selectively too per node.

Why not write the tailscale peeps and let them know you want this? I really think there is a chance they’d implement it

Leifrod · February 21, 2023, 8:50am

What you can do is set up a wireguard tunnell going out from your router to protect the LAN and then on same router set up vpn server for external ->in to LAN
All depends what router options you have.
Regarding slowness, most routers have OpenVPN protocol but not wireguard.
OpenVPN is CPU intensive and with small router CPUs they can only do about 40MB/s using OpenVPN protocol.

XjFred · February 21, 2023, 7:57pm

Thank you all for your ideas.
Now, I have to learn/figure out how to do that. As I’m not a network expert.
But the idea of centralize all my connections (locally or not) to my home, to a router in which Proton is installed looks great and make me feel like I gain a little bit more control.

tcecyk · February 22, 2023, 12:34am

a tailscale developer catalogued the need to use an external / “upstream” wireguard exit-node already. You can track the related tickets to know when they implemented something (Mullvad here would be synonymous with ProtonVPN - both make it easy to retrieve wg pubkey, ip+port)

github.com/tailscale/tailscale

FR: support adding Mullvad servers as Exit Nodes

opened 07:54PM - 19 Sep 21 UTC

bradfitz

L2 Few P1 Nuisance T0 New feature vpn-interop fr

We have a number of users who try to use multiple VPN products at the same time …and then get sad when they inevitably break, trying to hook into the OS networking stacks at the same places and conflicting: https://github.com/tailscale/tailscale/issues?q=is%3Aissue+label%3Avpn-interop+ But of all the other VPN services, Mullvad (https://mullvad.net/) seems like the best/easiest one for us to support interop with. Mullvad already supports Wireguard, so we could probably pretty trivially support letting you add Mullvad Servers to your network such that they show up as Tailscale Exit Node options. Possible options: 1) CLI tool to just do the API calls to Tailscale to pretend to be a Tailscale node, but actually set the endpoints/etc of a Mullvad server. 2) Let you define Mullvad servers in your tailnet's ACL/Policy JSON. Then the control plane server would blend them in to your netmap so they'd be Exit Node options. 3) Add your Mullvad account number to your Tailnet policy, then we do some API calls or something to query all Mullvad servers and and add them all? 4) web GUI options for one/some of the above. For now I was playing with just doing (1) as a proof of concept. I see reference to a Mullvad API but I've yet to find it. The Mullvad client is open source, though, so I assume that configuring Wireguard within their app ultimately does some API calls to Mullvad.

FR: Support importing wireguard config files · Issue #3852 · tailscale/tailscale · GitHub (related)

though what you want can be done manually (“split tunnel config” or just different routing with multiple wireguard peers), tailscale makes all of this much more accessible so it would be quite comfortable to import that exit peer

XjFred · February 22, 2023, 4:31am

Work is in progress in the Tailscale team. It gives me time to learn how to do it even without them.