I pay for Mullvad VPN primarily centered around improving my privacy. However, I also homelab quite a bit, but I do not have a public IP. This means I also require an overlay VPN like Tailscale. I do know there is currently an integration (which I am currently paying for), however this decreases your anonymity, because you’re using it while logged into Tailscale.
Additionally this service is only available if you use Tailscale’s co-ordination server. So if I were ever to self host Headscale or move to something like say, Pangolin, I would not continue to be able to have the privacy benefits.
How can someone both reap the benefits of a privacy VPN and an overlay VPN simultaneously, while retaining as much control over both as possible?
I’ve heard of using a docker container with gluetun as an endpoint as one option, or just manually using WireGuard between two devices. Although I’ve heard these strategies result in a lot of DNS leaks.
Was curious what privacy minded home labbers here use as their solution, especially if you self host your own co-ordination server.
I’ve heard of this before, but is there any solution that doesn’t require a Cloudflare account? I’d prefer something self-hosted if possible. If a public IP is absolutely required that’s ok I can get a VPS.
Just yesterday, I believe I managed to get my VPN and Tailscale combination functioning as optimally as possible. I’m utilizing IVPN, and the solution for me was to add the Tailscale IP to the killswitch exceptions. I disabled MagicDNS and subnets from Tailscale. Now, everything operates through the IVPN tunnel without any DNS leaks.
Admittedly, I haven’t tested inbound connections, as I have no need for them.
Not sure about your technical skills, but:
What about using a reverse NAT tunneling proxy like rathole or frp and a public VPS? Then use this VPS as intermediate proxy to connect public devices to homelab WireGuard endpoint.
You don’t need to put trust into third-party VPN mesh providers like Tailscale. Within your homelab you then can tunnel outgoing connections as you like over (Mullvad)VPN:
WG peer <-> VPS <-> rathole <-> WG gateway <-> Local Mullvad VPN proxy <-> Mullvad VPN <-> Internet
|------------------- homelab -------------------------|
|--Reverse NAT tunnel--|
|----------------------------- E2EE WG ------------|
rathole client establishes a tunnel from homelab to VPS, circumventing CGNAT. WireGuard devices can use this VPS endpoint tunnel to access homelab.
As a note: I haven’t done this myself yet, but this is how I probably would do it, preferred over solutions like Tailscale, Netbird and other mesh VPN solutions with regards to security and vendor lock-in.
Isn’t gluetun just a VPN client with convenience features for multiple providers? This would not solve your problem with CGNAT / no public IP, if I have understood correctly.
I’m pretty comfortable with networking, but I’ve never used either of those tools before. I’m hesitant to do a lot of the routing by hand in case something slips up and I start getting DNS leaks, but if it’s the only way to have the best of both worlds I suppose it’s worthwhile to do.
I’d have to look through this a bit more. I don’t suppose there are any blogs or tutorials on this already?
Ah, I should probably explain this a bit more. I was considering hosting headscale in a docker container on a VPS or at my relatives’ place and using gluetun to force the connection through Mullvad, but maybe my theoretical understanding of that is wrong.
Well, in that case, just go with IVPN and your problem will be sorted. I haven’t encountered any other VPNs that offer the functionality to configure exceptions for the killswitch.
I’m not super familiar with Netbird, if it requires a co-ordination server, wouldn’t that be similar to Tailscale where it would require a public static IP for something like that?
I’m pretty sure I personally exhausted all options before the workaround, but I figured he’d already given them a shot too… Regardless, everything’s still flowing through the IVPN tunnel, no leaks.
Couldn’t you do this using the WireGuard app directly? Set up a config and force all IPs through the tunnel with the Allowed IPs parameter, EXCEPT the local IP of the Netbird app, which would be included in the Disallowed IPs parameter. You can use a calculator to generate a list of all IP ranges minus a particular set of Disallowed IPs, see here for example: WireGuard AllowedIPs Calculator | Pro Custodibus
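Added example (not from this thread or from the calculator linked above) of what such an AllowedIPs calculator computes: subtract the ranges you want to keep out of the tunnel from 0.0.0.0/0 and ::/0, and emit the resulting CIDR list for the [Peer] section. The 100.64.0.0/10 range used as the overlay-VPN exclusion and the 192.168.1.0/24 LAN range are assumptions chosen for illustration.

```python
import ipaddress


def _subtract(nets, excl):
    """Remove one CIDR from a list of CIDRs, splitting blocks where needed."""
    out = []
    for net in nets:
        if net.version != excl.version or not net.overlaps(excl):
            out.append(net)                          # untouched
        elif net.subnet_of(excl):
            continue                                 # fully covered: drop
        else:
            out.extend(net.address_exclude(excl))    # carve excl out of net
    return out


def allowed_ips(disallowed, base=("0.0.0.0/0", "::/0")):
    """Return base ranges minus every disallowed range, as CIDR strings."""
    nets = [ipaddress.ip_network(b) for b in base]
    for d in disallowed:
        nets = _subtract(nets, ipaddress.ip_network(d))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


def covers(cidrs, ip):
    """True if the address falls inside any CIDR of the list (i.e. is tunnelled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def peer_allowed_ips_line(disallowed):
    """Render the line to paste into the WireGuard [Peer] section."""
    return "AllowedIPs = " + ", ".join(allowed_ips(disallowed))


if __name__ == "__main__":
    # Assumed exclusions: overlay-VPN range (100.64.0.0/10) and a home LAN.
    keep_out = ["100.64.0.0/10", "192.168.1.0/24"]
    print(peer_allowed_ips_line(keep_out))
    print("overlay peer tunnelled?", covers(allowed_ips(keep_out), "100.100.1.1"))
    print("public host tunnelled? ", covers(allowed_ips(keep_out), "8.8.8.8"))
```

Everything not listed in AllowedIPs bypasses the tunnel, so the overlay VPN's own peer-to-peer traffic still flows while all other destinations go through the privacy VPN.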
I suppose I’d have to learn how to use raw WireGuard as opposed to consumer clients built on it. For the time being I think I’m going to try and host my own Headscale instance and set one of my devices as an exit node. Then somehow try to force all traffic on that exit node to be funneled through Mullvad.
I don’t really see a big issue with using Netbird in comparison to raw wireguard unless you really want some super safe environment with as little in-between tools in the mix.
Every decent tool nowadays is built with a small wrapper around wireguard anyway.
Also it will make your life quite a bit easier compared to having to deal with handling the keys for 2+ devices, and it comes with quite a lot of other nice features for free.