this post was submitted on 30 Apr 2026

52 points (93.3% liked)

Selfhosted

59062 readers

490 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Cloudflare or Tailscale? (sh.itjust.works)

submitted 1 week ago by frosch@sh.itjust.works to c/selfhosted@lemmy.world

63 comments fedilink hide all child comments

Which route did you go for your homeland, a tunnel to your services or setting up tail scale/wireguard and access them on your trailer?

top 50 comments

sorted by: hot top controversial new old

[–] tofu@lemmy.nocturnal.garden 17 points 1 week ago (2 children)

I have wireguard, it's supported by my router (Fritzbox).

[–] androidul@lemmy.world 3 points 1 week ago

same here, took me 7m to set this up on OPNsense with FritzBox

[–] frosch@sh.itjust.works 2 points 1 week ago

Nice, I have to take a look if mine supports it, too!

[–] prenatal_confusion@feddit.org 11 points 1 week ago (5 children)

Pangolin on a vps.

[–] fleem@piefed.zeromedia.vip 3 points 1 week ago (1 children)

isn't it awesome? i am scared to update it too far for an unknown reason

[–] prenatal_confusion@feddit.org 3 points 1 week ago

It's opensoursrso we should be able to roll back.

load more comments (4 replies)

[–] FlexibleToast@lemmy.world 8 points 1 week ago (1 children)

Pangolin on a free Oracle VPS.

[–] giacomo@lemmy.dbzer0.com 1 points 1 week ago (2 children)

is there a bandwidth/throughput limit on Oracle VPS?

[–] german@pawb.social 2 points 1 week ago (4 children)

Something like 10TB. I’m an incredibly heavy user and I’d have to quadruple all of my usage, including home, to hit it.

load more comments (4 replies)

[–] FlexibleToast@lemmy.world 2 points 1 week ago

Not that I've noticed.

[–] hexagonwin@lemmy.today 8 points 1 week ago (6 children)

tailscale. works perfectly, the only problem is needing a google acc for login

[–] BCsven@lemmy.ca 3 points 1 week ago

And that years back they moved their servers from Canada to the US. That's when I dropped TS and just did wireguard by hand.

[–] zeitverschreib@freundica.de 2 points 1 week ago

@hexagonwin

I think Headscale gives you the option of using your own provider.

@frosch

[–] cunnililgus@sopuli.xyz 2 points 1 week ago

Netbird allows email & TOTP 2FA.

[–] FauxLiving@lemmy.world 1 points 1 week ago (2 children)

the only problem is needing a google acc for login

You can use e-mail now.

[–] potustheplant@feddit.nl 5 points 1 week ago

No, you cannot. Putting in your emails just redirects to the identity provider you used when signing up. If you try to create an account you'll see that email's not a option.

[–] hexagonwin@lemmy.today 1 points 1 week ago (3 children)

is it possible to switch to email from my google acc tied account? or do i need to create a new one?

load more comments (3 replies)

load more comments (2 replies)

[–] julianwgs@discuss.tchncs.de 8 points 1 week ago

I am very happy with Tailscale

[–] frongt@lemmy.zip 7 points 1 week ago (3 children)

Netbird via a free cloud VM. Works great.

[–] peskypry@lemmy.ml 2 points 1 week ago

Who provides free cloud VM?

load more comments (2 replies)

[–] mlg@lemmy.world 7 points 1 week ago (1 children)

Wireguard.

Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don't bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).

It's still worth setting up a wildcard cert with ACME so you get nice https and a real domain.

[–] frosch@sh.itjust.works 2 points 1 week ago

Cloudflare has some opt-in auth. Mail-OTP is a nice balance imo: You can allowlist mail addresses per service/subdomain and set expiry for each. Then for access, you first have to enter the mail address, get the OTP and then access the service.

So, nobody without access to allowed mail addresses even gets to knock on you door.

But yeah, that's why I think about going tail scale: why bother having something exposed when not needed?

