You should keep trying with tailscale, did you read the docs? (tailscale provides amazing documentation), you dont need to install the client on every device, for that use subnet routers, all is in the docs. Give it another try and post back what issues you are having.

All you need is Wireguard with IP forwarding allowed on the host, maybe some firewall rules if you have one. You configure your wire guard client to only route traffic for your network IPs. I leave my wire guard client connected 100% of the time.

If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.

If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.

Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.

I think you’re overthinking it. Wireguard is considered the “gold standard” and an excellent solution for what you’re trying to do. Open ports can be a concern, but an open Wireguard port is completely silent when not in use and does not respond unless it receives the correct access keys. That makes it invisible to port scanners.

Wireguard on my OpenWRT router works flawlessly. If the router is working the WG endpoint is too, and there are no 3rd parties involved. Tailscale provides much the same thing, but as I understand it requires the involvement of multiple 3rd party services. I’ve been burned too many times by terms of service changes and security breaches so I wanted to avoid relying on any corporate entities wherever possible.

Tasker brings up the tunnel on my phone automatically whenever I’m not connected to my home wifi and drops it when I get back home, so my home servers are always available. My biggest problem when not at home is Verizon’s crappy mobile network.

IMO it’s worth the effort to properly configure Wireguard and get your servers working. Once you get it set up you probably won’t have to touch it for years.

Give it a robot that can read your handwriting, & write snail-mail lettres to it?

d :

_ /\ _

Just expose it on single-stack IPv6. Nobody ever knocks. The address space is not scannable.

The way Tailscale works, you don’t need to worry to much about your local IP address. You can just use the Tailscale IP address and it will connect as if you were local using the fastest route. That’s the beauty of a mesh VPN. Each device knows the fastest route to each other.

Without more information I can’t really tell what issue you are actually having, but if your system has internet, you have a local IP and if the system is showing as up on your tailscale dashboard than it will have a tailscale IP. Not being able to connect using one or the other would be a configuration issue. Whatever service you are having trouble with is probably only listening to one of the interfaces but not the other.

I’m assuming you are running a linux or unix box, but try running the command ip addr. Assuming you have the package installed, it will tell you all of your IP addresses for the system you run the command on. The list may be quite long if you have a lot of docker containers running. The command tailscale ip will do the same but limited to your tailscale IP addresses.

Apache guacamole is something I wish I had when I started. Let’s you connect with telnet, ssh, RDP, or VNC using html5

“how do I add remote access to my servers?”

don’t.

create a new server that’s accessible via VPN and then access your servers from there. then actively log all connections from that device and alert anytime someone or something connects to it.

what is more secure? a house with twenty front doors or a house with one front door and an alarm on it.

I switched from tail scale to pangolin for reverse proxy. Does everything. Auth, VPN, hidden services, public services. Fantastic piece of software

I’m behind CGNAT. My OpenWrt router is a Netbird server that can be connected externally. Having the Netbird server in the router allows me to ssh devices or use services as if I was connected via WiFi.

There’s documentation for Opnsense as well -(https://docs.opnsense.org/manual/how-tos/netbird.html)

Have you tried adding Tor hidden services? It was the easiest solution for me to expose ports from behind the provider’s NAT to my phone when not at home.

For remote management, I just enable SSH, configure it to run on some non-standard port and enable Fail2ban… Make sure I use certificates or secure passwords and also check if fail2ban is actually doing its job. Never had any issues with that setup.

For the services I’ll either use a reverse proxy, plus configure the applications not to allow infinite login attempts, or Wireguard / a VPN.

Do you want to expose port 80/443 and set up a reverse proxy or do you want to use a VPN tunnel? You could just use SSH to port 80 and 443 like so: ssh -L 80:<local-server-ip>:80 -L 443:<local-server-ip>:443 <username>@<domain>

I expose port 80/443 and use Caddy as a reverse proxy together with Authelia to protect anything that I deem needs an extra layer of security. I followed this guide: https://caddy.community/t/securing-web-apps-with-caddy-and-authelia-in-docker-compose-an-opinionated-practical-and-minimal-production-ready-login-portal-guide/20465

Once setup, it is easy to remove or add a backend to Caddy and Authelia. This way does mean that you sometimes need to log in twice, but that is a small price to pay if your backend app does not support SSO (like n8n community edition).

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #127 for this comm, first seen 2nd Mar 2026, 10:00] [FAQ] [Full list] [Contact] [Source code]