Hi!
I often read suggestions to use something like Tailscale to create a tunnel between a home server and a VPS because it is allegedly safer than opening a port for WireGuard (WG) or Nginx on my router and connecting to my home network that way.
However, if my VPS is compromised, wouldn’t the attacker still be able to access my local network? How does using an extra layer (the VPS) make it safer?
Wireguard (which is what tailscale is built on) doesn’t even require you to open ports on both sides.
Set up wireguard on a vps first, where it is accessible, then set it up from within your network. It’ll traverse NAT and everything, and you don’t have to open a port on your network.
Tailscale is the exact same thing, just easier because it does everything for you (key generation, routing, …). Their service replaces your vps, up to you if you think that’s acceptable or not. IMHO, wireguard is worth learning at least. I eventually (partially) switched to tailscale because I’m lazy, and all services I host have authentication anyway, with vpn just being a second layer.