I just think, some services might be nice to provide to friends, too - and having them connect to my tailnet for this is a bit too much friction, I guess

[–] Illecors@lemmy.cafe 6 points 1 week ago (2 children)

I do run wireguard on my router, but the main reason is ad blocking, not hiding services. Most services are publicly exposed.

load more comments (2 replies)

[–] irmadlad@lemmy.world 5 points 1 week ago (1 children)

How about both? I run the evil Cloudflare Tunnels/Zero Trust with Tailscale as an overlay on the server.

[–] frosch@sh.itjust.works 2 points 1 week ago (1 children)

I'm a bit stumped, what do you gain from this setup?

Or do you mean just running some services through the tunnel for easy access and "hide" others behind tailscale?

[–] irmadlad@lemmy.world 1 points 1 week ago

what do you gain from this setup?

Defense in Depth
Network segmentation
Fallback

[–] jlow@slrpnk.net 5 points 1 week ago

Headscale on fly.io

[–] 187OnAnUndercoverCop@programming.dev 4 points 1 week ago

Temp stuff where I could care less about the free tier domain name or things that I just want to funnel to my existing devices: Tailscale

Widespread, prolonged services that will be more actively maintained for a longer amount of time and can just spin off of its own domain/subdomain: Cloudflare

Both are great.

[–] uuj8za@piefed.social 4 points 1 week ago

option 3: self-host Netbird control plane
option 4: use Netbird's reverse proxy

[–] Decronym@lemmy.decronym.xyz 4 points 1 week ago* (last edited 5 days ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
IP	Internet Protocol
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

[Thread #265 for this comm, first seen 30th Apr 2026, 19:30] [FAQ] [Full list] [Contact] [Source code]

[–] 30p87@feddit.org 4 points 1 week ago

Asked my ISP for a public IP, exposed all things that can handle that to the public. Custom Wireguard server for VPN

[–] Atherel@lemmy.dbzer0.com 3 points 1 week ago

Wireguard

[–] utjebe@reddthat.com 3 points 1 week ago (1 children)

Just Wireguard on a router, but I'm thinking Netbird.

WG can be a bit PITA to set up, but once you do, it just works. What I would to have is more fine grained control over who goes where if I were to expose some of the services to friends.

[–] IratePirate@feddit.org 1 points 1 week ago

wg-easy can greatly simplify your wireguard setup. Allows you to quickly generate access configs for friends and family on the fly (QR-codes, too). You still get access to post-up/-down hooks if you want tp create a more specialised deployment.

[–] TheGreenWizard@lemmy.zip 3 points 1 week ago

I'm liking self hosted NetBird atm

[–] French75@slrpnk.net 2 points 1 week ago

I used wireguard, then switched to Pangolin. Wireguard was simpler and worked better with mobile apps though. I'll prob switch back for most apps.

[–] Evil_Incarnate@sopuli.xyz 2 points 1 week ago

Zerotier. I found it easy to set up and use. Free tier gives you one network and ten hosts, I think.

[–] p4rzivalrp2@piefed.social 2 points 1 week ago (1 children)

Wildcard dns with port 80 & 443 port forwarded to traefik with tinyauth & fail2ban

[–] frosch@sh.itjust.works 1 points 1 week ago (1 children)

Did you get a static public IP from your ISP?

load more comments (1 replies)

[–] Reannlegge@lemmy.ca 2 points 1 week ago* (last edited 1 week ago) (1 children)

I actually have Wireguard running on a pi zero 2, all it really does is provide me my pihole DNS.

Edit:

I should say I have pihole running on a couple of pi 5’s currently, overkill yes but one of my pi 4’s was sacrificed to the whims of magic smoke another was donated to a friend and another now hosts HAOS, I have a few pi zero 2’s (only one was sacrificial) the one that hosts wireguard has one of my last few working SD cards. The pi 5’s host many other things other than just pihole.

[–] frosch@sh.itjust.works 2 points 1 week ago (1 children)

Taking do one thing, but do it good to the next level, nice!

I thought about getting a pi zero also just for the pi-hole. But my pi3b holds up pretty good, still

load more comments (1 replies)

[–] hendrik@palaver.p3x.de 1 points 1 week ago

I have a port forwarding without any tunnel to third parties and Wireguard.

load more comments