Hello friends!
For awhile now I’ve wanted to delve into self-hosting and the first thing I thought of was ditching my VPN Provider for my own VPN solution.
I wanted to ask about the cost/benefit of each option with those of you who are more experienced.
Option One: Stick with my VPN Provider:
This is a funky case, as my VPN Provider is with Proton, and my email and VPN accounts are linked together. Since I’ve been with them for awhile, I have over a gigabyte of storage for emails. I rarely ever get past 400MB. The VPN is fine, occasionally I have some hiccups with speed but it overall works. I pay roughly $19.20/month for both a paid email account and the VPN service, so it’s likely the second cheapest. When it comes to privacy, though, I’m not 100% sold Proton wouldn’t just sell my data for no reason. Yes, they are Swiss, but that doesn’t entirely reassure me.
The weird thing about this is my PiHole is decoupled from the VPN. At least in the mobile app, I see no option to use your own DNS. There’s also no provided way nor really an obvious way for me to connect to all of my devices if they’re all on ProtonVPN, as opposed to the other two options.
Option Two: Just use Tailscale
Personally I’d like to mess with the ACLs so probably I’d wind up with the $6/month plan. For the $18/month plan I don’t really know what “Tailscale SSH” even means, as I don’t know what magic they do to wrap SSH into something worth paying for. I’ve heard mixed things about “Tailscale Funnel.”
I hear Tailscale is easy to install and there’s no real extra fidgeting you’d have to do for your home network. Tailscale will also let me use my PiHole as my DNS, getting me ad-blocking from PiHole on all devices on Tailscale.
Option Three: Self-Hosted Headscale
This is one I’m interested in, but I don’t know the feasibility of it. The initial idea was to get a VPS and install OpenBSD on it and make it my Headscale instance. I’ve installed OpenBSD before, I mostly know my way around it and I like how lightweight it is and how security focused it is. There would be more setup initially, but I don’t really mind that. I do a lot of fidgeting on my Linux desktop anyway.
The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something =<10Gbsp. So maybe $25-$30/month depending on who I buy a VPS through?
The other thing is updating stuff. I can just SSH and do all of that manually and since the VPS will be dedicated specifically to being a Headscale server, but that is still time I have to spend.
Lastly, I wouldn’t have the international selection of VPN locations like with a VPN provider, just one, but it’s not like I’m trying to bounce my connection from country and that’s not advisable anyway.
Other options
Setting up a VPS with Wireguard myself. While I wouldn’t mind it too much, Tailscale exists for a reason and it can traverse firewalls without me having to configure a bunch of devices so that’s a big plus.
Running Headscale in a container on my Linux desktop, but this means my desktop would have to be on almost 24/7 and I don’t know how I feel about having my VPN stuff to be sitting directly inside my home network.
What are your opinions?
Have a read through https://tailscale.com/blog/how-nat-traversal-works/
You, and many commenters are pretty confused about out tailscale/Headscale work.
- To a first approximation, Tailscale/Headscale don’t route and traffic. They perform NAT traversal and data flows directly between nodes on the tailnet, without traversing Headscale/Tailscale directly.
- If NAT traversal fails badly enough, it’s POSSIBLE that bulk traffic can flow through the headscale/tailscale DERP nodes… but that’s an unusual scenario.
- You probably can’t run Headscale from your home network and have it perform the NAT traversal functions correctly. Of course, I can’t know that for sure because I don’t know anything about your ISP… but home ISPs preventing Headscale from doing it’s NAT traversal job are the norm… one would be pleasantly surprised to find that a home network can do that properly.
- Are younreally expecting 10gb/s speeds over your encrypted links? I don’t want to say it’s impossible, people do it… but you’d generally only expect to see this on fairly burly servers that are properly configured. Tailscale just in April bragged about hitting 10gb speeds with recent optimizations: https://tailscale.com/blog/more-throughput/ and on home hardware with novice configd I’d generally expect to see roughly more like single gigabit.
