STOP using VPN, embrace Zero-Trust networking!

Поділитися
Вставка
  • Опубліковано 26 гру 2024

КОМЕНТАРІ • 277

  • @urzaaaaa
    @urzaaaaa Рік тому +241

    "Stop using VPN and instead embrace this corporate commercial solution where you depend on third party infastructure." should be the title of this video. Let's be hones, this is advertisement, for commercial product, there is nothing wrong with VPNs.

    • @urzaaaaa
      @urzaaaaa Рік тому +30

      Really thinking about unsubscribing.

    • @redlinejoes
      @redlinejoes Рік тому

      That is partially accurate. I would have to disagree because there's a lot wrong with how VPNs get configured. The trust model is broken and VPNs are included in the inherent trust model. Zero Trust, not this fake zero trust from Twingate, but real self managed Zero Trust like application embedded Zero Trust from OpenZiti is necessary.

    • @christianlempa
      @christianlempa  Рік тому +23

      It is advertisement, but the ZTNA concept is relevant regardless of the product or service that’s shown in the video. Feel free to do whatever you want, but I hope you reconsider unsubscribe :)

    • @eaglefn4918
      @eaglefn4918 Рік тому

      You are completely right! This concept is stupid. Do not trust third party infrastructure. Of course, it is free and fast. Otherwise nobody would use it.

    • @r4ymaster
      @r4ymaster Рік тому

      ​@@urzaaaaaexactly this, me too, I would rather host my own vpn and not depend on some *insert flavor of the month* cloud solution.

  • @ImARichard
    @ImARichard Рік тому +265

    While I can appreciate the tech, for me, it seems like opting to use a third party service over a self managed VPN connection is just not better. It opens up another attack vector that you have no control over. You have to trust that the third party service, Twingate in this case, never makes a mistake. Hell, they don't even have to make a mistake, they just have to become a juicy enough target to be attacked by a good enough adversary and you become collateral damage.
    From a self hosting perspective one of the largest motivations to do it, aside from learning, was to stop depending on third party services because of how often they become compromised, or accidentally leak your data. VPN isn't a perfect solution of course, but routing all your access through a third party is not better, just different.
    I realize this is an advertisement but even still compared to your other sponsored videos this felt more like an empty marketing pitch than a video about cool technology.

    • @matt2817
      @matt2817 Рік тому +4

      Agreed. Twingate would become a target at some point. Clearly, Twingate would isolate each customer's service/resources but depending on what the attackers have access to (e.g. internal services, customer support tools), compromising Twingate customers might be trivial.

    • @EzhegAB
      @EzhegAB Рік тому +2

      Completely agree, 100%. Nothing exciting, but the beginning of the video was very intriguing.

    • @IngleseAngel
      @IngleseAngel Рік тому +1

      why are you using a similar profile picture than me? why?

    • @RAZR_Channel
      @RAZR_Channel Рік тому

      The methodology ( Zero-Trust ) itself is an contradiction… if we are going to bring trust down to absolute 0-Zero : that would include : TwinGate … which will probably fall in line with historical scandals such as Watergate / PizzaGate / Enron / Theranos. that aside this is a brutally overt 23 minute… pounding infomercial. Yet, I have a far better solution : tiny… Classified… Ads…

    • @farmeunit
      @farmeunit Рік тому

      The thing to remember is that they have teams of people working on their product versus some guy who’s job isn’t just security or VPNs. They likely have multiple jobs and simply can’t focus on everything at once. Not to mention budget, etc..

  • @GrishTech
    @GrishTech Рік тому +71

    I understand this is a sponsored video. I think the general audience will appreciate a follow up video comparing all the various solutions out there, such as zerotier, Tailscale, tinc, and why would you choose one over the other.

  • @Felix-ve9hs
    @Felix-ve9hs Рік тому +23

    So ZTNA is basically a VPN, but with all the hard work already done for you (dynamic dns, vpn server, firewall/nat rules) and the added ability to have security policies and policy enforcement.
    Authentication (strong password, certificates, 2FA) and authorization (firewall rules allow you to minimize what a VPN client has access to) are already there with VPN.
    ZTNA is something that sounds really nice for a corporate environment where users and resources are constantly changing.
    For a home lab or home network however, most users and services are pretty static, and having to trust and maintain the ZTNA service is just not worth it for me.

    • @peterbean410
      @peterbean410 Рік тому +2

      yeah, the whole thing ZTNA vs VPN is just BS really.

  • @THEMithrandir09
    @THEMithrandir09 Рік тому +41

    Non-opensource is such a big turnoff though..

