this post was submitted on 30 Apr 2026
54 points (95.0% liked)

Selfhosted

58872 readers
910 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
54
Cloudflare or Tailscale? (sh.itjust.works)
submitted 3 days ago by frosch@sh.itjust.works to c/selfhosted@lemmy.world
62 comments fedilink hide all child comments
 

Which route did you go for your homeland, a tunnel to your services or setting up tail scale/wireguard and access them on your trailer?

top 50 comments
sorted by: hot top controversial new old
[–] Reannlegge@lemmy.ca 2 points 1 day ago (1 children)

I actually have Wireguard running on a pi zero 2, all it really does is provide me my pihole DNS.

[–] frosch@sh.itjust.works 2 points 22 hours ago (1 children)

Taking do one thing, but do it good to the next level, nice!

I thought about getting a pi zero also just for the pi-hole. But my pi3b holds up pretty good, still

[–] Reannlegge@lemmy.ca 1 points 11 hours ago

In the not to distant future I will be retiring wireguard from that pi zero 2 and turning it into a pots server. I have grand ambitions to make a better home lab with a few more pi’s and to help me get away from big tech more.

The only thing google I have is an email I do not use but so I can watch YouTube, but I use unwatched to block ads.

The only thing apple is my iPhone and my iPad, when it becomes time to replace those I will have to figure out graphenOS and some Linux distro for a tablet of some sort.

[–] mlg@lemmy.world 7 points 2 days ago (1 children)

Wireguard.

Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don't bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).

It's still worth setting up a wildcard cert with ACME so you get nice https and a real domain.

[–] frosch@sh.itjust.works 2 points 2 days ago

Cloudflare has some opt-in auth. Mail-OTP is a nice balance imo: You can allowlist mail addresses per service/subdomain and set expiry for each. Then for access, you first have to enter the mail address, get the OTP and then access the service.

So, nobody without access to allowed mail addresses even gets to knock on you door.

But yeah, that's why I think about going tail scale: why bother having something exposed when not needed?

I just think, some services might be nice to provide to friends, too - and having them connect to my tailnet for this is a bit too much friction, I guess

[–] julianwgs@discuss.tchncs.de 8 points 2 days ago

I am very happy with Tailscale

[–] p4rzivalrp2@piefed.social 2 points 2 days ago (1 children)

Wildcard dns with port 80 & 443 port forwarded to traefik with tinyauth & fail2ban

[–] frosch@sh.itjust.works 1 points 22 hours ago (1 children)

Did you get a static public IP from your ISP?

[–] p4rzivalrp2@piefed.social 1 points 16 hours ago

No, I use dynamic dns

[–] tofu@lemmy.nocturnal.garden 16 points 3 days ago (2 children)

I have wireguard, it's supported by my router (Fritzbox).

[–] frosch@sh.itjust.works 2 points 2 days ago

Nice, I have to take a look if mine supports it, too!

[–] androidul@lemmy.world 3 points 3 days ago

same here, took me 7m to set this up on OPNsense with FritzBox

[–] prenatal_confusion@feddit.org 11 points 3 days ago (2 children)

Pangolin on a vps.

[–] fleem@piefed.zeromedia.vip 3 points 3 days ago (1 children)

isn't it awesome? i am scared to update it too far for an unknown reason

[–] prenatal_confusion@feddit.org 3 points 3 days ago

It's opensoursrso we should be able to roll back.

[–] frosch@sh.itjust.works 1 points 2 days ago (1 children)

When I looked into it first, Pangolin seemed a bit overwhelming.

Is it hard to set up?

[–] prenatal_confusion@feddit.org 2 points 2 days ago (1 children)

No, ridiculously easy with docker.

Then it follows the same principles as cloud flare. Create a site (vpn endpoint), get a docker snippet for a newt (what they call the vpn connector), paste it in the docker compose on your Homeserver and see it come up in the Webinterface.

Then you create a public resource and point it to said site and give it a url.

Done.

