Replacing Tailscale with WireGuard
the.unknown-universe.co.uk
I replaced Tailscale with a self-hosted WireGuard setup using two VPSes to securely expose home lab services without port forwarding or SaaS.

I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

  • spaghettiwestern@sh.itjust.worksEnglish
    5·
    18 minutes ago

    An excerpt from the Wireguard Whitepaper:

    One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state.

    After opening an SSH port and watching the number of attacks I understand the concern about opening any port on a router, but it seems the worry about opening a port for WG is way overblown.

    As of now I can find zero reports of a properly configured open WG port ever being successfully used by attackers to access a network.

    Anyone have better/more recent info?