1. 12

So I had previously set up my home server with SSH on a high port, and did the port forwarding thing on the firewall so that I can SSH into this system from elsewhere on the Internet. It worked fine for months.

And then, it stopped working. The router didn’t have a software update as far as I can see. I re-checked everything, but I just can’t initiate a connection to the server from elsewhere on the Internet. It seems like it is filtered somewhere in the ISP’s network. I can, and possibly will switch ISPs, but in the mean time, I’m looking at other technical options. Though we use the other main ISP for work, and their uptime in the last couple years has been… less than stellar.

One option is obviously rent a VPS, and set up a VPN or something, and have the home server connect to that at startup. I can and have done that in the past, but even a low-cost VPS is $10 USD per month.

Some of the VPN providers out there have relatively low-cost multi-year deals, so I was looking at one of those. But it wasn’t clear if any of them supported what I wanted to do. I don’t really need to watch Netflix from a different region, I just want access to my server remotely.

I just wanted to see if anyone else is doing something like this. Thanks!


  2. 18

    I think anyone who uses it will suggest you use tailscale. It (and I mean exactly what I say) just works. Literally takes an hour to set up on your machines (tops) and then you (and only you) can reach them wherever you may be. I’ve even put it into initrd’s so I can remotely unlock my file servers if they reboot.

    The client is wholly open source, and they have got a free tier for the authentication service and nat-traversal endpoints, or you can run headscale which is open source and compatible with their client.

    I’d love to say I’m a shill, but nope (I hang with a few of theirs on a private slack instance), just a very happy user of theirs on the free tier (:

    1. 4

      Have you tried the open source server implementation, headscale?

      1. 2

        I haven’t (happy with the free tier and I’m a google apps user so their thirdparty auth story works for me), but friends have used it; they’re happy using it.

      2. 3

        Yeah this is more or less a textbook job for Tailscale. I am glad I don’t need to add port forwarding on my routers anymore!

      3. 11

        I use yggdrasil. The benefits over Tailscale and Zerotier is there is no need for a control server and less latency the using tor. spork.sh is another option that I’m looking at.

        Also there is third option I forget about. You can run an experimental feature in IPFS.

        1. 7

          Check https://lowendbox.com/ for cheap VPS in your area. scaleway and vultr have good offers. I would recommend setting up a wireguard network. There are many projects on github that make that super easy. I would not use tailscale. Why involve a closed source software, when you don’t have to?

          1. 5

            The core of Tailscale’s client is open source: https://github.com/tailscale/tailscale. The android app is open source: https://github.com/tailscale/tailscale-android. It really depends on what you mean by “closed source” though.

            1. 5

              Not all of the code is open, a simple wireguard setup is. Why give up freedom when you don’t have to?

              I have been in this industry for too long to make my own infra depend on some software that I have no control over.

              The setup that OP wants takes maybe a few hours to create if one has to learn it along the way.

              1. 4

                I have not used it but there’s https://github.com/juanfont/headscale an open source version of the control plane.

                1. 2

                  sure, but why bother with all that when all you want is a 2-3 host wireguard network? It is really not that hard to set up.

                  1. 4

                    It’s certainly easier than OpenVPN, but it’s still very difficult, and doesn’t grant you affordances like DNS, etc.

                    1. 3

                      Because the NAT-punching is the functionality part that OP is actually asking for, and plain WG doesn’t include that.

                  2. 3

                    Why give up freedom when you don’t have to?

                    Freedom is abstract; usability is concrete ;) Speaking personally: Tailscale was the first tool of its kind which I was able to use and deploy successfully. That’s enormous.

                2. 2

                  Is there any place you trust to review the hosts that post offers there? Some of the offers are very good, but you need to pay semi-annually or annually, which is just enough that I’d be unhappy if I kicked the tires and learned they were hopelessly oversubscribed.

                  1. 3

                    I have a scaleway stardust instance for 2€/month. Billing is by the hour. I can cancel at any time and performance is great. They are often low on supply, but if you have one, they are great. They are available in Paris and Amsterdam.

                3. 7

                  Thank you everyone for your suggestions!

                  I decided to try Tailscale first. I was able to connect remotely with no problem. I haven’t yet activated Tailscale SSH, I was just using the keys and SSH config I had already set up, because that also works with ConnectBot on Android.

                  It was all rather… easy and hassle-free.

                  1. 5

                    Zerotier (my preference) and Tailscale both let you do this really easily.

                    Cloudflare Access / Cloudflare for Teams would let you do this and access your ssh server in a web browser, if that’s interesting to you.

                    All these options are free.

                    Low-cost VPSs go for ~$5 these days, fwiw.

                    1. 5

                      even a low-cost VPS is $10 USD per month

                      You’re not looking around hard enough if you think $10/mo is the cheapest it gets 😉

                      For a simple Wireguard VPN acting as a bastion to access some servers, BuyVM’s Slice 512 would be more than sufficient and that’s $2/mo or $20/yr.

                      1. 4

                        Yep, this is a me too comment, but Tailscale. I dislike that you need to default to a big company auth provider, but not enough to do anything else.

                        1. 3

                          Zerotier doesn’t really tie you to a provider - you can even run your own control node if you want. And the config is just as simple. Install, join network, click a checkbox next to the node to authorise it.

                          (but if you want it free… yeah, you’ve got to use someone else’s auth)

                        2. 4

                          If you require access through the public Internet, I recommend https://hoppy.network/. tl;dr it will give you a static public IP address connected to your server through WireGuard, so you get the same public IP address as a local WireGuard network interface that you can bind processes to, etc. just like you’d expect. I used it for a few months around the beginning of the year when I was between homes and moving around a lot, and I found that it worked quite well.

                          It’s only slightly more expensive than the cheapest VPS’ you can find ($5 vs. $8 if you pay monthly) and will probably save you a lot of hassle with setup and maintenance.

                          1. 4

                            Many home ISPs implement firewall rules to avoid common spam & exploits (eg mail-related ports) but I suspect CG nat is now the most likely reason to cause this problem.

                            Tried contacting your ISP? My ISP (in Australia) now CG-nats home users by default, but they were perfectly happy to put me back on a dedicated IPV4 address after I gave them a reason (“need remote access”). No extra cost and sticky-enough that it doesn’t change (albeit I’m not paying for static, so it might eventually).

                            1. 1

                              I can try that too. What’s funny is that according to the common services, My public IP address didn’t change.

                            2. 3

                              NetMaker is another option, though they’re free tier is self-hosted. https://www.netmaker.io.

                              Otherwise, Tailscale works great, and an open source solution called Headscale exists if they ever end their free tier.

                              1. 2

                                You can set up Tor to access your SSH port through a Tor hidden service. I’ve used this in the past on to access my home server, and there was even Tor support in the SSH app I used on my phone at the time. Zero cost, but low bandwidth and latency might be an issue.

                                1. 2

                                  Slack’s Nebula + free Google Compute VM instance.

                                  1. 2

                                    You could also go the poor-man-VPN route of an ssh reverse tunnel to a public remote server (replace localhost with to expose the forwarded port to all interfaces on the remote server, or specify a specific interface IP)

                                    There’s also autossh that may automate the reverse ssh tunnel more reliably than my cronjob, although I never used it.

                                    1. 2

                                      Tailscale free tier