this post was submitted on 12 May 2026
127 points (99.2% liked)

I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

[–] brewery@feddit.uk 9 points 1 day ago (1 children)

Just to clarify for my simple brain - vps1 has just 80/443 open, vps2 just has a wireguard port open (51825 or whichever). Vps2 has no domain pointing to its public IP, vps has your domain pointing to it. Vps1 and home server have wireguard configs pointing to the vps2 public IP, so punch through automatically. Is that all correct?

I think I have the same setup but with vps1 + 2 combined but that means its public IP is easily found by the domain (one includes a public business website) and has WG ports open (although my understanding is this in itself is not an issue as WG gives no reply)

Have you opened an SSH port on both vps1 and vps2 for backup or happy to rely on wireguard? Thinking about it, you could open up the port on the vps but use the provider's firewall to block the port - if needed can login to their site, open the port and then SSH in - would this work? They have KVMs for emergencies but just trying to think of worst case scenarios.

[–] TheIPW@lemmy.ml 4 points 1 day ago (1 children)

Exactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.

I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).

Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one, block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.

[–] brewery@feddit.uk 2 points 1 day ago

Awesome idea then, I'll have to look into it.
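
The hub-and-spoke layout confirmed in the thread above, written out as three wg-quick configs. This is an added example, not the poster's own configuration: the 10.8.0.0/24 tunnel subnet, the `<...>` key and IP placeholders and the file paths are assumptions; 51825 is the port mentioned in the comment.

```ini
# ---- VPS2 (hub, no domain): /etc/wireguard/wg0.conf ----
# Assumed tunnel addressing: hub .1, VPS1 .2, home server .3
[Interface]
Address = 10.8.0.1/24
# The only inbound port on VPS2 (UDP)
ListenPort = 51825
PrivateKey = <VPS2_PRIVATE_KEY>
# The hub relays packets between the two spokes
PostUp = sysctl -w net.ipv4.ip_forward=1

# VPS1 (reverse proxy): one /32, so it cannot source other tunnel IPs
[Peer]
PublicKey = <VPS1_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# Home server: one /32, no Endpoint (it dials out from behind NAT)
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ---- VPS1 (domain, 80/443 open): /etc/wireguard/wg0.conf ----
# No ListenPort: nothing needs to reach VPS1 over WireGuard from outside
[Interface]
Address = 10.8.0.2/24
PrivateKey = <VPS1_PRIVATE_KEY>

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51825
# Only tunnel traffic is routed via the hub, never 0.0.0.0/0
AllowedIPs = 10.8.0.0/24

# ---- Home server (no port forwarding): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.3/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS2_PUBLIC_KEY>
Endpoint = <VPS2_PUBLIC_IP>:51825
AllowedIPs = 10.8.0.0/24
# Keeps the NAT mapping alive so VPS1 can reach home at any time
PersistentKeepalive = 25
```

With this layout the reverse proxy on VPS1 forwards to 10.8.0.3, and binding the home services to the tunnel address (or firewalling them to source 10.8.0.2) keeps them reachable only through the proxy.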