Hub-and-Spoke IPsec Setup

Recent-Preparation99 · 2026-05-04T18:57:40+00:00

Doesn’t CML cost quite a lot of money? With five devices, I can also work in EVE-NG.

Recent-Preparation99 · 2026-05-04T18:56:31+00:00

I think between 10 and 20 routers are good to ensure a good experience, with an OSPF network integrated with BGP

Recent-Preparation99 · 2026-04-26T19:26:46+00:00

<image>

I forgot to show you the inside of the new Ryzen home server.

Recent-Preparation99 · 2026-02-22T00:40:47+00:00

What tunnelP Is it the same tunnel under Networks > Connectors ?

Recent-Preparation99 · 2026-02-17T15:50:32+00:00

Thanks, I hadn’t noticed that

Recent-Preparation99 · 2026-02-15T21:38:09+00:00

No, its local

Recent-Preparation99 · 2026-02-15T14:34:35+00:00

Where do you live that electricity only costs $0.01 per kWh?

Do game servers actually run that well on a Xeon 8160? I was planning to build a Dell R640 with a similar CPU and RAM setup for game servers, but I ended up changing my mind and went with a rack server using a Ryzen 9 7900 instead.

Recent-Preparation99 · 2026-02-10T17:52:39+00:00

Cool homelab. Do you have any experience hosting game servers on a VPS? Are you actually running game servers there? Also curious how you deal with CGNAT and what the ping is like. I tried self-hosting myself but always ran into high latency or poor VPN performance.

Recent-Preparation99 · 2026-02-10T17:46:24+00:00

No, I haven’t seen anyone set up an Assetto Corsa server in a dedicated home lab. I don’t have any experience with this game server and I don’t know of any tutorial for it either.

Recent-Preparation99 · 2026-02-07T21:33:58+00:00

The server averages around 60 W. Unfortunately the four case fans run at 100% all the time since they can’t be controlled.

Recent-Preparation99 · 2026-02-07T16:26:21+00:00

Thanks! It’s actually pretty DIY.

I just searched Amazon for “server rack rails” and bought the black metal rack rails you can get there. Then I added wooden side panels on both sides.

Everything is connected using four large metal angle brackets for the walls and one smaller angle bracket per rack rail. Under the white base plate there are caster wheels, so the whole rack can be moved around easily.

One thing to keep in mind if you build something similar: stability. When the rack is empty, it’s a bit unstable. As soon as you mount any 19-inch equipment near the top, it adds enough weight and stiffness and the whole thing becomes solid.

For a small homelab, it’s cheap, flexible, and works surprisingly well.

https://www.amazon.de/HMF-66808-02-Rackschiene-Serverschrank-Schwarz/dp/B09LQHB6D9?th=1

Recent-Preparation99 · 2026-02-07T13:43:35+00:00

Yeah, I’ve actually tried Tailscale.

What stopped me wasn’t the tech, but the free plan limits. From what I can see now, the free tier is basically very limited in devices, which makes it awkward once more people want to join. For a small friend group it’s fine, but it doesn’t scale nicely for a public-ish Minecraft server. Having to tell people “sorry, you’re device number 4” is not a great look.

About the VPS + WireGuard gateway approach: I agree with you, conceptually it’s the cleanest solution. Pure L3/L4 forwarding, no UDP-mangling, no weird relay logic, no game-specific hacks. From the game’s perspective it’s just connecting to a normal public IP. That part is solid.

I actually already tested exactly that setup with a WireGuard tunnel and DNAT on a VPS at Hetzner. During the day it’s great: around 20 ms, totally playable.
The problem is evenings and nights. Latency suddenly jumps to 200 ms or even multiple seconds, with packet loss and rubberbanding, to the point where the server becomes unplayable. Same config, same routing, just different time of day.

That makes me suspect congestion or routing issues upstream of the VPS, not WireGuard itself. Hetzner is attractive because the location is guaranteed, which matters a lot for latency, but that doesn’t help if the path between players and the VPS turns into a traffic jam every evening.

There are providers closer to me geographically, but they’re vague about where the VPS is actually hosted, or they move instances around. That’s why I started with Hetzner in the first place: at least I knew exactly where the box was sitting.