    • @Felix-ve9hs
      @Felix-ve9hs Рік тому

      Zero Trust Network Access is really great ... unless when you don't know if you can trust the ZTNA provider.
      Just because a lot of big companies are using something, does not make it secure (remember SolarWinds?)

    • @LampJustin
      @LampJustin Рік тому +2

      Yeah totally and they don't even seem to support IPv6. At least their website doesn't hand out a Quad-A record. So much on them claiming to be the future

    • @Felix-ve9hs
      @Felix-ve9hs Рік тому

      @@LampJustin In their forum twingate said that they want to roll out IPv6 in the next release of the client, what was 3 months ago.

  • @matthiasbenaets
    @matthiasbenaets Рік тому +56

    I might be talking to a wall but whatever, and who asked? but... 4 out of the 5 latest videos have been just full video ads. I can't take any of the information provided at face value or serious in these case. especially since you try to educate in then. unsubbed for now. but I do appreciate the transparency.

    • @christianlempa
      @christianlempa  Рік тому +5

      Thanks for addressing this, I'm sorry you feel that way. I hope to have soon some changes in place that would bring you back to the channel.

    • @tuqe
      @tuqe Рік тому +4

      @@christianlempaI don’t mind when part of the video is sponsored, like “here is how you do this complicated thing that is a standard, then here is an open source package that is fine, and here is a shiny package that has a bunch of features (that just happens to have enterprise pricing)”

    • @PontschPauPau3451
      @PontschPauPau3451 Рік тому +3

      It happened to Nick Chapsas, the C# UA-camr, too. At one point not too long ago every single video of his was an ad about AI and some service his users should subscribe to. It's gotten to the point where even once-lauded UA-camrs like these are just becoming typical "influencers" that just shill products. I've unsubscribed as well.

    • @kice
      @kice Рік тому

      In my opinion, anything can be fully self-hosted, it will be fine to take the money. Because for us, end users, we don’t want to depend on a not proven technology. Also SaaS startups can only survive by targeting enterprises, not us.

  • @yaroslavurshu2732
    @yaroslavurshu2732 Рік тому +29

    It is ADs?

  • @jaxxarmstrong
    @jaxxarmstrong Рік тому +96

    The whole goal to get more secure is to actually minimize the use of 3rd party solutions where you have no real control how your data is being handled or monitored. In this case a self-hosted VPN solution would be much more secure, even if it involves opening up a firewall port for it. You know better, Christian. This pure advertisement hurt your image more than you'd like.

    • @canadianwildlifeservice8883
      @canadianwildlifeservice8883 Рік тому +4

      I also think the message here was that a self-hosted VPN can be more secure if you know what you're doing. But having to create a plethora of firewall rules, VLANS, ect. is a a lot of work. Basically these cloud services create a backdoor to your home network. I mean, whether something is a cloud service, or a remote access trojan is purely based on how it's used and by whom. I personally would not feel comfortable with a backdoor being planted on all my devices just so I can access them "securely". But of course it's not really a backdoor, but a cloud tunnel, but it's really just semantics at this point..

    • @Gnanmankoudji
      @Gnanmankoudji Рік тому +10

      I confess I'm rather confused by all this Zero-Trust concept. If the principle of Zero-Trust is to add layers where you have to add another trusted third parties, there's something I don't understand.
      My VPN runs by myself, and I already have to trust the code, which may be open source but isn't infallible, and I also have to trust the hardware that runs it, which isn't infallible either, but it's the best I can do to accept a minimum number of trusted third parties.
      Zero-Trust just seems like a marketing term to me since it is often used by third parties that you have to trust...

    • @B20C0
      @B20C0 Рік тому +3

      @@Gnanmankoudji Zero trust done right is essentially just an added layer of security. You just mistrust devices and users in general no matter the network and implement solutions like MFA, enforce devide policies etc.
      There's even self hosted open source solutions for that. But you are right, it has become a buzz word of some sort. The underlying principles should be common sense by now.

    • @giux900
      @giux900 Рік тому +1

      openvpn runs wuth no port open on 1194, there is a dedicated tls-auth channel that reply only to authenticated packets, this put your vpn port to not reply any portscan. Is just stealthed.

    • @farmeunit
      @farmeunit Рік тому

      You act like everyone that runs a home network is also a security professional…. Even “normal people” sometimes need a VPN, but aren’t experienced enough to keep it secure and functional. Not to mention easy. Look at Fortigate’s VPN vulnerabilities, for example.

