But I’m not very comfortable giving 100% access to Tailscale to my internal network
Out of curiosity, why are you uncomfortable with Tailscale?
I have a single server with everything inside. By using Tailscale to access my server I'm giving full access to it and the entirety of my network to a third party tool that I don't know that well.
Understandable.
There is no need, and you're defeating the point of using tailscale. Use headscale if you cannot surmount your anxiety around trusting tailscale.
Note that using headscale transfers the anxiety of control from tailscale as a company to whatever VPS you would be hosting the headscale on.
Yes, you can run Tailscale in a container. You could create a second VLAN, attach it to your host's interface, add a macvlan Docker interface to the container and put it directly on your network.
If you have concerns about the software running on your host I would recommend getting a dedicated piece of hardware instead (rpi, zimaboard, etc).
How paranoid are you wanting to be? You can either go Headscale, or Tailnet Lock (my preference) to give yourself some peace of mind. It completely depends on your threat model, which you didn't mention.
Depending on what services you want to give access to, I have had great luck with an ultra cheap VPS:
https://lowendbox.com/blog/1-vps-1-usd-vps-per-month/
Then I host my edge services in a container and use an SSH tunnel to the remote host, which gives me an IPv4 address and any port forward that I want.
For example, I have my reverse proxy inside my network and my VPN server, then I use a command like:
ssh -R 8080:localhost:80 public.example.com
Which would forward publicip:8080 to localhost:80.
Read more here: https://www.ssh.com/academy/ssh/tunneling-example.
I use autossh to keep the tunnel alive at all times.
https://www.harding.motd.ca/autossh/
This is an ultra cheap way to get any ports you want and self host the whole thing. The remote VPS also doesn't get any extra access to your local network and doesn't initiate the connection, so it doesn't have credentials for your local network.
Just set up WireGuard on your server, add masquerading and IP forwarding. That single WireGuard in will give you full access to your LAN.
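Two checks worth running on the VPS before relying on the reverse tunnel above, as an added example that is not part of the post (the key and port values are placeholders): a plain `-R 8080:localhost:80` only listens on the VPS's loopback unless sshd's GatewayPorts allows otherwise, and the key the home host authenticates with should be limited to port forwarding so a compromised VPS account gains nothing beyond the tunnel. Assumes the tunnel is opened with `ssh -N` (no remote shell), as autossh is normally run.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the reverse tunnel described above
# (home host -> VPS via `ssh -R`), assuming the tunnel runs with `ssh -N`.

# gatewayports_mode: reads an sshd_config on stdin and prints the effective
# GatewayPorts value. sshd keeps the first uncommented directive it sees; the
# default is "no", meaning -R sockets bind to the VPS loopback only.
# (Match blocks are not evaluated here.)
gatewayports_mode() {
    mode=$(sed 's/#.*//' | awk 'tolower($1) == "gatewayports" { print tolower($2); exit }')
    printf '%s\n' "${mode:-no}"
}

# forward_reachable SPEC MODE: prints "yes" if the listening side of an
# `-R SPEC` would be reachable from the internet under GatewayPorts MODE.
# SPEC is [bind_address:]port:host:hostport; IPv4/hostname binds only.
forward_reachable() {
    spec=$1; mode=$2
    case "$mode" in
        yes) echo yes; return ;;          # every -R listens on all interfaces
        clientspecified) ;;               # client decides via bind_address
        *) echo no; return ;;             # "no" (the default): loopback only
    esac
    nfields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 4 ]; then         # no bind_address given -> loopback
        echo no; return
    fi
    case "${spec%%:*}" in
        localhost|127.0.0.1) echo no ;;   # explicit loopback bind
        *) echo yes ;;                    # "", "*" or a real address -> public
    esac
}

# restricted_authorized_key PORT PUBKEY: authorized_keys line for the VPS that
# lets this key open reverse forwards on PORT and nothing else: no shell
# (command=/bin/false only runs if a shell is requested, which -N never does),
# no pty, no agent/X11 forwarding, no other listen ports. An autossh -M monitor
# port would need its own permitlisten entry (or use -M 0).
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$1" "$2"
}
```

Run `gatewayports_mode < /etc/ssh/sshd_config` on the VPS; if it prints `no`, publicip:8080 will not answer until GatewayPorts is changed or the forward is bound explicitly.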
He can't open ports because of the ISPs setup.
You can use any open port and port forward at the router, or is CGNAT only 80?