Is it better to create your own VPN or use something like iVPN or Mullvad?

Hello, everyone,

I wanted to ask how you guys approach a VPN. I recently started self-hosting (like Nextcloud), but it is quite annoying to use both Tailscale and iVPN, or to let my Nextcloud go out publicly to the internet where anyone can access it.

Regardless, I don’t necessarily like Tailscale, as while their clients are open-source, their servers aren’t. I can easily host Headscale on an Oracle Cloud VPS though to get past this.

Anyway, I would like to try and find a way to balance these things out, like still having the privacy benefits from my ISP and online, while still easily accessing my self-hosted services outside of my house without completely making them public.

How do you guys approach this in general? Is it just better to use a VPN, or to set up WireGuard with a VPS?

Thanks in advance!

Plus and minus points on hosting your own VPN. For one, only you, and possibly members of your immediate circle, will be using it, and it will have a fixed IP address. So websites, etc. can use that for some tracking purposes.

In addition, any server you run will need to be maintained which takes some effort and usually some money.

If your Nextcloud is hosted at your home then you want a way to get into your house. See if your router supports VPN server functions. I think many routers do nowadays, including some open-source variants.

My router can function as a VPN server and I use that to access my home servers. That might work for you. Free and not a lot of additional maintenance as I need to keep my router up to date anyway.

But if I wanted to hide things from my ISP, it turns out my router can also run a VPN client and has rules about what traffic goes over the VPN that I can customize. So, in a case like I think you have, the router could provide a server for home access and then all traffic out from the house (including from the incoming VPN) can be directed out over a different VPN to a provider of my choice.

I think my last choice would be to set up a VPN server on a VPS. That costs money and maintenance effort. And it won’t really hide my IP from tracking sites, as I wouldn’t be “lost in the crowd” since my household would be the only ones on it.

4 Likes

Probably the best balance (or at least the easiest and most convenient balance) would be to buy Mullvad Through Tailscale.

Self-hosting a VPN on your own network doesn’t make too much sense to me in most contexts because (1) it doesn’t change your IP, (2) doesn’t shift your geographic location (or legal jurisdiction), (3) doesn’t bypass your ISP, and (4) doesn’t give you a crowd to potentially blend in with. And even if you host on an external VPS, usually you are going to be required to provide a lot more personal info than you would provide to a VPN service (Oracle, for example, requires real info and payment info, even on the free tier).

5 Likes

@xe3 @OldGuy
Thanks for your answers.

@OldGuy
Unfortunately, I am behind CGNAT and I cannot use a VPN on my router. So this is off the table.

@xe3
Mullvad Through Tailscale isn’t that bad, but I feel like I am losing some functionality of a normal VPN. I, for example, like to use multi-hop on iVPN. I used to use Mullvad standalone and it was meh on mobile. I much prefer iVPN. Also, while Tailscale isn’t bad, their servers AFAIK are proprietary. Only their clients are open-source. Regardless though, I think this is my next best option. Although I would have to give Tailscale my payment info.

Any other ideas?

Oh and wouldn’t Tailscale be able to see the internet traffic?

Having only read the main post and not any comments:

See, here’s why it’s always important to remember that threat model and sacrifices in conveniences go hand in hand and are closely related.

To answer your main question/title more directly: I would say No! It’s not “better” because I don’t see a need or a use case or necessarily an advantage to having your own VPN. If you have very specific needs, you know what you’re doing and why, and one wouldn’t necessarily be posting/asking such a question here. But since you are, I would say this: I think you’re overcomplicating your privacy setup and digital life. You are of course most certainly welcome to do so if you have certain highly specific reasons.

You may not like this comment/opinion/answer/response to your post but you have it since you did ask.

2 Likes

Hi,
Thanks for the answer. I am honestly not sure whether I am overcomplicating things. I already do some self-hosting and I am trying to find a nice balance of what to use and what not to use. Haha, oddly enough, I am kind of having a similar issue as Henry had when he set up his NAS. I just rather find it quite annoying switching between Tailscale and iVPN.

Now, of course the simplest solution is to choose Mullvad and Tailscale, but I am not sure whether I want to do that. So, I was just thinking I could make my own VPN and not have this problem.

And, I sort of like Mullvad, but I find their clients to be meh. I find iVPN to be better since I can use it with my NextDNS configuration and use DoH on desktop.

See, this is what I meant by overcomplicating. You want things to work, but your specific way. It’s not always possible… such is the situation, and life is not that easy haha.

There is literally no difference in terms of quality of service between Mullvad and IVPN, as they are both fantastic options. If Mullvad works better objectively in your case, that’s what you ought to use. But your personal preference (for whatever reason) is making you stick with, or at least prefer, IVPN.

Then ask yourself why you don’t love it. It is more often than not simply personal bias, which is highly subjective. But objectively, no difference unless, again, you have some very specific reasons (in which case you really don’t have a solution from anyone).

I, for example, use Proton on desktop (since it helps with streaming) but Mullvad on iOS because I find it more robust on mobile. I suggest Mullvad to my parents because it’s easier to use (simplicity of the UI/UX) and given its robustness and affordability.

Everyone has their preferences but everyone ought to use what works for them.

Edit: that’s all I have to say on the matter. Now, you do you and good luck!

1 Like

I haven’t used Mullvad through Tailscale personally (because I don’t actively use Tailscale) but that is the impression I got as well. It’s unfortunate that it integrates well with Tailscale and also gives the full Mullvad experience. Still, if you are using Tailscale, it seems like the best compromise, but it is a compromise in some regards.

Oh and wouldn’t Tailscale be able to see the internet traffic?

I don’t believe so, but I’m not the best person to ask.

My understanding is that Tailscale’s servers are for coordination/C&C, your actual connection is P2P and isn’t flowing through Tailscale’s servers (outside of one specific context, but even in that context Tailscale just forwards encrypted data they can’t see). So while I’m sure there are privacy/security tradeoffs, I’m somewhat sure that Tailscale having technical access to your actual internet/network traffic is not one of them.

I’m personally quite interested in Tailscale for my own use, but on the fence about it. I’m thinking about using it for my own glacially evolving self-hosted setup, but like you I have some mild misgivings/concerns.

  • I don’t like that they only offer ‘sign in with’ Google, Apple, or Microsoft.
  • In the context of self-hosting I’d prefer not to be reliant on closed source 3rd party servers from a mainstream/non-privacy focused company. (not a criticism of the product or the company, not even a privacy concern, just a mild personal preference/discomfort)
  • Headscale would require a VPS, and a VPS typically requires more real PII compared to other services, plus a payment method. For example Oracle seems to block accounts that use privacy[dot]com cards for payment, and iirc some popular e-mail aliasing services, and requires a real name etc.

2 Likes

Have you looked into whether a Multihop-ish setup (you → vpn → proxy server → open internet) is possible via the Mullvad Browser extension? With Mullvad VPN proper, this is possible, but what I don’t know is if you can use the browser extension, or that specific feature with Mullvad purchased through Tailscale.

1 Like

Yes, this isn’t a bad setup, but it is only on the browser. Which is ok.

Oh, and I did try out Tailscale with Mullvad and it really isn’t too bad! I miss out on some features, but I still do get to use NextDNS with my configuration, and get some privacy benefits from using something like Mullvad. :smiley:

I am a little concerned about the privacy standpoint of Tailscale though. I mean it is not bad (better to use Tailscale than making my Nextcloud public to the internet), but overall the payment process is meh. It would be nice if they accepted something like Monero (I can only pay with card regardless since I am under 18). Something more privacy friendly.

I guess now I have to ditch iVPN.

1 Like

For what it’s worth, I have found it useful to keep file servers like Nextcloud publicly available, and not to restrict access to specific IP addresses. This is particularly useful for the purpose of sharing files with others, or sending them a link to which they can upload files securely. One can run fail2ban to thwart the bots that will inevitably attempt to gain unauthorized access to the server.

1 Like

This is nice. What other precautions do you take to lock down your Nextcloud?
One can also easily attempt to get past the authentication on Nextcloud.

You can set up TOTP for any account on Nextcloud. I recommend it for at least your administrator account.

Fail2ban at the system level. And disable password authentication on ssh access.

2 Likes

In addition to setting up TOTP (as suggested by @oldguy), you might also look at the Nextcloud security settings at /settings/admin/security and enforce a strong password policy. You can also enable server side encryption there, if desired.

1 Like

  • Do not directly open ports; use something like Cloudflare Tunnel (or any other service). If your network isn’t directly reachable from the outside, it is hard to get access to it.
  • Activate full disk encryption and also encrypt the Nextcloud storage with the built-in encryption module.
  • Do NOT allow any non-encrypted ports (like 80).
  • Use a strong password with MFA.
  • For SSH, try to avoid password auth. and go with SSH keys AND MFA (YubiKey auth. or Google Authenticator).
  • Use CrowdSec, and if you do not want to use this, use at least fail2ban.
  • Do not install any software directly on the server (tmux, screen, htop, docker, fail2ban etc. don’t count here). Instead, install the software in a container/KVM.
  • If you have the knowledge and the resources, use something like pfSense or OPNsense to filter the incoming traffic (normal firewall rules for internal and external communication, DNS filtering, maybe also DPI).
  • Use RAID 1, and please do not use software RAID.
  • Also try not to allow internal administrative (SSH, Portainer, Proxmox etc.) communication to the server. I would, even for internal communication, use a VPN to reach the system. If someone in your home gets infected with malware, it would be easier to infect the server if the ports are open.
  • Make frequent off-site backups.
  • If multiple users are working on the server (administrating it, not just using it), disable root login and create different groups as well as different accounts for each one.

1 Like

This is all great advice. Now I do have a question. I was planning on creating a WireGuard VPN (using this script: Bypass_CGNAT/Oracle Cloud/Oracle_Installer.sh at main · mochman/Bypass_CGNAT · GitHub) from my server to a public VPS, assigning a domain to the public VPS, and accessing my self-hosted services like Nextcloud, Jellyfin, and Invidious all behind Caddy as a reverse proxy. My question though, is how can I enhance the security even further? Already SSH keys, UFW, and fail2ban do quite a lot, but what else can I do with this kind of setup?

The primary reason why I am doing this is because I have 5G internet and I am behind CGNAT. All incoming connections are blocked on the router and there is no way I can change it, and there is no IPv6 either. I also cannot use pfSense or OPNsense sadly.

About Cloudflare tunnels, I don’t think they are very privacy respecting. As far as I know, all the traffic that comes to them is in clear text.

Thanks for all the advice btw. Finally I have reached a resolution.
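As an added example (not code from the thread, not the mochman/Bypass_CGNAT installer, and not any project's own files), the following script renders the full set of configuration files for the setup planned in the post above, applying the hardening points from the earlier list: the home server keeps an outbound WireGuard tunnel to a VPS, Caddy on the VPS terminates TLS and proxies back over the tunnel, SSH on the VPS is key-only, and the firewall exposes only SSH, HTTPS and the WireGuard port. Every key, the 203.0.113.10 address, the 10.66.0.0/24 tunnel range, the example.net domain and the backend ports are constructed placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from mochman/Bypass_CGNAT. Renders the
# configs for: home server --WireGuard--> VPS --Caddy--> internet.
# Usage: sh render.sh write ./out   (writes the five files into ./out)
set -eu

VPS_PUBLIC_IP="203.0.113.10"   # placeholder (TEST-NET-3 documentation range)
VPS_WG_ADDR="10.66.0.1"        # VPS end of the tunnel (placeholder)
HOME_WG_ADDR="10.66.0.2"       # home server end of the tunnel (placeholder)
WG_PORT="51820"
DOMAIN="example.net"           # placeholder zone whose records point at the VPS
VPS_PRIVKEY="VPS_PRIVATE_KEY_PLACEHOLDER"   # real keys: wg genkey | tee k | wg pubkey
VPS_PUBKEY="VPS_PUBLIC_KEY_PLACEHOLDER"
HOME_PRIVKEY="HOME_PRIVATE_KEY_PLACEHOLDER"
HOME_PUBKEY="HOME_PUBLIC_KEY_PLACEHOLDER"

# VPS side (/etc/wireguard/wg0.conf): the only end that listens publicly.
# AllowedIPs is the single /32 of the home peer, nothing else is routed in.
render_vps_wg() {
  cat <<EOF
[Interface]
Address = ${VPS_WG_ADDR}/24
ListenPort = ${WG_PORT}
PrivateKey = ${VPS_PRIVKEY}

[Peer]
PublicKey = ${HOME_PUBKEY}
AllowedIPs = ${HOME_WG_ADDR}/32
EOF
}

# Home side: no ListenPort (behind CGNAT nothing could reach it anyway). It
# dials out and PersistentKeepalive keeps the NAT mapping open so the VPS can
# send proxied requests back. AllowedIPs is only the VPS tunnel address, so the
# home server's own internet traffic is not routed through the VPS.
render_home_wg() {
  cat <<EOF
[Interface]
Address = ${HOME_WG_ADDR}/24
PrivateKey = ${HOME_PRIVKEY}

[Peer]
PublicKey = ${VPS_PUBKEY}
Endpoint = ${VPS_PUBLIC_IP}:${WG_PORT}
AllowedIPs = ${VPS_WG_ADDR}/32
PersistentKeepalive = 25
EOF
}

# Caddyfile on the VPS: TLS ends here, requests cross the tunnel to the home
# host. One site block per service, so only these hostnames are exposed.
render_caddyfile() {
  cat <<EOF
cloud.${DOMAIN} {
    # Nextcloud behind the tunnel (placeholder port)
    reverse_proxy ${HOME_WG_ADDR}:8080
}
media.${DOMAIN} {
    # Jellyfin behind the tunnel (its default port)
    reverse_proxy ${HOME_WG_ADDR}:8096
}
EOF
}

# /etc/ssh/sshd_config.d/hardening.conf on the VPS: keys only, no root login.
render_sshd_dropin() {
  cat <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# VPS firewall: SSH, HTTPS and the WireGuard UDP port only. Port 80 stays
# closed; Caddy then gets its certificates via the TLS-ALPN-01 challenge on 443.
render_ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw allow 22/tcp
ufw allow 443/tcp
ufw allow ${WG_PORT}/udp
ufw enable
EOF
}

# Invariants worth checking before deploying; returns 0 only when all hold.
check_rendered() {
  render_home_wg | grep -q '^PersistentKeepalive = 25$' || return 1
  render_home_wg | grep -q '^ListenPort' && return 1
  render_vps_wg | grep -q '^AllowedIPs = '"${HOME_WG_ADDR}"'/32$' || return 1
  render_sshd_dropin | grep -q '^PasswordAuthentication no$' || return 1
  render_ufw_rules | grep -q ' 80/' && return 1
  return 0
}

if [ "${1:-}" = "write" ]; then
  out="${2:-./out}"; mkdir -p "$out"; check_rendered
  render_vps_wg > "$out/vps-wg0.conf"; render_home_wg > "$out/home-wg0.conf"
  render_caddyfile > "$out/Caddyfile"; render_sshd_dropin > "$out/sshd-hardening.conf"
  render_ufw_rules > "$out/ufw.sh"
fi
```

The two AllowedIPs lines are the part worth thinking about: each side only accepts the other's single tunnel address, so the VPS can reach the home services but cannot push traffic into the home LAN, and the home server's own outbound traffic stays on the commercial VPN rather than being routed through the VPS. Nextcloud behind a reverse proxy additionally needs its `trusted_proxies` and `overwriteprotocol` settings in config.php pointed at the VPS tunnel address, otherwise it will generate http:// links and log the wrong client IP, which also blinds fail2ban to the real source.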