this post was submitted on 31 Aug 2025
29 points (96.8% liked)

Selfhosted


Hello everyone, hope you are doing great.

I am not sure if my question goes here, but this was my best guess. Apologies if I am wrong.

So, I have been using the mesh network offered by NordVPN alongside their VPN subscription to sync some folders between my phone (Android) and my laptop (Linux Mint). This was great because I remember not being able to use Tailscale and VPN at the same time in the past, at least not on my phone.

Now they are dropping Meshnet support in December, so I am trying to figure out if there's any way I can still run NordVPN and a Meshnet, or if I have to discard one.

If you know of any alternative, please let me know!

top 25 comments
[–] hobbsc@lemmy.sdf.org 5 points 1 day ago

i know there were a lot of recommendations for tailscale/headscale (and they'll keep coming because it's the current market darling) but i've found netbird to be more ergonomic for my needs.

[–] MasterOKhan@lemmy.ca 17 points 1 day ago (5 children)

It might not be what you’re looking for, but tailscale offers end points where you can use Mullvad VPN in conjunction with your tailscale network, might be worth looking into! I use it and it works great.

Obligatory due to the sub we’re in. I don’t believe tailscale falls into the space of “self hosted”. You’d need to set up your own wireguard server for that.

[–] artiman@piefed.social 3 points 1 day ago (2 children)
[–] undefined@lemmy.hogru.ch 1 points 1 day ago

I could never get this working in a basic Docker image pushed to Fly.io.

[–] stratself@lemdro.id 2 points 1 day ago* (last edited 1 day ago) (1 children)

Worth noting that there's an open issue to support Wireguard peers into Headscale, so you could use it with e.g. a wg0.conf file from a commercial VPN

[–] undefined@lemmy.hogru.ch 1 points 1 day ago

That might make me re-look into using Headscale.

[–] hoshikarakitaridia@lemmy.world 2 points 1 day ago (1 children)

Did both. Setting up your own VPN is a bit annoying but when it works it works. Tailscale is really easy and solid. For folder syncing I can recommend using tailscale and syncthing. Install both on both devices, then connect the devices in syncthing (it will reciprocate) and then you can add a folder and share it with the other device. Latency for syncing can be 10s-3min, plus the actual file transfer speed.

Knowledge level: configuring software and setting up software. Maybe some basic network troubleshooting if it comes up.

It's never gonna be as easy as paying for a service that does it for you but this setup is also not that hard.

If you have questions feel free to ask me or other nerds on here, I'm sure they can help you ^^~

[–] Lemonade@lemmy.ml 2 points 1 day ago

In fact, it's Syncthing that I use in LAN (mesh) mode. Thanks for the help :D

[–] Lemonade@lemmy.ml 1 points 1 day ago

I thought of that, my problem is that I have another year of NordVPN subscription paid, and I don't want to waste it. But lesson learned, no more long subscriptions.

Thanks for the clarification!

[–] dan@upvote.au 4 points 1 day ago

Tailscale is "mostly" self-hosted, in that the VPN connection itself is peer-to-peer almost all the time. You can host your own Headscale and DERP/Relay servers to make it fully self-hosted, but tbh I'm fine not self-hosting the control plane.

The relay server is only used if both ends have very restrictive NAT and none of the NAT hole punching techniques work, which is rare other than on very locked down corporate networks. If you have IPv6 enabled on both ends, you shouldn't have issues making a direct connection, as IPv6 doesn't use NAT. Even with regular NAT (like a home internet connection) on both ends, Tailscale can use UDP hole punching on both ends to establish a direct connection.

[–] dparticiple@sh.itjust.works 1 points 1 day ago

Fellow satisfied Tailscale user here. Worth noting that one can host a custom control plane server if desired, which in theory removes cloud dependencies for Tailscale from the equation: https://tailscale.com/kb/1507/custom-control-server. Use of Mullvad exit nodes is optional ($5 / mo for 5 machines at time of writing). I'm not sure if TS' native exit node feature can be configured to use other/self-hosted VPNs, but I suspect this is not supported.

[–] 0x0@lemmy.zip 3 points 1 day ago
[–] freebee@sh.itjust.works 2 points 1 day ago

Yeah sad they're stopping it. I used it to easily access all services when not home... Jellyfin, audio bookshelf, dashboards, nextcloud... All worked rather well on it with very little effort (just had to turn the meshnet feature off and on again on phone once in a while). I don't think there is any other company offering anything as simple as this was...

[–] stratself@lemdro.id 2 points 1 day ago* (last edited 1 day ago) (1 children)

If you can selfhost and can use containers/docker, I wanna shamelessly plug my solution: https://github.com/stratself/tswg. Basically mount a WireGuard config from Nord or any upstream VPN, and the container will tunnel traffic to said VPN when you choose it as an exit node.

There are other gluetun + tailscale solutions that are worth a look too

[–] Lemonade@lemmy.ml 2 points 1 day ago

Honestly I have tried selfhosting and I really like it, but I am always too scared of doing something wrong and losing data. So I end up pulling the plug haha

[–] undefined@lemmy.hogru.ch 4 points 1 day ago* (last edited 1 day ago) (2 children)

I’m not familiar with NordVPN Meshnet but I wanted to chime in that you can use Tailscale with a VPN, but you’ll have to do some routing work between the Tailscale network interface and the VPN one. I do this on a VPS.

[–] dan@upvote.au 2 points 1 day ago* (last edited 1 day ago) (1 children)

This is a decent idea. You can configure the VPS to be an exit node on the Tailnet, and configure the clients to use it as their exit node. Then you'd just need to configure some nftables rules to masquerade (source NAT) to the VPN network interface.

Having said that... At that point, why do you need the other VPN? You can just use the VPS as your exit node.
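
The exit-node setup described in the comment above, written out as an nftables ruleset. This is an added example, not code from the thread or from any participant. It assumes `tailscale0` (Tailscale's default Linux interface name), a commercial-VPN WireGuard tunnel named `wg0`, a hypothetical table name `exitnode_vpn`, and host routing that already sends forwarded traffic out through `wg0`.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed names:
#   tailscale0   - Tailscale's default interface name on Linux
#   wg0          - WireGuard tunnel to the commercial VPN (assumption)
#   exitnode_vpn - hypothetical table name
#
# Prerequisites outside this file:
#   sysctl -w net.ipv4.ip_forward=1
#   sysctl -w net.ipv6.conf.all.forwarding=1
#   tailscale up --advertise-exit-node   (then approve the exit node)
#   routing on this host must already send forwarded traffic via wg0

# Idempotent reload: create the table if missing, then delete and rebuild it.
table inet exitnode_vpn
delete table inet exitnode_vpn

table inet exitnode_vpn {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies returning through the VPN tunnel to tailnet clients.
        iifname "wg0" oifname "tailscale0" ct state established,related accept

        # Tailnet clients may leave only through the VPN tunnel.
        iifname "tailscale0" oifname "wg0" accept

        # Leak guard: if wg0 is down and routing falls back to another
        # interface, forwarded tailnet traffic is dropped instead of leaving
        # with the VPS's own address. Remove this rule if the host also
        # advertises subnet routes that must be reachable from the tailnet.
        iifname "tailscale0" oifname != "wg0" counter drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT everything leaving via the VPN interface, as the
        # comment above describes.
        oifname "wg0" masquerade
    }
}
```

Load it with `nft -f`; the counter on the drop rule shows whether any forwarded tailnet traffic tried to leave outside the tunnel.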

[–] undefined@lemmy.hogru.ch 1 points 1 day ago

I do some pretty crazy stuff honestly because I’m really into privacy. Since I’m stuck using a VPS I usually put it in the same country that I’m currently in so that for my end devices it appears I’m just accessing some corporate VPN.

On the VPN I actually have two in-country double hop VPN tunnels. I then have two more double hop VPN tunnels that first go into some random country, then finally to Switzerland (because I love their privacy laws). Those two tunnels are set as two equal cost multipath hops for my Tailscale clients, then they get stuffed into the first set of in-country tunnels.

I inject random delays to protect against timing attacks too, and on top of all that I run Blocky with an insane amount of blocklists and that traffic is also spread between all the tunnels over DoT.

It’s a lot of overkill but I absolutely love having no ads, strong data protection and a higher level of freedom of speech.

[–] possiblylinux127@lemmy.zip 1 points 1 day ago (1 children)

Don't do this as it defeats the point of Tailscale

[–] undefined@lemmy.hogru.ch 1 points 1 day ago (1 children)

Not really. I use the exit node to forward my “default” traffic through the VPN but I still use tunnels between my end devices too. My wife uses it to print documents from work and hell, I even shut off a lot of services on my LAN and made them Tailscale-only just as a way to force encryption (unnecessarily).

[–] possiblylinux127@lemmy.zip 1 points 1 day ago (1 children)

The problem is that it likely will break NAT traversal which means no direct connections.

Tailscale already has VPN integrations. I would recommend that you use that instead.

[–] undefined@lemmy.hogru.ch 1 points 1 day ago (1 children)

Tailscale only supports Mullvad VPN and when you do use it you’re stuck with its DNS server. It’s a super basic option and doesn’t allow for much customization.

[–] possiblylinux127@lemmy.zip 0 points 1 day ago (1 children)

On the exit node you should be able to set up routing so that traffic goes through a VPN route.

In the end though I honestly don't see much of a use case for VPNs

[–] undefined@lemmy.hogru.ch 1 points 1 day ago

So you’re just chiming in that people shouldn’t use it because you don’t see the use case for VPNs?

[–] murky0106@lemmy.world 2 points 1 day ago

You could try KDE connect using Bluetooth