You should keep trying with tailscale, did you read the docs? (tailscale provides amazing documentation), you dont need to install the client on every device, for that use subnet routers, all is in the docs. Give it another try and post back what issues you are having.

All you need is Wireguard with IP forwarding allowed on the host, maybe some firewall rules if you have one. You configure your wire guard client to only route traffic for your network IPs. I leave my wire guard client connected 100% of the time.

I think you’re overthinking it. Wireguard is considered the “gold standard” and an excellent solution for what you’re trying to do. Open ports can be a concern, but an open Wireguard port is completely silent when not in use and does not respond unless it receives the correct access keys. That makes it invisible to port scanners.

Wireguard on my OpenWRT router works flawlessly. If the router is working the WG endpoint is too, and there are no 3rd parties involved. Tailscale provides much the same thing, but as I understand it requires the involvement of multiple 3rd party services. I’ve been burned too many times by terms of service changes and security breaches so I wanted to avoid relying on any corporate entities wherever possible.

Tasker brings up the tunnel on my phone automatically whenever I’m not connected to my home wifi and drops it when I get back home, so my home servers are always available. My biggest problem when not at home is Verizon’s crappy mobile network.

IMO it’s worth the effort to properly configure Wireguard and get your servers working. Once you get it set up you probably won’t have to touch it for years.

“how do I add remote access to my servers?”

don’t.

create a new server that’s accessible via VPN and then access your servers from there. then actively log all connections from that device and alert anytime someone or something connects to it.

what is more secure? a house with twenty front doors or a house with one front door and an alarm on it.

Do you want to expose port 80/443 and set up a reverse proxy or do you want to use a VPN tunnel? You could just use SSH to port 80 and 443 like so: ssh -L 80:<local-server-ip>:80 -L 443:<local-server-ip>:443 <username>@<domain>

I expose port 80/443 and use Caddy as a reverse proxy together with Authelia to protect anything that I deem needs an extra layer of security. I followed this guide: https://caddy.community/t/securing-web-apps-with-caddy-and-authelia-in-docker-compose-an-opinionated-practical-and-minimal-production-ready-login-portal-guide/20465

Once setup, it is easy to remove or add a backend to Caddy and Authelia. This way does mean that you sometimes need to log in twice, but that is a small price to pay if your backend app does not support SSO (like n8n community edition).

If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.

If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.

Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.

I switched from tail scale to pangolin for reverse proxy. Does everything. Auth, VPN, hidden services, public services. Fantastic piece of software

Give it a robot that can read your handwriting, & write snail-mail lettres to it?

d :

_ /\ _

Just expose it on single-stack IPv6. Nobody ever knocks. The address space is not scannable.