this post was submitted on 06 Dec 2025
66 points (97.1% liked)

Selfhosted

53539 readers
550 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I've been setting up a music server on my home server recently, looking to move away from private hosting options like iBroadcast, but I've hit a bit of a snag when it comes to actually accessing my server when away from home.

The two most common recommendations I've seen are Cloudflare and OpenVPN. My router supports OVPN access, so I gave that a try, but couldn't ever actually make it work. I don't know for sure, but I think it's probably something with my ISP that I can't really easily work around. As far as Cloudflare goes, setting up a tunnel requires you to have a domain set up with them even if you're just using Warp, and since I don't have one, that's not an option.

What other good options are there for remote access? I'm running Open Media Vault as my server. Thanks.

Edit: Based on responses, it looks like Tailscale is the way to go since it's all private to me. Thanks everyone!

28 comments
[–] ccunning@lemmy.world 43 points 3 days ago (1 children)

If it’s just for you, checkout Tailscale.

[–] ivn@jlai.lu 17 points 2 days ago (1 children)

Or netbird if you want something non US.

[–] Canuck@sh.itjust.works 14 points 2 days ago (1 children)

Tailscale is not American, it's Canadian 🍁

[–] ivn@jlai.lu 6 points 2 days ago

You're right, my bad.

[–] rtxn@lemmy.world 37 points 2 days ago (1 children)

Tailscale should work. It uses Wireguard and does some UDP fuckery to get around the firewall and NAT (including CGNAT). I can stream Jellyfin through it at 1080p native with no significant buffering, it'll work for music.

[–] phanto@lemmy.ca 5 points 2 days ago

I run substreamer and tailscale to access my home navidrome. Works like a charm.

[–] eva@piefed.social 23 points 2 days ago (2 children)

Another vote for Tailscale. I can be on my home network while away from home. I have no idea how it actually works, it seems like magic to me and I love it.

[–] uncouple9831@lemmy.zip 4 points 2 days ago

WireGuard point-to-point connection with automatic discovery and NAT traversal using public hosts (or, if you use Headscale, a combination of personal and public hosts).

[–] Fiery@lemmy.dbzer0.com 2 points 1 day ago

You should go read the blog post explaining how everything works! They basically pull out a shipping container of tricks to establish a connection when necessary. (Depends heavily on firewalls/NAT on the path)

[–] e8d79@discuss.tchncs.de 20 points 2 days ago (1 children)

I use a WireGuard tunnel that connects to a cheap VPS and then configured a Caddy reverse proxy on that VPS that makes my services available on the internet.

[–] Krtek@feddit.org 1 points 1 day ago (2 children)

Question: do you also use the same domains for the local network as for the remote connections? And if yes, are you just accepting the round trip to the VPS, or do you have a shortcut to stay in the local network? Because, while I have an otherwise identical setup, I put Caddy on the local server, so that I can eventually use local DNS to point to the local address.

[–] e8d79@discuss.tchncs.de 3 points 1 day ago

No, I use a second reverse proxy for my local network. For example, I can resolve navidrome either via my VPS using navidrome.mydomain.net or directly in my local network with the address navidrome.local.mydomain.net. I also configured the local caddy reverse proxy with a DNS provider module to get LetsEncrypt certificates for my local addresses.

[–] 123@programming.dev 2 points 14 hours ago* (last edited 14 hours ago)

There's something called NAT reflection that does a local lookup if the request originated in the internal network and avoids going via the external route. Some router software like OPNsense and/or pfSense supports it (but I wouldn't be surprised if DD-WRT, Tomato, etc. supported it as well; it's been a while since I used them).

It might work better if your DNS provider supports API-based challenges vs. traditional ACME challenges that might require you to still expose your IP/challenge ports with public DNS to get your certificates.

All my internal DNS has the option of SSL certs while my IP is not on any public DNS, and it routes to the internal IPs with the above. Not sure how that would work with WireGuard or Tailscale/Headscale, but I'm assuming they probably could complement each other nicely.

[–] irmadlad@lemmy.world 11 points 2 days ago (1 children)

recommendations I’ve seen are Cloudflare

I know a lot here are not too comfortable with Cloudflare. However, the Cloudflare Tunnels/Zero Trust is a solid option.

As far as Cloudflare goes, setting up a tunnel requires you to have a domain set up with them

I purchased a domain from Namecheap for less than $5 USD. Cloudflare doesn't require you to purchase a domain from them; however, they do require that you use their nameservers, for obvious reasons.

Barring all of that, Tailscale is solid as well.

[–] 123@programming.dev 3 points 14 hours ago* (last edited 14 hours ago) (1 children)

For new people, for ongoing domain registrations people should also consider the renewal costs. There are some registrars with somewhat predatory pricing schemes that end up being very expensive long term (e.g. the trendy .io TLD).

Dot com and dot net are some of the most stable ones, even though they might not appear as such at first glance. Almost anything less costly on initial costs will cost you in some other way: it might not offer WHOIS privacy (.us, IIRC), be limited to residents or people with a legitimate business in that country (.ca), or have a mixed reputation with being labeled spam (.xyz, although I believe this last one has been fairly proactive in clearing that up).

Sorry to hijack the comment, but I wish someone had warned me to look; not all TLDs are administered the same.

[–] irmadlad@lemmy.world 3 points 9 hours ago

That is a consideration. I've never really had any issues with anything I've purchased from Namecheap, and I've used them for years. True, my less-than-$5 original cost will be $11 to renew, but that seems to be the standard introductory pricing scheme most everyone uses. The domain name came with WHOIS privacy included. I hear about Porkbun a lot, but I've never used them. I'm sure there are horror stories for Namecheap, and that seems to vary from person to person. However, it is good to be well informed before making your selection.

[–] vividspecter@aussie.zone 9 points 2 days ago

probably something with my ISP that I can’t really easily work around

I'd try and find out if you're behind a CG-NAT first, and whether you have IPv6 support. Some ISPs will turn off CG-NAT if you ask, if that is the reason you haven't been able to get things working. WireGuard will then work properly, which is a bit kinder on battery life with mobile devices in particular compared to Tailscale and Netbird (although both are improving in that regard).
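The CG-NAT check suggested above can be done offline against the address your router shows on its WAN interface: CG-NAT hands out addresses from the RFC 6598 shared range 100.64.0.0/10, and a WAN address in an RFC 1918 range means a second NAT in front of you. This is an added example, not code from any commenter; it uses only Python's standard `ipaddress` module, and every address in it is a constructed placeholder.

```python
import ipaddress

# RFC 6598 shared address space: what CG-NAT carriers hand to customer routers.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918: a WAN address here means your router sits behind another NAT.
RFC1918_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Classify the address your router reports on its WAN/Internet interface.

    Returns one of: "cgnat", "private-double-nat", "public", "other",
    "ipv6-global", "ipv6-non-global".
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6-global" if ip.is_global else "ipv6-non-global"
    if ip in CGNAT_RANGE:
        return "cgnat"
    if any(ip in net for net in RFC1918_RANGES):
        return "private-double-nat"
    if ip.is_global:
        return "public"
    return "other"          # loopback, link-local, documentation ranges, etc.


def inbound_forwarding_can_work(wan_addr: str, observed_public_addr: str) -> bool:
    """Port forwards on the router only work if its WAN address is public AND is
    the same address the Internet sees for you (e.g. from a 'what is my IP' page).
    A mismatch means some device upstream (ISP CG-NAT, a second router) owns the
    public address, and inbound OpenVPN/WireGuard will never reach you directly."""
    if classify_wan_address(wan_addr) != "public":
        return False
    return ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_public_addr)


if __name__ == "__main__":
    # Constructed sample values; substitute what your router and a public IP
    # lookup actually report.
    for wan, seen in [("100.70.12.34", "1.2.3.4"),
                      ("192.168.1.2", "1.2.3.4"),
                      ("1.2.3.4", "1.2.3.4")]:
        print(wan, classify_wan_address(wan),
              "inbound ok" if inbound_forwarding_can_work(wan, seen) else "inbound blocked")
```

If the result is `cgnat` or `private-double-nat`, asking the ISP for a public address (or for IPv6) is the direct fix; otherwise an outbound-initiated tunnel to a reachable host, or a mesh overlay such as Tailscale, is what the rest of this thread recommends.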

[–] kokesh@lemmy.world 6 points 2 days ago

I got put behind CGNAT. I had an unused domain name, so I pointed it to a free Oracle VPS, installed WG Quick on that and on my home server, and voila: complete access for anything I want.

[–] abominable_panda@lemmy.world 5 points 2 days ago (1 children)

I use WireGuard. One network is behind CGNAT, so I just get that client to connect outbound to the other client to initiate the tunnel (instead of trying to connect to IT) and it works just fine.

I did try Tailscale once upon a time, but it was so clunky and confusing for me... I just wanted to simply access my entire networks remotely without any overhead.

[–] Ganbat@lemmy.dbzer0.com 1 points 2 days ago

i just get that client to connect outbound to the other client to initiate the tunnel

Is that something that has to be done on every connection?
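The outbound-only arrangement described in this subthread looks like this in practice: the side behind CGNAT has an `Endpoint` for the reachable peer and a `PersistentKeepalive`, so it dials out and keeps the NAT mapping open; the reachable side has a `ListenPort` and no `Endpoint`, learning the home side's address from its handshakes. This is an added example, not any commenter's configuration. The hostname, tunnel subnet, LAN range and key strings are constructed placeholders (real keys come from `wg genkey` / `wg pubkey`), and the generated text follows the wg-quick configuration format.

```python
# Roles: VPS_ is the peer with a public address, HOME_ is the peer behind CGNAT.
VPS_PUBLIC_HOST = "vps.example.net"   # placeholder: DNS name of the reachable peer
VPS_LISTEN_PORT = 51820
VPS_TUNNEL_IP = "10.8.0.1/24"
HOME_TUNNEL_IP = "10.8.0.2/32"
HOME_LAN = "192.168.1.0/24"           # placeholder: home LAN to reach through the tunnel
KEEPALIVE_SECONDS = 25                # value the WireGuard docs suggest for NATed peers


def render_vps_conf(vps_privkey: str, home_pubkey: str) -> str:
    """Config for the reachable peer. It listens and never dials: it has no way
    to reach an address behind CGNAT until the home side has handshaked."""
    return "\n".join([
        "[Interface]",
        f"Address = {VPS_TUNNEL_IP}",
        f"ListenPort = {VPS_LISTEN_PORT}",
        f"PrivateKey = {vps_privkey}",
        "",
        "[Peer]",
        "# home server behind CGNAT: no Endpoint, learned from its handshakes",
        f"PublicKey = {home_pubkey}",
        f"AllowedIPs = {HOME_TUNNEL_IP}, {HOME_LAN}",
        "",
    ])


def render_home_conf(home_privkey: str, vps_pubkey: str) -> str:
    """Config for the CGNAT side. Endpoint + keepalive make it the initiator and
    keep the carrier's NAT mapping alive, so nothing is redone per connection."""
    return "\n".join([
        "[Interface]",
        f"Address = {HOME_TUNNEL_IP}",
        f"PrivateKey = {home_privkey}",
        "# no ListenPort: nothing on the Internet can reach this host anyway",
        "",
        "[Peer]",
        f"PublicKey = {vps_pubkey}",
        f"Endpoint = {VPS_PUBLIC_HOST}:{VPS_LISTEN_PORT}",
        "AllowedIPs = 10.8.0.0/24",
        f"PersistentKeepalive = {KEEPALIVE_SECONDS}",
        "",
    ])


def parse_wg_conf(text: str) -> list:
    """Minimal parser for the INI-style wg-quick format: [(section, {key: value})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (keys never contain '#')
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
            continue
        key, _, value = line.partition("=")       # split on the first '=' only:
        sections[-1][1][key.strip()] = value.strip()  # base64 keys end in '='
    return sections


def cgnat_side_problems(text: str) -> list:
    """Return the reasons a config for the CGNAT side would fail to hold a tunnel."""
    problems = []
    for name, kv in parse_wg_conf(text):
        if name != "Peer":
            continue
        if "Endpoint" not in kv:
            problems.append("peer has no Endpoint: the CGNAT side must initiate")
        if "PersistentKeepalive" not in kv:
            problems.append("no PersistentKeepalive: the NAT mapping will expire and "
                            "the other side cannot re-initiate")
        elif not 1 <= int(kv["PersistentKeepalive"]) <= 60:
            problems.append("PersistentKeepalive outside the 1..60 s range typical NATs keep")
    return problems


if __name__ == "__main__":
    # Placeholder key material; never reuse real private keys in examples.
    print(render_home_conf("HOME_PRIVATE_KEY_PLACEHOLDER=", "VPS_PUBLIC_KEY_PLACEHOLDER="))
    print(cgnat_side_problems(render_vps_conf("VPS_PRIVATE_KEY_PLACEHOLDER=",
                                              "HOME_PUBLIC_KEY_PLACEHOLDER=")))
```

Because the home side initiates and keeps the mapping alive, the tunnel is established once at interface start and stays up; the VPS can then forward traffic to `HOME_LAN` (with IP forwarding enabled on both ends) or terminate a reverse proxy in front of the tunnel address, as the VPS-plus-Caddy setup elsewhere in this thread does.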

[–] sobchak@programming.dev 4 points 2 days ago

Port forward/poke holes in firewall + dynamic DNS.

[–] rudyharrelson@lemmy.radio 4 points 2 days ago* (last edited 2 days ago)

You could use PiVPN (you don't need to install it specifically on a Raspberry Pi -- this is just a handy all-in-one software solution). It supports both OpenVPN and Wireguard standards. Forward the relevant port in your router configuration, set up a single user for yourself in the VPN settings, and then connect via whichever client you prefer (OpenVPN if you use OVPN, or Wireguard if you use Wireguard).

I've used it before to access locally-hosted services from outside my home network and it gets the job done with fairly minimal setup.

[–] philpo@feddit.org 3 points 1 day ago* (last edited 1 day ago)

Just a theory: There is a good chance that your provider does CG-NAT and that was the issue with OpenVPN. These would persist with WireGuard, sadly, unless you solve them properly. (Which can be tricky.) But just for the book: running a WireGuard container behind your router and having a port forwarded to it is an option. (But it still needs CG-NAT addressed.)

That leaves you with a few options:

  • Cloudflare: Imho a bad idea - it's evil, it's monopolistic and while it's "an easy way" it has its technical downsides. As you said, a domain is still required.

  • Use a small VPS and run a WireGuard tunnel and maybe Pangolin as a reverse proxy on it. It has the benefit of being very flexible and once configured is fairly stable, and it puts the security part outside your network. But it costs money unless you maybe make it work on Oracle's free tier. (I would still recommend using a cheap domain, though.)

  • As others have mentioned: Tailscale/ZeroTier/Netbird absolutely are an option if it's just for you. But they get nasty if it's for more people or larger deployments with Tailscale, and while Netbird is far better, it's less common and does require a domain as well. (Which, again, is not a bad idea to have.)

[–] chamaeleon@fedia.io 2 points 2 days ago

I use https://github.com/slackhq/nebula. Maybe a little more work than tailscale, but I'm happy with it.

[–] Funky_Beak@lemmy.sdf.org 2 points 2 days ago* (last edited 2 days ago)

I have been thinking of this myself. I think what I'll do eventually is DMZ a Headscale coordinator instance on an old Raspi and then make that internet-facing for my Tailscale instances. But before running my own coordinator, what I want to do is go over some NIST guidelines first to harden the Raspi. I think starting with what you want to achieve and building a threat model helps narrow the options for implementation and cuts the noise.

[–] WolfLink@sh.itjust.works 2 points 1 day ago

I have set up WireGuard manually running on a home server. It’s not that hard to set up IMO but that definitely depends on your experience level.

Other than that, I'd second Tailscale, which is similar but easier to set up.

[–] Thrawn@lemmy.dbzer0.com 1 points 2 days ago

I have a limited budget but have mostly older-gen Unifi gear, and they have a built-in feature they brand as Teleport that, if I understand right, uses WireGuard under the hood. Works great for my limited use cases.

[–] fleem@piefed.zeromedia.vip 1 points 2 days ago

Pangolin is cool.