Removed by mod

I run Wireguard VPN on my router that’s using OpenWrt

I’ve tried quite a few services and eventually I mostly settled on running my own WireGuard VPN.

But honestly these days I just use tailscale.

The convenience is really unmatched, and my only qualm was that you had to let them hold the keys in exchange for the convenience of a cloud service to manage everything.

But now with Tailnet Lock you can designate devices as signing nodes which effectively means those devices now hold your keys and tailscale really has no disadvantage over setting up your own WireGuard server manually.

While also being loads easier and more feature-rich.

If anything the user-friendliness probably ultimately makes it more secure than for inexperienced users to try to set up something similar manually.

Their free plan is also quite comfortable with 3 users and 100 devices and virtually all of the features available in the premium/enterprise plans.

Honestly I was very wary of them at first but I’ve really grown to appreciate tailscale to the point I probably sound like a shill

I use duckdns and wireguard and love it. Sometimes I have to reconnect to VPN (double tap notification button), but its enabled all the time otherwise. I cant run it alongside payed VPN, but maybe selfhosted wireguard can be run behind payed VPN service.

Only downside for me is lack of ssl certs. Im using letsencrypt and have to accept the risk quite often hehe. Tried to install cert on android, but wasnt successful. Thinking to buy domain or whatever is needed to remove that annoying warning. Still noob, so dont know whats best for me, but wireguard is serving me fine

I just have all my services exposed through reverse proxy with whatever authentication they have on their webpage. I see most people using VPN which I know is the more secure option but I like the zero setup of just typing in the name of the service I want to go to and just having it work. Is there a better way to secure this?

I expose my services to the web via my own VPS proxy :) I simply run only very few of them, use 2FA when supported, keep them up to date, run each service as rootless podman, and have a very verbose logcheck set up in case the container environment gets compromised, and allow only ports 80 and 443, and, very importantly, truly sensitive data (documents and such) is encrypted at rest so that even if my services are compromised that data remains secure.

For ssh, I have set up a separate raspberry pi as a wireguard server into my home network. Therefore, for any ssh management I first connect via this wireguard connection.

I use ocserv to provide a Cisco AnyConnect compatible VPN server. There’s an SSL proxy running on port 443 of my gateway so the VPN is only accessible using the right domain name, and the server is running in a Docker container.

Main reason I go for ocserv over OpenVPN or Wireguard is when I used to travel to China for work I found it was able to get past the Chinese firewalls. No idea if it still holds true but a few years ago it was fine.

Currently I have a bastion host running a hardened distro, which establishes a reverse proxy tunnel to its ssh port via my $4/mo VPS using rathole, an excellent reverse proxy utility I switched to from frp.

I also maintain a Tor hidden service pointed at the bastion host’s ssh port and another on a different internal host. These are so that I can still get in if the bastion host, my VPS, or certain aspects of networking are down for some reason.

Eventually I will implement port knocking / single packet authorization by deploying fwknop on some or all of these services to further enhance security.

Https and a server. If hosting at home just leave a high numbered port open. If on a vps then you should be able to use any port you want.

Cloudflare tunnel works for my jellyfin server.

Did run a VPN on my firewall which broke for whatever reason.

For access to my *arrs I run a reverse proxy and authelia for access regulation.