I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

  • spaghettiwestern@sh.itjust.works · 5 upvotes · 3 hours ago (edited)

    An excerpt from the WireGuard whitepaper.

    One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state.

    After opening an SSH port and watching the number of attacks I understand the concern about opening any port on a router, but it seems the worry about opening a port for WG is way overblown. As of now I can find zero reports of a properly configured open WG port ever being successfully used by attackers to access a network.

    Anyone have better/more recent info?

  • SeductiveTortoise@piefed.social · 1 upvote · 3 hours ago

    I thought about setting Tailscale up for my home server but then I realized I’ve got no one I want to open myself up to and just use the VPN to connect to my stuff. Good setup, I like 💖

  • AcornTickler@sh.itjust.works · 6 upvotes · 7 hours ago

    What did you not like about Headscale? I started using it recently and it seems fine so far. Works identically to Tailscale.

    • TheIPW@lemmy.ml (OP) · 2 upvotes · 6 hours ago

      It’s not that I didn’t like it, I just wanted to go back to basics! A simple config file on each machine, job done.

  • kwarg@mander.xyz · 11 upvotes · 8 hours ago

    None of this is especially complicated

    It is for an absolute noob like me… I need a vacation so I can start learning all this networking jargon.

    Thank you for sharing though!

  • brewery@feddit.uk · 8 upvotes · 9 hours ago

    Just to clarify for my simple brain - VPS1 has just 80/443 open, VPS2 just has a WireGuard port open (51825 or whichever). VPS2 has no domain pointing to its public IP, VPS1 has your domain pointing to it. VPS1 and the home server have WireGuard configs pointing to the VPS2 public IP, so they punch through automatically. Is that all correct?

    I think I have the same setup but with VPS1 + 2 combined, but that means its public IP is easily found by the domain (one includes a public business website) and has WG ports open (although my understanding is this in itself is not an issue as WG gives no reply).

    Have you opened an SSH port on both VPS1 and VPS2 for backup, or are you happy to rely on WireGuard? Thinking about it, you could open up the port on the VPS but use the provider’s firewall to block the port - if needed you can log in to their site, open the port and then SSH in - would this work? They have KVMs for emergencies but I’m just trying to think of worst-case scenarios.

    • TheIPW@lemmy.ml (OP) · 3 upvotes · 8 hours ago

      Exactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.

      I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).

      Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one, block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.
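
As an added illustration (not the OP’s own config, nor anything from the linked article), the three-node layout confirmed above written as wg-quick files. The tunnel subnet 10.10.0.0/24, the key material and the VPS2 address are placeholders to fill in; UDP port 51825 is borrowed from the question above.

```ini
# --- VPS2, the hub: /etc/wireguard/wg0.conf ---
# Only UDP 51825 is reachable from the internet. The hub forwards
# between its two peers, so IP forwarding must be enabled on it.
[Interface]
Address = 10.10.0.1/24
ListenPort = 51825
PrivateKey = <VPS2_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# VPS1, the reverse proxy
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
AllowedIPs = 10.10.0.2/32

# Home server: no Endpoint here, it always dials out to the hub
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.10.0.3/32

# --- VPS1, the reverse proxy: /etc/wireguard/wg0.conf ---
# No ListenPort: VPS1 only initiates, so 80/443 stay its only inbound ports.
# The web server on VPS1 proxies requests to 10.10.0.3 over this tunnel.
[Interface]
Address = 10.10.0.2/24
PrivateKey = <VPS1_PRIVATE_KEY>

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51825
# Whole tunnel subnet via the hub, so 10.10.0.3 is reached through VPS2
AllowedIPs = 10.10.0.0/24
PersistentKeepalive = 25

# --- Home server: /etc/wireguard/wg0.conf ---
# No ListenPort and no router port-forward: outbound UDP only.
[Interface]
Address = 10.10.0.3/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51825
AllowedIPs = 10.10.0.0/24
# Keepalive holds the NAT mapping open so proxied requests from VPS1 can arrive
PersistentKeepalive = 25
```

Replace the angle-bracket placeholders with `wg genkey` / `wg pubkey` output and the hub’s address before running `wg-quick up wg0` on each node.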

  • slazer2au@lemmy.world · 17 upvotes · 11 hours ago

    Might want to have a look at your mobile site, it seems to cut stuff off on Firefox for Android.

  • stratself@lemdro.id · 1 upvote · 7 hours ago

    The article makes sense. I think it’s good to note that if the services you’re running make outbound requests (e.g. a Matrix homeserver), you could also tunnel outbound traffic to the same VPS as your inbound, so your residential IPs won’t be leaked.

    I’ve written about a similar setup, but for Tailscale nodes, here.

  • Decronym (bot) · 2 upvotes · 22 minutes ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    IP              Internet Protocol
    SSH             Secure Shell for remote terminal access
    VPS             Virtual Private Server (opposed to shared hosting)

    2 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

    [Thread #286 for this comm, first seen 12th May 2026, 13:20]