I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.
Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.
It lets me expose services publicly without any inbound port forwarding on my home connection.
An excerpt from the Wireguard Whitepaper:
One design goal of WireGuard is to avoid storing any state prior to authentication and to not send any responses to unauthenticated packets. With no state stored for unauthenticated packets, and with no response generated, WireGuard is invisible to illegitimate peers and network scanners. Several classes of attacks are avoided by not allowing unauthenticated packets to influence any state.
After opening an SSH port and watching the number of attacks I understand the concern about opening any port on a router, but it seems the worry about opening a port for WG is way overblown.
As of now I can find zero reports of a properly configured open WG port ever being successfully used by attackers to access a network.
Anyone have better/more recent info?
What did you not like about Headscale? I started using it recently and it seems fine so far. Works identically to Tailscale.
It’s not that I didn’t like it, I just wanted to back to basics! A simple config file on each machine, job done
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System IP Internet Protocol ISP Internet Service Provider NAT Network Address Translation SSH Secure Shell for remote terminal access TCP Transmission Control Protocol, most often over IP VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
8 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.
[Thread #286 for this comm, first seen 12th May 2026, 13:20] [FAQ] [Full list] [Contact] [Source code]
https://github.com/wg-easy/wg-easy
Needs like 100MB RAM to run, so it can basically run on almost anything. If you like some extra security: Do another layer of authentication in the reverse proxy that faces the internet.
This is an interesting article, but the crux of the setup isn’t described : what is the configuration on your home server?
Creating a wireguard tunnel is pretty simple, but managing how everything is handled behind the VPN is more challenging.
It’s not clear to my why you absolutely don’t wan’t to expose your home port.
From a security standpoint, you are still exposing your services to the public anyway (only the TCP stack is not, which is likely the smallest attack surface).
If you had a simpler reverse-proxy VPS, it would still hide your home server IP from clients. Your ISP would still only see encrypted traffic (https). Since you use adguard already, you can target dns-over-https upstreams to hide all DNS traffic too (eventually have a firewall rule to block outgoing dns queries if you don’t trust your application).
I’m rusty since it’s been awhile, but I don’t understand why you need two VPSs. I have a similar setup just using one. It was mainly to get around the ISP NAT. My DNS points to the VPS, and it forwards traffic to/from my home server over the WG connection with IPtables rules.
You’re right, and for a lot of people, one VPS is the sensible choice. I actually addressed this in the post:
"VPS1 is my web-facing server. It handles the public side of things. VPS2 is the VPN hub. At first glance, that probably looks unnecessary. Strictly speaking, it is unnecessary. I could have crammed WireGuard onto VPS1 and called it done. But splitting the roles makes the whole thing cleaner.
One machine serves public traffic. The other handles VPN duties. That means fewer networking compromises, fewer chances of Docker or firewall rules becoming annoying, and a clearer separation between the public-facing stack and the private tunnel. It also means I can change one side without poking the other with a stick and hoping nothing catches fire."
Gotcha, didn’t realize it was a blog post haha. As far as my personal experience, I never have to touch it. Once I did a dist-upgrade and broke it, but fixed it with a backup.
