Selfhosted

I do this currently. I have a Hetzner VPS with Pangolin, giving access to family services like Immich etc, and my own nerdy services I keep locked to my home IP, and if I'm away from home, I tunnel in with Wireguard and hence then the home IP kicks in and they work.

You can issue traefik IP rules with Pangolin as well to limit what IPs can access services.

I have Pangolin and all family services behind Pocket ID with passkey only auth.

The VPS I protect with Hetzner's firewall, so only SSH is allowed from my home IP.

The whole setup is as secure as I can make it. My family would just roll their eyes at any VPN I asked them to use, so it has to be publicly accessible for some things annoyingly.

I also have private services coming direct to my home firewall away from the VPS (for speed efficiency), and for truly public services (websites), I have those tunneled through a Cloudflare tunnel that can handle Google Auth for WordPress login pages etc.

It made me uncomfortable to start with using the VPS, but in time, confidence grows.

Is they're a reason you don't want to just use tailscale for this? it's incredibly easy to set up and does exactly what you're trying to do.

Look into Pangolin with crowdsec. It's basically the all in one tested solution for your plans.

I would say if you need to ask this, you might not be ready to expose your home sever to the internet. Please be VERY careful about this.

With that being said, setting up reverse proxy (nginx) on the VPS should not affect the reverse proxy on your home server in any way.

In the proposed setup, the VPS will be directly exposed to the internet - it's the "gateway" to your network. If someone gains access to the VPS, they have access to your home server and probably other devices in your network. So yes, you need to secure the VPS as much as you can. Fail2ban or Crowdsec are a good idea. Setting them up on the home server wouldn't really do anything against an attacker with access to the VPS.

When I looked into this configuration a few years ago the security improvements seemed minimal. Adding yet another provider to the mix plus the additional risk of a server misconfiguration didn't seem to be worth the trouble unless I was dealing with CGNAT.

Besides hiding endpoints from your ISP and exposing them to the VPS, how much security does this really add?

Configure the VPN route for only that one address, not the whole subnet.

If you only have the VPN, nothing exposed directly, you don't need fail2ban at all. I suppose you could configure it for the VPN service, but that seems unnecessary to me.

I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.

And you can access any device from your VPN in your LAN.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

9 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #130 for this comm, first seen 2nd Mar 2026, 21:10] [FAQ] [Full list] [Contact] [Source code]