Hey Chuck!! I have been watching this channel for a very long time and since I've started watching this channel, I started studying for certifications. I have obtained A+ and Network+ but now I am ecstatic to share that I just passed my CCNA!! You and this channel were a massive part of that! Just wanted to say thank you! I love the content and I look forward to a whole lot more to come from you I'm sure.
Congrats man! :) I'm studying myself for the CCNA. Is there a reason why you started with Network+ before CCNA? I was under the impression that both certs broadly cover the same networking concepts, the difference being that CCNA focuses on Cisco solutions and is obviously more hands-on with the CLI configuration. Am I missing out by not taking Network+ before completing CCNA?
@aldarion2222 I don't think you're missing out. I took Network+ because I was new to everything and honestly it couldn't hurt in my case. It really made the transition to study for the CCNA much easier because I already knew most of the concepts of networking; now I just had to focus on CLI configurations and the different protocols associated with CCNA. It's my understanding too that CCNA carries more weight in the job market than Network+, but we shall see. I've added my CCNA cert to my resume and am now going on the job hunt. Good luck with your studies!
@SuperVexal Thank you! I was on Udemy quite a bit and I purchased the official cert guides. I also attended night classes at a tech school to get more hands-on, but Packet Tracer is great for simulating a network if getting hands-on is not an option for you.
I know that Twingate sponsors this video, but I really value having control over my data. Therefore, I prefer Pritunl, because they have a self-hosted option. Chuck, I think you should consider making a video about it. Congratulations on your video! P.S.: The benefit Twingate provides is the endpoint controls.
Like everyone else, I'm concerned too because it's not open source. An important point and strength of most self-hosted VPN applications is that they're open source, so when you say "managed" and a third-party server comes in between, personally, no matter how legit and reliable that company is, it's a red flag for me.
Yep, 0% trust on users, 100% trust on TwinGate. I've kinda heard of this concept a couple of times. It sounds interesting as tech though. Nice video as always :)
hmmmm yeah ... kinda reminds me of... CrowdStrike hahahahaa.... total global outage because everyone relied on them keeping the network running. A simple mistake like not running the update on a testnet first cost the world hundreds of billions of dollars in just 24 hours. It's the old adage "If you want something done right, do it yourself". Zero Trust = self protection. Who knows what sort of back doors these guys put in there.
I think the bit about the client and connector talking directly to one another is technically incorrect. While the relay knows which IPs and ports the client and connector use (after NAT), you cannot have them connect to each other. That is because the NAT routers will only accept packets originating from the relay for those ports. So, in order to connect client and connector, the traffic has to be routed through the relay as a proxy. And while that traffic is probably encrypted, all of this is controlled by non-open software provided by Twingate. Thus, you essentially have to trust that Twingate is a. "not evil" and b. "stays secure". Also, the resources that are being exposed are controlled via a cloud instance ("controller"), and also who may connect to them. You essentially delegate control over what can be accessed to Twingate, putting a remote control to your network in their hands (aka "firewall piercing"). Surely, nothing to worry about, huh?
What happens when Twingate's cloud/business inevitably gets hacked? What are the safeguards to ensure the hackers don't get access to everything we've provisioned access to using Twingate? I, too, would be much more excited if I could run an open source version so that I could host the controller and not be dependent on Twingate. Thanks much for the great content.
@swallowedinthesea11 that is not always good logic to go by, my friend... @Gato Libero is NOT wrong in anything they said. Not to mention the fact that this video watched like one giant ad rather than an informational video. You should wonder why he tried to give you a legit reason as to why he made this video and uses the product while simultaneously advertising the very same product in an ad spot, which he also supposedly came across by chance LMAO Yea OK
I find the solution could work better if they create an account with the public and private key authentication method to sign in, or they come up with something that they had hosted for us, but they cannot access it, only we had a key to unlock it.
First and foremost I want to say thank you for everything you have helped me with over the years. I moved to the US to take care of my mother, niece and nephew a few years back. He would sit with me while I watched YouTube from time to time and he always loved watching your channel. One of the funniest things he ever said was after I shaved and shortened my beard by better than half. You see, he had met friends of mine and others who could give ZZ Top a run for their money. He was convinced, probably because of Dumbledore, that wisdom didn't come with age. No. The true measure of a man, his knowledge and wisdom, were dependent upon the quality of one's beard. Apparently the thickness was a measure of general knowledge. The more hair you had, the more general knowledge you had. The length of one's beard was how you determined seniority. Thick beard, you knew about all kinds of different things. The longer the beard, the more people should listen to you. Those were more or less the rules he came up with, as I remember them. He asked me if you were really smart and I told him you were. He asked if you were as smart as me and I told him that you were so smart that you were teaching me things that I didn't know. He began calling you Mister Beard at that point. I told you all of that in order to get to this point. I decided I needed to get rid of some of the length of my beard. When my nephew saw me he was beside himself. He was upset because your beard was bigger than mine and he didn't want me to be a dummy, so I had to grow it back. And I was going to have to watch more videos of yours because you taught me things, and that of course wouldn't make it grow back faster since now I was stupid. I hope you got as big a laugh out of that as I did.
I know how this will go. At some point they will just remove the free tier entirely. Happened to like 5 different services I used in the past. First they allow you to sign up for free, then remove the free tier when you rely on their service, so you either have to pay up, or quickly search for a replacement.
That looks like a great piece of software, but I am becoming increasingly concerned with the amount of network infrastructure that is beginning to operate on closed-source SaaS models.
Oh, that ship sailed a long time ago. Every business and their granddads are running at least part of their stuff in Azure, Google, ... all running on a few dozen highly concentrated server farms. The decentralized internet is gone.
0:49 That's not a VPN weakness but a lack of OPSEC on your part. 1:36 Zero trust? Doubtful. Basically you allow a 3rd party onto your network because of the cloud control plane. BTW on the backend they use good old VPN protocols. 1:44 You can do that without VPN or this no-name SW vendor; it's called "having proper firewall rules". 1:57 Gimmick; simply having an AV and FW rules doesn't mean the machine isn't infected or boned by a hacker.......
VPN is perfectly securable... VPN connection should be to a firewalled VLAN. Then you can specify ACL on that VLAN that controls what the users can access.
Great review. Couple of thoughts. It's not zero trust if you're proxying with a third party. It's third-party trust at a minimum. More likely, it's third party (Twingate) plus whoever else is listening at the third-party relay; think NSA. Also, Twingate software appears to be closed-source. Again we'd have to trust that Twingate's software does only what they claim it does. That's a big camel to swallow if you're security conscious.
A split-tunnel SSL VPN is a way better option: entirely self-hosted and self-configurable, and only the traffic that needs to go over the VPN does so (this negates the "everything goes through the VPN device" point that Chuck makes; only specific traffic that you define will go through it), and there are products out there for this that also have ACLs etc. I hate the idea of this going through a 3rd-party service/server to access a private network.
@NetworkChuck Great job trying to advertise the product more even though you know it is bad. Do you get more money if more people sign up for the service or something?
Pretty sure it’s just point to point with a pinned cert on the TLS tunnel. Also I’ve played around with split tunnel configs for all sorts of VPNs and Twingate is so much easier.
Nice technology. I wonder if this protocol will be abused. When a PC is behind NAT, a home router uses port NAT. A stateful firewall "expects" data on the inbound port. Since the Twingate client is installed on a PC behind a NAT, it is basically a backdoor relayer (SOCKS5 proxy) in your LAN environment. Why? External users can connect to other devices in your LAN. Oh well, it is cool tech, but I hope IDS/IPS firewalls can detect this kind of traffic in business environments. An employee can easily make backdoors in your network if you are not careful. Thanks for the clip and explanation.
@flaminbutt Issue is that's fine until the bad actor comes in with a Raspberry Pi or something and plugs it into an ethernet cable. Now... proper network security should prevent that (network segmentation, MAC address port filtering, etc.), but the potential is there for an improperly secured network.
I'm genuinely surprised that you don't already have a VPN setup. Also, for the concern about them having full network access can't you just use subnets to segregate the data and have the VPN only get you into a specific subnet? I mean, at my job the VPN I use won't let me access stuff in the accounting network.
Subnets don't restrict ports. Even if you are restricted to a certain subnet you'd still have access to all ports. He references that. A VPN setup like that is far more complex. Plus you often can't specify firewall rules on a per-user or per-group basis. For example, sales can only access the inventory system on port 443. But IT users can access it on 443 and 22. It's a simple concept but either impossible, difficult or expensive to implement in a traditional VPN.
I think the whole point of something like Twingate is that you don’t have to go through all the work of creating separate subnets, which are kind of a pain to set up and really hard to set up granular access. You can basically have one big flat network and then Twingate acts as a segregation layer. Pretty cool networking tech IMO
I'm rewatching this video because I just passed my first Cisco certification and honestly want to thank you, because throughout all your content you touch so many subjects that were all such great help to understand networking. So thanks man!
Almost everything is proprietary and everything allows data collection for law enforcement and for marketing. The whole security depends on the proprietary firm but anyway insiders can access anything on your device.
I use zerotier myself. It doesn't have the granular automatic control but it works for me and my (somewhat extended) family. I even use it to connect my cloud oracle servers with the rest of my network.
ZeroTier is a god-tier product! Free to use, set up in 5 min, no need to forward a single port in your insecure home router, and the speed is similar to LAN speed. Can't recommend that shit enough!
Back in my day (2004), we used Hamachi. It 'kinda' did the same thing without the extra layers of security. Then it got sold off to LogMeIn (say no more). Great to see there are plenty of decent alternatives. Another great video Chuck, thank you!
I was wondering about the difference between this, Cloudflare tunnels and Tailscale. The three of these seem pretty much the same to me - at least on the surface. Would like to know the differences.
@Not ReallyMe Tailscale uses WireGuard, Cloudflare uses HTTP/2 and what Network Chuck mentioned uses QUIC. Cloudflare can use QUIC if you'd like, but this one does it out of the box and is a little easier to configure. Tailscale lets you segregate your traffic if needed so not everything needs to touch your network. All 3 seem to be great, to be honest. It comes down to what meets your needs.
They all have pretty good free tiers so just try them out to see what works better. Personally I find Twingate to be the easiest to use for narrow access to multiple different networks like Network Chuck describes in the video
We need someone to tell this guy about WireGuard and iptables. It's 10 lines of WireGuard's config and LITERALLY 5 rules of iptables. 2 minutes to get it up and you have full control of what's going inside the tunnel.
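The per-user, per-port policy described in an earlier reply (sales reaches the inventory host on 443 only; IT reaches it on 443 and 22) and the "ten lines of WireGuard plus five iptables rules" claim in the comment above, carried through as an added example. This is not code from the video, from Twingate or from any commenter. It assumes a Linux VPN host with WireGuard on wg0 and the LAN on eth0; the peer names, the tunnel addresses, the inventory host 192.168.1.50 and every key are placeholders invented for illustration. The script only generates the wg0.conf and the iptables commands as text, so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the video or any commenter): per-user, per-port
# access on a self-hosted WireGuard VPN. Every peer gets a fixed /32 tunnel
# address, and iptables FORWARD rules keyed on that address decide which
# internal host:port the peer may reach. All keys, addresses and hosts are
# placeholders chosen for illustration.

WG_IF=wg0
WG_PORT=51820
WG_NET=10.8.0.0/24
LAN_IF=eth0

# Peer table: name  tunnel_ip  public_key(placeholder)  group
PEERS='
alice 10.8.0.2 ALICE_PUBKEY_PLACEHOLDER= sales
bob   10.8.0.3 BOB_PUBKEY_PLACEHOLDER=   it
'

# Policy table: group  destination  proto  port   (everything else is denied)
POLICY='
sales 192.168.1.50 tcp 443
it    192.168.1.50 tcp 443
it    192.168.1.50 tcp 22
'

# Server-side wg0.conf. AllowedIPs is the security anchor: WireGuard's
# cryptokey routing drops any decrypted packet whose inner source address
# is not in the sending peer's AllowedIPs, so a peer cannot spoof another
# peer's tunnel IP and the firewall can trust "-s <tunnel_ip>".
gen_wg_conf() {
  printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = %s\n' "$WG_PORT"
  printf 'PrivateKey = SERVER_PRIVKEY_PLACEHOLDER=\n'
  printf '%s\n' "$PEERS" | while read -r name ip key group; do
    [ -z "$name" ] && continue
    printf '\n# %s (%s)\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' \
      "$name" "$group" "$key" "$ip"
  done
}

# Firewall: accept the handshake port, allow return traffic of accepted
# flows, then one ACCEPT per (peer, destination, port) the policy grants,
# and DROP everything else that arrives from the tunnel.
gen_iptables() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -A INPUT -i $LAN_IF -p udp --dport $WG_PORT -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "$PEERS" | while read -r name ip key group; do
    [ -z "$name" ] && continue
    printf '%s\n' "$POLICY" | while read -r pgroup dst proto port; do
      [ -z "$pgroup" ] && continue
      [ "$pgroup" = "$group" ] || continue
      echo "iptables -A FORWARD -i $WG_IF -s $ip/32 -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT  # $name ($group)"
    done
  done
  echo "iptables -A FORWARD -i $WG_IF -j DROP"
  # Source NAT so LAN hosts need no route back to the tunnel network.
  echo "iptables -t nat -A POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE"
}

# Stand-alone run: print both artefacts for review. To apply on the host:
#   gen_wg_conf > /etc/wireguard/wg0.conf && gen_iptables | sh
gen_wg_conf
echo
gen_iptables
```

The identity in this design is the peer's key, and the only thing that carries it across to the firewall is the /32 that cryptokey routing enforces; if two users share a peer config, the per-user rules collapse to per-device rules, so each person needs their own key pair. The final DROP on wg0 is what makes the policy deny-by-default; without it the per-peer ACCEPT lines are decoration.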
While this solution lacks the necessary security measures for implementation in large-scale or business networks, I must admit its enticing simplicity in terms of setup and operation. As someone with over a decade of experience as a network engineer with a proficiency in software development as well, I find myself pondering why I hadn't conceived of such a smart and user-friendly solution earlier. 😊
Kinda sounds like a glorified VPN + Traefik + Fail2ban/auth middleware setup with a pretty UI and specific third-party integrations. Twingate is literally the man in the middle and defeats the entire "zero trust" setup. I'm not touching this.
Don't forget this involves a third party (that Twingate cloud and software) in the middle of your connection. So it's the same as a remote-access app like TeamViewer, where the TeamViewer server stands in the middle. So don't talk trash saying it is more secure than VPN when it truly isn't.
it sounds good, but still there is no guarantee that your third party vpn provider won't get hacked or sell your data. If I do care about my data, I would rather setup a wireguard server instead, as it's fast, secure, and fully under my control.
You said, "VPNs are old", but proxy servers are even older. They're the precursor to VPNs. Just had to point that out. Doesn't mean this method isn't effective.
Network Chuck must somehow be listening in to my device or something Hahaa. A couple weeks ago my company asked me to look into ticketing software.. he released a video on how to create your own. I just got asked about getting a VPN to use and then he releases this video. Love your videos man haha
@NetworkChuck Ok, I just finished the video. It sounds like it's a TLS session that does a port translation. This is actually something that is being implemented (or soon to be implemented) by more traditional network vendors.
Not going to lie, I did not expect that ending haha, that got me good lol. WHAT ARE YOU DOING!? Videos are always awesome from you man. My personal opinion on VPNs: I majored in cybersecurity and I knew from the get-go, you are only as secure as the product you use, nothing more and nothing less. This is good for probably 80% of the world. But the other 20% I feel are like me and never agreed to it. My favorite way to access stuff from other places is 2-step VPN through a firewall. Yeah, it can still get session hijacked (remember the golden rule, you are only as secure as the product you use). But at the end of the day I technically am MFA'ed to my VPN and I can control what a user through my dedicated VPN can use. I think I should mention that I use SonicWall, and I am not talking about your commercial VPNs, I am talking about a business-level one, which is completely different than what most at-home users will use.
I was thrown off the beginning of the video when he mentioned a VPN letting remote clients access the entire network when you're able to restrict client to client and subnet to subnet connectivity using firewall rules and ACLs. Additionally MFA can be achieved with DUO at no cost for lab users.
I’d love to see a nitty gritty comparison and performance test between Twingate, Tailscale, and ZeroTier. I’ve been using Zerotier for a long time but Twingate’s more modern security features might be what makes me switch.
I use ZeroTier and its rules, yet enabling access to the rest of the network and managing access for specific IPs per user would be MUCH more difficult to achieve than in Twingate.
I will demo this because I'm curious, but I will say right off the bat that I'm not wild about deploying anything that requires something in the external cloud to function. ¯\_(ツ)_/¯
The point of a VPN is to encrypt traffic. Depends on your use case. If you are at an airport, all your traffic is visible and unprotected. If I force my traffic through an encrypted tunnel, none of it is exposed to the public network. If you just want access to a resource and that is all you care about, this is great. If you are staying in a hotel or in the airport, I rather have the VPN
I want to trust you, but really you should explain (including the basics knowledge) why we could trust the connector. I watched the whole thing, pretty exciting, but I still have no proof on why the connector can be trusted/used with zero-trust.
Wouldn't it be easier to whitelist mac addresses on router? Then you can divide the network into pieces and assign access to devices in separate networks. Simple and effective.
@mr.1055 I think so. As far as I know, the use of the white list gives the possibility of using wi-fi to people who are on it. If someone who is not on the list were knocking, it would mean that he does not know the correct network settings. So we don't want such people on the wi-fi network. But if someone knows the MAC address of a computer that is allowed to use the network, the road to wi-fi is open. The MAC address itself and basing all protection on it, I admit, is a rather primitive idea. Which means you have to come up with something else. Just entering the wi-fi network does not mean taking control over all connected machines. It would be useful to do some reconnaissance with Nmap, which can be detected when you try to connect. In short, I am writing again that you are right, because I would start to mess up too much. Regards. P.S. I'm not from the US so what I wrote may be weird. Google helped me :-)
This really looks like Tailscale. The UI looks very similar down to the ordering of the menu items within the control panel. Sure there’s some nicer things that seem to just add UI wrappers on top of where Tailscale has ACLs defined as code. And with Tailscale, there’s also the OSS control plane Headscale that can be run with the native Tailscale programs/apps. Not really sure that Twingate is a better alternative for selfhosted or otherwise…
Yea it does seem similar to Tailscale. Interesting that the ordering of items on the menu is the same…. I wonder how much ‘inspiration’ they got from Tailscale lol
The weakest link is the reliance on a third party relay. This is NOT 0 trust, Chuck... You trust twingate to not be compromised, which is a lot worse than setting up a wireguard VPN (for example) that doesn't rely on third parties... Would you not agree?
Great video Chuck. I mean I love this product already. Couple weeks ago, we deployed something pretty similar to Twingate and was called Checkpoint Harmony Connect. It pretty much did the same thing and I had to set up a docker inside our internal vm farm. You’re awesome because now I understand how it works. Cheers man and keep these videos up
No way, why would I turn over the proxy/control of my network access to a third party in the cloud when I can easily deploy my own OpenVPN solution that I have 100 percent control over? And there are only two parts, the server and the client. With OpenVPN on my pfSense firewall, I can control what users can go where and even get as granular as permitting or denying access to TCP/UDP ports. All open source and all under my control. Just sayin'
I just love how excited about Tech you are man! I am the SAME way, and I think we come from the same generation of IT pros. They just don't make em like you anymore. All these kids want to go straight into dev and make 200k/yr, and you are one of the FEW people that is Making SysAdmins Great Again. Thanks for all that you do.
@robertb6276 ah, sure, but my problem with it is that "all the magic" seems to be done in the relays and controllers, so maybe a bad actor inside the company, or a hacker, could have access to your stuff without your knowledge. Of course, PEM certificates are a great way to go, but you generate them on their site so... you know... I'm paranoid. lol.
Network Chuck used to be great for beginners. Took his time, explained everything; now way too fast. Sorry mate, not enough coffee is gonna make me wanna keep trying to keep up. Plenty of other channels that actually slow it down a bit to help out the new learners. FYI, I am one of your older subscribers that did ask you to explain simpler steps way back when you were full fast forward trying to help us install pfSense. You never did get back to me. For what it's worth, you were brilliant in your earlier days. Cheers
Interesting. I've been getting by with WireGuard via my current firewall app for my remote access needs. My needs are very simple though, since they are just for myself. I find WireGuard is very fast at establishing connections, certainly faster than traditional IPsec or SSL VPNs, though it really needs work on the UI and could use a kill switch or toggle option. I'd certainly consider Twingate if I could host my own controllers (the part that lives outside my firewall). With the way some companies change their policies regarding their customers I'd be wary of anyone having full control over the part in the middle that makes it all work. Sure, it is VERY convenient, but that puts them in a position of power to change the deal later without consent (insert clip of Darth Vader changing the deal here). That and it is a single target for attack, and a data breach would be a big problem (it stores info about your internal network, public IPs and your users after all). Something I'll bookmark for the future though.
I personally use TeamViewer which is a paid for service and software. But I would love to see an open-source version of the software you just described. I want to host the monitoring myself so I don't have to rely on an outside company. Excellent video! I will definitely be trying this out!
I just spun up Twingate. My first disappointment is that it's in conflict with NordVPN: when I'm on the go protected by NordVPN and I want to connect back to my home, NordVPN suddenly turns off, so I may need to route my internet traffic through my home, where my router can be connected to NordVPN. I hope I can work around it; at least it's a nice thing to play around with. Thanks for this amazing video. Actually, on their website they list these consumer VPNs as incompatible (12th of July 2023): TunnelBear, Tunnelblick, NordVPN, ExpressVPN, PIA VPN (Private Internet Access), HMA VPN (HideMyAss).
This is interesting, but why should I ditch my VPN? If I am on a "public WiFi" connection with my laptop, I want to have my WiFi connection secured using an encrypted VPN connection.
Good Sir, you may have just solved a current issue my company is facing. The existing firewall doesn't allow granular rules for port forwarding (only forward IF FROM . This should help things SO much. Thanks for staying on top of things and sharing!
WTF, that's a commercial 3rd-party service and everything is closed source! Why would I ever use something like that to access my nicely private self-hosted services? Whenever possible you should avoid using 3rd-party services, and a VPN server can quickly be set up via regular port forwarding and an open-source VPN server like WireGuard.
"The relays, much like the controller, they're hosted inside Twin Gates network so you don't have to worry about it." It's exactly the stuff running in the cloud I worry about the most. Personally I'm fine with 3rd party-free SSH tunnels. I just miss UDP support.
Thank you NetworkChuck! I’m still learning IT and am hoping to get a help desk job soon I love your videos and they definitely make me believe I can achieve my career goals.
@Bossa_Fenzi Yeah, I can see that with all the remote work options that are popping up. I don't care where my journey starts though, I'll apply for Geek Squad if I have to!
@3Bajas I respect that, just keep the dream alive... have an end goal, whether it's ending up in cyber security or as a network engineer or software DevOps, have goal posts within your goal posts, then you can ensure direction and focus... happiness is an unsolvable equation after all...
This is what a firewall you manage does. Literally down to the port, what they can access. I don’t need a third party to manage this for me. Run your own vpn man.
Someone needs to make an open source version so we can host the controller ourselves. I don't like Twingate being in control of the controller.
Agreed. Zero trust also means don’t trust controller when not self hosted.
ZeroTier is a good alternative to this. I think the only thing the OpenSource version lacks is a GUI, so if you're fine with CLI, it's a good option.
@nobodyshomeuk I self-host ZeroTier and use ztncui for a UI and it works great.
Zerotier or nebula would be go to option for this.
As soon as I heard "the controller is managed by Twingate, it's in their cloud" that was a solid NOPE for me. If I don't have full 100% self-hosted control then that's a solid pass for me.
NEVER, and I mean NEVER, rely on a third party for access into your own network. If it's not selfhosted, there is nothing secure or reliable about it.
Watch the rest of the vid, look at how they handle authentication. Twingate REQUIRES third-party auth (Google, GitHub... etc.) for you to connect to a resource. It's not self-hosted, but it's also not as "managed" as you might think.
Mmm... All I hear is "less risky, but risky nonetheless"
the thing is that even law enforcement could have full access to your local network. Not that I hide anything but it's the basic principle of "don't leave your doors open to anyone"
This is literally the equivalent of turning off your firewall.
Yea, I also gave twingate and tailscale a pass. I don't want to rely on any 3rd party when accessing my network. 😗
@NetworkChuck this wouldn't pass ISO 27001 in my book
Yeah this might not be a great option for your personal network, but I think for small businesses it’s hard to beat.
This is absolutely NOT zero trust. In this scenario you have to trust Twingate and there are multiple points of failure. First is the fact that this is closed-source software: if TG get compromised or otherwise do something untrustworthy, they can push a malicious update to this software and you would never know. This requires you to trust them. Another point of failure is the fact that TG have the auth tokens. So this requires you to trust them not to leak those. Calling this Zero Trust is damaging your credibility.
I love that everyone is worried about it not being self hosted, it gives me hope
A lot of times, self-hosted is not as secure as one might think. Errors in set-up, old firmware, etc., etc.
@DjTonioRoffo but it's in your control: if you fd up, that's on you. Trusting a centralized solution like this and you could find yourself at the mercy of "show me the man and I'll show you the crime" by simply saying "the wrong thing" on the internet and activating the "online safety bill" on you.
@ShaferHart are you in the reality of today's IT solutions? Do you run everything locally? It's just not possible anymore.
Nowadays most websites are already end-to-end encrypted via HTTPS/TLS, similar to VPNs, therefore double encrypting the data is a waste of time and VPN fees, with slower speeds and higher latency. The only thing it's good for is hiding your location, but even a simple proxy can do that for about half the cost with a simpler setup, higher speeds, and lower latency while still encrypted via HTTPS/TLS. Also, a VPN server is a single point for an attack by bad hackers or state actors, since all your connections are going through the same server.
@BillAnt fully agreed. Using VPN as a safety measure to prevent a man-in-the-middle from listening to your HTTP traffic is pointless, as there's no pure HTTP traffic left nowadays. But it is just a single use case for VPN, a very narrow one which got peddled because all those "secured VPN service providers" wanted to sell their services. Why VPN as a technology appeared, first of all, was to connect together in a virtual private (and secured) network various hosts scattered across the globe, but all having access to the internet.
You like "Zero trust", and that is great, but you choose to use software that is not configured by yourself, you do not have access to the code and you "trust them" - what about the "zero trust" part? Where is it lost? :) Come on Chuck... I like your videos, and they are very educative, but this video is misleading and someone who is new can trust you that this is a "zero trust" connection but it's not... From my point of view this is not ok and you need to emphasize that this is NOT a "zero trust" connection so people won't lose trust in you...
On point
"It's easy, it's the NEW way."
me: "alright"
"so you need to register for their cloud"
me: "alright imma head out"
I wonder what that top secret project was...
Also your editors did a pretty big brain move saving you money by downloading more RAM!
hello there, funny to see you again
Oh nothing, he's just building his own Stargate in his basement! ;)
Jeff, save us... Explain to the guy this is just a fancy VPN controlled by a 3rd party with ACL! xD.
Here before this blows up
What is your opinion? Waiting for on your channel
Hey Chuck!! I have been watching this channel for a very long time and since I've started watching this channel, I started studying for certifications. I have obtained A+ and Network+ but now I am ecstatic to share that I just passed my CCNA!! You and this channel were a massive part of that! Just wanted to say thank you! I love the content and I look forward to a whole lot more to come from you I'm sure.
Congrats man! :) I'm studying myself for the CCNA. Is there a reason why you started with Network+ before CCNA? I was under the impression that both certs broadly cover the same networking concepts, the difference being that CCNA focuses on Cisco solutions and is obviously more hands-on with the CLI configuration. Am I missing out by not taking Network+ before completing CCNA?
@@aldarion2222 I don't think you're missing out. I took Network+ because I was new to everything and honestly it couldn't hurt in my case. It really made the transition to studying for the CCNA much easier because I already knew most of the concepts of networking, now I just had to focus on CLI configurations and the different protocols associated with CCNA. It's my understanding too that CCNA carries more weight in the job market than Network+ but we shall see. I've added my CCNA cert to my resume and now I'm going on the job hunt. Good luck with your studies!
Looks like a very long ad...
@@Charles-ow3fo What did you use to study? I want to get both certs this year I have some experience just want to reinforce, and congrats on CCNA!
@@SuperVexal Thank you! I was on Udemy quite a bit and I purchased the official cert guides. I also attended night classes at a tech school to get more hands on but packet tracer is great for simulating a network if getting hands on is not an option for you.
I know that Twingate sponsors this video, but I really value having control over my data. Therefore, I prefer Pritunl, because they have self-hosted option. Chuck, I think you should consider making a video about it. Congratulations on your video!
P.S.: The benefit Twingate provides is the endpoint controls.
why not tailscale
@@bensavage6389 it's just WireGuard which is still a vpn
@@bensavage6389 same issue with controller?
@@rafal9ck817 why not headscale?
Like everyone else, I'm concerned too because it's not open source. An important point and strength of most self-hosted VPN applications are that they're open-source, so when you say "Managed" and a third-party server comes in between, personally, no matter how legit and reliable that company is, it's a red flag for me.
Same here
Yep, 0% trust on users, 100% trust on TwinGate. I've kinda heard of this concept a couple of times. It sounds interesting as tech though.
Nice video as always :)
hmmmm yeah ... kinda reminds me of... CrowdStrike hahahahaa.... total global outage because everyone relied on them keeping the network running. A simple mistake like not running the update on a testnet first cost the world hundreds of billions of dollars in just 24 hours. It's the old adage "If you want something done right, do it yourself - Zero Trust = Self protection". Who knows what sort of back doors these guys put in there.
I think the bit about the client and connector talking directly to one another is technically incorrect. While the relay knows which IPs and ports the client and connector use (after NAT), you cannot have them connect to each other. That is because the NAT routers will only accept packets originating from the relay for those ports.
So, in order to connect client and connector, the traffic has to be routed through the relay as a proxy. And while that traffic is probably encrypted, all of this is controlled by non-open software provided by Twingate. Thus, you essentially have to trust that Twingate is a. "not evil" and b. "stays secure".
Also, the resources that are being exposed are controlled via a cloud instance ("controller") and also who may connect to them. You essentially delegate control over what can be accessed to Twingate, putting a remote control to your network in their hands (aka "firewall piercing"). Surely, nothing to worry about, huh?
What happens when Twingate's cloud/business inevitably gets hacked? What are the safeguards to ensure the hackers don't get access to everything we've provisioned access to using Twingate? I, too, would be much more excited if I could run an open source version so that I could host the controller and not be dependent of Twingate. Thanks much for the great content.
Yeah, and it will get hacked. These types of services are prone to hacking because of the type of service it is...a back door to your network.
@@gatolibero8329 Chuck has 3 million subs! I believe him rather than a random with zero subs!
Edit: Please stop computer Internet bullying me 🙁
@@swallowedinthesea11 that is not always good logic to go by my friend... @Gato Libero is NOT wrong in anything they said. Not to mention the fact that this video watched like one giant Ad rather than an informational video. You should wonder why he tried to give you a legit reason as to why he made this video and uses the product while simultaneously advertising the very same product in an ad spot which he also supposedly came across by chance LMAO Yea OK
I find the solution could work better if they created an account with the public and private key authentication method to sign in, or they came up with something that they host for us, but they cannot access it, only we have a key to unlock it.
@@swallowedinthesea11 the only problem is, they paid him to advertise it
First and foremost I want to say thank you for everything you have helped me with over the years. I moved to the US to take care of my mother, niece and nephew a few years back. He would sit with me while I watched YouTube from time to time and he always loved watching your channel. One of the funniest things he ever said was after I shaved and shortened my beard by better than half. You see he had met friends of mine and others who could give ZZ Top a run for their money. He was convinced, probably because of Dumbledore, that wisdom didn't come with age. No. The true measure of a man, his knowledge and wisdom were dependent upon the quality of one's beard. Apparently the thickness was a measure of general knowledge. The more hair you had the more general knowledge you had. The length of one's beard was how you determined seniority. Thick beard, you knew about all kinds of different things. The longer the beard the more people should listen to you.
Those were more or less the rules he came up with, as I remember them.
He asked me if you were really smart and I told him you were. He asked if you were as smart as me and I told him that you were so smart that you were teaching me things that I didn't know.
He began calling you mister beard at that point.
I told you all of that in order to get to this point. I decided I needed to get rid of some of the length of my beard. When my nephew saw me he was beside himself. He was upset because your beard was bigger than mine and he didn't want me to be a dummy, so I had to grow it back. And I was going to have to watch more videos of yours because you taught me things, and that of course wouldn't make it grow back faster since now I was stupid.
I hope you got as big a laugh out of that as I did.
I know how this will go. At some point they will just remove the free tier entirely. Happened to like 5 different services I used in the past.
First they allow you to sign up for free, then remove the free tier when you rely on their service, so you either have to pay up, or quickly search for a replacement.
Truth... that business model grinds my gears.
I guess that’s where the coffee comes in. just want to know what equal parts meth and angel dust I need to procure 😌
Yes, this is the common practice used by most businesses at present.
That looks like a great piece of software, but I am becoming increasingly concerned with the amount of network infrastructure that is beginning to operate on closed source SaaS models.
SaaS, more like SuuS.
I'll see my way out...
This is a saas model don't go for it
Oh, that ship has sailed a long time ago. Every business and their granddads are running at least part of their stuff in Azure, Google, ... all running on a few dozen highly concentrated server farms. The decentralized internet is gone.
@@breakfast7595 nah bro I'm stealing that lol
0:49 That's not a VPN weakness but a lack of OPSEC on your part.
1:36 Zero trust? Doubtful. Basically you allow a 3rd party onto your network because of the cloud control plane. BTW on the backend they use good old VPN protocols.
1:44 You can do that without VPN or this no-name sw vendor, it's called "having proper firewall rules".
1:57 Gimmick, simply having an AV and fw rules doesn't mean the machine isn't infected or boned by a hacker.......
Holy grail of an answer :)
underrated comment!
Yes I don't like OTHER people having access to my files. All the issues with "cloud" saving. Pass.
VPN is perfectly securable... VPN connection should be to a firewalled VLAN. Then you can specify ACL on that VLAN that controls what the users can access.
ACL on that VLAN? Can you explain what that means? What is ACL?
@@lorcster6694 access control list. Basically firewall rules
@Evan ah OK thanks.
Spoken like an IT Guru.
@@lorcster6694 Access Control List
You're so good at explaining what is quite complex in a simple way. Love it!
no kidding, it takes genius level to do this. !
( He still needs to have coffee giveaways though )
Great review. Couple of thoughts. It's not zero trust if you're proxying with a third party. It's third-party trust at a minimum. More likely, it's third party (Twingate) plus whoever else is listening at the third-party relay; think NSA. Also, Twingate software appears to be closed-source. Again we'd have to trust that Twingate's software does only what they claim it does. That's a big camel to swallow if you're security conscious.
A split tunnel SSL VPN is a way better option - entirely self hosted and self configurable, and only the traffic that needs to go over the VPN does so (this negates the "everything goes through the VPN device" point that Chuck makes, only specific traffic that you define will go through it) - and there are products out there for this that also have ACLs etc. - I hate the idea of this going through a 3rd party service/server to access a private network.
Your traffic (data) isn't going through Twingate. They simply facilitate a peer-to-peer connection.
@@NetworkChuck Great job trying to advertise the product more even though you know it is bad. Do you get more money if more people sign up for the service or something.
@@NetworkChuck Yeah, I thought you explained NAT traversal really well.
Pretty sure it’s just point to point with a pinned cert on the TLS tunnel.
Also I’ve played around with split tunnel configs for all sorts of VPNs and Twingate is so much easier.
For some business use cases, SaaS infrastructure is an acceptable risk.
Nice technology. I wonder if this protocol will be abused. When a PC is behind NAT, a home router uses Port-NAT. A stateful firewall "expects" data on the inbound port. Since the TwinGate client is installed on a PC behind a NAT, it is basically a backdoor relayer (SOCKS5 proxy) in your LAN environment. Why? External users can connect to other devices in your LAN. Oh well, it is a cool tech, but I hope IDS/IPS firewalls can detect this kind of traffic in a business environment. An employee can easily make backdoors in your network if you are not careful. Thanks for the clip and explanation.
Exactly my thoughts...no trust to VPN, but install a third party backdoor is ok.
It’s running on higher layers, so just block the process from running and you’re good.
Your comment is the very reason we segment networks using subnets. Keep all the critical infrastructure off the access network.
@@flaminbutt Issue is that's fine until the bad actor comes in with a Raspberry Pi or something and plugs it into an ethernet cable. Now... proper network security should prevent that (network segmentation, MAC address port filtering, etc), but the potential is there for an improperly secured network.
@Brent Burroughs Issue is they tried that at my university, stunnel got around it with relative ease.
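Added example, not part of the thread above or of any vendor's tooling: the comment a few replies up asks whether an IDS can spot a connector-style relay sitting inside the LAN. One network-level signal is a host that holds a single long-lived outbound session to the internet and, while that session is up, fans out to many other internal hosts. The flow records below are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), the "long-lived outbound UDP/443 session" is an assumed pattern rather than a captured fingerprint of any product, and the thresholds are starting points to tune, not measured values.

```python
"""Flag internal hosts that behave like an inbound relay: one long-lived
outbound tunnel plus new connections to several other internal hosts while
the tunnel is up.  All flow records here are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One exported flow (NetFlow/IPFIX-style), fields we need only."""
    start: int      # seconds since epoch (constructed)
    duration: int   # seconds the flow stayed active
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_connector_like_hosts(flows, min_tunnel_seconds=600, min_fanout=3):
    """Return {host: (external_peer, sorted internal destinations)}.

    A host is reported when it (a) sourced an outbound flow to a
    non-internal address lasting >= min_tunnel_seconds and (b) started
    new flows to >= min_fanout distinct internal hosts inside that window.
    Return traffic from internal hosts is not counted; only flows the
    suspect itself initiated."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings = {}
    for host, fs in by_src.items():
        if not is_internal(host):
            continue
        tunnels = [f for f in fs
                   if not is_internal(f.dst) and f.duration >= min_tunnel_seconds]
        for t in tunnels:
            window_end = t.start + t.duration
            inward = {f.dst for f in fs
                      if is_internal(f.dst) and f.dst != host
                      and t.start <= f.start <= window_end}
            if len(inward) >= min_fanout:
                findings[host] = (t.dst, sorted(inward))
                break
    return findings


# Constructed sample: one relay-like host, one ordinary workstation, and one
# host with a long cloud session but no internal fan-out (should not alert).
SAMPLE_FLOWS = (
    Flow(1000, 7200, "10.0.5.20", "203.0.113.10", "udp", 443),  # 2h outbound tunnel
    Flow(1300, 5,    "10.0.5.20", "10.0.20.5", "tcp", 22),
    Flow(1400, 30,   "10.0.5.20", "10.0.20.6", "tcp", 3389),
    Flow(1500, 2,    "10.0.5.20", "10.0.20.7", "tcp", 445),
    Flow(1600, 9,    "10.0.5.20", "10.0.20.8", "tcp", 443),
    Flow(1000, 20,   "10.0.5.30", "198.51.100.7", "tcp", 443),  # normal browsing
    Flow(1100, 15,   "10.0.5.30", "198.51.100.8", "tcp", 443),
    Flow(1200, 60,   "10.0.5.30", "10.0.20.7", "tcp", 445),     # one file share
    Flow(1000, 3600, "10.0.5.40", "198.51.100.9", "tcp", 443),  # long backup upload
    Flow(1500, 3,    "10.0.5.40", "10.0.20.7", "tcp", 445),
)

if __name__ == "__main__":
    for host, (peer, targets) in find_connector_like_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: long tunnel to {peer}, fanned out to {', '.join(targets)}")
```

Expect jump boxes, backup agents and monitoring collectors to trip this too; the value is in baselining which internal hosts are allowed to look like this and alerting on the rest, and in pairing it with the process-level block the reply above mentions.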
I'm genuinely surprised that you don't already have a VPN setup. Also, for the concern about them having full network access can't you just use subnets to segregate the data and have the VPN only get you into a specific subnet? I mean, at my job the VPN I use won't let me access stuff in the accounting network.
He probably does have a VPN set up. This whole video is just a big ad anyway,
Subnets don't restrict ports. Even if you are restricted to a certain subnet you'd still have access to all ports. He references that. A VPN setup like that is far more complex. Plus you often can't specify firewall rules on a per user or group basis. For example, sales can only access the inventory system on port 443. But IT users can access it on 443 and 22. It's a simple concept but either impossible, difficult or expensive to implement in a traditional VPN.
@@BDTech-yi6ub exactly - you can do *some* of these access restrictions by doing a bunch of network munging but Twingate makes it so much easier.
I think the whole point of something like Twingate is that you don’t have to go through all the work of creating separate subnets, which are kind of a pain to set up and really hard to set up granular access. You can basically have one big flat network and then Twingate acts as a segregation layer. Pretty cool networking tech IMO
@@BDTech-yi6ub Sophos XG you can do policy based routing for users and groups
I'm rewatching this video cause I just passed my first Cisco certification and honestly want to thank you cause throughout all your content, you touch so many subjects that all were such great help to understand networking. So thanks man!
Great idea to use a proprietary service 'never heard of' as the single point into every aspect of your network!
🤣
Almost everything is proprietary and everything allows data collection for law enforcement and for marketing. The whole security depends on the proprietary firm but anyway insiders can access anything on your device.
@@dangbro not everything
@@deality 'Almost everything ' was the key words I used.
I use zerotier myself. It doesn't have the granular automatic control but it works for me and my (somewhat extended) family. I even use it to connect my cloud oracle servers with the rest of my network.
Zerotier is a godtier product! Free to use, setup in 5 min, no need to forward a single port in your insecure home router, and the speed is similar to LAN speed. Cant recommend that shit enough!
I love it when Chuck says something is easy, and then in about 60 seconds into the process my eyes start glazing over. 🤣
same here too, about 5 minutes in for me of non-stop keyboard tapping. I like batch and script files 🙂
This is the best thumbnail you've ever made for a video.
Also need to hit the notifications bell. I was subscribed for months and just realized I have to turn on notifications.
Back in my day (2004) , we used Hamachi. It 'kinda' did the same thing without the extra layers of security. Then it got sold off to Logmein (say no more)
Great to see there are plenty of decent alternatives. Another great video Chuck, thank you!
It's not a great video, it's just an ad.
I used Hamachi to allow people to connect to the private World of Warcraft server I used to run way back when. Super easy to get people connected.
Hamachi... Now that is a name I haven't heard in a long time.
@@heavyq I remember trying to play Age of Empires 2 over Hamachi. Every single time we'd make it way into a game then disconnect and corrupt the game.
We played Minecraft on hamachi when we were like 12-14! There also was Tungle
A David Bombal and a NetworkChuck video on the same day? TODAY IS MY LUCKY DAY
The thumbnail is pure art 😂
I've been on a NetworkChuck geek binge today. Thanks Chuck!!
To be honest, I never ever understand what you are talking about but I always love to watch you describing your content ❤❤
This is almost like a middle ground between Cloudflare's secure tunnel and Tailscale. Thanks for actually explaining how this works.
I was wondering about the difference between this, Cloudflare tunnels and Tailscale. The three of these seem pretty much the same to me - at least on the surface. Would like to know the differences.
@Not ReallyMe Tailscale uses WireGuard, Cloudflare uses HTTP/2 and what Network Chuck mentioned uses QUIC. Cloudflare can use QUIC if you'd like but this one does it out of the box and is a little easier to configure. Tailscale lets you segregate your traffic if needed so not everything needs to touch your network. All 3 seem to be great to be honest. It comes down to what meets your needs.
They all have pretty good free tiers so just try them out to see what works better. Personally I find Twingate to be the easiest to use for narrow access to multiple different networks like Network Chuck describes in the video
Yeah Twingate looks kind of like the Goldilocks option for me. Really easy to set up but has way more complete controls than Cloudflare and Tailscale.
Your production values are killer. The live overlay is amazing. Would love to know how you do that. :)
We need someone to tell this guy about WireGuard and iptables.
It's 10 lines of WireGuard's config and LITERALLY 5 rules of iptables.
2 minutes to get it up and you have full control of what's going inside the tunnel.
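Added example, not the commenter's own config or any vendor's code: the comments above argue that a self-hosted WireGuard tunnel plus a handful of firewall rules gives you per-user control over what crosses the tunnel, and an earlier reply in the thread gave the case of sales reaching an inventory system on 443 only while IT also gets 22. The script below turns that kind of per-group policy into a WireGuard server config and the matching iptables FORWARD rules, and evaluates the same policy offline so it can be checked before it is applied. Hosts, tunnel addresses and policy are constructed; the WireGuard keys are placeholders, not real keys.

```python
"""Turn a per-group access policy into (a) WireGuard peers and (b) iptables
FORWARD rules keyed on each peer's tunnel address.  All addresses, groups
and keys are constructed placeholders for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One permitted flow: destination host/CIDR, L4 protocol, port."""
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Peer:
    """A WireGuard client.  tunnel_ip is the only address the server will
    accept from this public key (AllowedIPs = <ip>/32), which is what makes
    '-s <tunnel_ip>' in iptables trustworthy."""
    name: str
    group: str
    pubkey: str
    tunnel_ip: str


TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # constructed tunnel range
INVENTORY = "10.0.20.5/32"                         # constructed target host

# Constructed policy: sales gets 443 only, IT gets 443 and 22.
POLICY = {
    "sales": (Rule(INVENTORY, "tcp", 443),),
    "it": (Rule(INVENTORY, "tcp", 443), Rule(INVENTORY, "tcp", 22)),
}

# Constructed peers; public keys are placeholders, not real WireGuard keys.
PEERS = (
    Peer("alice", "sales", "<alice-public-key>", "10.8.0.10"),
    Peer("bob", "it", "<bob-public-key>", "10.8.0.11"),
)


def _check_peer(peer: Peer, policy: dict) -> None:
    """Refuse peers that would silently get no rules or sit outside the tunnel net."""
    if peer.group not in policy:
        raise ValueError(f"{peer.name}: group '{peer.group}' has no policy")
    if ipaddress.ip_address(peer.tunnel_ip) not in TUNNEL_NET:
        raise ValueError(f"{peer.name}: {peer.tunnel_ip} not in {TUNNEL_NET}")


def wg_server_config(peers, policy, listen_port=51820) -> str:
    """Server-side wg0.conf: one [Peer] per client, pinned to a single /32."""
    for p in peers:
        _check_peer(p, policy)
    lines = ["[Interface]",
             "PrivateKey = <server-private-key>",       # placeholder
             f"Address = {TUNNEL_NET[1]}/{TUNNEL_NET.prefixlen}",
             f"ListenPort = {listen_port}"]
    for p in peers:
        lines += ["", f"# {p.name} ({p.group})", "[Peer]",
                  f"PublicKey = {p.pubkey}", f"AllowedIPs = {p.tunnel_ip}/32"]
    return "\n".join(lines) + "\n"


def iptables_rules(peers, policy, wg_if="wg0") -> list:
    """Default-deny FORWARD, allow replies, then one ACCEPT per peer per rule."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for p in peers:
        _check_peer(p, policy)
        for r in policy[p.group]:
            rules.append(f"iptables -A FORWARD -i {wg_if} -s {p.tunnel_ip}/32 "
                         f"-d {r.dst} -p {r.proto} --dport {r.port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules


def is_allowed(peers, policy, src_ip, dst_ip, proto, port) -> bool:
    """Offline check: would a NEW packet from a tunnel peer be forwarded?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in peers:
        if ipaddress.ip_address(p.tunnel_ip) != src:
            continue
        return any(dst in ipaddress.ip_network(r.dst)
                   and r.proto == proto and r.port == port
                   for r in policy.get(p.group, ()))
    return False   # unknown source: falls through to the DROP policy


if __name__ == "__main__":
    print(wg_server_config(PEERS, POLICY))
    print("\n".join(iptables_rules(PEERS, POLICY)))
```

The per-peer rules only hold because cryptokey routing drops any packet whose inner source address is not in that peer's AllowedIPs, so a client cannot borrow another group's tunnel IP; widen AllowedIPs and the `-s` match stops meaning "this user".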
He probably knows but the video is an ad and is trying to sell you the product.
@@June26A7 I mean yeah, but talking about the "end of VPNs" in the era of the simplest and fastest VPN protocol is nonsense I guess
@@rpower9255 As long as the nonsense gets people to buy the product it doesn't matter to the sponsor
While this solution lacks the necessary security measures for implementation in large-scale or business networks, I must admit its enticing simplicity in terms of setup and operation. As someone with over a decade of experience as a network engineer with a proficiency in software development as well, I find myself pondering why I hadn't conceived of such a smart and user-friendly solution earlier. 😊
it's still controlled by a site that may or may not be around in the future ..idk it seemed a tad advanced for me ..and it seems creepy
End of VPNs, because my sponsor is great lmao
Kind'a sounds like a glorified VPN+Traefik+Fail2ban/auth middleware setup with a pretty UI and specific third party integrations. Twingate is literally the man in the middle and defeats the entire "zero trust" setup. I'm not touching this.
Don't forget this involves a third party (that TwinGate cloud and software) in the middle of your connection. So same as a RemoteApp like TeamViewer, where the TeamViewer server stands in the middle. So don't talk trash telling us it is more secure than VPN when it's truly not.
Threw away VPN after fighting with configuration issues for months and this works so much better!!
it sounds good, but still there is no guarantee that your third party vpn provider won't get hacked or sell your data. If I do care about my data, I would rather setup a wireguard server instead, as it's fast, secure, and fully under my control.
I installed twingate, but right after a restart, I can't open windows anymore. I'm troubleshooting as I'm typing this.
😂
You said, "VPNs are old", but proxy servers are even older. They're the precursor to VPNs. Just had to point that out. Doesn't mean this method isn't effective.
Yea at least Tailscale uses Wireguard
you're the best, I learn a lot from all your videos, keep rocking
Thanks Network Chuck… great explanation, easy to understand… thanks for helping me stay up to date!
Network Chuck must somehow be listening in to my device or something Hahaa. A couple weeks ago my company asked me to look into ticketing software.. he released a video on how to create your own. I just got asked about getting a VPN to use and then he releases this video. Love your videos man haha
Could you make a video on how to host your own VPN locally, and as simply as possible?
Seems like Twingate is either using TLS sessions OR it's actually a traditional VPN under the hood with some ZTNA security features.
keep watching. I deep dive a little on how it works.
@@NetworkChuck Ok, I just finished the video. It sounds like it's a TLS session that does a port translation. This is actually something that is being implemented (or soon to be implemented) by more traditional network vendors.
Man, what a discovery this has been. Excellent video!
If I hear one more UA-camr tell people to get a VPN to watch Netflix from another country I’m going to cry :(
Im so glad I found this channel! Thanks Mr. NetworkChuck for providing great instruction, and excellent videos!
Not going to lie, I did not expect that ending haha that got me good lol. WHAT ARE YOU DOING!? Videos are always awesome from you man. My personal opinion on VPNS:
I majored in cybersecurity and I knew from the get go, you are only as secure as the product you use, nothing more and nothing less. This is good for probably 80% of the world. But the other 20% I feel are like me and never agreed to it. My favorite way to access stuff from other places is 2-step VPN through a firewall. Yeah it can still get session hijacked (remember the golden rule, you are only as secure as the product you use). But at the end of the day I technically am MFA'ed to my VPN and I can control what a user through my dedicated VPN can use. I think I should mention that I use SonicWall, and I am not talking about your commercial VPNs, I am talking about a business level one which is completely different than what most at home users will use.
I was thrown off the beginning of the video when he mentioned a VPN letting remote clients access the entire network when you're able to restrict client to client and subnet to subnet connectivity using firewall rules and ACLs. Additionally MFA can be achieved with DUO at no cost for lab users.
I’d love to see a nitty gritty comparison and performance test between Twingate, Tailscale, and ZeroTier. I’ve been using Zerotier for a long time but Twingate’s more modern security features might be what makes me switch.
It would be awesome, I am also interested in that comparison as I am using ZeroTier but until now I haven't heard about other alternatives like this.
I like Tailscale better.
I use ZeroTier and its rules, yet enabling access to the rest of the network and managing access for specific IPs per user would be MUCH more difficult to achieve than in Twingate.
I will demo this because I'm curious, but I will say right off the bat that I'm not wild about deploying anything that requires something in the external cloud to function. ¯\_(ツ)_/¯
The point of a VPN is to encrypt traffic. Depends on your use case. If you are at an airport, all your traffic is visible and unprotected. If I force my traffic through an encrypted tunnel, none of it is exposed to the public network. If you just want access to a resource and that is all you care about, this is great. If you are staying in a hotel or in the airport, I rather have the VPN
Great video and great product! Love how enthusiastic you are talking about it haha
I want to trust you, but really you should explain (including the basics knowledge) why we could trust the connector.
I watched the whole thing, pretty exciting, but I still have no proof on why the connector can be trusted/used with zero-trust.
Wouldn't it be easier to whitelist mac addresses on router? Then you can divide the network into pieces and assign access to devices in separate networks. Simple and effective.
I am no expert, but wouldn't you then be vulnerable to Mac spoofing?
@@mr.1055 Yes you would !
@@mr.1055 I think so. As far as I know, the use of the white list gives the possibility of using wi-fi to people who are on it. If someone who is not on the list would be knocking, it would mean that he does not know the correct network settings. So we don't want such people on the wi-fi network. But if someone knows the MAC address of a computer that is allowed to use the network, the road to wi-fi is open. The MAC address itself and basing all protection on it, I admit, is a rather primitive idea. Which means you have to come up with something else. Just entering the wi-fi network does not mean taking control over all connected machines. It would be useful to do some recognition with Nmap which can be detected when you try to connect. In short, I am writing again that you are right because I would start to mess up too much. Regards. Ps I'm not from the US so what I wrote may be weird. Google helped me :-)
lol that sounds way more complicated than what Network Chuck does with Twingate
@@krotson6767 Thank you for your clarification! So in the end, a whitelist is not a viable alternative.
This really looks like Tailscale. The UI looks very similar down to the ordering of the menu items within the control panel. Sure there’s some nicer things that seem to just add UI wrappers on top of where Tailscale has ACLs defined as code. And with Tailscale, there’s also the OSS control plane Headscale that can be run with the native Tailscale programs/apps. Not really sure that Twingate is a better alternative for selfhosted or otherwise…
Yea it does seem similar to Tailscale. Interesting that the ordering of items on the menu is the same…. I wonder how much ‘inspiration’ they got from Tailscale lol
My brother, THANKS for sharing this USEFUL SOLUTION! =)
I'm gonna try it myself TODAY
The weakest link is the reliance on a third party relay. This is NOT 0 trust, Chuck... You trust twingate to not be compromised, which is a lot worse than setting up a wireguard VPN (for example) that doesn't rely on third parties... Would you not agree?
Great video Chuck. I mean I love this product already. Couple weeks ago, we deployed something pretty similar to Twingate and was called Checkpoint Harmony Connect. It pretty much did the same thing and I had to set up a docker inside our internal vm farm. You’re awesome because now I understand how it works. Cheers man and keep these videos up
"The controller is managed by Twingate, its in their cloud" - Yeh no thanks. Good video though
I’ll for sure use this but I think vpn is here to stay. I don’t think I trust twingate that much for it to be the only way to my homelab.
Same, I'm not tossing my vpn for anything.
No way, why would I turn over the proxy/control of my network access to a third party in the cloud when I can easily deploy my own open VPN solution that I have 100 percent control over? And, there are only two parts, the server and the client. With open VPN on my pfSense firewall, I can control what users can go where and even get as granular as the permitting or denying access to tcp/udp ports. All open source and all under my control. Just sayin'
After he said "everything I teach requires coffee" I, actually stopped, put the pot on, and waited till my coffee was done. lol. your awesome
I just love how excited about Tech you are man! I am the SAME way, and I think we come from the same generation of IT pros. They just don't make em like you anymore. All these kids want to go straight into dev and make 200k/yr, and you are one of the FEW people that is Making SysAdmins Great Again. Thanks for all that you do.
I'm a bit uneasy with the controller being hosted on a private cloud. Especially if they are the ones running the "firewall rules" created.
Agreed, but you could always implement a firewall on your side between the Connector and your network.
@@robertb6276 ah, sure, but my problem with it is that "all the magic" seems to be done in the relays and controllers, so maybe a bad actor inside the company, or a hacker, could have access to your stuff without your knowledge. Of course, PEM certificates are a great way to go but you generate them on their site so... you know... I'm paranoid. lol.
Network Chuck used to be great for beginners. Took his time, explained everything, now way too fast. Sorry mate, not enough coffee is gonna make me wanna keep trying to keep up. Plenty of other channels that actually slow it down a bit to help out the new learners. Fyi, i am one of your older subscribers that did ask you to explain simpler steps way back when you were full fast forward trying to help us install pfsense. You never did get back to me. For what its worth, you were brilliant in your earlier days. Cheers
Agree he does talk fast like he is wired on that coffee. You could try playing the video at 0.75 or 0.5 speed, might help some.
I was expecting him to say "today's sponsor NordVPN.."😂
Chuck, you need to do a vid, just back handsprings. Your pep is enthusiastic and rubs off. Great vid!
You made me get myself into loving hacking and network. You are amazing man!
Security is so tight now everywhere. There is nothing to hack. Hacking ended in 2000.
@@jw200 BRO THAT IS NOT TRUE WHATSOEVER
@@jw200 I can tell by your comment that cybersecurity is not for you buddy lol
Interesting. I've been getting by with wireguard via my current firewall app for my remote access needs. My needs are very simple though, since they are just for myself. I find Wireguard is very fast at establishing connections, certainly faster than traditional ipsec or ssl vpn's, though it really needs work on the UI and could use a kill switch or toggle option.
I'd certainly consider Twingate if I could host my own controllers (the part that lives outside my firewall). With the way some companies change their policies regarding their customers I'd be wary of anyone having full control over the part in the middle that makes it all work. Sure, it is VERY convenient, but that puts them in a position of power to change the deal later without consent (insert clip of Darth Vader changing the deal here). That and it is a single target for attack, and a data breach would be a big problem (it stores info about your internal network, public IPs and your users after all). Something I'll bookmark for the future though.
I personally use TeamViewer which is a paid for service and software. But I would love to see an open-source version of the software you just described. I want to host the monitoring myself so I don't have to rely on an outside company.
Excellent video! I will definitely be trying this out!
VNC is free too
+1 to those who immediately reacted to the weakness of someone else handling control of your network access. That's a huge no go, Chuck.
I loved the intro video music, was on point bro 👌
Lol, you've been hacked!
Now I wonder if my company would let me implement this…😈
I hope not lol
I don't.
@@AlfredNobel-u1u 😂😂😂
My company uses it - works great!
Bloody hope they don't. You'd have your entire career questioned if you did something so stupid.
The best "VPN" I ever did use.
Big thanks for sharing this !
I just spun up Twingate. My first disappointment is that it's in conflict with NordVPN: when I'm on the go, protected by NordVPN, and I want to connect back to my home, NordVPN suddenly turns off. So I may need to route my internet traffic through my home, where my router can be connected to NordVPN. I hope I can work around it. At least it's a nice thing to play around with. Thanks for this amazing video.
Actually on their website they list these consumer VPNs as incompatible (12th of July 2023):
TunnelBear
TunnelBlick
NordVPN
ExpressVPN
PIA VPN (Private Internet Access)
HMA VPN (HideMyAss)
Drinking coffee in a transparent cup...
You're a psychopath! What a madman! My entire body shivered when I realized that!
Is there a self hosted version of this product? It is not fully zero trust if I have to trust twingate.
The thumbnail of this vid is brilliant lmfao, I haven't laughed out loud like that in a while.
You have solved problem I've had for 12 months. Thanks so much xx
This is interesting, but why should I ditch my VPN? If I am on a "public WiFi" connection with my laptop, I want to have my WiFi connection secured using an encrypted VPN connection.
Bro out here swinging around his coffee like a baby seal. It's quite impressive how he doesn't spill it.
it just works..... whenever i hear that it brings back memories :))))
It just works!!! Installed on a Raspberry Pi 2B and it works!!!
Good Sir, you may have just solved a current issue my company is facing. The existing firewall doesn't allow granular rules for port forwarding (only forward IF FROM . This should help things SO much. Thanks for staying on top of things and sharing!
Great video man!
WTF, that's a commercial 3rd-party service and everything is closed source! Why would I ever use something like that to access my nicely private self-hosted services? Whenever possible you should avoid using 3rd-party services, and a VPN server can quickly be set up via regular port forwarding and an open-source VPN server like WireGuard.
I literally hate you networkchuck. You are making so much work for me.
"The relays, much like the controller, they're hosted inside Twingate's network so you don't have to worry about it."
It's exactly the stuff running in the cloud I worry about the most.
Personally I'm fine with 3rd party-free SSH tunnels. I just miss UDP support.
Who hit the like button at the coffee break 🤣 Just feels right. Great content. ❤
Thank you NetworkChuck! I’m still learning IT and am hoping to get a help desk job soon I love your videos and they definitely make me believe I can achieve my career goals.
Aww cute :) A desk job is getting harder to get into nowadays, so good luck. Also, your competition is mainly from Asia.
@@Bossa_Fenzi Yeah I can see that with all the remote work options that are popping up. I don’t care where my journey starts though I’ll apply for geek squad if I have to!
@@3Bajas I respect that, just keep the dream alive... Have an end goal, whether it's ending up in cyber security or as a network engineer or software DevOps; have goal posts within your goal posts, then you can ensure direction and focus... Happiness is an unsolvable equation, after all...
This is what a firewall you manage does. Literally down to the port, what they can access. I don't need a third party to manage this for me. Run your own VPN, man.
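As an added illustration of the "down to the port" point made in the comment above (this is an example configuration written for this page, not the commenter's setup or anything from the video): a self-hosted WireGuard server whose wg-quick hooks install a per-peer nftables allow-list, so a given peer can reach exactly one internal host on exactly one port and nothing else. All addresses, interface names and the table name `wg_acl` are constructed assumptions; the key fields are placeholders.

```ini
# /etc/wireguard/wg0.conf on the self-hosted VPN server (constructed example).
# Requires net.ipv4.ip_forward=1 on the host and the nft binary on PATH.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

# Build a dedicated nftables table when the tunnel comes up.
PostUp = nft add table inet wg_acl
PostUp = nft add chain inet wg_acl forward '{ type filter hook forward priority 0; policy accept; }'
# Let replies to already-permitted connections flow back through the tunnel.
PostUp = nft add rule inet wg_acl forward iifname "wg0" ct state established,related accept
# Peer 10.8.0.2 may reach only the internal web server on TCP/443.
PostUp = nft add rule inet wg_acl forward iifname "wg0" ip saddr 10.8.0.2 ip daddr 192.168.1.10 tcp dport 443 accept
# Peer 10.8.0.3 may reach only the NAS on TCP/445.
PostUp = nft add rule inet wg_acl forward iifname "wg0" ip saddr 10.8.0.3 ip daddr 192.168.1.20 tcp dport 445 accept
# Everything else arriving from the tunnel is dropped and logged for review.
PostUp = nft add rule inet wg_acl forward iifname "wg0" log prefix "wg_acl drop: " drop

# Tear the table down with the tunnel so no stale rules linger.
PreDown = nft delete table inet wg_acl

[Peer]
# Laptop user: cryptokey routing binds this key to exactly 10.8.0.2.
PublicKey = <PEER_A_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

[Peer]
# Backup client: bound to 10.8.0.3.
PublicKey = <PEER_B_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.3/32
```

The reason the source-address matches in the nft rules can be trusted is WireGuard's cryptokey routing: a packet decrypted under peer A's key is only accepted if its inner source address falls within that peer's `AllowedIPs`, so a /32 per peer turns the tunnel IP into an authenticated identity that the firewall can then authorize per destination and port. Check the result with `nft list table inet wg_acl` after `wg-quick up wg0`, and watch the kernel log for the `wg_acl drop:` prefix to see what a peer attempted beyond its allow-list.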
Finally a great thumbnail for your video.