Hi, since I am new to Twingate, please forgive me for any misunderstanding.
I have a scenario where I want to remotely access multiple devices (e.g. from my Android phone outside, connect to my home router and the local machines behind it, and to the computers in my office). It seems that Twingate only allows connections from every client to connectors (no matter whether p2p or through a relay)? Is Twingate suitable for me, or should I use a traditional VPN or something like WireGuard?
Additionally, if I insist on using Twingate, will the following work, and are they secure? (Even if they are weird …)
- Open ports on the remote machines and only allow connections from the connector in Twingate
- Create multiple remote networks and let the remote machines I want to access be the connector in turn
- Only create one remote network, let all of them be connectors, and enable "Make Connector available on local network". (Will there be conflicts? What will happen if a remote network has multiple connectors, and services sharing the same names have different behaviour on different connectors?)
Your use case will work with Twingate very easily if you follow the Quickstart to get started with your 1 (or 2, if you have a second machine that can run it) connector.
You then need to set up resources to access through Twingate. You can set up individual resources such as your Home Router/Firewall and another one for, say, a Windows machine. With those individual resources you have fine control over what ports are allowed.
Or you can make it easier on yourself until you learn more about the controls and the zero trust architecture model Twingate gives you. Simply set up your subnet as a resource, so if your home network is 192.168.0.1, create a resource called Home and use 192.168.0.1/24.
Hi jrbhjokwqizusrqbrr (That’s an interesting name, is it Swedish?),
John’s answer is great (you trying to get on the payroll, @johnwcahill ?). Just to add a few things:
- Yes, if you configure specific machines to only allow traffic from the local IP of your connector, when you’re connected to Twingate, it will behave just fine.
- You can create multiple remote networks and in most cases you can access the machines you have connectors deployed on with a bit of configuration, but sometimes there can be headaches with loopbacks and such.
- You generally wouldn’t want to have a connector on every machine in your remote network, this wouldn’t really do much other than make your configuration clunky as heck.
We’re really built around having 1 or 2 connectors per remote network, and having those connectors be separate from the resources you want to access, but on the same network.
So using your home setup as an example, you could have a RPi with the connector running on it on your home network, and then have the machines you want to access defined as resources (as well as the router), and then while you’re connected to Twingate, you would just access them via their “local” IPs at home, and we take care of the rest. (Presuming your router was 192.168.1.1, even if you’re out in the world and connected to Twingate on your phone via cellular signal, when you try to open 192.168.1.1 in your browser, we’ll route the connection to your home network and to your router.)
Let me know if you have any other questions.
Sorry for the late reply, @johnwcahill and @Arthur. I love the vivid examples, which made resources and connectors very clear to me. However, there are still some things I don't understand:
- Can clients access each other? Is it enough to install the Twingate client on a device and add it to the Twingate network? Or are devices with the Twingate client different from managed devices, and if I want to make a Windows machine able to access other resources and also be accessible from other devices, is it necessary to install two apps, from Client Application | Docs | Twingate and Managed Devices | Docs | Twingate?
- How do I bind a resource and a device? If a CIDR block matches one resource, can Twingate automatically lead me to where I want to go? Or do I need to bind them in the web controller panel?
- If Twingate automatically leads me, does that mean I must make sure the IP addresses of the different resources do not conflict? Otherwise, if I am not willing to use Twingate DNS, do I have to change the settings in each local network's router?
@Arthur not my intention, but I do like money if you are giving it away
No, clients are not able to reach each other; Twingate is not a mesh solution. If you need a solution like that, there are at least 2 other solutions that could do that: Tailscale and ZeroTier.
The resource can be a web interface, and you would define the resource by name and/or IP, as aliasing is possible. You can assign groups or users as to WHO can access a resource.
NO IP changes are needed; you can use the same IP addresses you use today. However, if you have, say, 5 machines you wish to reach with varying degrees of access needs, you can set up 5 resources with their IP addresses (192.168.1.2, 192.168.1.5, etc.) and you can add a friendly ‘DNS’ name for each if you like.
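To make the resource model discussed in this thread concrete (a broad Home subnet resource beside narrower per-machine resources with port restrictions), here is an added illustration that is not Twingate's code or the forum posters' code. It assumes that, when resources overlap, the most specific address wins (an assumption, not something the thread states), and it also shows what a host-style address such as 192.168.0.1/24 actually covers once normalised.

```python
"""Model of how resource definitions decide whether a client request is
routed to a connector and which TCP ports it may use.

Added illustration, not Twingate's implementation. Longest-prefix match
between overlapping resources is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Resource:
    name: str
    address: str                          # single IP or CIDR, as typed into an admin console
    tcp_ports: Optional[Set[int]] = None  # None means every TCP port is allowed


def covered_network(address: str) -> ipaddress.IPv4Network:
    """Normalise an address to the network it covers.
    strict=False turns a host address with host bits set, e.g. 192.168.0.1/24,
    into the subnet it really means, 192.168.0.0/24."""
    return ipaddress.ip_network(address, strict=False)


def match_resource(resources, dst_ip: str) -> Optional[Resource]:
    """Return the most specific resource covering dst_ip, or None if no
    resource covers it (traffic then stays with the device's normal stack)."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in resources if ip in covered_network(r.address)]
    if not hits:
        return None
    # Assumption: a /32 per-machine resource overrides a /24 subnet resource.
    return max(hits, key=lambda r: covered_network(r.address).prefixlen)


def decide(resources, dst_ip: str, port: int) -> Tuple[Optional[str], bool]:
    """Return (matched resource name or None, whether the TCP port is allowed)."""
    res = match_resource(resources, dst_ip)
    if res is None:
        return None, False
    return res.name, res.tcp_ports is None or port in res.tcp_ports


# Constructed sample matching the thread: whole home LAN, plus a router
# resource that only exposes its HTTPS admin page.
HOME_RESOURCES = [
    Resource("Home", "192.168.0.1/24"),
    Resource("Router", "192.168.0.1", tcp_ports={443}),
]

if __name__ == "__main__":
    print(covered_network("192.168.0.1/24"))           # 192.168.0.0/24
    print(decide(HOME_RESOURCES, "192.168.0.1", 443))  # ('Router', True)
    print(decide(HOME_RESOURCES, "192.168.0.1", 22))   # ('Router', False)
    print(decide(HOME_RESOURCES, "192.168.0.50", 22))  # ('Home', True)
    print(decide(HOME_RESOURCES, "10.0.0.5", 80))      # (None, False)
```

The third call shows the practical point of John's advice: the narrow Router resource blocks SSH to the router even though the broad Home resource would have allowed it.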
Thanks! Actually, I am coming from Tailscale (Headscale) and ZeroTier, but they both have something I find uncomfortable, so I want to try something not based on WireGuard.
Twingate is wicked! It seems that, if I set up my own DNS (on the connector, or at least somewhere the connector can access; similarly if using IP addresses), I will have a “mesh VPN” based on resources rather than devices. However, if my resources are behind different NATs that the connectors cannot directly reach, then I still need a VPN between the connector and the devices behind NAT. In other words, unlike ZeroTier, the servers that Twingate offers are only for relay, and thus Twingate only solves the connection between clients and the connector. Though this increases the difficulty of setting up, it strengthens safety significantly, especially when the connector and resources are inside a private network and not exposed. Did I get it right this time?
Thank you very much for the above replies. They are so helpful!