  • @johndroyson7921
    @johndroyson7921 Рік тому +8

    I understand why people are upset about the title and throwing shade at VPNs. But, you clearly stated that this was a sponsored video at the beginning. Honestly, if your goal is to start a career in IT, this is exactly the kind of product to start getting familiar with in your homelab environment. There are ways to secure a VPN without 3rd party services, but this is so much more convenient and easy.

  • @GrishTech
    @GrishTech Рік тому +15

    If twingate went completely open source with their client and control server, they would have an edge over something like tailscale. Twingate ACL's seem better than tailscale though. Tailscale at least keeps their client 100% open-source, which allows alternative control servers to be developed (such as headscale, which has contributions from tailscale developers who contributed on their own time).

  • @mambo7668
    @mambo7668 Рік тому +7

    sure, rely on a third party to route your traffic can you elaborate why vpn is not secure? this looks like advertising

    • @romayojr
      @romayojr Рік тому

      there's a huge advertisement watermark in the upper right corner of the video. he eplained why vpn is not secured anymore, the time stamps have titles that will help you find it

  • @Gnanmankoudji
    @Gnanmankoudji Рік тому +11

    I wouldn't dream of using another third party to carry all my most sensitive traffic. Advanced access control is good, but not like that in my opinion.

  • @kenklak
    @kenklak Рік тому +9

    I’m fine with this being sponsored. I can easily digest this valuable information and decide for myself what to use. Thanks for the info. Some people don’t think you should be able to eat.

  • @Mr.Jean-Paul
    @Mr.Jean-Paul Рік тому +6

    I use tailscale combined with tailnet lock and headscale, everything local and secure enough!

    • @yifeiren8004
      @yifeiren8004 Рік тому

      What is the tailgate?

    • @NatalieUoker
      @NatalieUoker Рік тому +1

      tailscale and headscale, but tailgate? is this some tool/application?

    • @yifeiren8004
      @yifeiren8004 Рік тому

      @@NatalieUoker I am also wondering what tailgate is. I can't find it through google 🙃

  • @odkdsjf
    @odkdsjf Місяць тому

    I am only 4:26 into the video, but I am going to assume this is like Hamachi, Zerotier, and TailScale. While there are certain situations where I have used all 3 previously mentioned, and still use TailScale, those services are not replacements for dedicated site-to-site business VPNs.

  • @cheebadigga4092
    @cheebadigga4092 Рік тому +8

    VPN is better. You're in control.

  • @Glatze603
    @Glatze603 Рік тому +2

    @christianlempa: I absolutely share your definition of Zero Trust (07:46), unfortunately most people don't really understand it, as you can see from many of the comments.

    • @christianlempa
      @christianlempa  Рік тому +2

      Thank you for highlighting this! It's such an important concept to understand, I think that needs more videos. :D

  • @urzaaaaa
    @urzaaaaa Рік тому +24

    Twingate Controller "provided on their servers" - no thank you.

    • @josephohare007
      @josephohare007 23 дні тому

      Are the controllers and relay on public addressing with open ports to receive the inbound connection requests?

  • @canadianwildlifeservice8883
    @canadianwildlifeservice8883 Рік тому +3

    At home I use the Sophos Firewall's openVPN server. I like to think that because it's enterprise-level that it is secure. If you use a long random password, keep the opvn import file safe, and ditch the auto-created firewall rule at the top that allows the VPN users to access everything, you can create a rule that only allows the VPN users to access only hosts/IPs on your network that you allow. This is how it has been done for years. In the video he states that VPN is not secure. Did something drastically change that makes it not secure anymore or this belief just fear mongering by these cloud providers?

    • @christianlempa
      @christianlempa  Рік тому

      There are some security issues highlighted in the video. Btw at Sophos we also have a Zero-Trust Network Access Solution :)

    • @canadianwildlifeservice8883
      @canadianwildlifeservice8883 Рік тому

      @@christianlempa Yes, I have heard that it will be included in the upcoming version 20 of Sophos Firewall. I will have to read more about it. I already like the 2FA that is mandatory in the firewall webadmin. I wish the SSL VPN used it as well.

    • @Andy-jz1zw
      @Andy-jz1zw Рік тому

      ​​@@canadianwildlifeservice8883If you mean a VPN with MFA via Sophos then it can be enabled.
      Maybe this is only at the enterprise level - never touched the personal one.
      Go into the admin portal and look under authentication. You can add mfa and also configure it to work from an AD group.
      User signs in then will get a qr code then can scan - they then sign in with username, password and mfa code right at the end of the password

  • @lochmatterthierry6487
    @lochmatterthierry6487 9 місяців тому +1

    twingate client works behind CGNAT without using static IP from sim-provider?😮

  • @androidgeeking
    @androidgeeking Рік тому +1

    So this is really to hide from ISP but to access remote devices securely? I couldn't access sites from my mobile phone I blocked in my ISP's network but I could on desktop. What gives?

