What setups do you have for self-hosting and using a VPN?

Right now, I am using Tailscale to access all my services when I’m outside my home, and I keep it active all the time on my phone and laptop.

With all the big companies messing with privacy rules, I want to try VPNs. But, I found out that running a VPN along with Tailscale is tricky since Tailscale is a VPN too.

So to all you self-hosters using VPNs, what setup do you have?

Edit:

Thanks for all the great options you shared. I have a lot to look into now.

Wireguard.

I use wg-easy for phones and most devices.

I also have a container set up as an SSH tunnel for backup network traffic (no password or sudo required).

Blakely said:
I use wg-easy for phones and most devices.

I also have a container set up as an SSH tunnel for backup network traffic (no password or sudo required).

Do you use IPs to access everything, or do you have a domain you work with? I’m trying to find a way to access services behind WireGuard/Tailscale/Zerotier without struggling to remember all the IPs.

@Vale
Get a cheap domain and create DNS records. If you don’t want to self-host DNS, you can use Cloudflare for free. No one should have to memorize IPs.

Breck said:
@Vale
Get a cheap domain and create DNS records. If you don’t want to self-host DNS, you can use Cloudflare for free. No one should have to memorize IPs.

What would you direct the DNS to? The WireGuard/Zerotier/Tailscale IP or the local IP of the device you want to reach?

@Vale
Create records for both.

Breck said:
@Vale
Get a cheap domain and create DNS records. If you don’t want to self-host DNS, you can use Cloudflare for free. No one should have to memorize IPs.

No one should have to memorize IPs.

To be honest, if you set up your IPs smartly, it shouldn’t be too hard to remember them. The real issue is usually the ports, at least in my experience.

@Reed
To be honest, if you set up your ports well, it shouldn’t be hard to remember them. The real issue is always… No, I disagree. Use DNS. Set up a homepage. Use reverse proxies. It will save you headaches.

@Voss
I use all those methods too, and I’d always suggest them for user-friendliness. Still, you’ll want a memorable IP or a list of IPs handy in case your DNS server or reverse proxy fails.

@Reed
For me, the ports are 22, 80, 443, and 3306.

Winter said:
@Reed
For me, the ports are 22, 80, 443, and 3306.

It’s best to avoid using default ports like standard passwords.

Marcell said:

Winter said:
@Reed
For me, the ports are 22, 80, 443, and 3306.

It’s best to avoid using default ports like standard passwords.

That’s poor advice. Relying on obscurity isn’t the same as real security. Learn how to secure your stuff, or don’t put it on the internet.

@Vale
Just so you know, you can use local network IPs for DNS in the domain name, allowing it to point to devices that aren’t reachable online. As long as your client can access the internet and is on the same network as those devices, the DNS will resolve.

For instance, you could make a subdomain point to 192.168.1.103, which leads to your hosted dashboard containing links to your other services. If you use Cloudflare, you will need to turn off proxying for that entry.
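
The advice above (records for both the LAN and the tunnel address, proxying off for anything private), as an added example that is not from the thread or from Cloudflare's documentation. It builds the JSON body Cloudflare's create-record endpoint expects and refuses to proxy a record whose target is an RFC 1918 address or in 100.64.0.0/10, the range Tailscale hands out, because Cloudflare's edge cannot reach either. The names `dash.home.example.com` and `dash.vpn.example.com`, the addresses, the 300 s TTL and the `CF_ZONE_ID` / `CF_API_TOKEN` variables are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the thread's or Cloudflare's own code: build a DNS record
# for a self-hosted service and refuse to proxy it when the target is private
# or CGNAT, since Cloudflare's proxy cannot reach such an address.
# Assumed placeholders: CF_ZONE_ID and CF_API_TOKEN in the environment.

# Returns 0 if $1 is RFC 1918 or inside 100.64.0.0/10 (Tailscale's range).
is_private_or_cgnat() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
    *) return 1 ;;
  esac
}

# dns_record_json NAME IP [proxied]
# Prints the JSON body for POST /zones/{zone_id}/dns_records.
# Proxying a private address is refused outright rather than silently changed.
dns_record_json() {
  name="$1"; ip="$2"; proxied="${3:-false}"
  if [ "$proxied" = "true" ] && is_private_or_cgnat "$ip"; then
    echo "refusing to proxy $name -> $ip: Cloudflare cannot reach a private address" >&2
    return 1
  fi
  printf '{"type":"A","name":"%s","content":"%s","ttl":300,"proxied":%s}\n' \
    "$name" "$ip" "$proxied"
}

# Pushes one record to Cloudflare. Needs network and real credentials,
# so it is only run when explicitly asked for (see the case block below).
publish_record() {
  body=$(dns_record_json "$@") || return 1
  printf '%s' "$body" | curl -sS -X POST \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID:?}/dns_records" \
    -H "Authorization: Bearer ${CF_API_TOKEN:?}" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# One service, two records: the LAN address and the tunnel address.
# 100.101.102.103 is a constructed Tailscale-range address, not a real node.
case "${1:-}" in
  show)
    dns_record_json dash.home.example.com 192.168.1.103
    dns_record_json dash.vpn.example.com 100.101.102.103
    ;;
  publish) shift; publish_record "$@" ;;
esac
```

Run `sh script.sh show` to see the two bodies, or `sh script.sh publish dash.home.example.com 192.168.1.103` with the two variables set to push one. One caveat to keep in mind when a name like this fails to resolve on some networks: resolvers with DNS rebinding protection (dnsmasq's `stop-dns-rebind`, for example) drop answers from public DNS that contain private addresses, so check the local resolver before assuming the record is wrong.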

@Vale
I use nginx proxy manager with DNS challenge because I used to be behind CGNAT. I paid about $5 a year for a domain.

Blakely said:
@Vale
I use nginx proxy manager with DNS challenge because I used to be behind CGNAT. I paid about $5 a year for a domain.

At least you have a valid license with MikroTik hardware.

Blakely said:
I use wg-easy for phones and most devices.

I also have a container set up as an SSH tunnel for backup network traffic (no password or sudo required).

Does wg-easy support subnet routing like Tailscale?

@Brynn
What do you mean? WireGuard supports routing. Tailscale is built using WireGuard, by the way.

Fynn said:
@Brynn
What do you mean? WireGuard supports routing. Tailscale is built using WireGuard, by the way.

That’s right; I know Tailscale uses WireGuard internally, but how do we enable subnet routing if we use wg-easy?

@Brynn
I just had to do this the other day, and it’s a very standard feature for setting up WireGuard on your network. You need to enable IPv4 routing. I’m not exactly sure what I did, but if you google WireGuard IP for routing, you’ll find the answers.
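
What "enable IPv4 routing" amounts to in practice, as an added example that is not from the thread, from wg-easy or from WireGuard's own documentation. Subnet routing needs three things on the server beyond a plain tunnel (`net.ipv4.ip_forward=1`, a FORWARD rule from wg0 to the LAN, and NAT so LAN hosts can answer without a route back to the tunnel subnet) and one thing on the client (the LAN prefix in `AllowedIPs`). The script writes both wg-quick configs and includes two small lint checks for existing configs. Assumed values: LAN 192.168.1.0/24 on `eth0`, tunnel 10.8.0.0/24, endpoint `vpn.example.com`, placeholder keys. If wg-easy generates your client configs, the equivalent change is in the AllowedIPs it hands out (its `WG_ALLOWED_IPS` container setting, assuming the version you run still names it that way).

```shell
#!/bin/sh
# Added example, not the thread's, wg-easy's or WireGuard's own code:
# wg-quick configs that route a home LAN through a WireGuard server.
# Assumed values below are placeholders, not real keys or hosts.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WG_CIDR="${WG_CIDR:-10.8.0.0/24}"

# Server side. Forwarding, a FORWARD rule and MASQUERADE are what a plain
# point-to-point tunnel lacks. %i is replaced by wg-quick with the interface name.
server_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -o $LAN_IF -d $LAN_CIDR -j ACCEPT
PostUp = iptables -A FORWARD -i $LAN_IF -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o $LAN_IF -d $LAN_CIDR -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o $LAN_IF -d $LAN_CIDR -j ACCEPT
PostDown = iptables -D FORWARD -i $LAN_IF -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o $LAN_IF -d $LAN_CIDR -j MASQUERADE

[Peer]
# On the server, AllowedIPs is what it will accept FROM this peer and route TO
# it. Keep it to the peer's own tunnel address; never list the LAN here.
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.2/32
EOF
}

# Client side. AllowedIPs decides what the client sends INTO the tunnel:
# tunnel subnet plus LAN gives split tunnelling; 0.0.0.0/0 would send everything.
client_conf() {
  cat <<EOF
[Interface]
Address = 10.8.0.2/24
PrivateKey = <phone-private-key>
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = $WG_CIDR, $LAN_CIDR
PersistentKeepalive = 25
EOF
}

# Lint an existing server config (passed as a string): forwarding must be
# enabled and no peer may claim the LAN prefix, which would route LAN traffic
# into that peer instead of to the LAN.
lint_server_conf() {
  printf '%s\n' "$1" | grep -q 'net.ipv4.ip_forward=1' \
    || { echo "server: no ip_forward=1, LAN packets will be dropped" >&2; return 1; }
  if printf '%s\n' "$1" | grep -q "^AllowedIPs = .*$LAN_CIDR"; then
    echo "server: a peer's AllowedIPs claims $LAN_CIDR" >&2; return 1
  fi
  return 0
}

# Lint an existing client config: without the LAN prefix in AllowedIPs the
# tunnel comes up but LAN addresses never enter it.
lint_client_conf() {
  printf '%s\n' "$1" | grep -q "^AllowedIPs = .*$LAN_CIDR" \
    || { echo "client: AllowedIPs lacks $LAN_CIDR" >&2; return 1; }
  return 0
}

case "${1:-}" in
  server) server_conf ;;
  client) client_conf ;;
esac
```

Run `sh script.sh server > /etc/wireguard/wg0.conf` on the server and `sh script.sh client` for the phone's config. The MASQUERADE rule is the lazy route: without it every LAN host needs a route for 10.8.0.0/24 pointing at the WireGuard server, which is cleaner but more work; with it, LAN hosts see connections as coming from the server's LAN address, so per-client firewalling on the LAN side is lost.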