Hi!
I often read suggestions to use something like Tailscale to create a tunnel between a home server and a VPS because it is allegedly safer than opening a port for WireGuard (WG) or Nginx on my router and connecting to my home network that way.
However, if my VPS is compromised, wouldn’t the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?
It’s mainly about managing risk, but also not all ISPs allow residential accounts to host services on their IP addresses.
Opening a port to the internet exposes the service to the whole internet, which means you need to secure the service with strong credentials, set up SSL, manage the certificate, and keep software up to date. You incur a lot of extra work, and also extra risk not only to your self-hosted service, but to any other services you host that “trust” your service.
All that work requires extra knowledge and experience to get right which, let’s just be honest here: we’ve all probably followed that one How-To blog post, and maybe not understood every step along the way to get past that one pesky error.
Running a secure VPN overlay like Tailscale has much less overhead. You generate some keys, and configure your lighthouse server so the enrolled devices can find each other. It effectively extends your LAN environment to trusted hosts wherever they might be without exposing any of the services to the Internet.
Overall, Tailscale is simpler and much less work for individuals to set up and maintain than to secure multiple services against casual or targeted intrusion.
Tailscale also has the benefit of being a “client” in the view of the ISP, who see your IP address reach out to your VPS to initiate the tunnel, and not the other way around. If there’s any CGNAT going on, Tailscale would tunnel through it.
This is a pretty good summary. In enterprise networking, it’s common to have the ‘DMZ’, the network for servers exposed to the internet, firewalled off from the rest of the system.
If you have a webserver, you would need two sets of ports open, often on two separate firewalls. On the WAN firewall, you would open ports 80/443 pointing to the webserver. On the system firewall, between the DMZ and LAN, you would open specific ports between the webserver and whatever internal resources it needs; a database server for example.
This helps limit the damage if a malicious actor hacks into your webserver by making sure they don’t also have unrestricted access to other parts of your system. It’s called a layered security approach.
However, someone self hosting may not have the expertise or even the hardware to set up their system like this. A VPS for public facing services, as long as it’s configured properly, can be a good alternative. It also helps if you have a dynamic WAN IP address and/or are behind CG-NAT.
Edit: maybe good to mention that securing your local network behind a VPN, even one hosted on your local network, is more secure than allowing public facing services. Yes, it means you still have to open a port. But that’s useless to a malicious actor without the encryption keys. Whereas, if you have a webserver exposed publicly, malicious actors already have some level of access to your system. More than they would if that service didn’t exist anyway. That’s not inherently bad. It comes with the territory when you’re hosting public services. It is more more risky though. And, if the exposed server is compromised, it can potentially open up the rest of your system to compromise as well. Like the original commenter said, it’s about managing risk and different network configurations have different levels of risk.