Ask me if you have questions

[–] frosch@sh.itjust.works 1 points 2 days ago (1 children)

Cool, do you get any auth and/or ingress protection?

With cloudflare, you get some auth options, can block AI crawlers (that get recognized...) etc for free

[–] prenatal_confusion@feddit.org 1 points 2 days ago

Yes there is auth on by default for resources. You can use real accounts that need to be created or passwords or pins. And I think some id providers.

[–] hexagonwin@lemmy.today 8 points 3 days ago (11 children)

tailscale. works perfectly, the only problem is needing a google acc for login

[–] cunnililgus@sopuli.xyz 1 points 18 hours ago

Netbird allows email & TOTP 2FA.

[–] zeitverschreib@freundica.de 2 points 2 days ago

@hexagonwin

I think Headscale gives you the option of using your own provider.

@frosch

[–] BCsven@lemmy.ca 2 points 2 days ago

And that years back they moved their servers from Canada to the US. That's when I dropped TS and just did wireguard by hand.

load more comments (8 replies)
[–] frongt@lemmy.zip 7 points 3 days ago (3 children)

Netbird via a free cloud VM. Works great.

[–] peskypry@lemmy.ml 2 points 2 days ago

Who provides free cloud VM?

load more comments (2 replies)
[–] TheGreenWizard@lemmy.zip 3 points 2 days ago

I'm liking self hosted NetBird atm

[–] FlexibleToast@lemmy.world 8 points 3 days ago (6 children)

Pangolin on a free Oracle VPS.

load more comments (6 replies)
[–] Illecors@lemmy.cafe 7 points 3 days ago (1 children)

I do run wireguard on my router, but the main reason is ad blocking, not hiding services. Most services are publicly exposed.

[–] frosch@sh.itjust.works 1 points 2 days ago (1 children)

Nice, I thought about using wireguard as a private VPN, too. Having my pihole block my mobile data on the go would be neat

[–] Illecors@lemmy.cafe 1 points 2 days ago

It really is!

[–] utjebe@reddthat.com 3 points 2 days ago (1 children)

Just Wireguard on a router, but I'm thinking Netbird.

WG can be a bit PITA to set up, but once you do, it just works. What I would to have is more fine grained control over who goes where if I were to expose some of the services to friends.

[–] IratePirate@feddit.org 1 points 2 days ago

wg-easy can greatly simplify your wireguard setup. Allows you to quickly generate access configs for friends and family on the fly (QR-codes, too). You still get access to post-up/-down hooks if you want tp create a more specialised deployment.

[–] Atherel@lemmy.dbzer0.com 3 points 2 days ago

Wireguard

[–] irmadlad@lemmy.world 5 points 3 days ago (1 children)

How about both? I run the evil Cloudflare Tunnels/Zero Trust with Tailscale as an overlay on the server.

[–] frosch@sh.itjust.works 2 points 2 days ago (1 children)

I'm a bit stumped, what do you gain from this setup?

Or do you mean just running some services through the tunnel for easy access and "hide" others behind tailscale?

[–] irmadlad@lemmy.world 1 points 2 days ago

what do you gain from this setup?

  • Defense in Depth
  • Network segmentation
  • Fallback
[–] uuj8za@piefed.social 5 points 3 days ago
[–] jlow@slrpnk.net 5 points 3 days ago

Headscale on fly.io

[–] Decronym@lemmy.decronym.xyz 4 points 3 days ago* (last edited 5 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

4 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #265 for this comm, first seen 30th Apr 2026, 19:30] [FAQ] [Full list] [Contact] [Source code]

[–] 30p87@feddit.org 4 points 3 days ago

Asked my ISP for a public IP, exposed all things that can handle that to the public. Custom Wireguard server for VPN

[–] 187OnAnUndercoverCop@programming.dev 4 points 3 days ago

Temp stuff where I could care less about the free tier domain name or things that I just want to funnel to my existing devices: Tailscale

Widespread, prolonged services that will be more actively maintained for a longer amount of time and can just spin off of its own domain/subdomain: Cloudflare

Both are great.

load more comments
view more: next ›