I’m using an ESP32 as a VPN gateway for my entire network – here’s how


I run a modest home lab with Proxmox, Home Assistant, Raspberry Pi, NAS and computers. I need to SSH into one of those machines when I travel. But I don’t want to expose anything on the internet. So I chose ESP32-S3 to access my home devices from anywhere.

Preface: this ESP32-based VPN gateway is designed for lightweight tasks. It is not a high-speed VPN, nor a gateway that can forward all of my network traffic. What I wanted was an always-on, low-power solution that lets me SSH into my home server, Raspberry Pi, or other devices on my LAN, and thanks to the MicroLink project on GitHub that is possible.

With a little effort, a $10 ESP32-S3 powered by Tailscale was just what I needed, and it’s been the best addition to my home lab in a while.


Why ESP32 over Raspberry Pi?

Does the job reliably

ESP32 can handle some tasks better than Raspberry Pi

The idea is to use a single Tailscale appliance rather than installing the client on every machine on the home network. One might ask: why not use a Raspberry Pi instead of an ESP32?

The Pi can run the official Tailscale client, and it takes less than 10 minutes to install on Linux; even the Pi Zero W works. But using an SBC like a Pi just to run a Tailscale access point is overkill. I had an ESP32-S3 lying around and wondered if it was up to the task.

The ESP32 draws about 0.5W of power compared to the Pi's 1.5W. Since I plan to run the ESP32 as an always-on device, that difference adds up over time, and the total consumption still stays below the Pi's. Also, there is no Linux or OS to maintain or update.

Unlike the Raspberry Pi, there is no risk of corruption of the microSD card. The ESP32 boots in two seconds, while a Pi-based system takes at least 30 seconds to boot, even on a headless setup running an NVMe SSD.

The main reason I chose the ESP32 for the task was because it connects to Tailscale and sits quietly on my home network. As a dedicated entry point, it provides reliability with its simplicity, which is better than running a full Linux environment that is otherwise unused.

What makes the ESP32 work as a VPN gateway?

A simple resource efficient project

The MicroLink project on GitHub allows you to use Tailscale on the ESP32. The app is a Tailscale-compatible VPN client: it implements the WireGuard Noise protocol handshake for encryption and authentication, Tailscale's DISCO protocol to discover peer machines, and HTTP/2 over an encrypted transport. All of this is a real implementation running bare metal on FreeRTOS.

Honestly, it took a few hours to get the MicroLink project working on my ESP32-S3-N16R8. I cloned the MicroLink project into my project folder as a component and used a reusable Tailscale auth key so the ESP32 can authenticate without an interactive login.

The main hurdle was providing enough headroom for the TLS handshakes. For this I initialized the PSRAM properly so that MicroLink had enough memory to work with. After I resolved this, the device used the auth key to register and showed up in the Tailscale admin console with its VPN IP alongside my other devices.

Use ESP32 to access and wake machines

No need to install Tailscale anywhere

ESP32 in Tailscale Management Console

Once the ESP32 is connected to my Tailscale network, I use it as an SSH pass-through host to access any machine on my home LAN.

For example, ssh -J tsd samir@192.168.1.5 lets me access my Raspberry Pi from anywhere. Here, tsd is the name of the ESP32 device on the tailnet and 192.168.1.5 is the IP address of the target machine.

When machines are turned off or in sleep mode, I use Wake-on-LAN to poke and prod them. Here’s the command I used to send the magic packet and wake up the machine on my home LAN:

curl "http:///wol?mac=AA:BB:CC:DD:EE:FF"

As MicroLink doesn't have an SSH server at the time of writing, I'm running a lightweight HTTP server on the ESP32 instead to provide the Wake-on-LAN functionality.
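As an added illustration, not code from the article or from the MicroLink project, here is the core of such a /wol endpoint in C, written against the POSIX socket calls that ESP-IDF's lwIP also provides. Because the endpoint answers anyone on the tailnet, the MAC taken from the query string is validated strictly before a packet is built and broadcast; the LAN broadcast address and the UDP port 9 destination are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MAGIC_LEN 102 /* 6 x 0xFF, then the target MAC repeated 16 times */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Strictly parse "AA:BB:CC:DD:EE:FF" (':' or '-' separators) into 6 bytes. The
 * string is the ?mac= query value from anyone on the tailnet, so anything but
 * the exact 17-character form is rejected. */
bool parse_mac(const char *s, uint8_t mac[6]) {
    if (s == NULL || strlen(s) != 17) return false;
    for (int i = 0; i < 6; i++) {
        int hi = hexval(s[3 * i]), lo = hexval(s[3 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        if (i < 5 && s[3 * i + 2] != ':' && s[3 * i + 2] != '-') return false;
        mac[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}
/* Build the Wake-on-LAN magic packet the ESP32 broadcasts on the LAN. */
void build_magic_packet(const uint8_t mac[6], uint8_t out[MAGIC_LEN]) {
    memset(out, 0xFF, 6);
    for (int i = 0; i < 16; i++) memcpy(out + 6 + 6 * i, mac, 6);
}
/* The /wol handler's action: broadcast the packet to UDP port 9. bcast_ip is
 * the LAN broadcast address, e.g. "192.168.1.255" (an assumed config value).
 * Returns 0 on success, -1 on a rejected MAC or socket error. */
int send_wol(const char *mac_str, const char *bcast_ip) {
    uint8_t mac[6], pkt[MAGIC_LEN];
    if (!parse_mac(mac_str, mac)) return -1;
    build_magic_packet(mac, pkt);
    int fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) return -1;
    int on = 1; setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &on, sizeof on);
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(9) };
    if (inet_pton(AF_INET, bcast_ip, &dst.sin_addr) != 1) { close(fd); return -1; }
    ssize_t n = sendto(fd, pkt, MAGIC_LEN, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return n == MAGIC_LEN ? 0 : -1;
}
```

On the ESP32 the HTTP handler would pull the mac= value out of the query string and call send_wol with the LAN's broadcast address.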

Living with some disadvantages

Things to consider

ESP32-S3 with other ESP32 boards

The idea wasn’t to build a high-speed VPN for data transfer or streaming 4K content. Real world speeds are only a few Mbps. So copying a large file or viewing a camera feed will strain the connection.

Extending the timeout from 3000 milliseconds to 6000 milliseconds, so that Tailscale has time to query STUN servers and discover the public IP for peer-to-peer connections, resolved the timeout issues. Since WireGuard uses port 51820, I changed the DISCO socket binding to port 51821. Finally, I forced the heartbeat to always transmit, so that Tailscale stops closing connections every 2 seconds.

The updated code is available on my GitHub page for flashing and further testing.


Always-on, low-power VPN gateway hardware

To be honest, the ESP32 is not a replacement for a fully functional VPN router, and it was never intended to be. For my use case, I needed a single access point to SSH into my home lab and wake up my home machines remotely. I was able to do this at a fraction of the power and cost of popular Linux-based alternatives.

The MicroLink project does the heavy lifting of providing a Tailscale client for the ESP32, and adding a Wake-on-LAN server rounds it out for my purpose. If you have an ESP32-S3 around, flash this code and turn it into a weekend project for your home lab.