  • @technik3r
    @technik3r Рік тому +1

    How does it compare to Teleport? Would like to see a video on these two: Teleport vs. Twingate.

  • @HenrikLarsson458
    @HenrikLarsson458 Рік тому +7

    The main issue for me here is the words "Stop using VPN" in this ad supported video. Do you really believe that? You make viewers doubt if your advice is sincere or not. Which will hurt all of your other videos as well. No it is not better/more secure than a self hosted open source VPN, just different.

    • @giux900
      @giux900 Рік тому +1

      Agree with you!

  • @X27WCP
    @X27WCP Рік тому +4

    i pass think my selfhosted vpn is pretty safe

  • @MrMcp76
    @MrMcp76 10 місяців тому +2

    Zerotrust is the way to go. VPNs provide no protection to your network once a bad actor gets on an end-user's system who is connected to your VPN. Ask me how I know 😞
    Great video .. regardless if it is a sponsored video or not

  • @Medalavi
    @Medalavi 11 місяців тому +1

    What is the benefit of Twingate vs Tailsclae or Perimeter81 which using WireGuard Connection?

    • @christianlempa
      @christianlempa  11 місяців тому +2

      You have to compare the features and find out what's important to you. Maybe I'll make a comparison video somewhere this year.

  • @Blivius92
    @Blivius92 Рік тому +12

    Hi Chris,
    Good video en some good explanation. I’m not going to use it though, I don’t want vpn going through third party networks.
    Also reconsider your advertisements. Some videos ago you explained why not to use cloudflare tunneling, and here we are talking about vpn trough third party networks.
    Just advertise something you really stand for :-)
    Don’t get me wrong though, just a tip :-)

    • @christianlempa
      @christianlempa  Рік тому

      Thanks! I appreciate your honest feedback :)

    • @giux900
      @giux900 Рік тому

      I had same thought, very critical and useful video about cloudflare tunneling (for that video i sub this channel) and now ''hey guys let 3th party go inside your network'' just because there is a bunch of money behind. I don't like that. Never sell your criticism and well disposed suspect for the good of money.

    • @kyberorg
      @kyberorg Рік тому +1

      That's exactly what I thought.

  • @animefreaks4738
    @animefreaks4738 Рік тому

    Tailscale vs Twingate. What should I use in 2023?

  • @yerunski
    @yerunski Рік тому +4

    The whole video has a watermark 'advertisement'. I'm skipping this one.

  • @NEVSTO
    @NEVSTO Рік тому +1

    Hi Chris, can Twingate be implemented onto pfsense firewall network? Thank you.

  • @DJRhinofart
    @DJRhinofart Рік тому +4

    A properly configured VPN implementation will have VPN clients come into a "Grey Zone" subnet, and then firewalls between the Grey Zone, and the Internal resources. Firewalls are not just for the Edges of the network. At my day-job we have probably around 100 Firewalls throughout our Corporate Network. Also between the Corporate, and High Security networks have different brand Firewalls.

  • @0ChAnTi
    @0ChAnTi Рік тому +2

    Hi Christian, for corporate environment and their employee user/devices this solution seems to provide nice features.
    But I see issues in other when service owner and user/device are not in such relation.
    I think you fall short to explain some details, from my point of view:
    - What about clients from coporation networks with equal high security structures?
    - Any user/client device needs to install the Twingate software as it seems to get access?
    - What are the requirements for the the clients at all?
    - Is a connection without the twingate agent possible?
    I am with you regarding the "least privilege principle" approach.
    And a session MFA authentication would allow me to verify the person,
    but to press a person to give up the freedom of device choice , I don´t see.

    • @christianlempa
      @christianlempa  Рік тому +2

      You always need to do a proper evaluation, if the solution is a good fit. The main goal of the video was to explain the differences between VPN and ZTNA, and how to easily implement this strategy with twingate.

  • @EnterTheVoid-
    @EnterTheVoid- 8 місяців тому

    Bro, you lost me at minute 15:50... Where did the linux come in ? Im on gaddam windows. Also what is vs code? Is It compatible with windows?

  • @blakrj
    @blakrj Рік тому +5

    @christianlempa - Perhaps you can provide an overview of your infrastructure setup? Simply picking 'frontend' in your case doesn't give much info (i.e. is this a renamed docker_default, or other custom). Can this talk to the main network? What about VLANs? In addition, how different is this to Cloudflare solution you warned about previously?