To a first approximation, Tailscale/Headscale don’t route and traffic.
Ah, well damn. Is there a way to achieve this while using Tailscale as well, or is that even recommended?
Are younreally expecting 10gb/s speeds over your encrypted links?
Eh, no. You have a good point there. I mean in a more perfect world that would be wonderful, but that’s not the case.
To a first approximation, Tailscale/Headscale don’t route and traffic.
Ah, well damn. Is there a way to achieve this while using Tailscale as well, or is that even recommended?
Is there a way to achieve what? Force tailscale to route all traffic through the DERP servers? I don’t know, and I don’t know why you’d want to. When my laptop is at home on the same network as my file-server, I certainly don’t want tailscale sending filserver traffic out to my Headscale server on the Internet just to download it back to my laptop on the same network it came from. I want NAT traversal to allow my laptop and file-server to negotiate the most efficient network path that works for them… whether that’s within my home lab when I’m there, across the internet when I’m traveling, or routing through the DERP server when no other option works.
OpenVPN or vanilla Wireguard are commonly setup with simple hub-and-spoke routing topologies that send all VPN traffic through “the VPN server”, but this is generally slower path than a direct connection. It might be imperceptibly slower over the Internet, but it will be MUCH slower than the local network unless you do some split-dns shenanigans to special-case the local-network scenario. With Tailscale, it all more or less works the same wherever you are which is a big benefit. Of course excepting if you have a true multigigabit network at home and the encryption overhead slows you down… Wireguard is pretty fast though and not a problematic throughout limiter for the vast majority of cases.
Force tailscale to route all traffic through the DERP servers?
No no, sorry. I mean can I still have all my network traffic go through some VPN service (mine or a providers) while Tailscale is activated?
So if I’m torrenting something, I don’t have to turn off Tailscale on that device and switch on a VPN before I start the torrent process?
I’m going to guess either “no” or “yes, on paper, it’s possible.”
No no, sorry. I mean can I still have all my network traffic go through some VPN service (mine or a providers) while Tailscale is activated?
Tailscale just partnered with Mullvad so this works out of the box for that setup: https://tailscale.com/blog/mullvad-integration/
For others, it’s a “yes on paper” situation. It will probably often not work out of the box, but it seems likely to be possible as an advanced configuration. At the end of the line of possibilities, it would definitely be possible to set up a couple of docker containers as one-armed routers, one with your VPN and one with Tailscale as an exit node. Then they can each have their own networking stack and you can set up your own routes and DNS delegating only the necessary bits to each one. That’s a pretty advanced setup and you may not have the knowhow for it, but it demonstrates what’s possible.
Tailscale just partnered with Mullvad so this works out of the box for that setup: https://tailscale.com/blog/mullvad-integration/
Ah I literally saw that post here a few days ago! How could I forget about that? I might just switch over to Mullvad. Way cheaper, I can downgrade the Proton account I have (I’ll still use their email service until I have time and figure out how to self-host my own email) and I can use Mullvads encrypted DNS servers until I can configure DNS-over-HTTPS + Unbound on my PiHole.
For Headscale you don’t need a lot of bandwidth or power because your traffic is not routed through the Headscale server. Headscale only helps to directly connect your clients together without having to open ports
your traffic is not routed through the Headscale server
Damn, well is there a means of using both Headscale and routing your traffic somewhere else?
My big reason for looking into Tailscale/Headscale is the ability to connect to my devices at home, at the office or a VPS that’s in a different state/province and having the ability to use my PiHole as my DNS, but I would still like my network traffic to be (mostly, as an VPN doesn’t save you from other tracking methods) protected.
You set up a node on some other server and enable it to be an exit node, and can then access the Internet through that one. So any node on your net can be your VPN exit point at any time, if you want to juggle several, for example
$20 per month for 400mb of email + a VPN was an acceptable cost maybe in 1998, now it’s insanely expensive
For tailscale, for personal use i don’t see why the free plan is not enough, you need more than 3 users? ACLs can still be edited on the free plan.
