Hi,

I am currently trying to add remote access to 2 of my servers but didn’t manage to get a working setup as is.

Right now I want to access 2 servers:

  • one is for media stuff (navidrome, jellyfin, managing the arr stack)
  • one is for my data syncing with rsync, and afterwards setting up a backup with borg to another server not on my domain

I was trying at some point to add stuff such as Tailscale, but somehow I always had issues with having both servers reachable within the IP range I use on my local network, so that everything would work as is with the current home config while being away. I have also heard of Cloudflare Tunnels as well, but I didn’t try that yet. At some point I tried to do just a regular WireGuard from my OPNsense, but I would prefer not to have open ports to worry about (and I also had issues with internal IPs not being assigned by WireGuard).

Does anyone here have experience with this? If so, what was your solution and/or caveats to it?

EDIT: I got some very good responses, but I think I failed to understand that what I would need is probably a hop-in server of sorts for the VPN. Meaning:

  • I login to the hop server
  • I get an internal IP for my network, meaning, 192.168.1.xxx
  • I do whatever I need to do
  • log out

Does anyone have experience with such a solution? My point would be to be able to have full access to everything on the network without having to do a VPN on every machine I need access to (although it can create a massive single point of failure/risk).
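An added example illustrating the hop-server layout described in the edit (it is not part of the original post): a POSIX sh script that generates WireGuard configs for a Linux host on the LAN acting as the hub. Peers keep a 10.8.0.x tunnel address and get a route to 192.168.1.0/24 through the hub, which forwards and masquerades their traffic; they do not receive a 192.168.1.x address themselves. The key strings, the 10.8.0.0/24 tunnel range, the interface name eth0, the hostname vpn.example.net and the DNS server 192.168.1.1 are assumptions for the demo. Caveat: the hub still needs one inbound UDP port forwarded from OPNsense; if that is unacceptable, a Tailscale subnet router gives the same reachability without an open port.

```shell
#!/bin/sh
# Added example, not from the thread. Generates WireGuard configs for a
# "hop" layout: one Linux host on the LAN is the hub, road-warrior peers get
# a 10.8.0.x tunnel address and reach 192.168.1.0/24 through it.
# Keys are placeholders (real ones: wg genkey | tee priv | wg pubkey);
# eth0, vpn.example.net and DNS 192.168.1.1 are assumptions for the demo.
set -eu

LAN=192.168.1.0/24
TUN=10.8.0.0/24
HUB_TUN_IP=10.8.0.1
WG_PORT=51820
LAN_IF=eth0            # the hub's LAN-facing interface (assumption)

# Hub side. Each peer's AllowedIPs is ONLY its own /32: that is what stops
# one peer from claiming another peer's (or the LAN's) addresses.
hub_conf() { # hub_conf <hub-private-key> <peer-public-key:tunnel-ip>...
    priv=$1; shift
    cat <<EOF
[Interface]
Address = $HUB_TUN_IP/24
ListenPort = $WG_PORT
PrivateKey = $priv
# forward peer traffic onto the LAN and masquerade it, so LAN hosts
# answer to the hub's own address and need no route back to $TUN
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = nft add table ip wg
PostUp = nft add chain ip wg post '{ type nat hook postrouting priority 100; }'
PostUp = nft add rule ip wg post oifname "$LAN_IF" ip saddr $TUN masquerade
PostDown = nft delete table ip wg
EOF
    for p in "$@"; do
        pub=${p%%:*}; ip=${p#*:}
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip"
    done
}

# Client side. AllowedIPs lists what goes INTO the tunnel: the LAN plus the
# tunnel range (split tunnel). Use 0.0.0.0/0 instead to route everything
# through home. The client keeps its 10.8.0.x address; it does not get a
# 192.168.1.x one.
client_conf() { # client_conf <client-private-key> <tunnel-ip> <hub-public-key> <hub-endpoint>
    cat <<EOF
[Interface]
Address = $2/24
PrivateKey = $1
DNS = 192.168.1.1

[Peer]
PublicKey = $3
Endpoint = $4:$WG_PORT
AllowedIPs = $LAN, $TUN
PersistentKeepalive = 25
EOF
}

# Demo with placeholder keys: hub config for two peers, then the laptop's.
hub_conf HUB_PRIVATE_KEY LAPTOP_PUBLIC_KEY:10.8.0.2 PHONE_PUBLIC_KEY:10.8.0.3
echo "----"
client_conf LAPTOP_PRIVATE_KEY 10.8.0.2 HUB_PUBLIC_KEY vpn.example.net
```

The masquerade rule is what makes "everything on the network" reachable without touching the other machines: LAN hosts see connections coming from the hub's own 192.168.1.x address, so they need no route for 10.8.0.0/24. On OPNsense the equivalent is an outbound NAT rule on the LAN interface for the tunnel range; the hub is then the single point of failure the edit mentions, so keep its private key off the peers and give each device its own key pair.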

  • hendrik@palaver.p3x.de · 22 days ago

    For remote management, I just enable SSH, configure it to run on some non-standard port and enable Fail2ban… Make sure I use certificates or secure passwords and also check if fail2ban is actually doing its job. Never had any issues with that setup.

    For the services I’ll either use a reverse proxy, plus configure the applications not to allow infinite login attempts, or Wireguard / a VPN.
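An added example, not part of hendrik’s post: a POSIX sh script that audits an sshd config for the settings described above (key-only auth, no root password login, a small retry budget) and writes a fail2ban jail that reads sshd failures from the systemd journal, the mismatch hendrik mentions later in the thread. The file paths and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd config for the settings
# hendrik describes and writes a fail2ban jail that reads the systemd journal.
# Paths and sample configs are constructed for the demo.
set -eu

# Effective value of one directive. sshd honours the FIRST occurrence of a
# directive, so take the first match; compare case-insensitively so the
# output of `sshd -T` (all lowercase) works as input too.
sshd_get() { # sshd_get <config-file> <Directive>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key  { print $2; exit }
    ' "$1"
}

# Print one line per weak setting; return 1 if anything was flagged.
# Defaults (used when a directive is absent) are OpenSSH's own defaults.
audit_sshd() { # audit_sshd <config-file>
    f=$1; bad=0
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] || { echo "PasswordAuthentication should be no (is: ${v:-unset, default yes})"; bad=1; }
    v=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ "${v:-yes}" = no ] || { echo "KbdInteractiveAuthentication should be no (is: ${v:-unset, default yes})"; bad=1; }
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || { echo "PubkeyAuthentication must be yes (is: $v)"; bad=1; }
    v=$(sshd_get "$f" PermitRootLogin)
    case ${v:-prohibit-password} in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin should be no or prohibit-password (is: $v)"; bad=1 ;;
    esac
    v=$(sshd_get "$f" MaxAuthTries)
    [ "${v:-6}" -le 3 ] 2>/dev/null || { echo "MaxAuthTries should be 3 or less (is: ${v:-unset, default 6})"; bad=1; }
    return $bad
}

# fail2ban jail for sshd that reads the journal instead of /var/log/auth.log.
# <port> is the (possibly non-standard) port sshd listens on, so the ban
# action blocks the right one.
write_sshd_jail() { # write_sshd_jail <output-file> <port>
    cat > "$1" <<EOF
[sshd]
enabled  = true
port     = $2
backend  = systemd
maxretry = 3
findtime = 10m
bantime  = 1h
EOF
}

# Constructed sample configs for the demo.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# looks like a stock install: passwords on, root login on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF

echo "== weak.conf =="
audit_sshd "$demo_dir/weak.conf" || echo "FAILED"
echo "== hardened.conf =="
audit_sshd "$demo_dir/hardened.conf" && echo "OK"
write_sshd_jail "$demo_dir/jail.d-sshd.local" "$(sshd_get "$demo_dir/hardened.conf" Port)"
cat "$demo_dir/jail.d-sshd.local"
```

Audit the effective configuration rather than a single file, because Debian and Ubuntu pull in /etc/ssh/sshd_config.d/*.conf via Include and a drop-in there can re-enable passwords: `sshd -T > /tmp/effective.conf && audit_sshd /tmp/effective.conf` (as root). Copy the jail to /etc/fail2ban/jail.d/sshd.local, then confirm the jail is actually matching with `fail2ban-client status sshd`; a jail that shows zero failures after a known bad login is watching the wrong source.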

    • ergonomic_importer@piefed.ca · 22 days ago

      > For remote management, I just enable SSH, configure it to run on some non-standard port and enable Fail2ban… Make sure I use certificates or secure passwords and also check if fail2ban is actually doing its job. Never had any issues with that setup.

      This is what I’ve done for years, but I sometimes feel like it’s not a great solution from a security standpoint.
      Though I have switched from fail2ban to Crowdsec, which did end up banning my own connection attempts when I forgot to whitelist myself, so that seems secure enough.

      • hendrik@palaver.p3x.de · 21 days ago (edited)

        Hmmh. I’m not entirely satisfied with any of them. Crowdsec is a bit too complex and involved for my taste. And oftentimes there’s no good application config floating around on the internet, nor do I get any sane defaults from my Linux distribution. Whereas fail2ban is old and eats up way too many resources for what it’s doing. And all of it is a bit too error-prone(?). As far as I remember, I had several instances when I thought I had set it up correctly, but it didn’t match anything. Or it was looking for some logfile by default but my program wrote to the systemd journal. So nowadays I’ll double-check everything. I wish programs like sshd and webapps came with that kind of security built in, in some foolproof way.

  • neon_nova@lemmy.dbzer0.com · 22 days ago

    I was going to say Tailscale. You will need to give more details about what didn’t work with Tailscale, but it has been pretty seamless for me.

    • ZeDoTelhado@lemmy.world (OP) · 22 days ago

      Basically when I connect to tailscale I just can’t get it to give an internal IP so I can access everything with my configs. Unless I am missing something obvious, I don’t understand what is going on here.

      • neon_nova@lemmy.dbzer0.com · 22 days ago

        When you connect to Tailscale, via cli it should give you a link to use to connect it to your account. You can get the ip address in various ways. One of which is just looking on your Tailscale dashboard. You need to have Tailscale installed on every machine you want to talk with.

    • mrnobody@reddthat.com · 22 days ago

      How did you configure Tailscale, though? Are you using some Apple or MS auth account? I want to stay away from using one of their services to “authorize” connecting to my own server.

      • neon_nova@lemmy.dbzer0.com · 21 days ago

        As far as I know you need to authenticate through them.

        Alternatively, you could setup your own vpn to do all this, but it is much more work and will likely have some cost.

  • captcha_incorrect@lemmy.world · 22 days ago

    Do you want to expose port 80/443 and set up a reverse proxy or do you want to use a VPN tunnel? You could just use SSH to port 80 and 443 like so: ssh -L 80:<local-server-ip>:80 -L 443:<local-server-ip>:443 <username>@<domain>

    I expose port 80/443 and use Caddy as a reverse proxy together with Authelia to protect anything that I deem needs an extra layer of security. I followed this guide: https://caddy.community/t/securing-web-apps-with-caddy-and-authelia-in-docker-compose-an-opinionated-practical-and-minimal-production-ready-login-portal-guide/20465

    Once setup, it is easy to remove or add a backend to Caddy and Authelia. This way does mean that you sometimes need to log in twice, but that is a small price to pay if your backend app does not support SSO (like n8n community edition).
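An added example, not part of captcha_incorrect’s reply: a POSIX sh script that turns the one-off `ssh -L` command above into a reusable ~/.ssh/config stanza. Local ports below 1024 (the 80 and 443 in the reply) can only be bound by root on the client, so the demo maps them to 8080 and 8443 instead and flags privileged local ports. The jump host name vpn.example.net, user alice, key path and the LAN address 192.168.1.10 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Turns the one-off `ssh -L` from the
# reply into a reusable ~/.ssh/config stanza. Local ports below 1024 (the
# 80 and 443 in the reply) can only be bound by root on the client, so the
# demo maps them to 8080 and 8443. Host, user, key path and LAN addresses
# are assumptions for the demo.
set -eu

# Emit a Host stanza. Forwards are written as localport:remotehost:remoteport.
ssh_stanza() { # ssh_stanza <alias> <hostname> <user> <ssh-port> <forward>...
    name=$1; host=$2; user=$3; port=$4; shift 4
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n' "$name" "$host" "$user" "$port"
    # pin the key so ssh does not offer every key in the agent to the server
    printf '    IdentitiesOnly yes\n    IdentityFile ~/.ssh/%s_ed25519\n' "$name"
    # abort instead of silently running without the tunnel
    printf '    ExitOnForwardFailure yes\n'
    for fwd in "$@"; do
        lport=${fwd%%:*}; target=${fwd#*:}
        if [ "$lport" -lt 1024 ]; then
            echo "    # NOTE: local port $lport is privileged; needs root to bind"
        fi
        printf '    LocalForward %s %s\n' "$lport" "$target"
    done
}

# Demo: media server 192.168.1.10 behind jump host vpn.example.net (sshd on 2222).
ssh_stanza home vpn.example.net alice 2222 8080:192.168.1.10:80 8443:192.168.1.10:443
# Append that output to ~/.ssh/config, then:  ssh -N home   and open http://localhost:8080/
```

`-N` opens the forwards without a remote shell; add `-f` to background it. When forwarding 443 this way the backend’s certificate is issued for its own name, not localhost, so the browser warning is expected; a proper host name only comes with the reverse-proxy route described in the reply.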

  • sj_zero@lotide.fbxl.net · 22 days ago

    Apache Guacamole is something I wish I had when I started. Lets you connect with telnet, SSH, RDP, or VNC using HTML5.

  • Atlas_@lemmy.world · 21 days ago

    If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.

    If that’s still not enough for you or you need a private gateway, then WireGuard. I can strongly recommend Tailscale - it’s really an orchestration layer on top of WireGuard. You can set up your own DERP relays and Headscale if you are truly paranoid. But 99.9% of the time you don’t need all that, and Tailscale out of the box will work well.

    Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.

  • baner@lemmy.zip · 20 days ago

    You should keep trying with Tailscale. Did you read the docs? (Tailscale provides amazing documentation.) You don’t need to install the client on every device; for that, use subnet routers. It’s all in the docs. Give it another try and post back what issues you are having.
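An added example, not part of baner’s reply: a POSIX sh script that sets up the subnet-router pattern mentioned above on one Linux host of the LAN, so the other machines (e.g. the media and sync servers) stay reachable at their 192.168.1.x addresses without Tailscale on them and without an inbound port on OPNsense. The `tailscale up` flags are Tailscale’s documented ones; the sysctl drop-in path is an assumption. Run without arguments it only prints the commands; `apply` as the first argument executes them.

```shell
#!/bin/sh
# Added example, not from the thread. Makes one LAN host a Tailscale subnet
# router so the other machines are reachable at their 192.168.1.x addresses
# without Tailscale installed on them. The tailscale flags are the documented
# ones; the sysctl drop-in path is an assumption. Without "apply" as the
# first argument the script only prints what it would run.
set -eu

LAN=${LAN:-192.168.1.0/24}
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/99-tailscale.conf}

# Guard: only advertise private (RFC 1918) ranges. Advertising 0.0.0.0/0
# by mistake would make this host an exit node for the whole tailnet.
is_rfc1918() { # is_rfc1918 <cidr>
    case $1 in
        10.*/*|192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
    esac
    return 1
}

# Step 1: the router must forward packets, and the setting must survive reboot.
enable_forwarding() { # enable_forwarding <sysctl-file>
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > "$1"
}

# Step 2: the command that advertises the LAN. The route must then be
# approved once in the admin console (or via an autoApprovers ACL rule).
advertise_cmd() { # advertise_cmd <cidr>
    is_rfc1918 "$1" || { echo "refusing to advertise non-private range $1" >&2; return 1; }
    echo "tailscale up --advertise-routes=$1"
}

# Step 3, on each client: accept advertised routes. Linux clients do not
# accept them unless told to; the desktop and mobile apps do by default.
client_cmd() { echo "tailscale up --accept-routes"; }

main() { # main [apply]
    if [ "${1:-show}" = apply ]; then
        enable_forwarding "$SYSCTL_FILE"
        sysctl -p "$SYSCTL_FILE"
        cmd=$(advertise_cmd "$LAN")
        $cmd
    else
        echo "# on the subnet router:"
        echo "#   write net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 to $SYSCTL_FILE, then: sysctl -p $SYSCTL_FILE"
        advertise_cmd "$LAN"
        echo "# on each laptop/phone:"
        client_cmd
    fi
}
main "${1:-show}"
```

Tailscale source-NATs subnet traffic to the router’s LAN address by default, so the media and sync servers need no route back to the tailnet and existing configs that use 192.168.1.x addresses keep working from outside. The router is the one host that must stay up for this to work; `tailscale status` on a client shows whether the route is being offered and accepted.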

  • prenatal_confusion@feddit.org · 22 days ago

    I switched from Tailscale to Pangolin for reverse proxy. Does everything: auth, VPN, hidden services, public services. Fantastic piece of software.

  • Decronym@lemmy.decronym.xyz (bot) · 20 days ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    CGNAT           Carrier-Grade NAT
    DNS             Domain Name Service/System
    IP              Internet Protocol
    NAT             Network Address Translation
    SSH             Secure Shell for remote terminal access
    SSL             Secure Sockets Layer, for transparent encryption
    SSO             Single Sign-On
    TLS             Transport Layer Security, supersedes SSL
    UDP             User Datagram Protocol, for real-time communications
    VNC             Virtual Network Computing for remote desktop access
    VPN             Virtual Private Network
    VPS             Virtual Private Server (opposed to shared hosting)

    [Thread #127 for this comm, first seen 2nd Mar 2026, 10:00]