I’m fine with this being sponsored. I can easily digest this valuable information and decide for myself what to use. Thanks for the info. Some people don’t think you should be able to eat.
Zero trust is the way to go. VPNs provide no protection for your network once a bad actor gets onto an end-user's system that is connected to your VPN. Ask me how I know 😞 Great video, regardless of whether it is a sponsored video or not.
I cannot believe that this is your opinion. You put a third-party trojan in your network and explain it like it's the best thing ever. Did you watch this video yourself before publishing it? 😢
A properly configured VPN implementation will have VPN clients come into a "Grey Zone" subnet, with firewalls between the Grey Zone and the internal resources. Firewalls are not just for the edges of the network. At my day job we have probably around 100 firewalls throughout our corporate network. Also, between the corporate and high-security networks we have different brands of firewalls.
@christianlempa: I absolutely share your definition of Zero Trust (07:46); unfortunately most people don't really understand it, as you can see from many of the comments.
At home I use the Sophos Firewall's OpenVPN server. I like to think that because it's enterprise-level, it is secure. If you use a long random password, keep the .ovpn import file safe, and ditch the auto-created firewall rule at the top that allows the VPN users to access everything, you can create a rule that allows the VPN users to access only the hosts/IPs on your network that you allow. This is how it has been done for years. In the video he states that VPN is not secure. Did something drastically change that makes it not secure anymore, or is this belief just fear-mongering by these cloud providers?
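One way to implement the "Grey Zone" design described in the comments above (VPN clients land in their own subnet and a firewall lets them reach only the hosts and ports you allow, instead of an auto-created allow-everything rule). This is an added example, not from the video or any of the commenters; the subnets, host addresses and service ports are assumed placeholders for a home lab:

```nft
# Added example: least-privilege forward policy for a VPN "grey zone".
# Load with: nft -f greyzone.nft   (it adds its own table; it does not flush others)
# All addresses below are assumed placeholders; adjust to your own addressing.

define vpn_net  = 10.8.0.0/24        # VPN clients are assigned addresses here (grey zone)
define lan_net  = 192.168.10.0/24    # internal resources
define nas      = 192.168.10.20      # file server (SMB + SSH)
define jellyfin = 192.168.10.30      # media server (HTTP on 8096)

table inet vpn_greyzone {
    # Weak default: many VPN appliances auto-create the equivalent of
    #   ip saddr $vpn_net ip daddr $lan_net accept
    # which makes every VPN client "part of the internal network".
    # The forward chain below replaces it with explicit per-host, per-port rules;
    # anything not listed is logged and dropped by the chain policy.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the rules below already allowed
        ct state established,related accept

        # VPN clients -> specific services only (new connections)
        ip saddr $vpn_net ip daddr $nas      tcp dport { 22, 445 } ct state new accept
        ip saddr $vpn_net ip daddr $jellyfin tcp dport 8096       ct state new accept

        # Everything else from the grey zone into the LAN: count, log, drop
        ip saddr $vpn_net ip daddr $lan_net counter log prefix "vpn-greyzone-drop " drop
    }
}
```

Services that run on the VPN gateway itself pass through the input hook rather than forward and need their own rule; verify the loaded rules with `nft list table inet vpn_greyzone` and watch the log prefix to see what clients are attempting beyond the allowed set.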
@@christianlempa Yes, I have heard that it will be included in the upcoming version 20 of Sophos Firewall. I will have to read more about it. I already like the 2FA that is mandatory in the firewall web admin. I wish the SSL VPN used it as well.
@@canadianwildlifeservice8883 If you mean a VPN with MFA via Sophos, then it can be enabled. Maybe this is only at the enterprise level; I never touched the personal one. Go into the admin portal and look under Authentication. You can add MFA and also configure it to work from an AD group. The user signs in, then gets a QR code to scan; they then sign in with username, password and MFA code appended right at the end of the password.
@christianlempa - Perhaps you can provide an overview of your infrastructure setup? Simply picking 'frontend' in your case doesn't give much info (i.e. is this a renamed docker_default, or another custom network?). Can this talk to the main network? What about VLANs? In addition, how different is this from the Cloudflare solution you warned about previously?
I'm really confused... Is this a sponsored video?!? If yes, why doesn't it say so? It only says Advertisement, but that's too vague. Can we be a little more transparent with the viewership?
There's an ad banner in the entire video, as well as a notification when you start watching the video... I'm honestly not sure how much more transparency you need :/
@@christianlempa That ad banner only means that something in the video is advertised or this video is making money from that. But this video was "sponsored" by the tool you did. Sorry I wrote it in a confusing way, I just want to help you out and make things clearer to the viewer.
There's a huge advertisement watermark in the upper right corner of the video. He explained why VPN is not secure anymore; the timestamps have titles that will help you find it.
Seems awesome, but sadly, like so many other services, the client for Linux is something that seems to have been put together by an intern during a 30-minute break. It's always the same. Either a Linux client is missing or it may as well be. VPN may be an old way of doing this, but at least it has wide and tested platform support.
Hi Chris, good video and some good explanation. I'm not going to use it though, I don't want VPN going through third-party networks. Also reconsider your advertisements. Some videos ago you explained why not to use Cloudflare tunneling, and here we are talking about VPN through third-party networks. Just advertise something you really stand for :-) Don't get me wrong though, just a tip :-)
I had the same thought: a very critical and useful video about Cloudflare tunneling (for that video I subscribed to this channel) and now "hey guys, let a 3rd party go inside your network" just because there is a bunch of money behind it. I don't like that. Never sell your criticism and well-disposed suspicion for the good of money.
I am only 4:26 into the video, but I am going to assume this is like Hamachi, Zerotier, and TailScale. While there are certain situations where I have used all 3 previously mentioned, and still use TailScale, those services are not replacements for dedicated site-to-site business VPNs.
Hi Christian, for a corporate environment and their employee users/devices this solution seems to provide nice features. But I see issues in other cases, when service owner and user/device are not in such a relation. I think you fall short in explaining some details, from my point of view:
- What about clients from corporation networks with equally high security structures?
- Does any user/client device need to install the Twingate software, as it seems, to get access?
- What are the requirements for the clients at all?
- Is a connection without the Twingate agent possible?
I am with you regarding the "least privilege principle" approach. And a session MFA authentication would allow me to verify the person, but pressing a person to give up the freedom of device choice, I don't see.
You always need to do a proper evaluation, if the solution is a good fit. The main goal of the video was to explain the differences between VPN and ZTNA, and how to easily implement this strategy with twingate.
That's so nice!! Thank you for sharing. I don't understand the complaint about ad videos as long as they still bring value to the public. Sincerely, people focus on bad things only.
@mvaldes - I presume by that comment you don't run your own business. I can understand as a consumer why you might feel that way, but as anyone in the IT industry might be able to observe, the world is constantly changing and learning theory only goes so far when it comes to tech. I'm sure Christian does a lot of testing and quality control to make his videos, which is why he's a popular TH-camr, which is more than can be said for you or me. I'd also like to point out I'm not the only enthusiast that simply likes shiny new toys/tools/equipment... Only examples, but any enthusiast in automotive buying car parts or a tradesman buying Milwaukee, Klein or whatever else you fancy I'm sure can understand. As anyone who gets up every day to make a living for themselves, why wouldn't you want to get paid for your work? I mean, unless you're sponsoring Christian?
Getting money from YouTube or your work is always a nice thing. If no one donates or sponsors him, how can he keep up this channel? But I would like Chris to give some caption or tell us about the sponsor, so I can decide whether to watch to the end of the video or not.
@@immortalmyth5685 there's an "advertisement" disclaimer in the top right corner of the video and he mentions the video was made possible because of Twingate at like 45 seconds into the video.... it's about as much notice as you get from a coffee cup "Caution! It's hot"
The main issue for me here is the words "Stop using VPN" in this ad supported video. Do you really believe that? You make viewers doubt if your advice is sincere or not. Which will hurt all of your other videos as well. No it is not better/more secure than a self hosted open source VPN, just different.
My main problem with this product is that their Android/iOS apps suck. I'll have to sign in every time I disconnect. With Tailscale, it is a click away to toggle on/off. Very annoying!
Chris, very good video, thanks! I have a question: I have a CGNAT and I have my WordPress landing pages and many of my services exposed on the internet, and for that I use a VPS in Linode with WireGuard and nginx. So with this Twingate, could I expose my landing pages and services without using the VPS, WireGuard or nginx anymore?
So this is really to hide from the ISP, but to access remote devices securely? I couldn't access sites from my mobile phone that I blocked in my ISP's network, but I could on desktop. What gives?
We understand that ads are okay, but please keep up the good work on home lab / open source / learning / DIY / fun. I have the feeling that this channel is drifting. Hope I am wrong... and sorry if this was rude to say...
Yeah, it seems like TH-cam ads are not paying enough so they have to start accepting these sponsored videos. I don't like this trend because eventually it will become just for profit, like Linus Tech Tips. I would prefer a video every month as an enthusiast.
But why would you choose to use this service in the first place? I don’t get what it solves or even offers that isn’t there already, but with a proven track record.
It sounds like this is a tool used for correcting issues caused only by verrrrryyyy poorly deployed VPNs and poorly configured firewalls... too much reliance on external servers, closed source, etc... 'zero trust' just means 'trust us/our servers with all your data throughput' in this case. Same issue with Tailscale.
Can you recommend a more zero configuration solution like twingate for normal people like myself who don't understand all the programming/Linux/docker garbage please?
It is a secure alternative to VPNs. These days I am looking for VPNs that are undetectable by websites. I am trying to earn from microtasks, but that is region-specific and VPNs don't work. Can you suggest a solution?
I have a different opinion regarding VPN not being secure, especially in what you said about 'client is trusted as part of intranet'. I think a VPN is only as secure as how we secure our VPN servers. We should always expect a lot of outside traffic coming from the VPN server, and configure our firewall accordingly. Most of all, aside from the network provider, all my data and authentication are transmitted through my own servers. Don't get me wrong, I love this zero trust concept, and I am using Cloudflare Tunnel, which I think is exactly the same as what Twingate is doing, maybe, cmiiw. That is my daily alternative to my VPN. And in terms of speed, I didn't notice any difference, definitely depending on usage, whether SSH or streaming Jellyfin. So which one do you like, controlling access via your own firewall, or a zero trust provider's controller or dashboard or whatever?
If it's not free and open-source, then it's a waste of everyone's time. I'm happy to pay for bandwidth and hardware, but I will never trust a company with protecting my data.
‘Zero trust’ is marketing BS. It is simply implementing least privilege and re authentication after a period of time. This has been a common and valuable security strategy for a very long time.
@ALL: Self-hosting is a trend on a private level. Companies are now moving more than ever to the cloud and are therefore dependent on other companies (see Microsoft). Personally, I'm also a fan of hosting as many services as possible myself, but solutions like those from TG or CF are no less secure - on the contrary. The “big” companies in particular are in the spotlight and can least afford security breaches or poorly programmed security solutions. As far as these approaches are concerned, I believe that this solution is currently at the forefront when it comes to security and integrity.
@@christianlempa aha... said this after the big boys like LastPass got hacked more times in a row... don't be arrogant ;) I like your channel and learnt a lot, but if you continue this "money hungry bitch" behavior and sell your soul for money (sponsors), instant unsub.
Hi Christian, even if you can't host it yourself, it offers some very good and important approaches towards Zero Trust! Used correctly (at least 2 Docker containers, as LXC and distributed across 2 of 3 Proxmox nodes, in a DMZ with dedicated firewall rules towards LAN networks and the Internet), this is a really good and secure solution for accessing services in your own homelab. Thank you for your time and this video 🙂
Hi Christian, this is unrelated to the video, but as I know you self-host Docker applications in your homelab, I would like to know how you deal with SQLite and multiple replicas. I followed your video about storage in Kubernetes and I am having issues with the database. Thanks.
Yeah, no thank you. I roll my own solution that I have full control over. Outsourcing your security is not my thing, but nice that you get some ad money.
"Client is trusted as part of the internal network" - No, they are not. Plenty of classic VPNs have rules to allow specific users or user groups access to only the IPs and ports you specify, AND can enforce rules like active firewalls, valid device certificates, etc. The whole Zero Trust BS is confusing because it talks about classic VPN in a way that is often simply not true.
Not a good way to sponsor! I liked the Cloudflare tunneling considerations and the basic criticism that should permeate everything in IT. So the balance of risk/benefit should be our thought, not the title of your video! You should never say "stop using VPN". OpenVPN is a 21-year-old protocol, fully audited, with hardened versions too, and widely used worldwide. It is just as secure as it should be. So, talk about the main point. What is more zero trust? A self-hosted open-source service with the user in full control, or a corporate service with closed-source software running inside your house? You cannot delete this comment.
What is the proper way to secure tokens in production? How do you not store them in clear text? I mean, in the compose file we can use environment variables defined in the .env file, but again, variables in .env are stored in clear text. Security in this way is achieved by controlling who exactly can read the .env file. What is a better solution? How to encrypt them and decrypt on the fly? You have to put the decryption key somewhere. Thank you for all the help and hints I'll receive on this question.
There are multiple options, I'm still evaluating some for me. Currently, I'm using just environment variables that I pass through the session when I need them, but apparently it's not very convenient. Don't worry, I'll add this topic to the list of videos I'm going to do in the future!
This is among some of the worst videos on this channel. Explaining that using a third-party server is more secure than your own VPN. Come on. It took me a few minutes to recognize that this whole video is an ad. This has happened a few times now with these videos. I'll give you a last chance because mostly I like your channel, but if this is the way it'll be going in the future then I'm gone.
We are so worried about security and so bored of managing VPNs... So, we are outsourcing the whole corporate entrance gate to some ... company because ... it's based in the US 😂 Please get back to that old level of quality in your videos. I'm really missing it.
This is good stuff. I'm interested in implementing this in my homelab environment. Do you know what the upload limitations are for the free version? I want to use this as a proxy to my Nextcloud instance.
My question is: as the admin to all the internal services, I would need access to virtually everything. So with a giant winner-takes all account, how are these more secure from an account hijack? Assuming the bad actor meets the basic security requirements and gained access to my account managing my homelab, how am I safer?
It's because we are trusting a third-party company to access our infrastructure back home. And VPNs are not that bad or old school. Also, it's not the only TH-camr sharing these types of videos, so it seems Twingate is filling everyone's pocket with sponsorships.
Yeah, this is just simply a bad video. Instead of bashing VPNs, you should advertise it as a cool alternative. This would avoid most of the controversy that you're seeing now in the comments.
Mate, I'm noooo way trusting a cloud service to VPN into my own network; I would rather self-host it all myself, like I do with WireGuard and OpenVPN on my OPNsense firewall.
"Stop using VPN and instead embrace this corporate commercial solution where you depend on third party infrastructure." should be the title of this video. Let's be honest, this is an advertisement for a commercial product; there is nothing wrong with VPNs.
Really thinking about unsubscribing.
That is partially accurate. I would have to disagree because there's a lot wrong with how VPNs get configured. The trust model is broken and VPNs are included in the inherent trust model. Zero Trust, not this fake zero trust from Twingate, but real self-managed Zero Trust like application-embedded Zero Trust from OpenZiti, is necessary.
It is an advertisement, but the ZTNA concept is relevant regardless of the product or service that's shown in the video. Feel free to do whatever you want, but I hope you reconsider unsubscribing :)
You are completely right! This concept is stupid. Do not trust third-party infrastructure. Of course, it is free and fast. Otherwise nobody would use it.
@@urzaaaaa exactly this, me too, I would rather host my own VPN and not depend on some *insert flavor of the month* cloud solution.
While I can appreciate the tech, for me, it seems like opting to use a third party service over a self managed VPN connection is just not better. It opens up another attack vector that you have no control over. You have to trust that the third party service, Twingate in this case, never makes a mistake. Hell, they don't even have to make a mistake, they just have to become a juicy enough target to be attacked by a good enough adversary and you become collateral damage.
From a self hosting perspective one of the largest motivations to do it, aside from learning, was to stop depending on third party services because of how often they become compromised, or accidentally leak your data. VPN isn't a perfect solution of course, but routing all your access through a third party is not better, just different.
I realize this is an advertisement but even still compared to your other sponsored videos this felt more like an empty marketing pitch than a video about cool technology.
Agreed. Twingate would become a target at some point. Clearly, Twingate would isolate each customer's service/resources but depending on what the attackers have access to (e.g. internal services, customer support tools), compromising Twingate customers might be trivial.
Completely agree, 100%. Nothing exciting, but the beginning of the video was very intriguing.
Why are you using a similar profile picture as me? Why?
The methodology (Zero-Trust) itself is a contradiction… if we are going to bring trust down to absolute 0-Zero: that would include TwinGate… which will probably fall in line with historical scandals such as Watergate / PizzaGate / Enron / Theranos. That aside, this is a brutally overt 23-minute… pounding infomercial. Yet, I have a far better solution: tiny… Classified… Ads…
The thing to remember is that they have teams of people working on their product versus some guy whose job isn't just security or VPNs. They likely have multiple jobs and simply can't focus on everything at once. Not to mention budget, etc.
I understand this is a sponsored video. I think the general audience will appreciate a follow-up video comparing all the various solutions out there, such as ZeroTier, Tailscale, tinc, and why you would choose one over the other.
This is the way
and NetMaker
So ZTNA is basically a VPN, but with all the hard work already done for you (dynamic DNS, VPN server, firewall/NAT rules) and the added ability to have security policies and policy enforcement.
Authentication (strong password, certificates, 2FA) and authorization (firewall rules allow you to minimize what a VPN client has access to) are already there with VPN.
ZTNA is something that sounds really nice for a corporate environment where users and resources are constantly changing.
For a home lab or home network however, most users and services are pretty static, and having to trust and maintain the ZTNA service is just not worth it for me.
yeah, the whole thing ZTNA vs VPN is just BS really.
If Twingate went completely open source with their client and control server, they would have an edge over something like Tailscale. Twingate ACLs seem better than Tailscale's though. Tailscale at least keeps their client 100% open-source, which allows alternative control servers to be developed (such as headscale, which has contributions from Tailscale developers who contributed on their own time).
I wouldn't dream of using another third party to carry all my most sensitive traffic. Advanced access control is good, but not like that in my opinion.
Non-opensource is such a big turnoff though..
Zero Trust Network Access is really great... unless you don't know if you can trust the ZTNA provider.
Just because a lot of big companies are using something does not make it secure (remember SolarWinds?)
Yeah, totally, and they don't even seem to support IPv6. At least their website doesn't hand out a Quad-A record. So much for them claiming to be the future.
@@LampJustin In their forum Twingate said that they want to roll out IPv6 in the next release of the client, which was 3 months ago.
I understand why people are upset about the title and throwing shade at VPNs. But, you clearly stated that this was a sponsored video at the beginning. Honestly, if your goal is to start a career in IT, this is exactly the kind of product to start getting familiar with in your homelab environment. There are ways to secure a VPN without 3rd party services, but this is so much more convenient and easy.
Thanks, I think you're spot on.
I might be talking to a wall, but whatever, and who asked? But... 4 out of the 5 latest videos have been just full video ads. I can't take any of the information provided at face value or seriously in these cases, especially since you try to educate in them. Unsubbed for now, but I do appreciate the transparency.
Thanks for addressing this, I'm sorry you feel that way. I hope to have soon some changes in place that would bring you back to the channel.
@@christianlempa I don't mind when part of the video is sponsored, like "here is how you do this complicated thing that is a standard, then here is an open source package that is fine, and here is a shiny package that has a bunch of features (that just happens to have enterprise pricing)".
It happened to Nick Chapsas, the C# TH-camr, too. At one point not too long ago every single video of his was an ad about AI and some service his users should subscribe to. It's gotten to the point where even once-lauded TH-camrs like these are just becoming typical "influencers" that just shill products. I've unsubscribed as well.
In my opinion, anything can be fully self-hosted; it will be fine to take the money. Because for us, end users, we don't want to depend on an unproven technology. Also, SaaS startups can only survive by targeting enterprises, not us.
Is it ads?
The whole goal to get more secure is to actually minimize the use of 3rd party solutions where you have no real control how your data is being handled or monitored. In this case a self-hosted VPN solution would be much more secure, even if it involves opening up a firewall port for it. You know better, Christian. This pure advertisement hurt your image more than you'd like.
I also think the message here was that a self-hosted VPN can be more secure if you know what you're doing. But having to create a plethora of firewall rules, VLANS, ect. is a a lot of work. Basically these cloud services create a backdoor to your home network. I mean, whether something is a cloud service, or a remote access trojan is purely based on how it's used and by whom. I personally would not feel comfortable with a backdoor being planted on all my devices just so I can access them "securely". But of course it's not really a backdoor, but a cloud tunnel, but it's really just semantics at this point..
I confess I'm rather confused by all this Zero-Trust concept. If the principle of Zero-Trust is to add layers where you have to add another trusted third party, there's something I don't understand.
I run my VPN myself, and I already have to trust the code, which may be open source but isn't infallible, and I also have to trust the hardware that runs it, which isn't infallible either, but it's the best I can do to accept a minimum number of trusted third parties.
Zero-Trust just seems like a marketing term to me since it is often used by third parties that you have to trust...
@Gnanmankoudji Zero trust done right is essentially just an added layer of security. You just mistrust devices and users in general no matter the network and implement solutions like MFA, enforce device policies etc.
There are even self-hosted open-source solutions for that. But you are right, it has become a buzzword of some sort. The underlying principles should be common sense by now.
OpenVPN runs with no port open on 1194; there is a dedicated tls-auth channel that replies only to authenticated packets, which makes your VPN port not reply to any port scan. It's just stealthed.
You act like everyone that runs a home network is also a security professional…. Even “normal people” sometimes need a VPN, but aren’t experienced enough to keep it secure and functional. Not to mention easy. Look at Fortigate’s VPN vulnerabilities, for example.
Twingate Controller "provided on their servers" - no thank you.
I’m fine with this being sponsored. I can easily digest this valuable information and decide for myself what to use. Thanks for the info. Some people don’t think you should be able to eat.
Awesome, thank you!
Zerotrust is the way to go. VPNs provide no protection to your network once a bad actor gets on an end-user's system who is connected to your VPN. Ask me how I know 😞
Great video .. regardless of whether it is a sponsored video or not
Thank you man!
I use tailscale combined with tailnet lock and headscale, everything local and secure enough!
What is the tailgate?
tailscale and headscale, but tailgate? is this some tool/application?
@NatalieUoker I am also wondering what tailgate is. I can't find it through Google 🙃
I cannot believe that this is your opinion. You put a third party trojan in your network and explain it like the best thing ever. Did you watch this video yourself before publishing it? 😢
A properly configured VPN implementation will have VPN clients come into a "Grey Zone" subnet, and then firewalls between the Grey Zone and the Internal resources. Firewalls are not just for the Edges of the network. At my day-job we have probably around 100 Firewalls throughout our Corporate Network. Also, the Corporate and High Security networks have different-brand Firewalls between them.
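As an added example (not from the video or from any commenter), here is what the "Grey Zone" design above looks like as an nftables ruleset on a Linux VPN gateway: clients land in their own pool and can reach only the hosts and ports explicitly listed, everything else is logged and dropped. The interface name, subnets and server addresses are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the video or the comments above.
# Assumed layout (constructed): VPN client pool 10.8.0.0/24 on tun0,
# LAN 192.168.1.0/24, web server 192.168.1.10, jump host 192.168.1.20,
# internal DNS 192.168.1.53.

table inet vpn_greyzone {
    # Allow-lists by role; adding a host here is an explicit, reviewable change.
    set allowed_web { type ipv4_addr; elements = { 192.168.1.10 } }
    set allowed_ssh { type ipv4_addr; elements = { 192.168.1.20 } }

    chain forward {
        # policy accept keeps existing forwarding rules for non-VPN traffic intact;
        # VPN traffic never reaches the policy because it is handled below.
        type filter hook forward priority 0; policy accept;

        # Only packets entering from the VPN interface are subject to this chain.
        iifname != "tun0" return

        # Anything on tun0 that does not carry a pool address is spoofed: drop it.
        ip saddr != 10.8.0.0/24 counter drop

        # Return traffic for connections the VPN client opened.
        ct state established,related accept

        # Explicit allow-list: destination host AND service, nothing broader.
        ip saddr 10.8.0.0/24 ip daddr @allowed_web tcp dport { 80, 443 } ct state new accept
        ip saddr 10.8.0.0/24 ip daddr @allowed_ssh tcp dport 22 ct state new accept
        ip saddr 10.8.0.0/24 ip daddr 192.168.1.53 udp dport 53 accept

        # Everything else from the VPN pool: rate-limited log for detection, then drop.
        # A burst of these with one client's source address is a useful alert signal.
        ip saddr 10.8.0.0/24 limit rate 10/minute log prefix "vpn-greyzone-drop: "
        ip saddr 10.8.0.0/24 counter drop
    }
}
```

Load with `nft -f` and check the ruleset with `nft list table inet vpn_greyzone`; services running on the gateway itself need the same treatment in an `input` chain, which this example does not cover.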
The whole video has a watermark 'advertisement'. I'm skipping this one.
VPN is better. You're in control.
@christianlempa: I absolutely share your definition of Zero Trust (07:46), unfortunately most people don't really understand it, as you can see from many of the comments.
Thank you for highlighting this! It's such an important concept to understand, I think that needs more videos. :D
At home I use the Sophos Firewall's OpenVPN server. I like to think that because it's enterprise-level it is secure. If you use a long random password, keep the .ovpn import file safe, and ditch the auto-created firewall rule at the top that allows the VPN users to access everything, you can create a rule that only allows the VPN users to access only the hosts/IPs on your network that you allow. This is how it has been done for years. In the video he states that VPN is not secure. Did something drastically change that makes it not secure anymore, or is this belief just fear-mongering by these cloud providers?
There are some security issues highlighted in the video. Btw at Sophos we also have a Zero-Trust Network Access Solution :)
@christianlempa Yes, I have heard that it will be included in the upcoming version 20 of Sophos Firewall. I will have to read more about it. I already like the 2FA that is mandatory in the firewall webadmin. I wish the SSL VPN used it as well.
@canadianwildlifeservice8883 If you mean a VPN with MFA via Sophos then it can be enabled.
Maybe this is only at the enterprise level - never touched the personal one.
Go into the admin portal and look under authentication. You can add mfa and also configure it to work from an AD group.
The user signs in, gets a QR code to scan, and then signs in with username, password and MFA code right at the end of the password.
How does it compare to Teleport? Would like to see a video on these two: Teleport vs. Twingate.
I pass, I think my self-hosted VPN is pretty safe.
@christianlempa - Perhaps you can provide an overview of your infrastructure setup? Simply picking 'frontend' in your case doesn't give much info (i.e. is this a renamed docker_default, or other custom). Can this talk to the main network? What about VLANs? In addition, how different is this to Cloudflare solution you warned about previously?
I'm really confused ..... Is this a sponsored video?!? If yes, why doesn't it say so? It only says Advertisement, but that's too vague. Can we be a little more transparent with the viewership?
There's an ad banner in the entire video, as well as a notification when you start watching the video... I'm honestly not sure how much more transparency you need :/
@christianlempa That Ad banner only means that something in the video is advertised or this video is making money from that. But this video was "Sponsored" by the tool you did. Sorry I wrote it in a confusing way, I just want to help you out and make things more clear to the viewer.
Sure, rely on a third party to route your traffic. Can you elaborate why VPN is not secure? This looks like advertising.
There's a huge advertisement watermark in the upper right corner of the video. He explained why VPN is not secure anymore; the time stamps have titles that will help you find it.
Seems awesome, but sadly, like so many other services, the client for Linux is something that seems to have been put together by an intern during a 30 minute break. It's always the same. Either a Linux client is missing or it may as well be. VPN may be an old way of doing this, but at least it has wide and tested platform support.
Hi Chris,
Good video and some good explanation. I’m not going to use it though, I don’t want VPN going through third party networks.
Also reconsider your advertisements. Some videos ago you explained why not to use Cloudflare tunneling, and here we are talking about VPN through third party networks.
Just advertise something you really stand for :-)
Don’t get me wrong though, just a tip :-)
Thanks! I appreciate your honest feedback :)
I had the same thought: a very critical and useful video about Cloudflare tunneling (I subscribed to this channel for that video) and now ''hey guys let a 3rd party go inside your network'' just because there is a bunch of money behind it. I don't like that. Never sell your criticism and well-disposed suspicion for the good of money.
That's exactly what I thought.
I am only 4:26 into the video, but I am going to assume this is like Hamachi, Zerotier, and TailScale. While there are certain situations where I have used all 3 previously mentioned, and still use TailScale, those services are not replacements for dedicated site-to-site business VPNs.
twingate client works behind CGNAT without using static IP from sim-provider?😮
Hi Christian, for corporate environment and their employee user/devices this solution seems to provide nice features.
But I see issues in other cases, when the service owner and user/device are not in such a relation.
I think you fall short of explaining some details, from my point of view:
- What about clients from corporate networks with equally high security structures?
- Does any user/client device need to install the Twingate software, as it seems, to get access?
- What are the requirements for the clients at all?
- Is a connection without the Twingate agent possible?
I am with you regarding the "least privilege principle" approach.
And a session MFA authentication would allow me to verify the person,
but pressing a person to give up the freedom of device choice, I don't see.
You always need to do a proper evaluation, if the solution is a good fit. The main goal of the video was to explain the differences between VPN and ZTNA, and how to easily implement this strategy with twingate.
With a VPN the client does not get access to all internal resources. You can configure it so only a subnet or specific servers are accessible!
That's so nice!! Thank you for sharing. I don't understand the complaint about ad videos as long as they still bring value to the public. Sincerely, people are focused on bad things only.
Thank you 😊
@@christianlempa I agree, I like seeing the tech regardless if it’s an ad or not! Keep up the great work Christian! Quality content as always.
It would be good if there were a demo showing how to set up a DNS name instead of an IP address.
Good idea, maybe I'll cover DNS in a future video!
This is an ads channel now 😂
😢
@mvaldes - I presume by that comment you don't run your own business.
I can understand as a consumer why you might feel that way, but as anyone in the IT industry might be able to observe, the world is constantly changing and learning theory only goes so far when it comes to tech. I'm sure Christian does a lot of testing and quality control to make his videos, which is why he's a popular YouTuber, which is more than can be said of you or me.
I'd also like to point out I'm not the only enthusiast that simply likes shiny new toys/tools/equipment... Only examples, but any enthusiast in automotive buying car parts or tradesman buying Milwaukee, Klein or whatever else you fancy I'm sure can understand.
As anyone who gets up every day to make a living for themselves, why wouldn't you want to get paid for your work? I mean, unless you're sponsoring Christian?
Getting money from YouTube or your work is always a nice thing. If no one donates or sponsors him, how can he keep up this channel?
But I would like Chris to give some caption or mention of the sponsor, so I can decide whether to watch to the end of the video or not.
@immortalmyth5685 there's an "advertisement" disclaimer in the top right corner of the video and he mentions the video was made possible because of Twingate at like 45 seconds into the video.... it's about as much notice as you get from a coffee cup "Caution! It's hot"
What's wrong with ads?
It's relevant to the content and I would've thought for most of us, it's fun to play about with this stuff.
The main issue for me here is the words "Stop using VPN" in this ad supported video. Do you really believe that? You make viewers doubt if your advice is sincere or not. Which will hurt all of your other videos as well. No it is not better/more secure than a self hosted open source VPN, just different.
Agree with you!
My main problem with this product is that their android/iOS apps suck. I'll have to sign in every time I disconnect. With tailscale, it is a click away to toggle on/off. Very annoying!
Chris, very good video, thanks! I have a question: I have a CGNAT and I have my WordPress landing pages and many of my services exposed on the internet, and for that I use a VPS in Linode with WireGuard and an nginx. So, with this Twingate could I expose my landing pages and services without using the VPS, WireGuard or nginx anymore?
So this is really to hide from the ISP but to access remote devices securely? I couldn't access sites from my mobile phone that I blocked in my ISP's network, but I could on desktop. What gives?
What's the difference with Cloudflare Zero Trust? You have a video about the security issue of this service.
Thanks for your videos.
There will be a comparison video in the future, just takes some time to prepare it
Tailscale vs Twingate. What should I use in 2023?
Hi Chris, can Twingate be implemented onto pfsense firewall network? Thank you.
I'm curious how you come to the conclusion that "VPN is no longer secure"
We understand that ads are okay but please keep the good work on home lab / open source / learning / diy / fun. I have the feeling that this channel is drifting. Hope I am wrong.. and sorry if this was rude to say..
Yeah, it seems like YouTube ads are not paying enough so they have to start accepting these sponsored videos. I don't like this trend because eventually it will become just for profit like Linus Tech Tips. I would prefer a video every month as an enthusiast.
I’ll release a video later today to talk about some of this, hope that gives you some clarity on the topic.
But why would you choose to use this service in the first place? I don’t get what it solves or even offers that isn’t there already, but with a proven track record.
It sounds like this is a tool used for correcting issues caused only by verrrrryyyy poorly deployed VPNs and poorly configured firewalls...
too much reliance on external servers, closed source, etc...'zero trust' just means 'trust us/our servers with all your data throughput' in this case. same issue with tailscale
Can you recommend a more zero configuration solution like twingate for normal people like myself who don't understand all the programming/Linux/docker garbage please?
What is the benefit of Twingate vs Tailscale or Perimeter81, which use a WireGuard connection?
You have to compare the features and find out what's important to you. Maybe I'll make a comparison video somewhere this year.
It is a secure alternative to VPNs.
These days I am looking for VPNs that are undetectable by websites. I am trying to earn from microtasks but that is region specific and VPNs don't work.
Can you suggest a solution?
I have a different opinion regarding VPN not being secure, especially in what you said about ‘client is trusted as part of intranet’. I think VPN is only as secure as how we secure our VPN servers. We should always expect a lot of outside traffic coming from the VPN server, and configure our firewall accordingly. Most of all, aside from the network provider, all my data and authentication are transmitted through my own servers.
Don’t get me wrong, I love this zero trust concept, and I am using Cloudflare Tunnel, which I think is exactly the same as what Twingate is doing, maybe, CMIIW. Which is my daily alternative to my VPN. And in terms of speed, I didn’t notice any differences, definitely depending on usage, whether to SSH or stream Jellyfin.
So which one do you like, controlling access via your own firewall, or the zero trust provider’s controller or dashboard or whatever.
If it's not free and open-source, then it's a waste of everyone's time.
I'm happy to pay for bandwidth and hardware, but I will never trust a company with protecting my data.
‘Zero trust’ is marketing BS. It is simply implementing least privilege and re-authentication after a period of time. This has been a common and valuable security strategy for a very long time.
@ALL: Self-hosting is a trend on a private level. Companies are now moving more than ever to the cloud and are therefore dependent on other companies (see Microsoft). Personally, I'm also a fan of hosting as many services as possible myself, but solutions like those from TG or CF are no less secure - on the contrary. The “big” companies in particular are in the spotlight and can least afford security breaches or poorly programmed security solutions. As far as these approaches are concerned, I believe that this solution is currently at the forefront when it comes to security and integrity.
Well said! As much as the self-hosting fans dislike security services... That's what the big boys use ;)
@christianlempa aha.. said this after the big boys like LastPass got hacked more times in a row... don't be arrogant ;) I like your channel and learnt a lot, but if you continue this "money hungry bitch" behavior and sell your soul for money (sponsors), instant unsub.
Hey, there's a video on my 24 min AD, what's up with that?
Yeah, it's a dislike from me.
A bit disappointed too.
Sorry if you think so
Why not use ZeroTier, if not using WireGuard?
Hi Christian, even if you can't host it yourself, it offers some very good and important approaches towards Zero Trust! Used correctly (at least 2 docker containers - as LXC and distributed across 2 of 3 Proxmox nodes, in a DMZ with dedicated firewall rules towards LAN networks and the Internet) this is a really good and secure solution for accessing services in your own homelab. Thank you for your time and this video 🙂
Thank you so much :)
Nope -> 3rd Party ≠ Zero Trust.
Opens -> New attack vector.
@niro1960 Please find out in more detail what zero trust means!
what about exit points? can twingate help me avoid geoblockings that Tailscale solves?
You could use it this way, however it’s not a tool to avoid geoblocking. It’s a tool to secure remote access to infrastructure
Hi Christian,
This is unrelated to the video, but as I know you self-host docker applications in your homelab, I would like to know how you deal with SQLite and multiple replicas. I followed your video about storage in Kubernetes and I am having issues with the database.
Thanks.
I know it's a sponsored video so I won't complain, but no way I would use something like that.
No worries :)
Has anyone tried to use the alias instead of the IP? I can't get it to work and I can't understand why.
Bro, you lost me at minute 15:50... Where did the Linux come in? I'm on goddamn Windows. Also what is VS Code? Is it compatible with Windows?
Thanks for info. Pretty cool concept.
Glad you liked it!
All the issues highlighted with VPN in this video are quite easy to address.
The 2 device limit put me off this for the home lab.
Where do you see a 2 device limit?
@DominatorIII Settings > General...
2 devices per user
Upgrade to Teams for 5 devices per user
Thanks for the demo and info, have a great day
Thanks, you too!
So is it just another Tailscale/Headscale?
Make a video on Elasticsearch deployment on Kubernetes
Go with the ELK stack
@Raja-oi7xv do you have an idea about that?
Can anyone use custom DNS, Pi-hole as a DNS filter? I tried that and it does not work. Going back to Tailscale.
So basically it's a worse ZeroTier/Tailscale
Nah you got that wrong bro
Yeah, no thank you.
I roll my own solution that I have full control over.
Outsourcing your security is not my thing, but nice that you get some ad money
"Client is trusted as part of the internal network"
No they are not. Plenty of classic VPNs have rules to allow specific users or user groups access to only the IPs and ports you specify, AND can enforce rules like active firewalls, valid device certificates etc.
The whole Zero Trust bs is confusing because it talks about classic VPN in a way that is often simply not true.
I did this deployment about 5-6 months ago. Working perfectly for me.
Awesome :)
Nice video😊
Thanks 😊
Not a good way to sponsor! I liked the Cloudflare tunneling considerations and the basic criticism that should permeate everything in IT. So the balance of risk/benefit should be our thought, not the title of your video! You should never say stop using VPN. OpenVPN is a 21-year-old protocol, fully audited, with also hardened versions, and widely used worldwide. It's just as secure as it should be. So, talk about the main point. What is more zero trusted? A self-hosted open-source service with the user in full control, or a corporate service with closed-source software running inside your house? You cannot delete this comment.
Thanks for your honest feedback
Cloud shall NOT touch my data.
I would *never* ditch VPNs for important services on my server.
Corporations can beg me for my money some more. Thanks, but no thanks.
What are the proper ways to secure tokens in production? How do you not store them in clear text? I mean, in the compose file we can use environment variables defined in the .env file, but again, variables in .env are stored in clear text. Security in this way is achieved by who exactly can read the .env file. What is a better solution? How to encrypt them and decrypt on the fly? You have to put the decryption key somewhere. Thank you for all the help and hints I'll receive on this question.
There are multiple options, I'm still evaluating some for me. Currently, I'm using just environment variables that I pass through the session when I need them, but apparently it's not very convenient. Don't worry, I'll add this topic to the list of videos I'm going to do in the future!
This is among the worst videos on this channel. Explaining that using a third party server is more secure than your own VPN. Come on. It took me a few minutes to recognize that this whole video is an ad. This has happened a few times now with these videos. I'll give you a last chance because mostly I like your channel, but if this is the way it'll be going in the future then I'm gone.
We are so worried about security and so bored managing VPN... So, we are outsourcing whole corporate entrance gates to some ... company because ... it's based in US 😂
Please get back that old level of quality to your videos. I'm really missing it.
Don't worry, I'll address some of the concerns in a special video today, we'll get back to it!
Skynet was the name of my wifi since I was living with my parents. 🤣
:D
Hey Christian, what is better in your opinion: Twingate or Tailscale?
Yes, give a company access to your LAN. What could go wrong.
This is good stuff. I’m interested in implementing this in my homelab environment. Do you know what the upload limitations are for the free version? I want to use this as a proxy to my Nextcloud instance.
Since the traffic is not flowing through their services there’s no other limitation than the ISP on client/server
We use Zscaler. From the point of view of a user who is supposed to work productively, pretty annoying and counterproductive.... 👎🏻
Maybe test netmaker or netbird
I don't get it :/ Is the data between the connector and client encrypted? How will the firewall work with encrypted data?
It is, the firewall will most likely just forward it because the connection is initiated from inside the network.
My question is: as the admin of all the internal services, I would need access to virtually everything. So with a giant winner-takes-all account, how are these more secure from an account hijack? Assuming the bad actor meets the basic security requirements and gained access to my account managing my homelab, how am I safer?
Great and thanks.
Don't mind the ads because he is showing us tools that can be used in IT/homelab. It would be different if he was showing something unrelated.
Not sure why all the negativity. This video is great and Twingate is awesome
It's because we are trusting a third party company to access our infrastructure back home. And VPNs are not that bad or old school. Also, it's not the only YouTuber sharing these types of videos, so it seems Twingate is filling everyone's pockets with sponsorships.
@gottahache thank you 😊
Unless I'm missing something or this was baked in after the fact.... it clearly says "Advertisement" top right 🤷♂️🤷♂️🤷♂️
Please go read Project Zero Trust by George Finney.
I think it looks like Tailscale
Yeah, this is just simply a bad video. Instead of bashing VPNs, you should advertise it as a cool alternative. This should avoid most of the controversy that you're seeing now in the comments.
PAYWALL....So I Zero Trust IT...
Mate, I'm noooo way trusting a cloud service to VPN into my own network, I would rather self-host it all myself like I do WireGuard and OpenVPN on my OPNsense firewall
So, you can restrict routing on a vpn server instead.
It's just another VPN solution with routing restriction.
The posture checks and policies make it superior to VPN
Oh, looks just like Tailscale. A fork?
Nope xD
Headscale, folks.