geir/home-lab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
home-lab/research/SearXNG-Architecture-Comparison.md
Geir Okkenhaug Jerstad aa607747c3 feat: added basic structure for searXNG and netdata
2025-07-02 12:45:23 +02:00

405 lines
12 KiB
Markdown
Raw Permalink Blame History

# SearXNG Networking Architecture Comparison
## Executive Summary
This document compares two networking architectures for SearXNG deployment in a home lab environment:
1. **Current Architecture**: SearXNG + Tailscale VPN + Internal Reverse Proxy
2. **Alternative Architecture**: SearXNG + Self-hosted WireGuard VPN + Tailscale Exit Node
Both solutions provide privacy and security, but with different trade-offs in complexity, control, maintenance, and features.
## Architecture Comparison
### Current Architecture: SearXNG + Tailscale + Internal Proxy
```
[Client Device]
↓ (Tailscale VPN - encrypted mesh)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (HTTP proxy requests)
[Internal Reverse Proxy]
↓ (Outbound NAT to internet)
[Search Engines]
```
### Alternative Architecture: WireGuard + Tailscale Exit Node
```
[Client Device]
↓ (Self-hosted WireGuard VPN)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (Direct or via local proxy)
[Reverse Proxy as Tailscale Exit Node]
↓ (Tailscale tunnel to internet)
[Search Engines]
```
## Detailed Analysis
### 1. Privacy & Anonymity
#### Current Architecture (Tailscale + Internal Proxy)
**Benefits:**
- ✅ Complete traffic isolation within home network
- ✅ No external VPN provider sees your search traffic
- ✅ Search engines see your reverse proxy's IP, not client IP
- ✅ Tailscale encrypted mesh network for client access
- ✅ Zero-log proxy configuration possible
**Limitations:**
- ⚠️ Depends on Tailscale service availability
- ⚠️ Tailscale company could theoretically see connection metadata
#### Alternative Architecture (WireGuard + Exit Node)
**Benefits:**
- ✅ Complete control over VPN infrastructure
- ✅ No third-party VPN service dependencies
- ✅ Search engines see Tailscale exit node IP
- ✅ Full traffic encryption with WireGuard
- ✅ Open-source VPN solution
**Limitations:**
- ⚠️ Search traffic still routes through Tailscale infrastructure
- ⚠️ More complex key management and client configuration
### 2. Security
#### Current Architecture
**Strengths:**
- 🔒 Tailscale's battle-tested security (WireGuard-based)
- 🔒 Network access controlled by Tailscale ACLs
- 🔒 Internal HTTP proxy reduces attack surface
- 🔒 Service-level IP restrictions (systemd)
- 🔒 Defense in depth with multiple layers
**Vulnerabilities:**
- 🚨 Single point of failure if Tailscale keys compromised
- 🚨 Dependency on Tailscale's infrastructure security
#### Alternative Architecture
**Strengths:**
- 🔒 Self-controlled WireGuard ensures no external dependencies
- 🔒 Tailscale exit node provides IP obfuscation
- 🔒 Full control over VPN server hardening
- 🔒 Can implement custom authentication/authorization
**Vulnerabilities:**
- 🚨 Self-managed security requires more expertise
- 🚨 Manual key rotation and certificate management
- 🚨 Potential for misconfiguration without managed service
### 3. Operational Complexity
#### Current Architecture
**Complexity Level:** 🟢 **Low-Medium**
**Setup Requirements:**
- Install Tailscale on devices (simple)
- Configure SearXNG service (NixOS module)
- Configure internal HTTP proxy (Squid/Nginx)
- Set firewall rules for internal access
**Ongoing Maintenance:**
- Tailscale handles device management
- Automatic key rotation and updates
- Monitor proxy and SearXNG services
- Regular NixOS system updates
**Time Investment:**
- Initial setup: 2-4 hours
- Monthly maintenance: 30 minutes
#### Alternative Architecture
**Complexity Level:** 🟡 **Medium-High**
**Setup Requirements:**
- Deploy and configure WireGuard server
- Generate and distribute client configurations
- Configure Tailscale exit node on reverse proxy
