this post was submitted on 12 May 2026
133 points (99.3% liked)

Selfhosted

59955 readers
300 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
133
Replacing Tailscale with a 2-VPS WireGuard setup (No port forwarding) (the.unknown-universe.co.uk)
submitted 1 month ago by TheIPW@lemmy.ml to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments
 

I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

you are viewing a single comment's thread
view the rest of the comments
[–] brewery@feddit.uk 10 points 1 month ago (1 children)

Just to clarify for my simple brain - vps1 has just 80/443 open, vps2 just has a wireguard port open (51825 or whichever). Vps2 has no domain pointing to it's public IP, vps has your domain pointing to it. Vps1 and home server have wireguard configs pointing to the vps2 public IP, so punch through automatically. Is that all correct?

I think I have the same setup but with vps1 + 2 combined but that means it's public IP is easily found by the domain (one includes a public business website) and has WG ports open (although my understanding is this in itself is not an issue as WG gives no reply)

Have you opened an SSH port on both vps1 and vps2 for backup or happy to rely on wireguard? Thinking about it, you could open up the port on the vps but use the providers firewall to block the port - if needed can login to their site, open the port and then SSH in - would this work? They have KVMs for emergencies but just trying to think of worst case scenarios.

[–] TheIPW@lemmy.ml 4 points 1 month ago (1 children)

Exactly that, VPS2 handles the WireGuard port and has no domain pointing to it, so it’s basically hiding in plain sight. VPS1 holds the domain and handles the web traffic.

I keep SSH open on both, but locked down (key-based auth + restricted to my IPs).

Your idea of using the provider firewall (Ionos in my case) as a “mechanical” lock is a good one, block it at the edge and only open it when needed. I’ve thought about doing that, but I’m generally happy relying on a hardened SSH config and the provider’s KVM if everything goes sideways.

[–] brewery@feddit.uk 2 points 1 month ago

Awesome idea then, I'll have to kook into it.