Hello friends!
For awhile now I’ve wanted to delve into self-hosting and the first thing I thought of was ditching my VPN Provider for my own VPN solution.
I wanted to ask about the cost/benefit of each option with those of you who are more experienced.
Option One: Stick with my VPN Provider:
This is a funky case, as my VPN Provider is with Proton, and my email and VPN accounts are linked together. Since I’ve been with them for awhile, I have over a gigabyte of storage for emails. I rarely ever get past 400MB. The VPN is fine, occasionally I have some hiccups with speed but it overall works. I pay roughly $19.20/month for both a paid email account and the VPN service, so it’s likely the second cheapest. When it comes to privacy, though, I’m not 100% sold Proton wouldn’t just sell my data for no reason. Yes, they are Swiss, but that doesn’t entirely reassure me.
The weird thing about this is my PiHole is decoupled from the VPN. At least in the mobile app, I see no option to use your own DNS. There’s also no provided way nor really an obvious way for me to connect to all of my devices if they’re all on ProtonVPN, as opposed to the other two options.
Option Two: Just use Tailscale
Personally I’d like to mess with the ACLs so probably I’d wind up with the $6/month plan. For the $18/month plan I don’t really know what “Tailscale SSH” even means, as I don’t know what magic they do to wrap SSH into something worth paying for. I’ve heard mixed things about “Tailscale Funnel.”
I hear Tailscale is easy to install and there’s no real extra fidgeting you’d have to do for your home network. Tailscale will also let me use my PiHole as my DNS, getting me ad-blocking from PiHole on all devices on Tailscale.
Option Three: Self-Hosted Headscale
This is one I’m interested in, but I don’t know the feasibility of it. The initial idea was to get a VPS and install OpenBSD on it and make it my Headscale instance. I’ve installed OpenBSD before, I mostly know my way around it and I like how lightweight it is and how security focused it is. There would be more setup initially, but I don’t really mind that. I do a lot of fidgeting on my Linux desktop anyway.
The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something =<10Gbsp. So maybe $25-$30/month depending on who I buy a VPS through?
The other thing is updating stuff. I can just SSH and do all of that manually and since the VPS will be dedicated specifically to being a Headscale server, but that is still time I have to spend.
Lastly, I wouldn’t have the international selection of VPN locations like with a VPN provider, just one, but it’s not like I’m trying to bounce my connection from country and that’s not advisable anyway.
Other options
Setting up a VPS with Wireguard myself. While I wouldn’t mind it too much, Tailscale exists for a reason and it can traverse firewalls without me having to configure a bunch of devices so that’s a big plus.
Running Headscale in a container on my Linux desktop, but this means my desktop would have to be on almost 24/7 and I don’t know how I feel about having my VPN stuff to be sitting directly inside my home network.
What are your opinions?
I agree with you that by using tailscale you have to trust them, but your traffic is not routed through their servers, they are only responsible to directly connect your devices (by nat traversal)
Hmm so correct me if I’m wrong (I probably am), but with a basic Wireguard setup you’d have one device act as the server and other devices that connect to it are the clients. But can’t you have 2 devices that act as servers/clients to each other, and then have other devices connect to them and the connect with bounce between those two devices?
I’m assuming that if this is even achievable, it’s not something Tailscale or Headscale will let you do.
With Tailscale and other mesh VPN, by default all your machines are client and servers. If you have 3 machines A, B and C, when machine A wants to send something to B it will connect to the server that B has.
These mesh VPN have a central server that is used to help with the discovery of the members, manage ACLs, and in the case one machine is quite hidden and not direct network access can be done act as a relay. Only in that last case do the traffic go through the central server, otherwise the only thing the central server knows is that machine A requested to talk to machine B.
You still have to trust them if you want to use their server, but you can also host your own server (headscale for Tailscale). Though at this point you still need to somewhat trust Tailscale anyway since they re the ones doing the client releases. They could absolutely insert a backdoor and it would work for a while until is is discovered and would then totally ruin their reputation.