- Set up proper routing and firewall rules
- Implement client key management system
**Ongoing Maintenance:**
- Manual WireGuard key rotation
- Client configuration updates
- Monitor VPN server performance
- Troubleshoot connectivity issues
- Maintain exit node Tailscale connection
**Time Investment:**
- Initial setup: 8-16 hours
- Monthly maintenance: 2-3 hours
### 4. Performance
#### Current Architecture
**Performance Characteristics:**
- 🚀 Single VPN hop (Tailscale)
- 🚀 Low latency for internal services
- 🚀 Mesh networking optimizes routes
- 🚀 HTTP proxy adds minimal overhead
- 📊 Bandwidth: ~95% of base connection
**Network Path:**
```
Client → Tailscale → Home Lab → Internet
(1 encryption layer, optimized routing)
```
#### Alternative Architecture
**Performance Characteristics:**
- 🐌 Double VPN tunneling overhead
- 🐌 Additional latency from two hops
- 🐌 More complex routing decisions
- 🐌 Potential bandwidth limitations
- 📊 Bandwidth: ~80-85% of base connection
**Network Path:**
```
Client → WireGuard → Home Lab → Tailscale Exit → Internet
(2 encryption layers, suboptimal routing)
```
### 5. Reliability & Availability
#### Current Architecture
**Availability Factors:**
- ✅ Tailscale has 99.9%+ uptime
- ✅ Redundant Tailscale infrastructure
- ✅ Local services independent of external connectivity
- ✅ Automatic failover and reconnection
- ⚠️ Single point of failure: Tailscale service
**Failure Scenarios:**
- Tailscale outage → No external access to SearXNG
- Internal proxy failure → No search functionality
- Home internet outage → Complete service loss
#### Alternative Architecture
**Availability Factors:**
- ✅ Self-hosted VPN eliminates external dependencies
- ✅ Can implement custom redundancy
- ⚠️ Requires more manual monitoring
- ⚠️ Two services must be operational (WireGuard + Tailscale)
**Failure Scenarios:**
- WireGuard server failure → No VPN access
- Tailscale exit node failure → No internet routing
- Either service down → Complete service loss
### 6. Cost Analysis
#### Current Architecture
**Financial Costs:**
- 💰 Tailscale Personal: Free (up to 3 users, 100 devices)
- 💰 Tailscale Teams: $6/user/month (for larger deployments)
- 💰 Infrastructure: Existing hardware
- 💰 **Total Monthly Cost: $0-18**
**Resource Costs:**
- Minimal CPU/RAM overhead
- Existing reverse proxy hardware
- No additional server requirements
#### Alternative Architecture
**Financial Costs:**
- 💰 WireGuard: Free (open source)
- 💰 Tailscale: Free for exit node functionality
- 💰 Infrastructure: Existing hardware
- 💰 **Total Monthly Cost: $0**
**Resource Costs:**
- Additional CPU for double encryption
- More complex monitoring requirements
- Higher administrative time investment
### 7. Scalability
#### Current Architecture
**Scaling Characteristics:**
- 📈 Easy device addition via Tailscale
- 📈 Automatic device discovery and connectivity
- 📈 Centralized access control via Tailscale admin
- 📈 Supports up to 100 devices on free plan
- 🔧 Service scaling through load balancers
#### Alternative Architecture
**Scaling Characteristics:**
- 📈 Manual client configuration for each device
- 📈 Custom automation required for device management
- 📈 Unlimited device support (self-hosted)
- 🔧 More complex load balancing setup
- 🔧 Requires custom device provisioning system
### 8. Compliance & Audit
#### Current Architecture
**Compliance Aspects:**
- 📋 Tailscale provides audit logs and compliance features
- 📋 Centralized access control and monitoring
- 📋 Professional support available for Teams plan
- 📋 SOC 2 Type II compliance (Tailscale)
#### Alternative Architecture
**Compliance Aspects:**
- 📋 Complete audit trail control (self-hosted logs)
- 📋 Custom compliance implementations required
- 📋 No third-party compliance dependencies
- 📋 Requires internal audit and monitoring systems
## Specific Use Case Analysis
### For Home Lab Environment
#### Current Architecture Advantages
1. **Rapid Deployment**: Get secure remote access in under an hour
