this post was submitted on 26 Oct 2024
34 points (94.7% liked)

So I'm just being introduced to the concept of using a VPN or something like Tailscale to access one's services, instead of opening the services directly to the web, but I'm thinking for streaming purposes or just accessing your services on the run, isn't it an annoyance having to connect to your home network all the time? Or do you keep the VPN running on your phone for example? What if you use a VPN provider for privacy purposes, wouldn't one need to then switch VPN connection?

top 28 comments
[–] [email protected] 32 points 1 week ago (1 children)

I keep it running always. Partly to access stuff at home, and partly to get the ad-blocking from pihole.

Do not expose stuff unless you fully understand the security risks

[–] [email protected] 4 points 1 week ago (3 children)

How's the power draw on mobile devices?

[–] [email protected] 8 points 1 week ago

Not noticeable with always-on Tailscale with the default split-tunnel mode. That is, when Tailscale is only used to access Tailscale machines and everything else is routed via the default route.

[–] [email protected] 7 points 1 week ago (1 children)

It's not bad using the official WireGuard app. It's definitely noticeable. On the Android battery screen it'll show around 5% after a full day of use with it always on.

[–] [email protected] 4 points 1 week ago

I'd consider 5% to be trivial, for what it does.

My battery consumption really depends on how much traffic I send over it.

[–] [email protected] 6 points 1 week ago

For the last 10 days tailscale clocked 1% battery on my phone. I honestly didn’t even consider turning it off for battery savings.

[–] [email protected] 20 points 1 week ago

isn’t it an annoyance having to connect to your home network all the time?

It's less annoying than the gnawing fear that my network might be an easy target for attackers.

[–] [email protected] 8 points 1 week ago (2 children)

For an external VPN like mullvad, I run my own proxy. Again it's only available from my VPN or inside my network.

It uses socks5 and gluetun docker containers, and in apps that support proxies, I can add my proxy to it and it'll route that traffic through the paid VPN.

Or, a work profile (see Shelter) or Android's new private spaces. If you have private spaces, it uses a separate network. So if you have a VPN installed outside the private space, it won't work on apps inside the space. So, what you could do is have a paid VPN inside private spaces, and use it and a web browser or whatever there, and use your server's VPN outside the private space.

Lmk if you want any of my docker composes

[–] [email protected] 2 points 1 week ago

Very interesting. Didn't know this was a possibility. I don't need anything now but thanks for offering, might get back to you

[–] [email protected] 1 points 1 week ago (1 children)

This sounds very interesting. I always wondered if I could use a paid VPN together with Tailscale or Netbird. But I'm not sure I understood how you set this up. And what are Android private spaces?

[–] [email protected] 2 points 1 week ago (1 children)

I have gluetun+socks5 containers running, then in an app, I put localip:port into a proxy field. Then that app will use that connection for internet. Browsers on desktop also support proxies. So if you want a specific browser to always use the VPN, this is a very simple way to do that.

https://source.android.com/docs/security/features/private-space

[–] [email protected] 1 points 6 days ago (1 children)

Thank you for pushing me into the rabbit hole. But gluetun already has a socks proxy server built in, if I read that correctly on their github.

[–] [email protected] 2 points 6 days ago

Oh fascinating. I'll have to look into that

[–] [email protected] 8 points 1 week ago (1 children)

How annoying is it to connect to VPN/use Tailscale

I think it's very important to separate a random "VPN" solution from using Tailscale.

instead of being able to access the service directly?

Focusing on Tailscale. Who turns off Tailscale? It is “directly” connecting to your service or app or whatever. That’s the whole point.

[–] [email protected] 3 points 1 week ago (2 children)

Probably just me that's confused. I thought Tailscale was similar to WireGuard but much easier to set up. So one connects to the services directly, and not just the general home network (like a VPN) where you then enter whatever address you need to access the service?

[–] [email protected] 7 points 1 week ago* (last edited 1 week ago) (1 children)

Tailscale is WireGuard (it uses the WireGuard protocols, even says so on the box), just with a centralized resolver to make things easier to set up and manage.

I'm not sure what you're saying with the rest of your comment, as Tailscale is a mesh network, not a VPN as most people think of it.

It encrypts your traffic, but only into the network of which your device is a member. You can't even see any devices, or networking, outside the Tailscale network, unless a device is configured as a Subnet router. Then you can see devices in the network which the Subnet Router links together.

For example, you have 3 machines, a laptop on mobile data, and 2 desktops on your home LAN. One desktop and the laptop have Tailscale, they can communicate over Tailscale to each other, but the laptop cannot connect to the second desktop because it's on a different network, since there's no routing between Tailscale and your home LAN.

You then configure Subnet Routing on the desktop that has Tailscale; now your laptop can connect to any device on the home LAN, so long as the desktop is running and Tailscale is up.

Think of mesh networks as Virtual LANs in software, configurable on each device (mostly, sort of). Twenty years ago Hamachi was the go-to for this, it was brilliant, and much easier to use than today's mesh networks, just far less capable/manageable/configurable.

[–] [email protected] 2 points 1 week ago (1 children)

Great explanation, thank you! Hamachi brings back memories haha

[–] [email protected] 2 points 1 week ago

It still exists! (Or did about a year ago).

When I got my first Android (2009 ish), I searched high and low for a way to run Hamachi on it. There have been solutions, but always clumsy and difficult to implement.

I miss Hamachi, it was so simple to use.

[–] [email protected] 5 points 1 week ago

It can be just like you've said. You can also run tailscale directly on the system hosting a service and access it directly over the tailscale network.

[–] [email protected] 6 points 1 week ago
[–] [email protected] 5 points 1 week ago

Sucks a high hard one if you plan for others to use your services too. If it's just you it's not that annoying

[–] [email protected] 5 points 1 week ago* (last edited 1 week ago)

I think the part you’re missing (and others haven’t addressed) is that you don’t send 100% of your traffic to one endpoint (much like how most use VPNs). You can route different things to different places.

For example, I’m in the US and have two Tailscale exit nodes. Both are located on VPS machines in the US, but one sends traffic down a double-hop VPN back out into the US, the other does the same but to Switzerland. My “default” route is through Switzerland (better privacy laws) but I am forced to route some things through the US exit node due to websites that won’t work outside the US. For my personal devices, traffic routes directly to them via WireGuard tunnels.

In addition, my wife doesn’t care about blocking everything that I do (social media, tracking) but her phone still needs to update sensors in Home Assistant. She can choose not to use the exit nodes but can still communicate with our nodes on Tailscale. She also uses it to print documents at home from her laptop while she’s at work.

Recently I was waiting in a hospital with public (unsafe) WiFi that blocked UDP traffic, but Tailscale does some magic that will relay traffic via TLS. I was able to access services at home with a 20ms latency. The tech is very, very nice to have.

[–] [email protected] 4 points 1 week ago

Use Tailscale, for the most part it's pretty transparent. As long as all the MagicDNS stuff is set up correctly, I can access all my internal services by name and it just works.

[–] [email protected] 3 points 1 week ago

I can't use a VPN on my work PC, so I have some services open on subdomains that aren't in my DNS. Follow some basic rules and it's fine. My phone is always connected to my WireGuard running on OPNsense. It's simple, fully self-hosted and works great.

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago)

I'm using Tailscale and have all my devices connected through it. I'm not exposing any services in particular, it's just handy to be able to ssh around. It's always on and I did not notice huge power loss on my phone.

[–] [email protected] 1 points 1 week ago

Not much, I have services that run both externally and only over wg.

Only issue with wg is sometimes I have to shut it off for things like multicast DNS, or other things that try to look around the network or wifi.

[–] [email protected] 1 points 1 week ago

Depends on how secure the application is and the security you use in front of the application, such as reverse proxies, load balancers, etc. If you are exposing a web application with no SSL, no two-factor authentication, or something in a beta state, or if you can't trust your ISP not to create man-in-the-middle attacks for advertising and collecting information to sell (which also likely introduces security vulnerabilities), then that could be a problem and a VPN or similar might be a big help.

[–] [email protected] 1 points 1 week ago

If you have an iPhone, it’s a pain over Tailscale because Tailscale frequently likes to disconnect for various reasons and this isn’t something Tailscale can fix, it’s something with the way Apple manages background processes.

If you’d like an alternative, you can host your services directly to the internet via a reverse proxy like Caddy or Nginx, and then use mTLS to secure that access with a certificate you load only onto your devices.
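A minimal Caddyfile for the mTLS setup this comment describes, added here as an illustration and not the commenter's own config. The hostname, CA certificate path and upstream port are assumptions; the CA is one you create yourself and use only to issue the client certificates installed on your devices.

```caddyfile
# Added example, not from the thread. Assumed hostname, paths and port.
# Caddy obtains the server certificate for this name automatically;
# the client_auth block makes Caddy demand a client certificate during
# the TLS handshake and reject any that is not signed by your private CA.
media.example.home {
    tls {
        client_auth {
            # require_and_verify: no certificate, or an untrusted one,
            # fails the handshake before any HTTP request reaches the app.
            mode require_and_verify
            # Your own CA certificate (PEM); assumed path.
            trusted_ca_cert_file /etc/caddy/client-ca.pem
        }
    }

    # Assumed upstream: the self-hosted service on the same host.
    reverse_proxy 127.0.0.1:8096
}
```

Clients without a certificate issued by that CA are refused at the TLS layer, so the application behind the proxy never sees unauthenticated traffic; check with `caddy validate --config /etc/caddy/Caddyfile` before reloading.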