Hello friends!

For awhile now I’ve wanted to delve into self-hosting and the first thing I thought of was ditching my VPN Provider for my own VPN solution.

I wanted to ask about the cost/benefit of each option with those of you who are more experienced.

Option One: Stick with my VPN Provider:

This is a funky case, as my VPN Provider is with Proton, and my email and VPN accounts are linked together. Since I’ve been with them for awhile, I have over a gigabyte of storage for emails. I rarely ever get past 400MB. The VPN is fine, occasionally I have some hiccups with speed but it overall works. I pay roughly $19.20/month for both a paid email account and the VPN service, so it’s likely the second cheapest. When it comes to privacy, though, I’m not 100% sold Proton wouldn’t just sell my data for no reason. Yes, they are Swiss, but that doesn’t entirely reassure me.

The weird thing about this is my PiHole is decoupled from the VPN. At least in the mobile app, I see no option to use your own DNS. There’s also no provided way nor really an obvious way for me to connect to all of my devices if they’re all on ProtonVPN, as opposed to the other two options.

Option Two: Just use Tailscale

Personally I’d like to mess with the ACLs so probably I’d wind up with the $6/month plan. For the $18/month plan I don’t really know what “Tailscale SSH” even means, as I don’t know what magic they do to wrap SSH into something worth paying for. I’ve heard mixed things about “Tailscale Funnel.”

I hear Tailscale is easy to install and there’s no real extra fidgeting you’d have to do for your home network. Tailscale will also let me use my PiHole as my DNS, getting me ad-blocking from PiHole on all devices on Tailscale.

Option Three: Self-Hosted Headscale

This is one I’m interested in, but I don’t know the feasibility of it. The initial idea was to get a VPS and install OpenBSD on it and make it my Headscale instance. I’ve installed OpenBSD before, I mostly know my way around it and I like how lightweight it is and how security focused it is. There would be more setup initially, but I don’t really mind that. I do a lot of fidgeting on my Linux desktop anyway.

The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something =<10Gbsp. So maybe $25-$30/month depending on who I buy a VPS through?

The other thing is updating stuff. I can just SSH and do all of that manually and since the VPS will be dedicated specifically to being a Headscale server, but that is still time I have to spend.

Lastly, I wouldn’t have the international selection of VPN locations like with a VPN provider, just one, but it’s not like I’m trying to bounce my connection from country and that’s not advisable anyway.

Other options

Setting up a VPS with Wireguard myself. While I wouldn’t mind it too much, Tailscale exists for a reason and it can traverse firewalls without me having to configure a bunch of devices so that’s a big plus.

Running Headscale in a container on my Linux desktop, but this means my desktop would have to be on almost 24/7 and I don’t know how I feel about having my VPN stuff to be sitting directly inside my home network.

What are your opinions?

    • Chewy@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I agree that for most people tailscale isn’t selfhosted (except for the few with headscale). But Tailscale is easy to set up and configure, so I get why people love it.

      And regarding the “antithesis of selfhosting”, I read on here constant recommendations for Cloudflare Tunnel, which might be a great service but also is the opposite of selfhosted.

      Now I personally switched back to wireguard directly since I had battery life issues with ts. Using wg directly makes a few other things easier to set up in my network.

      PS: A great feature of tailscale is it’s ability to create tls certificates for it’s domains, so bitwarden doesn’t complain about an insecure connection. This I could solve with dns-01 challenges, but then my router blocked the domains because of some attack vector. Now I have to manually whitelist them. TS makes this simpler.

    • Jerry1098
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I agree with you that by using tailscale you have to trust them, but your traffic is not routed through their servers, they are only responsible to directly connect your devices (by nat traversal)

      • AlecStewart1st@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        but your traffic is not routed through their servers,

        Hmm so correct me if I’m wrong (I probably am), but with a basic Wireguard setup you’d have one device act as the server and other devices that connect to it are the clients. But can’t you have 2 devices that act as servers/clients to each other, and then have other devices connect to them and the connect with bounce between those two devices?

        I’m assuming that if this is even achievable, it’s not something Tailscale or Headscale will let you do.

        • marsokod@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          With Tailscale and other mesh VPN, by default all your machines are client and servers. If you have 3 machines A, B and C, when machine A wants to send something to B it will connect to the server that B has.

          These mesh VPN have a central server that is used to help with the discovery of the members, manage ACLs, and in the case one machine is quite hidden and not direct network access can be done act as a relay. Only in that last case do the traffic go through the central server, otherwise the only thing the central server knows is that machine A requested to talk to machine B.

          You still have to trust them if you want to use their server, but you can also host your own server (headscale for Tailscale). Though at this point you still need to somewhat trust Tailscale anyway since they re the ones doing the client releases. They could absolutely insert a backdoor and it would work for a while until is is discovered and would then totally ruin their reputation.

    • spencer@lemmy.ca
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      So two things about this:

      1. Tailscale doesn’t actually route through Tailscale’s servers, it just uses its servers to establish a direct connection between your nodes. You can use Headscale and monitor the traffic on the client and server sides to confirm this is the case. Headscale is just a FOSS implementation of that handshake server, and you point the Tailscale client there instead.

      2. Doesn’t renting a $3 VPS and routing your traffic through that expose many of the same vulnerabilities regarding a 3rd party potentially having access to your VPN traffic, namely the VPS provider?

      For what it’s worth, I generally think that the Headscale route is the most privacy- and data-sovereignty-preserving route, but I do think it’s worth differentiating between Tailscale and something like Nord or whatever, where the traffic is actually routed through the provider’s servers versus Tailscale where the traffic remains on your infrastructure.