• 0 Posts
  • 18 Comments
Joined 2 years ago
Cake day: June 11th, 2023

  • Tailscale is just a bunch of extra fancy stuff on top of Wireguard. If you don’t need the fancy stuff, using raw Wireguard can be more lightweight, but might require more networking knowledge.

    The biggest thing Tailscale brings to the table is NAT traversal. On top of that it uses direct Wireguard tunnels as necessary instead of creating a mesh like you usually would if you were using raw Wireguard. It also offers convenient bits of sugar like internal DNS, and it handles key exchanges for you so it’s just generally easier to configure. When you do raw Wireguard you’re doing all the config yourself, which could be a pro or a con depending on your needs—and you’ll be editing config files, unlike Tailscale which has a GUI for most things. It also supports some more detailed security options like ACLs and I think SSO, while Wireguard is reliant on your existing firewall for that.

    Here’s what Tailscale has to say about it: https://tailscale.com/compare/wireguard

    I’ve messed around with Tailscale myself, but ultimately settled on running Wireguard. The reason I do that though is because I trust my LAN, and I only run Wireguard at the edge. Tailscale really wants to be run on every node, which in turn is something that raw Wireguard theoretically can do but would be onerous to maintain. If I didn’t trust my LAN, I’d probably switch to Tailscale.


  • A lot of people have suggested Tailscale and it’s basically the perfect solution to all your requirements.

    You keep saying you need ProtonVPN which means you can’t use Tailscale, but Tailscale actually supports setting up an exit node which is what you need. Put Protonvpn on the Raspberry Pi, then set it up as an exit node for your tailnet. There’s a lot of people talking about how they did this online. It looks like they even have native support for bypassing the manual setup if you use Mullvad.

    As long as every client has the ability to use Tailscale (i.e. no weird TVs or anything) this seems like it checks all your boxes. And since everything is E2EE from Tailscale, TLS is redundant and you can just use HTTP.




  • It definitely encrypts the traffic, the problem is that it encrypts the traffic in a recognizable way that DPI can recognize. It’s easy for someone snooping on your traffic to tell that you’re using Wireguard, but because it’s encrypted they can’t tell the content of the message.




  • Most things should be behind Authelia. It’s hard to know how to help without knowing what exactly you’re doing with it but generally speaking Authelia means you can have SSO+2FA for every app, even apps that don’t provide it by default.

    It also means that if you have users, you don’t need them to store a bunch of passwords.

    One big thing to keep in mind is that anything with its own login system may be more involved to get working behind Authelia, like Nextcloud.


  • Why would a random browser extension take it upon itself to snoop on your traffic to ensure that the websites you’re using can’t be used for illegal things, and then intentionally break it if it detects something it thinks is illegitimate? That’s a huge breach of privacy. It’s just malware at that point. It’s not like a court of law would hold your browser extensions responsible for your piracy. That’s like blaming a cup holder because the car was used in a robbery.

    No, I think this is just a bug. Especially since people have reported that the extension breaks other websites too.



  • If you’re already using Wireguard, it’s super easy to add a VPS to your Wireguard network and route all traffic through it. Then you can port forward pretty easily using some iptables rules from the VPS public IP to an IP on the Wireguard network.

    That said, doing it that way will involve routing all of your traffic through the VPS, which means you’ll need a good low latency connection to your VPS. (You can set up split tunneling, but it’s a bit of a hassle to do that and port forwarding.) An alternative would be to set up a reverse proxy on the VPS, and reverse proxy your VPN IP.

    Any non-proxiable services probably shouldn’t be exposed directly to the internet anyway, and you can simply expose them via VPN.
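    The VPS-side rules the comment above describes, as an added example that is not the commenter's own code. It assumes the VPS's public interface is `eth0`, its WireGuard interface is `wg0`, and the home server is the peer `10.0.0.2` on the tunnel; the MASQUERADE rule is what avoids the split-tunnel routing problem the comment mentions, since replies are forced back through the tunnel even when the home server does not route all of its traffic via the VPS.

```shell
#!/bin/sh
# Added example, not from the comment author. Assumed values (override via env):
PUB_IF="${PUB_IF:-eth0}"          # VPS public-facing interface
WG_IF="${WG_IF:-wg0}"             # VPS WireGuard interface
HOME_PEER="${HOME_PEER:-10.0.0.2}" # home server's address on the tunnel

# Print the iptables commands that forward one public TCP port on the VPS to a
# port on the home peer. Printing instead of executing lets you review the rules
# before applying them.
port_forward_rules() {
  pub_port="$1"; dst_port="$2"
  # Rewrite the destination of inbound packets to the home peer (DNAT happens in
  # PREROUTING, so FORWARD already sees the tunnel address as the destination).
  echo "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $pub_port -j DNAT --to-destination $HOME_PEER:$dst_port"
  # Allow only that forwarded flow from the public side into the tunnel ...
  echo "iptables -A FORWARD -i $PUB_IF -o $WG_IF -p tcp -d $HOME_PEER --dport $dst_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  # ... and the replies back out; everything else on FORWARD stays at policy.
  echo "iptables -A FORWARD -i $WG_IF -o $PUB_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Source-NAT the forwarded flow to the VPS's tunnel address so the home server
  # answers via wg0 even if its default route is not the tunnel (split tunnel).
  echo "iptables -t nat -A POSTROUTING -o $WG_IF -d $HOME_PEER -p tcp --dport $dst_port -j MASQUERADE"
}

# Apply the rules on the VPS (run as root; enables IPv4 forwarding first).
apply_port_forward() {
  sysctl -w net.ipv4.ip_forward=1
  port_forward_rules "$1" "$2" | sh
}
```

Example: `apply_port_forward 443 8443` exposes VPS port 443 and delivers it to port 8443 on the home server over the tunnel.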




  • What is TrueNAS adding to this arrangement? Generally when people run two different servers at home, they keep the VM drives on the hypervisor and just use the NAS for storing bigger things like media files. Hosting VM drives over iSCSI works in an enterprise environment, but if you can’t guarantee uptime for your storage solution then all you’re doing is adding failure modes.

    It seems to me that your best bet is to go down to one server, which means cutting out either TrueNAS or Proxmox. Both can handle both storage (ZFS included!) and VMs, so ultimately it’s a matter of which you like better.

    Alternatively, if you’re hosting other stuff on your NAS, you could consider keeping both servers but just getting a few SSDs to stick in your Proxmox mini PC to serve VMs. That may or may not be viable for your situation, but it’s worth considering.