For those who self host and use a VPN what do you have going on

Presley said:
I just use Headscale self-hosted.

Does Headscale need port forwarding? I can’t run WireGuard since my ISP does not allow port forwarding.

Harlem said:

Presley said:
I just use Headscale self-hosted.

Does Headscale need port forwarding? I can’t run WireGuard since my ISP does not allow port forwarding.

Yes, but I suggest getting a free-tier VPS to host it and then VPN from your device to the VPS. This way, you connect to the public IP of the VPS and don’t need to worry about port forwarding on your local network.
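The VPS-as-hub layout Harlem suggests, written out as an added example (not from any post in this thread): WireGuard configs for the VPS, the home server and a phone, where only the VPS listens on a port and the home side dials out. All keys, the hostname vps.example.net, the interface name eth0 and the address ranges are placeholders.

```ini
# --- VPS (hub), /etc/wireguard/wg0.conf ---
# Only the VPS needs an open UDP port; home and phone are outbound-only,
# so no port forwarding is required on the home ISP connection.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>           # placeholder
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT

# Home server peer
[Peer]
PublicKey = <HOME_PUBLIC_KEY>            # placeholder
# Tunnel address AND the home LAN are reached through this peer
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# Phone/laptop peer
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>           # placeholder
AllowedIPs = 10.8.0.3/32

# --- Home server, /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>          # placeholder
# Forward tunnel traffic onto the LAN and NAT it so LAN hosts reply via us
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>             # placeholder
Endpoint = vps.example.net:51820         # placeholder public address of the VPS
# Accept the whole tunnel subnet so the phone can reach the LAN via the hub
AllowedIPs = 10.8.0.0/24
# Keeps the outbound NAT mapping alive so the VPS can reach us without an inbound port
PersistentKeepalive = 25

# --- Phone/laptop ---
[Interface]
Address = 10.8.0.3/24
PrivateKey = <PHONE_PRIVATE_KEY>         # placeholder
DNS = 192.168.1.1                        # optional: use the home resolver

[Peer]
PublicKey = <VPS_PUBLIC_KEY>             # placeholder
Endpoint = vps.example.net:51820
# Split tunnel: only the tunnel subnet and the home LAN go through the VPS;
# use 0.0.0.0/0 instead to send all traffic out via the VPS
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

Generate each key pair with `wg genkey | tee privatekey | wg pubkey > publickey` and bring each side up with `wg-quick up wg0`; the VPS firewall must allow inbound UDP 51820.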

Presley said:
I just use Headscale self-hosted.

That’s a good idea!

I only route what needs a VPN.

I initially had the VPN and policy-based routing set on my OpenWRT router. With PBR, you can choose source IPs, target IPs, and ports for routing.

Now I’ve moved the setup to an OpenWRT container.

@Bret
[deleted]

Birch said:
@Bret
[deleted]

My bad for forgetting the rule, but thanks for reminding me :slight_smile:

If you aren’t managing the VPN, I don’t see much benefit to privacy. You’re just moving the problem around.

Turn on a VPN or set up a cloud VM, then install wg-easy (WireGuard) there.

Justice said:
If you aren’t managing the VPN, I don’t see much benefit to privacy. You’re just moving the problem around.

Turn on a VPN or set up a cloud VM, then install wg-easy (WireGuard) there.

I’d rather have my traffic go to someone in the Netherlands who claims not to log my info, is audited, and seems trustworthy compared to an ISP that’s fighting for the ability to harvest and sell my data, which they are winning.

But for your second point, simple devices like iPhones only allow one VPN at a time.

WireGuard all day. It’s easy and very strong.

Using WireGuard through Firewalla.

WireGuard is my choice. Any service needing a domain name goes through a Cloudflare tunnel.

I use Tailscale with a Mullvad exit node ($5 a month for five Tailscale devices) and that works well for me. :blush:

Chao said:
I use Tailscale with a Mullvad exit node ($5 a month for five Tailscale devices) and that works well for me. :blush:

I have Mullvad. How does Tailscale work with an exit node?

Linden said:

Chao said:
I use Tailscale with a Mullvad exit node ($5 a month for five Tailscale devices) and that works well for me. :blush:

I have Mullvad. How does Tailscale work with an exit node?

https://immich.kareem.one/share/7coRAr8EEdHGV3NKa8iw7XAYwcdItPujMaXhD-xNZYACezcBjXBC5–bjXls13CW-1c

Unfortunately, I don’t think you can directly use Mullvad.net’s subscription in Tailscale. You need to subscribe through Tailscale as it appears to be a sub-feature.

After whitelisting the device(s), you can switch countries from the Tailscale client app.

@Chao
Thanks for the heads up!

I have WireGuard on a Raspberry Pi. I prefer to keep the Pi-hole and VPN separate from my other services.

Using UniFi Teleport and RealVNC depending on what I’m doing.

When I just surf the internet through my home ISP, I use Teleport. When I want to access a machine for work, I use RealVNC.

As one of the maintainers, I’m biased, but I run an Oracle Free VPS where I have an OpenZiti controller/router. Occasionally, I use Zrok for temporary public file sharing.

I use the IPsec VPN on my Fortinet FG-91G router.

I have both IPv4 and IPv6 assigned to the router WAN port.

My IPv4 is behind CGNAT, so I use a Hetzner VPS to proxy the VPS IPv4 address to my WAN IPv6 address.

My router has FortiTokens for MFA, and the firewall rules let me control access to different VLANs and services.

@Vin
Same setup, but no CGNAT and using an 80F model.
Use Traefik internally.

I avoid admin access on my WAN interface.