2. **Family-Friendly**: Easy to add family devices without technical knowledge
3. **Maintenance-Free**: Updates and key rotation handled automatically
4. **Professional Features**: Access controls, device management, audit logs
5. **Support**: Community and professional support available
#### Alternative Architecture Advantages
1. **Complete Control**: No external service dependencies
2. **Cost**: Zero recurring costs regardless of scale
3. **Privacy**: No metadata visible to any third party
4. **Customization**: Full control over VPN server configuration
5. **Learning**: Deeper understanding of VPN technologies
### Recommended Decision Matrix
| Priority | Current (Tailscale + Proxy) | Alternative (WireGuard + Exit) |
|----------|----------------------------|--------------------------------|
| **Ease of Use** | ⭐⭐⭐⭐⭐ | ⭐⭐ |
| **Privacy** | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Performance** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Reliability** | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| **Cost (Long-term)** | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Learning Value** | ⭐⭐ | ⭐⭐⭐⭐⭐ |
| **Time Investment** | ⭐⭐⭐⭐⭐ | ⭐⭐ |
## Implementation Recommendations
### Stick with Current Architecture If
- You value simplicity and time efficiency
- You have family members or non-technical users
- You want professional-grade features without complexity
- You're satisfied with Tailscale's privacy model
- You need reliable, low-maintenance solution
### Consider Alternative Architecture If
- You want complete control over your privacy infrastructure
- You enjoy learning and implementing complex networking
- You have unlimited time for setup and maintenance
- You want zero recurring costs
- You're concerned about any third-party service dependencies
- You need to comply with strict data sovereignty requirements
### Hybrid Approach Option
A third option is to implement both architectures in parallel:
1. **Keep current Tailscale setup** for daily use and family access
2. **Add WireGuard option** for maximum privacy scenarios
3. **Use selective routing** based on security requirements
This provides flexibility while maintaining the benefits of both approaches.
## Migration Path (If Choosing Alternative)
### Phase 1: Prepare Infrastructure
1. Set up WireGuard server on dedicated hardware
2. Configure exit node functionality on reverse proxy
3. Test connectivity and performance
### Phase 2: Gradual Migration
1. Configure one test client with WireGuard
2. Verify SearXNG access and functionality
3. Monitor performance and stability
### Phase 3: Full Deployment
1. Generate client configurations for all devices
2. Distribute and configure clients
3. Decommission Tailscale (optional)
### Phase 4: Optimization
1. Fine-tune performance settings
2. Implement monitoring and alerting
3. Document procedures and troubleshooting
## Conclusion
The **current architecture (SearXNG + Tailscale + Internal Proxy)** is recommended for most home lab users because:
1. **Proven Reliability**: Battle-tested in production environments
2. **Time Efficiency**: Minimal setup and maintenance overhead
3. **Professional Features**: Access controls, audit logging, device management
4. **Performance**: Single VPN hop with optimized routing
5. **Support**: Professional support and large community
The **alternative architecture (WireGuard + Exit Node)** should be considered only if:
1. You have significant networking expertise and time
2. Complete control over infrastructure is a hard requirement
3. You want to learn advanced VPN technologies
4. You have specific compliance or sovereignty requirements
For most users, the current architecture provides the optimal balance of security, privacy, performance, and maintainability for a home lab environment.
Reference in a new issue View git blame Copy permalink