For those who self-host and use a VPN, what do you have going on?

Right now I use Tailscale to reach all my services when I’m outside my house and I pretty much keep it running all the time on my phone and laptop.

But with big companies invading our privacy and the FCC taking another turn, I’m finally thinking of trying out VPNs. The problem I’ve run into is that running a VPN with Tailscale can be tricky since Tailscale works as a VPN in its own right.

So for you self hosters using VPNs, what’s your setup?

Edit:

Wow, you all shared some awesome options, thanks for the replies. I have a lot to check out now.

I use WireGuard.

I have wg-easy set up for phones and most devices.

I also have a container ready to work as an SSH tunnel for network traffic if needed. (No password or sudo required)

Keegan said:
I have wg-easy set up for phones and most devices.

I also have a container ready to work as an SSH tunnel for network traffic if needed. (No password or sudo required)

Do you access everything through IPs, or do you have a domain name you use? I’m trying to find out how to access services behind WireGuard/Tailscale/ZeroTier without having to remember all those IPs.

@Alexis
Just get a cheap domain and set up DNS records. Cloudflare will do it for free if you don’t want to self host the DNS. No one should have to remember IPs.

Hunter said:
@Alexis
Just get a cheap domain and set up DNS records. Cloudflare will do it for free if you don’t want to self host the DNS. No one should have to remember IPs.

What do you point the DNS to? The WireGuard/ZeroTier/Tailscale IP, or the local IP of the device you’re connecting to?

@Alexis
Make records for both.

Hunter said:
@Alexis
Just get a cheap domain and set up DNS records. Cloudflare will do it for free if you don’t want to self host the DNS. No one should have to remember IPs.

Nobody should have to remember IPs.

Honestly, if you set up your IPs smartly, it’s not too hard to remember them. The bigger issue for me is usually ports.

@Ariel
Honestly, if you set your ports smartly, it’s not as hard to remember them. Please don’t stick with the default ports.

Dawson said:
@Ariel
Honestly, if you set your ports smartly, it’s not as hard to remember them. Please don’t stick with the default ports.

That’s bad advice. Security through obscurity is not real security. Learn how to secure your stuff or don’t expose it online.

@Alexis
You can use local network IPs for DNS in a domain name and have it point to devices not accessible on the internet. The DNS will work as long as your client is online and connected to the same local network.

So you can set a subdomain to lead to something like 192.168.1.103 and access your hosted dashboard with links to other services. If you’re using Cloudflare, remember to turn off proxying for that entry.

@Alexis
I use nginx proxy manager with DNS challenge because I was behind a CGNAT before. I got a domain for about $5 a year.

My router uses AdGuard which directs traffic to my nginx instance.

Keegan said:
I have wg-easy set up for phones and most devices.

I also have a container ready to work as an SSH tunnel for network traffic if needed. (No password or sudo required)

Does wg-easy support subnet routing like Tailscale?

@Tarian
How do you mean? WireGuard handles routing. Tailscale is built on WireGuard, just so you know.

Tully said:
@Tarian
How do you mean? WireGuard handles routing. Tailscale is built on WireGuard, just so you know.

That’s true, I know Tailscale uses WireGuard, but what I’m asking is how we enable subnet routing if we’re using wg-easy.

@Tarian
I had to set this up recently; it’s a standard part of getting WireGuard running on your network. You need to enable IPv4 routing. I’m not sure exactly what I did, but Googling “WireGuard IP forwarding” will get you the info you need.

@Tully
Does this guide cover what I need? https://www.stavros.io/posts/how-to-configure-wireguard/
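For reference, here is what “enable IPv4 routing” amounts to in a plain WireGuard config that exposes the home LAN to a phone or laptop. This is an added example, not config from any poster or from the wg-easy project; the interface name eth0, the subnets 10.8.0.0/24 and 192.168.1.0/24, the hostname vpn.example.com and the key placeholders are all assumptions to replace with your own.

```ini
# ---- Server side: /etc/wireguard/wg0.conf on the box at home (assumed) ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# Placeholder: generate with `wg genkey`
PrivateKey = <SERVER_PRIVATE_KEY>
# Turn on IPv4 forwarding while the tunnel is up (this is the "routing" step),
# allow forwarded traffic between the tunnel and the LAN, and NAT it out of
# eth0 so LAN devices answer without needing a route back to 10.8.0.0/24.
# Destination is restricted to the LAN so the tunnel cannot reach anything else.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Undo exactly the rules added above when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The phone; the server only accepts packets from this peer with this source IP.
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# ---- Client side: the phone's tunnel config (assumed) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <PHONE_PRIVATE_KEY>
# Optional: use the home resolver so the LAN DNS names discussed above resolve.
DNS = 192.168.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.com:51820
# Split tunnel: only the tunnel subnet and the home LAN go through WireGuard.
# Use 0.0.0.0/0 instead to send all of the phone's traffic home.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

On the client, AllowedIPs is what decides which destinations are routed into the tunnel, so the LAN prefix has to appear there too; the server-side FORWARD rule is what decides whether that traffic is actually allowed through.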

I have my own domain on Cloudflare, using Cloudflare DDNS docker, and I run WireGuard on my MikroTik router.

Taliesin said:
I have my own domain on Cloudflare, using Cloudflare DDNS docker, and I run WireGuard on my MikroTik router.

You use WireGuard with Cloudflare DDNS? Are you behind a proxy?

@Drew
Not the OP, but I think they have a domain name that has a DNS A record pointing to their home IP (no proxy). Their WireGuard client connects to that. The DDNS updates the A record if the home IP changes.