  • @ewoks42
    @ewoks42 2 місяці тому

    what about exit points? can twingate help me avoid geoblockings that Tailscale solves?

    • @christianlempa
      @christianlempa  2 місяці тому

      You could use it this way, however it’s not a tool to avoid geoblocking. It’s a tool to secure remote access to infrastructure

  • @royitoroy
    @royitoroy Рік тому +1

    chris very good video thanks! i have a question i have a cgnat and i have my wordpress landing pages and many of my services exposed on the internet and for that i use a vps in linode with a wireguard and a nginx so; with this twingate i could expose my landing pages and services without using the vps nor wireguar nor nginx anymore?

  • @MR-vj8dn
    @MR-vj8dn Рік тому

    But why would you choose to use this service in the first place? I don’t get what it solves or even offers that isn’t there already, but with a proven track record.

  • @davidgadam
    @davidgadam 9 місяців тому +1

    It would be good if there is a demo show how to set up a DNS name, instead of ip address.

    • @christianlempa
      @christianlempa  9 місяців тому +1

      Good idea, maybe I'll cover DNS in a future video!

  • @joaopedroalbernaz
    @joaopedroalbernaz Рік тому

    Hey, there's a video on my 24 min AD, what's up with that?

  • @eaglefn4918
    @eaglefn4918 Рік тому +4

    I can not believe, that this is your opinion. You put a third party trojan in your network and explain it like the best thing ever. Did you watch this video yourself before publishing it? 😢

  • @milosand
    @milosand Рік тому +1

    What's the diference with cloudflare Zero trust? You have a video about the security issue of this service.
    Thanks for your videos.

    • @christianlempa
      @christianlempa  Рік тому +3

      There will be a comparison video in the future, just takes some time to prepare it

  • @danielberglv259
    @danielberglv259 Рік тому +3

    Seams awsome, but sadly like so many other services the client for Linux is something that seams to have been put together by an intern during a 30 minute break. It's always the same. Either a Linux client is missing or it may as well be. VPN may be an old way of doing this, but at least it has wide and tested platform support.

  • @Anavllama
    @Anavllama 2 місяці тому

    Why not use zerotier,,,,,,,,,,,,,,, if not using wireguard ???

  • @steveyg777
    @steveyg777 8 місяців тому

    Can you recommend a more zero configuration solution like twingate for normal people like myself who don't understand all the programming/Linux/docker garbage please?

  • @heaton922
    @heaton922 Рік тому

    anyone can use custom dns - pihole as DNS filter? I tried that is not work. going back tailscale

  • @yuanyowwu
    @yuanyowwu 5 місяців тому

    Thanks for info. Pretty cool concept.

  • @ilovestitch
    @ilovestitch Рік тому +2

    It sounds like this is a tool used for correcting issues caused only by verrrrryyyy poorly deployed VPNs and poorly configured firewalls...
    too much reliance on external servers, closed source, etc...'zero trust' just means 'trust us/our servers with all your data throughput' in this case. same issue with tailscale

  • @DigiDoc101
    @DigiDoc101 Рік тому +1

    My main problem with this product is that their android/iOS apps suck. I'll have to sign in every time I disconnect. With tailscale, it is a click away to toggle on/off. Very annoying!

  • @AnFv86
    @AnFv86 Рік тому

    Has anyone tried to use the alias instead of the IP? I can't get it to work and I can't understand why.

  • @hackingit
    @hackingit Рік тому

    It is secure alternative to VPNs.
    These days I am looking for VPNs that are undetectable by websites. I am trying to earn from microtasks but that is region specific and VPNs don't work.
    Can you suggest a solution?

  • @muralimenon2681
    @muralimenon2681 Рік тому +3

    With a VPN the client does not get access to all internal resources. You can configure so only a subnet or specific servers are accessible!

  • @chrisumali9841
    @chrisumali9841 9 місяців тому

    Thanks for the demo and info, have a great day

  • @davidiamyou
    @davidiamyou Рік тому

    So is it just another Tailscale/Headscale?

  • @gabe_0x
    @gabe_0x Рік тому +1

    If it's not free and open-source, then it's a waste of everyone's time.
    I'm happy to pay for bandwidth and hardware, but I will never trust a company with protecting my data.

  • @ask_carbon
    @ask_carbon Рік тому +2

    Yea its a dislike from me.
    A bit disappointed too.

  • @keywal
    @keywal Рік тому

    The 2 device limit put me off this for the home lab.

    • @DominatorIII
      @DominatorIII Рік тому

      Where do you see a 2 device limit?