And then you need to tell us why you’re using the VPN. Just privacy when using unsecured wifi? Or ISP tracking paranoia? Or torrenting? By default tailscale does not route any WAN traffic, it can optionally use one of your nodes as an exit node, but that’s it. You mention “leaving your desktop to be 24/7” so you don’t have a server at home. If you run tailscale on the way that means the exit node will be off and you are not using a VPN. Because you’re using your own connection, it does not solve ISP tracking or torrenting issues.
Maybe for you cloudflare warp is better?
$20 per month for 400mb of email + a VPN was an acceptable cost maybe in 1998, now it’s insanely expensive
Yea I have a business plan with Proton. No idea why I upgraded but I remember doing it.
And then you need to tell us why you’re using the VPN. Just privacy when using unsecured wifi? Or ISP tracking paranoia? Or torrenting?
Yes, yes and yes lol. Also I would like to connect to devices privacy and see if I can make use of my PiHole when I’m not on my home network where the PiHole is located.
Slightly off topic but what proton subscription do you have? Proton Unlimited is email + storage via Drive with 500GB and VPN for $12.99/mo if paying monthly, otherwise it’s $10/mo or $8/mo if you pay 1 or 2 years in advance, respectively.
I have a business account with them. I don’t really remember why I upgraded to a business plan. Might downgrade it to save a few bucks for now.
You might be confused about self hosting, your desktop should not be 24/7 online, you are the client and you want to use the vps as exit node, where you host also headscale. And please don’t spend 20$ for a vps, you better rent 4 or more with 20$ from different providers and you can have more exists nodes. Headscale or wireguard are not eating a lot of resources. What you should look is at bandwidth , unlimited is better, you won’t find many vps providers with unlimited bandwidth Even if you are behind a CGNAT using wireguard as client won’t be any problems,because you are going OUT not coming IN.
Off-topic. Not about cost, but about privacy:
Considering you are using Proton, you care about digital privacy. If you are not trusting Proton, you should not trust Tailscale as well, in my opinion. Tailscale’s backend is closed-source, you get no control, and nothing is stopping them from selling you data either. If you go for Headscale, you may be in a slightly better position. But websites and big companies like Google can still make detailed profile of you, as you will be connecting to everything using a single IP, that is, the IP of your VPS. But again, nobody is stopping your VPS provider from selling your data either.
Another question is that why are you paying $19 for that? They have $10-12 plans that come with 500 GB storage, emails with 3 custom domains and high-speed VPN.
Also, if you do not trust Proton, you can consider Mullvad or IVPN. They are just $5/m, and you can pay via Monero, but they do not have as many servers as Proton does.
Another question that pops in my mind is, why do you need a VPN? Do you need to connect to your services privately, or do you just need to change your IP for (relatively) better privacy? Again, paying someone with multiple VPN options is better than setting up a single VPN by yourself, in my opinion.
If you are not trusting Proton, you should not trust Tailscale as well, in my opinion.
True, although I don’t know if I say I don’t trust them. It’s more of a sense of skepticism that’s always in the back of my mind when it comes to any service.
Another question is that why are you paying $19 for that? They have $10-12 plans that come with 500 GB storage, emails with 3 custom domains and high-speed VPN.
I have a business account with them. I’m trying to remember why I upgraded…
Another question that pops in my mind is, why do you need a VPN? Do you need to connect to your services privately, or do you just need to change your IP for (relatively) better privacy?
At this point, if I’m going to do be doing more self-hosting I’d want the ability to connect to services privately. The other thing is that with Tailscale I can set my PiHole as my DNS server. That way any device on the tailnet gets the ad blocking as well. Plus, if I can get unbound with DNS-over-HTTPS (via stubby) setup on it then I have a pretty secure and fairly private setup. That’s kind of what’s got me thinking about moving to Tailscale.
An IP is the least of the things they track you with nowadays. Thinking my IP is not mine they can’t track me is outdated and pushed by the VPN providers.
