Hello friends!

For awhile now I’ve wanted to delve into self-hosting and the first thing I thought of was ditching my VPN Provider for my own VPN solution.

I wanted to ask about the cost/benefit of each option with those of you who are more experienced.

Option One: Stick with my VPN Provider:

This is a funky case, as my VPN Provider is with Proton, and my email and VPN accounts are linked together. Since I’ve been with them for awhile, I have over a gigabyte of storage for emails. I rarely ever get past 400MB. The VPN is fine, occasionally I have some hiccups with speed but it overall works. I pay roughly $19.20/month for both a paid email account and the VPN service, so it’s likely the second cheapest. When it comes to privacy, though, I’m not 100% sold Proton wouldn’t just sell my data for no reason. Yes, they are Swiss, but that doesn’t entirely reassure me.

The weird thing about this is my PiHole is decoupled from the VPN. At least in the mobile app, I see no option to use your own DNS. There’s also no provided way nor really an obvious way for me to connect to all of my devices if they’re all on ProtonVPN, as opposed to the other two options.

Option Two: Just use Tailscale

Personally I’d like to mess with the ACLs so probably I’d wind up with the $6/month plan. For the $18/month plan I don’t really know what “Tailscale SSH” even means, as I don’t know what magic they do to wrap SSH into something worth paying for. I’ve heard mixed things about “Tailscale Funnel.”

I hear Tailscale is easy to install and there’s no real extra fidgeting you’d have to do for your home network. Tailscale will also let me use my PiHole as my DNS, getting me ad-blocking from PiHole on all devices on Tailscale.

Option Three: Self-Hosted Headscale

This is one I’m interested in, but I don’t know the feasibility of it. The initial idea was to get a VPS and install OpenBSD on it and make it my Headscale instance. I’ve installed OpenBSD before, I mostly know my way around it and I like how lightweight it is and how security focused it is. There would be more setup initially, but I don’t really mind that. I do a lot of fidgeting on my Linux desktop anyway.

The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something =<10Gbsp. So maybe $25-$30/month depending on who I buy a VPS through?

The other thing is updating stuff. I can just SSH and do all of that manually and since the VPS will be dedicated specifically to being a Headscale server, but that is still time I have to spend.

Lastly, I wouldn’t have the international selection of VPN locations like with a VPN provider, just one, but it’s not like I’m trying to bounce my connection from country and that’s not advisable anyway.

Other options

Setting up a VPS with Wireguard myself. While I wouldn’t mind it too much, Tailscale exists for a reason and it can traverse firewalls without me having to configure a bunch of devices so that’s a big plus.

Running Headscale in a container on my Linux desktop, but this means my desktop would have to be on almost 24/7 and I don’t know how I feel about having my VPN stuff to be sitting directly inside my home network.

What are your opinions?

  • Chewy
    link
    fedilink
    English
    51 year ago

    I agree that for most people tailscale isn’t selfhosted (except for the few with headscale). But Tailscale is easy to set up and configure, so I get why people love it.

    And regarding the “antithesis of selfhosting”, I read on here constant recommendations for Cloudflare Tunnel, which might be a great service but also is the opposite of selfhosted.

    Now I personally switched back to wireguard directly since I had battery life issues with ts. Using wg directly makes a few other things easier to set up in my network.

    PS: A great feature of tailscale is it’s ability to create tls certificates for it’s domains, so bitwarden doesn’t complain about an insecure connection. This I could solve with dns-01 challenges, but then my router blocked the domains because of some attack vector. Now I have to manually whitelist them. TS makes this simpler.