    • @keywal
      @keywal Рік тому

      ​@@DominatorIII Settings > General...
      2 devices per user
      Upgrade to Teams for 5 devices per user

  • @aelidrissi3584
    @aelidrissi3584 Рік тому +2

    We understand that ads are okay but please keep the good work on home lab / open source / learning / diy / fun. I have the feeling that this channel is drifting. Hope I am wrong.. and sorry if this was rude to say..

    • @Kevin-oj2uo
      @Kevin-oj2uo Рік тому +1

      Yeah it seems like UA-cam ads are not paying enough so they have to start accepting these sponsor videos. I don't like this trending because eventually it will become just for profit like Linus tech tips. I will prefer a video every month as an enthusiast.

    • @christianlempa
      @christianlempa  Рік тому

      I’ll release a video later this day to talk about some of this, hope that gives you some clarity on the topic.

  • @ashfaaqahamed3902
    @ashfaaqahamed3902 Рік тому +1

    Make video on elastic search deployment on kubernetes

  • @Glatze603
    @Glatze603 Рік тому +2

    @ALL: Self-hosting is a trend on a private level. Companies are now moving more than ever to the cloud and are therefore dependent on other companies (see Microsoft). Personally, I'm also a fan of hosting as many services as possible myself, but solutions like those from TG or CF are no less secure - on the contrary. The “big” companies in particular are in the spotlight and can least afford security breaches or poorly programmed security solutions. As far as these approaches are concerned, I believe that this solution is currently at the forefront when it comes to security and integrity.

    • @christianlempa
      @christianlempa  Рік тому +2

      Well said! As much as the self-hosting fans dislike security services... That's what the big boys use ;)

    • @mindenesvegyes8512
      @mindenesvegyes8512 Рік тому

      @@christianlempa aha.. said this after the big boys like lastpass hacked more times in row... don't be arrogant ;) I like your channel and learnt a lot but if you continue this "money hungry bitch" behavior and sell your soul for money (sponsors), instant unsub.

  • @dotcaodin
    @dotcaodin Рік тому +5

    That's so nice!! Thank you for sharing. I don't understand the complaint about Ads videos once they still bring value to the public. Sincerely, people are focus on bad things only.

    • @christianlempa
      @christianlempa  Рік тому

      Thank you 😊

    • @lukasyelle4708
      @lukasyelle4708 Рік тому +2

      @@christianlempa I agree, I like seeing the tech regardless if it’s an ad or not! Keep up the great work Christian! Quality content as always.

  • @freestudymusic550
    @freestudymusic550 10 місяців тому +1

    Nice video😊

  • @ebiscaia
    @ebiscaia Рік тому

    Hi Christian,
    This is unrelated with the video, but as I know you self-host docker applications in your homelab, I would like to know how you deal with sqlite and multiple replicas. I followed your video about storage in Kubernetes and I am having issues with the database.
    Thanks.

  • @klausdieter8283
    @klausdieter8283 Рік тому

    I dont get it :/ is the data between the connector and client encrypted? how will the firewall work with encrypted data?

    • @christianlempa
      @christianlempa  Рік тому +1

      It is, the firewall will most likely just forward it because the connection is initiated from inside the network.

  • @giux900
    @giux900 Рік тому +3

    not a good way to sponsor! I liked the clouflare tunneling considerations and the basic criticism that should permeate everything in IT. So the balance about risk/benefit should be our thought, not the title of your video! You should never say stop using vpn. Openvpn is a 21year old protocol full audited with with also hardened versions and widely used worldwide. Is just secure as should be. So, talk about the main point. What is more zero trusted? A self hosted opensource service with user in full control, or a corporate service with closed source software running inside your house? you cannot deleted this comment.

  • @tylersmith8662
    @tylersmith8662 Рік тому +1

    im curious how you come to the conclusion that "VPN is no longer secure"

  • @AbdulWahid1st
    @AbdulWahid1st Рік тому

    I have a different opinion regarding vpn not secure, especialIy in what u said about ‘client is trusted as part of intranet’. I think vpn is only as secure as how we secure our vpn servers. We should always expect many outside traffic coming from the vpn server, and configure our firewall accordingly. Most of all, aside from network provider, all my data and authentication are transmitted through my own servers.
    Don’t get me wrong, I love this zero trust concept, and I am using cloudflare tunnel, which I think exactly the same as what twingate doing, maybe, cmiiw. Which is my daily alternative to my vpn. And in terms of speed, I didn’t notice any differences, definitely depending on usage, whether to ssh or stream jellyfin.
    So which one you like, controlling access via your own firewall, or zero trust provider’s controller or dashboard or whatever.

