Hello everyone, hope you are doing great.
I am not sure if my question goes here, but this was my best guess. Apologies if I am wrong.
So, I have been using the mesh network offered by NordVPN alongside their VPN subscription to sync some folders between my phone (Android) and my laptop (Linux Mint). This was great because I remember not being able to use Tailscale and VPN at the same time in the past, at least not on my phone.
Now they are dropping Meshnet support in December, so I am trying to figure out if there’s any way I can still run NordVPN and a Meshnet, or if I have to discard one.
If you know of any alternative, please let me know!
i know there were a lot of recommendations for tailscale/headscale (and they’ll keep coming because it’s the current market darling) but i’ve found netbird to be more ergonomic for my needs.
+1 for Headscale.
It might not be what you’re looking for, but Tailscale offers endpoints where you can use Mullvad VPN in conjunction with your Tailscale network, might be worth looking into! I use it and it works great.
Obligatory due to the sub we’re in. I don’t believe tailscale falls into the space of “self hosted”. You’d need to set up your own wireguard server for that.
I thought of that, my problem is that I have another year of NordVPN subscription paid, and I don’t want to waste it. But lesson learned, no more long subscriptions.
Thanks for the clarification!
Headscale.
I could never get this working in a basic Docker image pushed to Fly.io.
Worth noting that there’s an open issue to support WireGuard peers in Headscale, so you could use it with e.g. a wg0.conf file from a commercial VPN.
That might make me re-look into using Headscale.
Did both. Setting up your own VPN is a bit annoying but when it works it works. Tailscale is really easy and solid. For folder syncing I can recommend using Tailscale and Syncthing. Install both on both devices, then connect the devices in Syncthing (it will reciprocate) and then you can add a folder and share it with the other device. Latency for syncing can be 10s-3min, plus the actual file transfer speed.
Knowledge level: configuring software and setting up software. Maybe some basic network troubleshooting if it comes up.
It’s never gonna be as easy as paying for a service that does it for you but this setup is also not that hard.
If you have questions feel free to ask me or other nerds on here, I’m sure they can help you ^^~
In fact, it’s Syncthing that I use in LAN (mesh) mode. Thanks for the help :D
Tailscale is “mostly” self-hosted, in that the VPN connection itself is peer-to-peer almost all the time. You can host your own Headscale and DERP/Relay servers to make it fully self-hosted, but tbh I’m fine not self-hosting the control plane.
The relay server is only used if both ends have very restrictive NAT and none of the NAT hole punching techniques work, which is rare other than on very locked down corporate networks. If you have IPv6 enabled on both ends, you shouldn’t have issues making a direct connection, as IPv6 doesn’t use NAT. Even with regular NAT (like a home internet connection) on both ends, Tailscale can use UDP hole punching on both ends to establish a direct connection.
Fellow satisfied Tailscale user here. Worth noting that one can host a custom control plane server if desired, which in theory removes cloud dependencies for Tailscale from the equation: https://tailscale.com/kb/1507/custom-control-server. Use of Mullvad exit nodes is optional ($5 / mo for 5 machines at time of writing). I’m not sure if TS’ native exit node feature can be configured to use other/self-hosted VPNs, but I suspect this is not supported.
Yeah sad they’re stopping it. I used it to easily access all services when not home… Jellyfin, audio bookshelf, dashboards, nextcloud… All worked rather well on it with very little effort (just had to turn the meshnet feature off and on again on phone once in a while). I don’t think there is any other company offering anything as simple as this was…
If you can self-host and can use containers/Docker, I wanna shamelessly plug my solution: https://github.com/stratself/tswg. Basically mount a WireGuard config from Nord or any upstream VPN, and the container will tunnel traffic to said VPN when you choose it as an exit node.
There are other gluetun + tailscale solutions that are worth a look too
Honestly I have tried selfhosting and I really like it, but I am always too scared of doing something wrong and losing data. So I end up pulling the plug haha
I’m not familiar with NordVPN Meshnet but I wanted to chime in that you can use Tailscale with a VPN, but you’ll have to do some routing work between the Tailscale network interface and the VPN one. I do this on a VPS.
This is a decent idea. You can configure the VPS to be an exit node on the Tailnet, and configure the clients to use it as their exit node. Then you’d just need to configure some nftables rules to masquerade (source NAT) to the VPN network interface.
Having said that… At that point, why do you need the other VPN? You can just use the VPS as your exit node.
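A minimal version of the routing this commenter describes, as an added example that is not from the thread. Interface names (wg0 for the VPN tunnel, tailscale0, eth0 for the VPS uplink) are assumed placeholders; the VPS also needs IP forwarding enabled, `tailscale up --advertise-exit-node`, and a route that sends forwarded traffic to wg0 (e.g. the VPN's default route).

```nft
# Added example (not from the thread): nftables ruleset for a VPS acting as a
# Tailscale exit node that hands client traffic to a commercial VPN tunnel.
# Assumed placeholder interfaces: wg0 (VPN), tailscale0 (Tailscale), eth0 (uplink).
# Load with: nft -f ts-exit.nft

table inet ts_exit {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections already forwarded in either direction.
        ct state established,related accept

        # Exit-node traffic from Tailscale peers may only leave through the VPN.
        iifname "tailscale0" oifname "wg0" accept

        # Kill switch: if wg0 is down the kernel would route peer traffic out of
        # the plain uplink. Log and drop instead of leaking it unencrypted.
        iifname "tailscale0" oifname "eth0" log prefix "ts-exit leak blocked: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT (masquerade) Tailscale client traffic to wg0's address so the
        # VPN provider sees one endpoint and replies are routed back through here.
        iifname "tailscale0" oifname "wg0" masquerade
    }
}
```

The forward chain's drop policy is what makes the kill switch work: only the tailscale0-to-wg0 path is permitted, so a dropped tunnel fails closed rather than falling back to the VPS's own address. Check with `nft list ruleset` and watch the log prefix while bringing wg0 down to confirm nothing leaks.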
I do some pretty crazy stuff honestly because I’m really into privacy. Since I’m stuck using a VPS I usually put it in the same country that I’m currently in so that for my end devices it appears I’m just accessing some corporate VPN.
On the VPN I actually have two in-country double hop VPN tunnels. I then have two more double hop VPN tunnels that first go into some random country, then finally to Switzerland (because I love their privacy laws). Those two tunnels are set as two equal cost multipath hops for my Tailscale clients, then they get stuffed into the first set of in-country tunnels.
I inject random delays to protect against timing attacks too, and on top of all that I run Blocky with an insane amount of blocklists, and that traffic is also spread between all the tunnels over DoT.
It’s a lot of overkill but I absolutely love having no ads, strong data protection and a higher level of freedom of speech.
Don’t do this as it defeats the point of Tailscale
Not really. I use the exit node to forward my “default” traffic through the VPN but I still use tunnels between my end devices too. My wife uses it to print documents from work and hell, I even shut off a lot of services on my LAN and made them Tailscale-only just as a way to force encryption (unnecessarily).
The problem is that it likely will break NAT traversal which means no direct connections.
Tailscale already has VPN integrations. I would recommend that you use that instead.
Tailscale only supports Mullvad VPN and when you do use it you’re stuck with its DNS server. It’s a super basic option and doesn’t allow for much customization.
On the exit node you should be able to set up routing so that traffic goes through a VPN route.
In the end though I honestly don’t see much of a use case for VPNs.
So you’re just chiming in that people shouldn’t use it because you don’t see the use case for VPNs?
You could try KDE Connect using Bluetooth.