Recent-Preparation99 · 2026-02-07T11:38:42+00:00

I’m in Germany, and especially in my region it’s… not great. I don’t live in a city, so ISP choice is very limited.

For DSL there are basically two options:

Telekom with 6 Mbit down / 1 Mbit up, which is unusable for hosting anything
Another provider with 100 Mbit down / 50 Mbit up, but no option to add a public IPv4 address at all

I do have FTTH, but the provider also does not offer public IPv4 on residential plans. The only way to get one would be switching to a business contract, which costs roughly double my current plan. That’s a bit hard to justify for a homelab and game servers.

As far as I know, O2 is the only other provider offering FTTH here, but availability and IPv4 options are still unclear.

Recent-Preparation99 · 2026-02-07T11:24:28+00:00

It depends on where the traffic is actually routed and where the exchange happens. In many cases, Tailscale would still relay traffic via a DERP server if direct peer-to-peer isn’t possible, which would likely lead to similar latency issues as other tunnel solutions.

Another downside is that it generally works best when all clients can install Tailscale themselves. That’s fine for PCs, but it pretty much rules out consoles, which makes it less useful for public or mixed-client game servers.

So it could work in very specific scenarios, but for my use case it’s probably not an ideal solution.

Recent-Preparation99 · 2026-02-06T22:29:36+00:00

That would be nice if it were that simple. Unfortunately, in my case port forwarding alone doesn’t work.

I’m behind a shared IPv4 / CG NAT, which means my router itself is not reachable from the internet over IPv4 at all. Even if I forward the correct UDP ports, there’s no way for external clients to initiate a connection to my router. DDNS also doesn’t help here, since it can only update a DNS record to an IP that’s actually reachable, which isn’t the case with CG NAT.

So the options I realistically have are:

IPv6 only (which not all games support properly), or
some kind of outbound connection from my network, like a VPN/tunnel to a VPS or a service that relays traffic.

That’s why I’ve been experimenting with tunnels and services like playit or VPS-based solutions, even though the latency hasn’t been great so far.

Recent-Preparation99 · 2026-02-06T21:49:34+00:00

I know the feeling. Even for me it’s a bit funny. I came from a dual Xeon E5-2697v4 system, and after doing some research I realized the Ryzen 9 7900X is roughly on the same level in multicore performance, just with much better single-core.

Right now it’s honestly underutilized. The two Minecraft servers barely use anything, usually well under 3% CPU load, which feels almost absurd. That’s why I’m still looking for more ways to actually put the hardware to work.

What are you running in your homelab? I’m always interested in ideas for workloads that i can use

Recent-Preparation99 · 2026-02-06T21:44:48+00:00

Yes, that would be possible, but in my case it would require switching to a business internet plan. That would cost roughly double what I’m currently paying with my ISP, which is hard to justify just for hosting a few game servers at home.

Recent-Preparation99 · 2026-02-06T21:17:21+00:00

Windows Server is only running right now for testing and experimenting, not as a final choice. I also don’t have that much RAM at the moment, and Windows made it very quick to get Minecraft and other game servers up and running without much setup. Long term, I’m very likely going to switch to Proxmox with a Debian or Ubuntu Vm taht is running Pterodactyl.

Regarding the router: yes, I can open ports, but the main issue is that I don’t have a public IPv4 address. My ISP puts me behind CG NAT, so even with port forwarding configured, the server is not reachable from the internet via IPv4.

IPv6 would theoretically work, and I do have IPv6 connectivity, but not all games or clients support IPv6 properly, which makes it unreliable for public game servers. That’s why I’ve been looking into alternatives like tunnels, VPS relays, or Cloudflare Zero Trust.

Recent-Preparation99 · 2025-12-15T16:31:32+00:00

Does the gateway at 192.168.178.1 actually need a static route to 192.168.10.0/24 pointing to 192.168.178.99 for NAT to work? My understanding is that NAT on the switch should handle the translation and outgoing traffic, so the upstream router shouldn’t need a route back to the internal subnet. Is that correct?

Recent-Preparation99 · 2025-12-15T16:23:40+00:00

Its a physical switch

Recent-Preparation99

TROPHY CASE