At some point along your self-hosting journey, you'll realize that your local services aren't quite replacements for cloud subscriptions unless you can access them when away from your home network. You could set up a reverse proxy (and you should) to connect to them more easily, but you still have to worry about leaving those ports open to the wider internet.
Plus, you'll have to set up a ton of other services, including firewall rules, a DMZ, and port forwarding, and work around CGNAT issues. It's honestly a headache, but you can make it easier by using a mesh VPN like Tailscale to have your mobile devices behave as if they're on your home network at all times. That makes your self-hosting headaches go away, but is it safe? Should you be trusting the security of your home network and services, all of which hold your private information, to Tailscale and its external servers?
What is Tailscale?
Turn your VPN into a mesh network with peer-to-peer connections
Tailscale is a peer-to-peer VPN built on the WireGuard protocol. It acts like a decentralized mesh network between your devices, which Tailscale calls a tailnet. A central control server hosted by Tailscale handles peer discovery and sharing public keys for encryption purposes, but the encrypted VPN tunnels are only generated between your devices.
Because it uses a central server to broker connections before handing them off to your registered devices, it can use single sign-on (SSO) to authenticate you to your tailnet, saving you the manual key and configuration exchange of traditional VPNs. The same design sidesteps NAT traversal problems: the central server helps both peers perform NAT hole-punching to establish the connection, so being behind NAT doesn't stop the VPN from working.
How safe is it to use?
Tailscale is built with security in mind at every stage
By using WireGuard as its base, Tailscale already starts from a position of strength in security, as the protocol is known for being secure. It uses end-to-end encryption for all communications between devices in your tailnet, and your private keys never leave the device they were generated on, so any data you send through its relay servers is never readable in transit. Devices can be set up to use SSO and multifactor authentication (MFA) to add another layer of security to the identity-based controls, and because login goes through SSO, Tailscale's servers don't handle your credentials; the SSO provider does.
It's also designed with Zero Trust principles, so every device needs to authenticate before accessing tailnet resources, and you can set up access control lists to further limit which authenticated devices can talk to each other. It's a VPN combined with a robust firewall whose decisions are based on authenticated identity, not blindly on IP addresses or regions.
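As an added illustration (not code from the article or from Tailscale), here is a simplified Python model of how allow-only, default-deny access rules of this kind behave, comparing the permissive "everyone reaches everything" policy with a restricted one. The users, group, tag and ports are constructed for the example, and the evaluator only models plain user, group and tag entries with single ports or comma-separated port lists.

```python
"""Simplified model of Tailscale-style ACL evaluation (assumption: rules are
allow-only and anything not matched by an accept rule is denied). The policies
below are constructed for illustration, not taken from a real tailnet."""

# Constructed permissive policy: every identity reaches every device and port.
PERMISSIVE = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

# Constructed restrictive policy: only the admin reaches SSH on home-lab
# servers, and family members reach only the web ports on them.
RESTRICTIVE = {
    "groups": {"group:family": ["alice@example.com", "bob@example.com"]},
    "acls": [
        {"action": "accept", "src": ["alice@example.com"], "dst": ["tag:homelab:22"]},
        {"action": "accept", "src": ["group:family"], "dst": ["tag:homelab:80,443"]},
    ],
}

def _expand_src(policy, src):
    """Expand a src entry into identities: '*', a user, or a group's members."""
    if src.startswith("group:"):
        return set(policy.get("groups", {}).get(src, []))
    return {src}

def _dst_matches(dst, target, port):
    """dst has the form 'target:ports'; ports is '*' or a comma-separated list."""
    host, ports = dst.rsplit(":", 1)
    if host not in ("*", target):
        return False
    return ports == "*" or str(port) in ports.split(",")

def allowed(policy, user, target, port):
    """Return True if any accept rule matches the (user, target, port) triple.
    No match means deny: there are no explicit deny rules in this model."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        srcs = set().union(*(_expand_src(policy, s) for s in rule["src"]))
        if "*" not in srcs and user not in srcs:
            continue
        if any(_dst_matches(d, target, port) for d in rule["dst"]):
            return True
    return False

if __name__ == "__main__":
    # Under the permissive default any tailnet member reaches SSH on the lab;
    # under the restrictive policy only the admin does.
    print(allowed(PERMISSIVE, "bob@example.com", "tag:homelab", 22))   # True
    print(allowed(RESTRICTIVE, "bob@example.com", "tag:homelab", 22))  # False
```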
Ah, but some data is handled by Tailscale's central servers
Tailscale isn't fully self-hostable: the control servers that facilitate WireGuard public key exchange for the tailnet are closed source. Its relay servers (DERP, or Designated Encrypted Relay for Packets) are open source (and you can self-host those, although Tailscale warns of reduced functionality and a fair amount of work), and they are only used when the tailnet can't establish a direct peer-to-peer connection between your devices. Even then, the DERP servers only see encrypted traffic pass through them, so they're no different from any other relay on the internet backbone that your VPN data is already traversing.
If you're worried about the control servers, there is an open-source, self-hostable version called Headscale that has Tailscale's blessing. One of the active maintainers is employed by Tailscale and works on Headscale in his spare time. It's designed to run a single tailnet for hobbyist use, so your home lab can be easily and securely accessed while away from home.
Is there a safer way to access my home network remotely?
You could self-host your own VPN with additional setup and headaches
If you don't like the idea of a third party handling part of your VPN service, you can self-host your own VPN at the cost of somewhat more involved management. You gain more control here, but also the responsibility for security, access control, and other aspects of your setup. You'll be able to connect more devices without a subscription, but because most self-hosted solutions aren't mesh VPNs, you might see degraded performance depending on where you're connecting from.
Tailscale is one of the easiest and safest ways to connect to your home network from anywhere
The whole point of Tailscale is that it handles the networking layer of your VPN for you, making it easier to add devices and get connected. The trade-off is a small reduction in the control you have over the entire service, as the control servers are managed by Tailscale, as are the relay servers if needed. For home lab use, you can use the open-source Headscale to host your own control server, and self-host the majority of your tailnet. The DERP relay servers will still be used occasionally, but these only see encrypted data, so your communications are safe.
