by mschempp 659 days ago
"Maybe the OP simply hasn't yet heard about or used Wireguard."

I have, but I do not want to run a VPN solution on my private server, for which I barely have any need. Also Wireguard, although VERY secure, is still not "simple" software.

In addition, there are use cases where Wireguard would not help, for example when I want to open up an HTTP service for the current network that I'm in.


WireGuard is honestly very easy to set up. All of the commands feel very straightforward: https://www.procustodibus.com/blog/2020/11/wireguard-point-t...

You can definitely run an HTTP server behind WireGuard. WireGuard just adds a network interface that your server can listen on (e.g. your server would listen on a private address like 10.0.0.1).

OP's example was a great one. For example, let's say you visit your friends and you want to watch some content together that is accessible on your server. Using this approach you can open access to that without setting up Wireguard on friend's smart TV.

And Wireguard does use quite a bit of CPU if you are using a lot of network bandwidth. Small servers don't have that much compute power, so utilizing the port knocking somewhat removes that issue.

WireGuard has apps for most devices (macOS, iOS, Android, Windows). For smart TVs it's a bit of a mixed bag. Some of them do support VPN clients, and I know Tailscale works on the Apple TV now (Tailscale uses WireGuard under the hood).

If you're using the Ruroco client to proxy requests to the server, then you could do the same with WireGuard. You could have HAProxy (or something similar) proxy requests from your local network to the WireGuard interface.

It is much simpler to open access to the same network using port knocking than setting up VPN apps and profiles on TV.
Which smart TVs natively support port knocking?
No, the example is - you go to friends, join their Wifi, have the same external IP, send the knock from your phone/laptop to open 443 to that IP, and then you can connect from TV or their computers.
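The flow in that comment (one authenticated knock from a phone on the shared Wi-Fi, after which the server opens 443 to the observed source address) can be shown in a few lines. This is an added illustration, not Ruroco's code and not from the thread: the packet layout (timestamp, nonce, HMAC-SHA256), the pre-shared key, the 30-second freshness window, the 600-second grant and the iptables rule string are all assumptions chosen for the example, and the firewall command is only rendered, never executed.

```python
"""Single-packet port knock, server and client side (illustrative example).

The client sends one UDP datagram: 8-byte timestamp || 16-byte nonce || HMAC.
The server verifies the tag, rejects stale or replayed knocks, and records a
time-limited grant for the datagram's *source* address, which is why a TV on
the same network (same external IP) can then connect without knocking itself.
"""
import hashlib
import hmac
import ipaddress
import os
import struct

# Assumed values for this illustration (not from Ruroco or the thread).
KNOCK_KEY = b"example-pre-shared-knock-key"   # constructed secret
KNOCK_TTL = 30                                 # seconds a knock stays fresh
OPEN_PORT = 443                                # port the knock opens
OPEN_DURATION = 600                            # seconds the grant lasts
NONCE_LEN = 16
PACKET_LEN = 8 + NONCE_LEN + 32                # timestamp + nonce + HMAC-SHA256


def _mac(key, ts, nonce):
    # Port is bound into the MAC so a knock for one service cannot be replayed for another.
    msg = struct.pack("!QH", ts, OPEN_PORT) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_knock(key, now, nonce=None):
    """Client side: build the single knock datagram."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return struct.pack("!Q", now) + nonce + _mac(key, now, nonce)


class KnockServer:
    def __init__(self, key):
        self.key = key
        self.seen = {}      # nonce -> timestamp, replay guard within KNOCK_TTL
        self.grants = {}    # src_ip -> expiry timestamp

    def handle(self, packet, src_ip, now):
        """Return (src_ip, port, expiry) for an accepted knock, else None."""
        if len(packet) != PACKET_LEN:
            return None
        ts = struct.unpack("!Q", packet[:8])[0]
        nonce = packet[8:8 + NONCE_LEN]
        tag = packet[8 + NONCE_LEN:]
        # Constant-time compare before any other decision is taken on the contents.
        if not hmac.compare_digest(tag, _mac(self.key, ts, nonce)):
            return None
        if abs(now - ts) > KNOCK_TTL:
            return None            # stale (or clock skew beyond the window)
        # Drop expired nonces, then refuse anything already accepted.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= KNOCK_TTL}
        if nonce in self.seen:
            return None            # replayed datagram
        self.seen[nonce] = ts
        ipaddress.ip_address(src_ip)   # raises on a malformed address
        expiry = now + OPEN_DURATION
        self.grants[src_ip] = expiry
        return (src_ip, OPEN_PORT, expiry)

    def active(self, src_ip, now):
        """Is the grant for this source address still valid?"""
        exp = self.grants.get(src_ip)
        return exp is not None and now < exp

    def firewall_command(self, src_ip):
        """Illustrative iptables rule for a grant; only rendered here."""
        return f"iptables -I INPUT -p tcp -s {src_ip} --dport {OPEN_PORT} -j ACCEPT"


if __name__ == "__main__":
    srv = KnockServer(KNOCK_KEY)
    pkt = make_knock(KNOCK_KEY, 1_700_000_000)
    print(srv.handle(pkt, "203.0.113.5", 1_700_000_000))
    print(srv.firewall_command("203.0.113.5"))
```

The replay guard and the freshness window are the two checks worth keeping in any real deployment: without them a captured datagram would reopen the port from anywhere that can spoof the original source address.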
I don't know that you're right about the WireGuard CPU expense thing.
My router (with Wireguard) can't handle more than 45Mbit/s through Wireguard because the CPU starts throttling.

I suspect that RaspberryPi or old Intel NUC also would not be able to handle speeds anywhere near gigabit.

My NUC easily pegs the network. I'm not sure you're right about this. Either way: you can just use WireGuard as a control channel, the same way this software does.
Wireguard doesn't require much, since it is part of the Linux kernel.

But your use case with the HTTP server is a good one. For similar cases I have used a custom forward-auth service, but that still requires the web server to be accessible, while your solution hides it completely.