Skip to content

Add 'Remote Access (VPN)' user-guide page #15

Description

@mairas

Why

The dominant motivation for HaLOS's multi-hostname support is "access the device from a network other than the LAN it's plugged into" — typically over a VPN. The mechanics exist (per-hostname Authelia cookies, per-hostname OIDC redirect_uris, path-only Traefik routing), but there is no user-facing page that pulls them together into a task-oriented "I want to access HaLOS away from home" workflow. Today an operator has to read three architecture docs and a hostnames.conf comment block to assemble the picture.

Proposed page

Location: docs/user-guide/remote-access-vpn.md, listed in mkdocs.yml nav after Networking in the User Guide.

Outline:

  1. Why VPN access — short framing: ssh works, but Cockpit/Homarr/Signal K behind SSO need an OIDC bounce, and the OIDC issuer is *.local by default, which doesn't resolve over most VPNs.
  2. The name-resolution requirement — the device needs at least one hostname that resolves to its IP both from the LAN and from the VPN. The page should explain why this is unavoidable (single-issuer OIDC constraint, brief) and what the failure mode looks like (browser shows DNS error when clicking Login).
  3. Recipe: Tailscale (recommended) — easiest because MagicDNS gives every device a name that resolves from anywhere on the tailnet without extra DNS setup. Worked example: install Tailscale, get halosdev.<tailnet>.ts.net, add it to /etc/halos/hostnames.conf as the first line, sudo systemctl restart halos-core-containers.service, verify by browsing from a Tailscale-connected client.
  4. Recipe: WireGuard + split-horizon DNS — for users running their own VPN. Same shape, but the user is responsible for ensuring the chosen hostname resolves on both networks (e.g., dnsmasq sidecar on the WireGuard server, internal DNS A record). Less hand-holding than Tailscale.
  5. Recipe: /etc/hosts on each client — the escape hatch. Not recommended but documented because it always works.
  6. Gotchas:
    • DoH (Firefox, mobile browsers): the browser's resolver may bypass the VPN's DNS entirely. Test from the actual client browser, not just nslookup.
    • Mobile clients on cellular: Tailscale works; raw WireGuard requires the client to be configured with the VPN's DNS.
    • mDNS does not cross VPN tunnels by default (and shouldn't be made to — mDNS reflection has its own footguns).
  7. Verifying it worksnslookup halosdev.<vpn-name> from a VPN client, then full browser login flow, then check that the URL bar stays on the VPN hostname end-to-end (not just the Authelia bounce).
  8. Reverting — move ${hostname}.local back to the first line in hostnames.conf, restart. Active OIDC sessions will need to re-authenticate (cookies are scoped to the old canonical).

Cross-links to add

  • user-guide/networking.md → "For remote access over a VPN, see Remote Access (VPN)."
  • architecture/sso.md → "The single-issuer constraint shapes how VPN access works in practice — see Remote Access (VPN)."

Out of scope (separate issues if wanted)

  • Documenting hostnames.conf syntax exhaustively (the in-file comments already do a decent job; could be promoted to a Reference page later).
  • Tailscale subnet routes vs. direct device-on-tailnet trade-offs (audience overlap is small enough to defer).

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions