It’s a 10-minute read when it should probably be a 2-minute read, likely due to LLMs fluffing it up (I got that vibe from skimming it). But what do you all think, is there anything in here that would compel you to switch from your current VPN solution to this?

  • hertg@infosec.pub
    6 days ago

    CGNAT and changing IPs make this harder. What I’d consider in this scenario is renting a small vps at a local provider (a tiny/cheap machine is enough). Then use this one as a hop to your network, basically homelab->vps<-client. Here is a post that talks about something like that: https://taggart-tech.com/wireguard/

    I haven’t used this method personally, but I’ve done something similar for incoming web traffic before, when you want to host things behind a CGNAT. You can actually keep all the traffic confidential by having just an L4 proxy on the vps, then the http traffic is still end-to-end encrypted between the client and the service, so you don’t even have to trust the vps provider when it comes to them snooping. They still get some metadata, but not significantly more than the ISPs.
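
The hub-and-spoke layout described above (homelab -> VPS <- client), plus the L4 passthrough for inbound web traffic, as an added example; this is not from the linked post or any of the commenters. The overlay prefix 10.99.0.0/24, the hostname vps.example.net, port numbers and the `<...>` key placeholders are assumptions; generate real keys with `wg genkey | tee private | wg pubkey > public`.

```conf
# ---- /etc/wireguard/wg0.conf on the VPS (the hub) ----
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# The hub must forward between its two peers; without this, packets from
# the client addressed to the homelab are silently dropped at the VPS.
PostUp = sysctl -w net.ipv4.ip_forward=1

# Homelab: sits behind CGNAT, so it can only ever dial out to us.
[Peer]
PublicKey = <homelab-public-key>
AllowedIPs = 10.99.0.2/32

# Roaming client (laptop, phone).
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.99.0.3/32

# ---- /etc/wireguard/wg0.conf on the homelab (behind CGNAT) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <homelab-private-key>
# No ListenPort: nothing can reach this host inbound anyway.

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.net:51820
# Whole overlay via the hub, so replies to 10.99.0.3 are routed back
# through the VPS instead of being rejected as "not a peer's AllowedIPs".
AllowedIPs = 10.99.0.0/24
# Keeps the CGNAT/NAT mapping open so the hub can push traffic down to us
# at any time, not only after we have sent something.
PersistentKeepalive = 25

# ---- /etc/wireguard/wg0.conf on the client ----
[Interface]
Address = 10.99.0.3/24
PrivateKey = <client-private-key>

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24
PersistentKeepalive = 25

# ---- /etc/nginx/nginx.conf on the VPS: L4 passthrough for a public web service ----
# This block sits at top level, next to (not inside) the http {} block.
stream {
    server {
        listen 443;
        # Raw TCP forwarding over the tunnel. TLS terminates on the homelab,
        # so no certificate or private key ever lives on the VPS; the provider
        # can see the SNI, timing and volume, but not the HTTP payload.
        proxy_pass 10.99.0.2:443;
    }
}
```

Bring each tunnel up with `wg-quick up wg0` (and `systemctl enable wg-quick@wg0` to survive reboots), and open UDP 51820 in the VPS firewall. The asymmetry is the point to notice: on the hub each peer's AllowedIPs is only its own /32, while on the spokes the hub's AllowedIPs is the whole /24, which is what makes client-to-homelab traffic take the extra hop. To reach the LAN behind the homelab host rather than just that host, add the LAN prefix to the client's AllowedIPs and to the homelab's peer entry on the hub, and enable forwarding (and usually masquerading) on the homelab. The nginx `stream` block needs `ngx_stream_core_module` (built in on most distro packages); it only makes sense for services that do their own TLS, since plain HTTP would be readable on the VPS.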

    • uzay@infosec.pub
      5 days ago

      I have done basically that before and it worked. But I find Tailscale with a headscale server easier to manage. Maybe I’ll take a look into self-hosting netbird at some point too.

      • hertg@infosec.pub
        5 days ago

        Whatever works for you, and as long as you have an out, that’s great. I’ve just become wary of single-vendor open-source projects to the point where I basically treat them like proprietary software. So far that’s worked, but it requires some restraint from using new shiny things.

    • freebee@sh.itjust.works
      6 days ago

      But Tailscale is free, works very easily and reliably, and it is set up in minutes. I will only be motivated to look into all that when Tailscale isn’t free and reliable anymore… I guess that will eventually happen at some time in the future.