It’s a bit more complicated than that. Your IP can identify you still, if there are few users connecting from that IP. VPNs reduce the efficacy of IP based tracking because they allow you to connect via many different addresses, and every one of those addresses will have hundreds of thousands of users on a given day. It adds a lot of noise that makes any pattern identification useless.
The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something =<10Gbsp. So maybe $25-$30/month depending on who I buy a VPS through?
Would EACH of your devices have their own dedicated gigabit connection to your server? Even so, are you the only user or is this for some family members also? If its just you, you can 9/10 just get a basic 5$ or less gigabit VPS. You’d much more often be limited by your outbound connection than your VPS networking, by a considerable margin. Most things you are connecting to won’t saturate even a gigabit connection, so you’d be well under your bandwidth requirements.
are you the only user or is this for some family members also?
Probably just me and my fiance at the moment.
you can 9/10 just get a basic 5$ or less gigabit VPS.
Sweet, good to know!
deleted by creator
I agree with you that by using tailscale you have to trust them, but your traffic is not routed through their servers, they are only responsible to directly connect your devices (by nat traversal)
but your traffic is not routed through their servers,
Hmm so correct me if I’m wrong (I probably am), but with a basic Wireguard setup you’d have one device act as the server and other devices that connect to it are the clients. But can’t you have 2 devices that act as servers/clients to each other, and then have other devices connect to them and the connect with bounce between those two devices?
I’m assuming that if this is even achievable, it’s not something Tailscale or Headscale will let you do.
With Tailscale and other mesh VPN, by default all your machines are client and servers. If you have 3 machines A, B and C, when machine A wants to send something to B it will connect to the server that B has.
These mesh VPN have a central server that is used to help with the discovery of the members, manage ACLs, and in the case one machine is quite hidden and not direct network access can be done act as a relay. Only in that last case do the traffic go through the central server, otherwise the only thing the central server knows is that machine A requested to talk to machine B.
You still have to trust them if you want to use their server, but you can also host your own server (headscale for Tailscale). Though at this point you still need to somewhat trust Tailscale anyway since they re the ones doing the client releases. They could absolutely insert a backdoor and it would work for a while until is is discovered and would then totally ruin their reputation.
I agree that for most people tailscale isn’t selfhosted (except for the few with headscale). But Tailscale is easy to set up and configure, so I get why people love it.
And regarding the “antithesis of selfhosting”, I read on here constant recommendations for Cloudflare Tunnel, which might be a great service but also is the opposite of selfhosted.
Now I personally switched back to wireguard directly since I had battery life issues with ts. Using wg directly makes a few other things easier to set up in my network.
PS: A great feature of tailscale is it’s ability to create tls certificates for it’s domains, so bitwarden doesn’t complain about an insecure connection. This I could solve with dns-01 challenges, but then my router blocked the domains because of some attack vector. Now I have to manually whitelist them. TS makes this simpler.
So two things about this:
-
Tailscale doesn’t actually route through Tailscale’s servers, it just uses its servers to establish a direct connection between your nodes. You can use Headscale and monitor the traffic on the client and server sides to confirm this is the case. Headscale is just a FOSS implementation of that handshake server, and you point the Tailscale client there instead.
-
Doesn’t renting a $3 VPS and routing your traffic through that expose many of the same vulnerabilities regarding a 3rd party potentially having access to your VPN traffic, namely the VPS provider?
For what it’s worth, I generally think that the Headscale route is the most privacy- and data-sovereignty-preserving route, but I do think it’s worth differentiating between Tailscale and something like Nord or whatever, where the traffic is actually routed through the provider’s servers versus Tailscale where the traffic remains on your infrastructure.
-
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAT Network Address Translation PiHole Network-wide ad-blocker (DNS sinkhole) SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
[Thread #133 for this sub, first seen 11th Sep 2023, 22:05] [FAQ] [Full list] [Contact] [Source code]