Selfhosted

If you're getting a VPS I'd generally recommend getting pangolin. It's basically like cloudflared tunnels, but self hosted (on the vps). It works the same, you use it to map your subdomains to IPs on the other end of the secure tunnel.

It has things like user access controls for each of the subdomains, the ability connect it to an identity provider, rules governing which paths need authentication and which don't, etc.

It can optionally come preconfigured with crowedsec, but I had problems with it falsely classifying my normal traffic as an attack and banning my IPs.

Just be aware that even if your service has a login page, you first need to log into pangolin to be granted access to the service, and although that's fine on the web (especially if you're using an sso), some native apps don't like the extra login. Homeassistant handles it better now, but I haven't gotten jellyfin native android app working yet.

I agree with the other folks recommending Pangolin on a VPS for this. It's great. It combines a reverse proxy and a wireguard tunnel together for you. You don't have to open any ports on your home network, and Pangolin allows you to set access levels for each individual service.

So you can have some fully open for those who aren't going to mess with VPNs and tunneling, and you can put other things behind Pangolin auth to add additional protection.

Look into Pangolin with crowdsec. It's basically the all in one tested solution for your plans.

Is they're a reason you don't want to just use tailscale for this? it's incredibly easy to set up and does exactly what you're trying to do.

I do this currently. I have a Hetzner VPS with Pangolin, giving access to family services like Immich etc, and my own nerdy services I keep locked to my home IP, and if I'm away from home, I tunnel in with Wireguard and hence then the home IP kicks in and they work.

You can issue traefik IP rules with Pangolin as well to limit what IPs can access services.

I have Pangolin and all family services behind Pocket ID with passkey only auth.

The VPS I protect with Hetzner's firewall, so only SSH is allowed from my home IP.

The whole setup is as secure as I can make it. My family would just roll their eyes at any VPN I asked them to use, so it has to be publicly accessible for some things annoyingly.

I also have private services coming direct to my home firewall away from the VPS (for speed efficiency), and for truly public services (websites), I have those tunneled through a Cloudflare tunnel that can handle Google Auth for WordPress login pages etc.

It made me uncomfortable to start with using the VPS, but in time, confidence grows.

I would say if you need to ask this, you might not be ready to expose your home sever to the internet. Please be VERY careful about this.

With that being said, setting up reverse proxy (nginx) on the VPS should not affect the reverse proxy on your home server in any way.

In the proposed setup, the VPS will be directly exposed to the internet - it's the "gateway" to your network. If someone gains access to the VPS, they have access to your home server and probably other devices in your network. So yes, you need to secure the VPS as much as you can. Fail2ban or Crowdsec are a good idea. Setting them up on the home server wouldn't really do anything against an attacker with access to the VPS.

When I looked into this configuration a few years ago the security improvements seemed minimal. Adding yet another provider to the mix plus the additional risk of a server misconfiguration didn't seem to be worth the trouble unless I was dealing with CGNAT.

Besides hiding endpoints from your ISP and exposing them to the VPS, how much security does this really add?

Configure the VPN route for only that one address, not the whole subnet.

If you only have the VPN, nothing exposed directly, you don't need fail2ban at all. I suppose you could configure it for the VPN service, but that seems unnecessary to me.

I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?...), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.

And you can access any device from your VPN in your LAN.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

[Thread #130 for this comm, first seen 2nd Mar 2026, 21:10] [FAQ] [Full list] [Contact] [Source code]