When we think about self-hosted services, it's easy to only think about sharing them with the people in your home. That gives a set of access considerations already, whether from the home network or mobile devices, but it's not the only time you might want to let others use your server. Maybe you want to share everything with your parents, or someone else you don't see often.

This gives you a new set of considerations, as remote access to fix issues sucks (for the most part), and they might not be the most technically inclined. But with a site-to-site VPN based on WireGuard, you can connect their devices to your self-hosted stack easily, and everything behaves like it's on the same physical network. It's the best of both worlds, making it easy to troubleshoot if things go wrong, while enabling easy sharing of media servers, storage, and more.

Security and privacy

The big one. Really.

WireGuard gives you one big advantage over other easy-to-administer remote access tools like Cloudflare Tunnel — it keeps all data encrypted from one site to the other while in transit. I know, Cloudflare encrypts traffic on the way to and from its infrastructure, but the connection is terminated at Cloudflare's edge, so the data is not encrypted while it's inside that infrastructure, and I don't like the idea of that in any way, shape, or form, even if I trust Cloudflare with my domain registration needs. To be clearer, I don't trust anyone to handle my unencrypted data on my behalf, and you shouldn't either.

There are other privacy concerns that WireGuard-based VPNs mitigate. Normally, sharing a self-hosted service requires opening ports in your firewall and letting the other user connect to your external IP address. That's already a problem if you have a dynamic IP address, because remote access breaks every time the ISP cycles it. Worse, it leaves your IP address and open ports exposed to the internet, where automated scanners will find them, often within minutes. Dynamic DNS solves the changing-address problem, but does nothing about the exposure. It's far better to have WireGuard handle the connection and keep those IP details under wraps.

Performance and efficiency

WireGuard is better than traditional VPN options by far

WireGuard uses efficient, modern encryption, which matters for throughput when the services you share are media servers, for example. Traditional VPNs will struggle to stream video, or sometimes even audio, and that's much less of a worry with WireGuard. Older VPN methods like OpenVPN are fine for basic connectivity, but they were built with compatibility as the main feature, which never really lends itself to speedy operation.

And the various WireGuard clients and services built around it are just as efficient to set up and maintain, making your secure virtual networking less of a chore. For those of us often tasked with tech support for the rest of the family, that's a benefit that can't be overstated.

Scalability and flexibility

Treat it like a network switch between two places

Traditional VPN services use a hub-and-spoke architecture, which gets complicated to maintain as the number of devices grows, and you also have to make sure the hub has enough resources to handle them all. With a site-to-site VPN, traffic doesn't need to go through a central server at all, so it doesn't matter which devices sit on either end, only that the two networks can reach each other. And if you're using a reverse proxy in front of your self-hosted services, adding another service is a minor update to the reverse proxy and, crucially, doesn't require any configuration changes on the client devices.

The only thing to configure is the VPN gateway at each site, which reduces complexity and makes it easy to scale because you don't need a VPN client on every device. You can install one where a device supports it, but not every device has a Tailscale client available, and it's easier to set things up as a site-to-site link that routes whole subnets, so that every device, from smart TVs to thermostats, gets the benefits of the VPN.

[Image: Tailscale]

Avoids public exposure

Plus, it bypasses any port blocks and NAT issues

Whether you're using Tailscale, Pangolin, NetBird, or any of the other next-gen VPNs built on WireGuard, they all let you share services with others without exposing your home IP address or your computers' IP addresses to the internet. There are two parts to this: running WireGuard on a cheap VPS, and connecting that WireGuard tunnel to a reverse proxy that takes incoming traffic meant for your self-hosted services and routes it where it needs to go.

This doesn't just let family or friends connect to your services in a secure, stable manner. You could accomplish that by connecting them to your home network via Tailscale or whichever WireGuard-based service you find easiest to maintain. But putting the VPS and reverse proxy in between keeps your home network safe, because it stops them from seeing your other network locations and resources, and only allows access to the things you enable.

And for those of you in the US and elsewhere who are behind restrictive ISP port blocks or CG-NAT, using a VPS to set up a site-to-site VPN in this manner also gets around those NAT issues, without having to forward ports, leave ports open to the internet, or take on the related security risks.
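As an added example that is not part of the original article, here is how the VPS relay plus site-to-site subnet routing described above looks in WireGuard's own config format: a home gateway behind CG-NAT, a family member's gateway, and a cheap VPS in the middle that both dial out to. All keys, hostnames and addresses are placeholders I've chosen; it assumes the reverse proxy lives at 192.168.1.10 and that each gateway is (or has a route on) its LAN's router.

```ini
# --- VPS relay: /etc/wireguard/wg0.conf (constructed example, placeholder keys) ---
# Only the VPS listens on a public port; it needs net.ipv4.ip_forward=1.
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# Home gateway: behind CG-NAT, so no Endpoint here; it dials out to us.
# AllowedIPs is cryptokey routing: only the proxy host is routed to, or accepted from, this peer.
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.100.0.2/32, 192.168.1.10/32

# Family gateway: same pattern, but its whole LAN may originate traffic.
[Peer]
PublicKey = <FAMILY_PUBLIC_KEY>
AllowedIPs = 10.100.0.3/32, 192.168.50.0/24

# --- Home gateway: /etc/wireguard/wg0.conf (also needs ip_forward=1) ---
[Interface]
Address = 10.100.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>
# No ListenPort: outbound only, so nothing is reachable on the home IP.
# Masquerade family traffic so the proxy replies via this box and the
# rest of the LAN needs no static routes.
PostUp = iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Tunnel range plus the family LAN (for replies), never 0.0.0.0/0.
AllowedIPs = 10.100.0.0/24, 192.168.50.0/24
# Keeps the CG-NAT mapping open so the VPS can always reach us.
PersistentKeepalive = 25

# --- Family gateway: /etc/wireguard/wg0.conf (LAN must not overlap home's) ---
[Interface]
Address = 10.100.0.3/24
PrivateKey = <FAMILY_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.com:51820
# Only the reverse proxy is reachable; every shared service sits behind it.
AllowedIPs = 10.100.0.0/24, 192.168.1.10/32
PersistentKeepalive = 25
```

Because the VPS decrypts each tunnel and routes packets between them, it sees the traffic in the clear at that hop and is part of your trust boundary, which is why running it yourself matters. Keep the reverse proxy on HTTPS so the VPS only ever forwards ciphertext anyway.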

[Image: Pangolin]

Cost and control

Become the cloud provider for your family

Self-hosting WireGuard-based VPNs also means you don't have to trust anyone but yourself, however you look at that. Tailscale is one exception, since the company hosts the coordination servers that handle the initial handshake, but you can run Headscale instead and then you're in control of every aspect again. Plus, the only cost to worry about is the VPS you've installed WireGuard on, or potentially the number of client or user seats if you share with a larger number of people. You control who has access to what, how they authenticate, whether they have bandwidth limits, and every other consideration, turning you into a cloud provider.

Site-to-site VPNs are great for sharing self-hosted services

Whether you're connecting two parts of your home lab together, sharing services with close family and friends, or trying to get around annoying CG-NAT issues, running a site-to-site WireGuard-based VPN is a great solution. And by putting it behind a reverse proxy, you'll keep your home network as safe as the encrypted traffic moving between the sites.