  • @schossel
    @schossel Рік тому +3

    This is within some of the worst videos on this channel. Explaining that using a third party server is more secure than your own VPN. Come on. It took me a few minutes to recognize that this whole video is an ad. This happened a few times now with these videos. I'll give you a last chance because mostly I like your channel, but if this is the way it'll be going in the future then I'm gone.

  • @mvaldes
    @mvaldes Рік тому +107

    This is an ads channel now 😂

    • @christianlempa
      @christianlempa  Рік тому +14

      😢

    • @nicholasbackwell1869
      @nicholasbackwell1869 Рік тому +21

      @mvaldes - I presume by that comment you don't run your own business.
      I can understand as a consumer why you might feel that way but as anyone in the IT industry might be able to observe, the world is constantly changing and learning theory only goes so far when it comes to tech. I'm sure Christian does a lot of testing and quality control to make his videos which is why he's a popular UA-camr which is more to say then you or me.
      I'd also like to point out I'm not the only enthusiast that simply likes shiny new toys/tools/equipment... Only examples but any enthusiast in automotive buying car parts or tradesman buying Milwaukee, Klein or whatever else you fancy I'm sure can understand.
      As anyone who gets up everyday to make a living for themselves why wouldn't you want to get paid for your work? I mean unless your sponsoring Christian?

    • @immortalmyth5685
      @immortalmyth5685 Рік тому +5

      Getting money from youtube or your works always is a nice thing. If no one donate or sponsor him how can he keep up this channel?
      But i would like chris give some caption or tell about sponsor. So i can decide to watch to the end of video or not

    • @nicholasbackwell1869
      @nicholasbackwell1869 Рік тому

      ​@@immortalmyth5685 there's an "advertisement" disclaimer in the top right corner of the video and he mentions the video was made possible because of Twingate at like 45 seconds into the video.... it's about as much notice as you get from a coffee cup "Caution! It's hot"

    • @Andy-jz1zw
      @Andy-jz1zw Рік тому +7

      What's wrong with ads?
      It's relevant with the content and I would've thought for most of us, its fun to play about with this stuff.

  • @MrZiemwit
    @MrZiemwit Рік тому +4

    so basically its worst zerotiier/tailscale

  • @MarkoKukovec
    @MarkoKukovec Рік тому

    What is the proper ways to secure tokens in the production? How do you not store them in clear text? I mean in the compose we can use environment variables defined in the .env file, but again, variables in .env are stored in clear text. Security in this way is acheaved by who exactly can read .env file. What is better solution? How to encrypt them and decrypt on the fly? You have to put description key somewhere. Thank you for all the help and hints I'll receive on this question.

    • @christianlempa
      @christianlempa  Рік тому +1

      There are multiple options, I'm still evaluating some for me. Currently, I'm using just environment variables that I pass through the session when I need them, but apparently it's not very convenient. Don't worry, I'll add this topic to the list of videos I'm going to do in the future!

  • @markandrow4010
    @markandrow4010 Рік тому

    Great and thanks.

  • @SHSolutions
    @SHSolutions Рік тому

    Wir nutzen Zscaler. Aus Anwender Sicht, welcher produktiv arbeiten soll, ziemlich lästig und kontraproduktiv…. 👎🏻

  • @MrBarto95
    @MrBarto95 Рік тому

    Maybe test netmaker or netbird

  • @ITViking
    @ITViking Рік тому +1

    "Client is trusted as part of the internal network"
    No they are not Plenty of classic VPNs have rules to allow specific users or user groups access to only the IPs and ports you specify, AND can enforce rules like active firewalls, valid device certificates etc.
    The whole Zero Trust bs is confusing because it talks about classic VPN in a way that is often simply not true.

  • @YannMetalhead
    @YannMetalhead Рік тому

    I know it's a sponsored video so I won't complain, but no way I would use something like that.

  • @Glatze603
    @Glatze603 Рік тому +1

    Hi Christian, even if you can't host it yourself, it offers some very good and important approaches towards Zero Trust! Used correctly (at least 2 docker containers - as lxc and distributed across 2 of 3 Proxmox nodes, in a DMZ with dedicated firewall rules towards LAN networks and the Internet) this is a really good and secure solution for accessing services in your own area access homelab. Thank you for your time and this video 🙂

    • @christianlempa
      @christianlempa  Рік тому +2

      Thank you so much :)

    • @niro1960
      @niro1960 Рік тому

      Nope -> 3rd Party ≠ Zero Thrust.
      Opens-> New attack vector.

    • @Glatze603
      @Glatze603 Рік тому

      @@niro1960 Please find out in more detail what zero trust means!

