It’s a 10 minute read when it should probably be a 2 minute read, likely due to LLMs fluffing it up (I got that vibe from skimming it). But what do you all think, is there anything in here that would compel you to switch from your current VPN solution to this?
Nope. I’m trying to move further away from US proprietary tech, not towards it. I’m currently using Tailscale, but I’m looking at moving to Netbird because it’s open source and European.
There’s nothing I’d like to do more than let the US internet-monopolizing company handle all my VPN traffic /s But without being snarky, for homelabbing purposes just use WireGuard directly, it’s fun and not that hard to handle. Automate peer configurations using Ansible or some other automation tool if it gets hard to manage manually.
Yeah, you can’t just use WireGuard directly on a home network depending on provider (CGNAT) and you can’t just switch providers as most providers are in a non-compete with other providers. So, Cloudflare Mesh or Tailscale is the best option for those.
See my comment here, https://infosec.pub/comment/21363677
I tried, but I don’t understand how to bypass a CGNAT. With Tailscale it just works. Also, I tried Netbird, it’s very similar, and it works well too. I’d love to simplify this, but I have no knowledge at the moment. Would love someone pointing me in the right direction.
CGNAT and changing IPs make this harder. What I’d consider in this scenario is renting a small VPS at a local provider (a tiny/cheap machine is enough). Then use this one as a hop to your network, basically homelab->VPS<-client. Here is a post that talks about something like that: https://taggart-tech.com/wireguard/
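The homelab->VPS<-client hop described above, as an added example (not from the commenter, the linked post, or WireGuard’s own tooling): a small Python generator that renders the three WireGuard configs for a VPS hub and two spokes that sit behind NAT. Node names, the 10.66.0.0/24 tunnel range, the 192.168.10.0/24 homelab LAN, the key placeholders and the vps.example.invalid endpoint are all constructed for the example.

```python
"""Render WireGuard configs for a hub-and-spoke setup: homelab -> VPS <- client.
Added example; keys, names and addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field

TUNNEL_NET = ipaddress.ip_network("10.66.0.0/24")   # constructed tunnel range


@dataclass
class Node:
    name: str
    private_key: str                 # placeholder; real value from `wg genkey`
    public_key: str                  # placeholder; real value from `wg pubkey`
    tunnel_ip: str                   # this node's address inside TUNNEL_NET
    lans: list = field(default_factory=list)   # LANs this node routes for


def validate(nodes):
    """Reject tunnel addresses outside the tunnel range or assigned twice."""
    seen = set()
    for n in nodes:
        ip = ipaddress.ip_address(n.tunnel_ip)
        if ip not in TUNNEL_NET:
            raise ValueError(f"{n.name}: {ip} not in {TUNNEL_NET}")
        if ip in seen:
            raise ValueError(f"{n.name}: {ip} already assigned")
        seen.add(ip)


def render_hub(hub, spokes, listen_port=51820):
    """Hub on the VPS: the only node with a public endpoint, so it listens."""
    lines = [
        "[Interface]",
        f"Address = {hub.tunnel_ip}/{TUNNEL_NET.prefixlen}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {hub.private_key}",
        "# spoke-to-spoke traffic is routed here; needs net.ipv4.ip_forward=1",
    ]
    for s in spokes:
        # AllowedIPs doubles as the routing table: the spoke's own /32 plus any LAN it fronts
        allowed = [f"{s.tunnel_ip}/32", *s.lans]
        lines += ["", f"# {s.name}", "[Peer]",
                  f"PublicKey = {s.public_key}",
                  f"AllowedIPs = {', '.join(allowed)}"]
    return "\n".join(lines) + "\n"


def render_spoke(spoke, hub, hub_endpoint, others):
    """Spoke behind (CG)NAT: no ListenPort, only an outbound peer entry for the hub."""
    allowed = [f"{hub.tunnel_ip}/32"]
    for o in others:
        allowed += [f"{o.tunnel_ip}/32", *o.lans]
    lines = [
        "[Interface]",
        f"Address = {spoke.tunnel_ip}/{TUNNEL_NET.prefixlen}",
        f"PrivateKey = {spoke.private_key}",
        "", "# VPS hub", "[Peer]",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub_endpoint}",
        f"AllowedIPs = {', '.join(allowed)}",
        "# keeps the NAT mapping open so the hub can send to us unprompted",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


def build_all(hub_endpoint="vps.example.invalid:51820"):
    """Return {node name: config text} for the three-node example topology."""
    hub = Node("vps", "<VPS_PRIVATE_KEY>", "<VPS_PUBLIC_KEY>", "10.66.0.1")
    homelab = Node("homelab", "<HOMELAB_PRIVATE_KEY>", "<HOMELAB_PUBLIC_KEY>",
                   "10.66.0.2", lans=["192.168.10.0/24"])
    laptop = Node("laptop", "<LAPTOP_PRIVATE_KEY>", "<LAPTOP_PUBLIC_KEY>", "10.66.0.3")
    spokes = [homelab, laptop]
    validate([hub, *spokes])
    configs = {hub.name: render_hub(hub, spokes)}
    for s in spokes:
        others = [o for o in spokes if o is not s]
        configs[s.name] = render_spoke(s, hub, hub_endpoint, others)
    return configs


if __name__ == "__main__":
    for name, text in build_all().items():
        print(f"### {name}.conf\n{text}")
```

Two things worth noticing in the output: the spokes never get a ListenPort or a public Endpoint of their own, which is what makes CGNAT a non-issue (they only ever dial out, and the keepalive holds the mapping open), and the hub decrypts and re-encrypts spoke-to-spoke traffic in order to route it, so the VPS operator can read anything that is not separately encrypted at the application layer.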
I haven’t used this method personally, but I’ve done something similar for incoming web traffic before, when you want to host things behind a CGNAT. You can actually keep all the traffic confidential by having just an L4 proxy on the VPS, then the HTTP traffic is still end-to-end encrypted between the client and the service, so you don’t even have to trust the VPS provider when it comes to them snooping. They still get some metadata, but not significantly more than the ISPs.
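What that L4 proxy on the VPS actually gets to see, as an added example (not from the commenter): a byte-forwarding relay cannot read the HTTP inside TLS, but the ClientHello’s SNI hostname passes in the clear, which is the main metadata the VPS operator ends up with. The parser below extracts it; the ClientHello it runs on is constructed inline (a single cipher suite, zeroed random), not a capture.

```python
"""Extract the SNI hostname from a TLS ClientHello: the metadata an L4 relay sees.
Added example; the sample ClientHello is constructed here, not captured."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record with one SNI extension (sample input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                 # client_version TLS 1.2
        + b"\x00" * 32                              # random (zeros; constructed)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/not TLS."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                  # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            lpos = 2                                  # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                nval = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(nval) == nlen:
                    return nval.decode("ascii")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or malformed input


def relay_view(first_bytes: bytes) -> dict:
    """Summarise what a bytes-in, bytes-out relay learns from a connection's first segment."""
    return {
        "looks_like_tls": len(first_bytes) >= 3
        and first_bytes[0] == 0x16 and first_bytes[1] == 0x03,
        "sni": extract_sni(first_bytes),              # hostname leaks; nothing else decrypts
        "bytes_seen": len(first_bytes),
    }


if __name__ == "__main__":
    sample = build_client_hello("home.example.test")
    print(relay_view(sample))
    print(relay_view(b"GET / HTTP/1.1\r\n"))          # non-TLS: the relay sees it all
```

The relay sees the destination hostname and the timing and volume of the bytes it copies, which is roughly what an ISP sees too; the HTTP request and response stay inside the TLS session the client established with the homelab service, not with the VPS.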
I’m trying to set up the same at some point. How do you solve the changing IP address problem?
The simplest would be renting a VPS I think.
I grabbed an Oracle free-tier many moons ago. The x86 one with 4 gig of memory, I think? The ARM ones have many more cores and memory, but unless you go with a Pay As You Go (PAYG) account (needs a one-time refundable $100 credit) it’s virtually impossible to grab one.
My free tier account is sufficient as a pure VPN for accessing stuff, you get 10 TB/month egress traffic. The downside is it’s Oracle, and you are at their mercy (they can purge it without notice).
I never tried it because of CGNAT, but maybe Dynamic DNS could also solve this.
Other than that, Tailscale / CF tunnel are a fine solution (for now).
Finally a reasonable person around here.
The only thing I like about this is the pressure it might put on tailscale to make their offering better.
This could have been you, Mozilla.
sniff
I wanted so much to believe in you
Is it still too late technically? I don’t want to quit on Mozilla.
TBH I still donate $5/mo to Mozilla. But only because someone has to fund the upstream development of the browser I actually use (and which arguably is the browser Mozilla was supposed to be)
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
CF              CloudFlare
CGNAT           Carrier-Grade NAT
DNS             Domain Name Service/System
IP              Internet Protocol
NAT             Network Address Translation
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)
[Thread #238 for this comm, first seen 15th Apr 2026, 13:10] [FAQ] [Full list] [Contact] [Source code]
I’ve been using Cloudflare’s Tunnel/Zero Trust for a while now and I find it does the job just jammy. I’m not sure I need Mesh, but I will at least familiarize myself with it.