  • @quangnam10
    @quangnam10 Рік тому

    i think it look like tailscale

  • @igordokic
    @igordokic Рік тому

    Hey Christian, what is better in your opinion: Twingate or Tailscale?

  • @icheema3671
    @icheema3671 Рік тому +1

    all the issues highlighted with vpn in this video are quite easy to address.

  • @milutinnikolic7681
    @milutinnikolic7681 Рік тому

    I did this deployment for about 5-6m ago. Working perfect for me.

  • @Douglas_Gillette
    @Douglas_Gillette Рік тому +2

    ‘Zero trust’ is marketing BS. It is simply implementing least privilege and re authentication after a period of time. This has been a common and valuable security strategy for a very long time.

  • @theosky7162
    @theosky7162 Рік тому

    Cloud shall NOT touch my data.

  • @bastelwastel8551
    @bastelwastel8551 Рік тому

    Yeah, no thank you.
    I roll my own solution that i have full control over.
    Outsourcing your security is not my thing, but nice that you get some ad money

  • @romayojr
    @romayojr Рік тому +1

    this is good stuff. i’m interested in implementing this in my homelab environment. do you know what the upload limitations are for the free version? i want to use this as a proxy to my nextcloud instance.

    • @christianlempa
      @christianlempa  Рік тому +2

      Since the traffic is not flowing through their services there’s no other limitation than the ISP on client/server

  • @LMLecho
    @LMLecho 6 місяців тому

    Unless im missing something or this was baked in after the fact....it clealry days "Advertisement" top right 🤷‍♂️🤷‍♂️🤷‍♂️

  • @trendingtopicresearch9440
    @trendingtopicresearch9440 Рік тому +1

    Yes, give a company access to your LAN. What could go wrong.

  • @jimmayx
    @jimmayx 11 місяців тому

    My question is: as the admin to all the internal services, I would need access to virtually everything. So with a giant winner-takes all account, how are these more secure from an account hijack? Assuming the bad actor meets the basic security requirements and gained access to my account managing my homelab, how am I safer?

  • @redlinejoes
    @redlinejoes Рік тому

    Please go read Project Zero Trust by George Finney.

  • @RubenMPSRZ
    @RubenMPSRZ Рік тому

    Skynet was the name of my wifi since I was living with my parents. 🤣

  • @gerbrand5980
    @gerbrand5980 Рік тому +1

    Yeah, this is just simply a bad video. Instead of bashing VPN's, you should advertise it as a cool alternative. This should avoid most controversy that you're seeing now in the comments.

  • @80robina
    @80robina Рік тому

    Mate, I'm noooo way trusting a cloud service to VPN in my own network, I would rather self host all myself like I do wireguard and openvpn on my opnsense firewall

  • @MyAeroMove
    @MyAeroMove Рік тому

    We are so worried about security and so bored managing VPN... So, we are outsourcing whole corporate entrance gates to some ... company because ... it's based in US 😂
    Please get back that old level of quality to your videos. I'm really missing it.

    • @christianlempa
      @christianlempa  Рік тому +1

      Don't worry, I'll address some of the concerns in a special video today, we'll get back to it!

  • @altaccount648
    @altaccount648 Рік тому +1

    I would *never* ditch VPNs for important services on my server.
    Corporations can beg me for my money some more. Thanks, but no thanks.

  • @rushank2112
    @rushank2112 9 місяців тому

    I would have not promoted this. Thanks for the efforts!

  • @Simonkenteriksson
    @Simonkenteriksson Рік тому

    Great video :)

  • @GottaHache
    @GottaHache Рік тому

    Not sure why all the negativity. This video is great and Twingate is awesome

    • @Kevin-oj2uo
      @Kevin-oj2uo Рік тому +2

      It's because we are trusting a third party company to access our infrastructure back home. And VPNs are not that bad or old school. Also its not the only UA-camr sharing these type of videos , so it seems twingate its filling everyone pocket with sponsors.

    • @christianlempa
      @christianlempa  Рік тому

      @gottahache thank you 😊

  • @ohiosuave
    @ohiosuave Рік тому

    PAYWALL....So I Zero Trust IT...

  • @StaffyDoo
    @StaffyDoo 6 місяців тому

    Headscale, folks.

  • @jrjrjrjdhdjs
    @jrjrjrjdhdjs Рік тому

    Dont mind the ads because he is showing us tools that can be used in IT/homelab. It would be different if he was showing something unrelated.

  • @tblds
    @tblds 11 місяців тому

    So, you can restrict routing on a vpn server instead.
    It's just another VPN solution with routing restriction.

    • @christianlempa
      @christianlempa  11 місяців тому +1

      The posture checks and policies make it superior to VPN