VPN Options for Accessing Your Home Server Remotely

You’ve built an amazing home server with Nextcloud, Jellyfin, Home Assistant, and more. Now you want to access it securely from anywhere—coffee shops, hotels, your phone’s LTE connection.

The solution: VPN (Virtual Private Network).

A VPN creates an encrypted tunnel between your device and your home network, letting you access everything as if you were sitting at home.

In this guide, we’ll compare the top VPN options for self-hosters and walk through setup for each.

Why VPN Instead of Port Forwarding?

You could expose services directly via port forwarding (open ports 80/443, set up reverse proxy with SSL). But this has risks:

Port forwarding downsides:

  • Attack surface - Your services are visible to the entire internet
  • Brute-force attempts - SSH, login pages get hammered 24/7
  • Complexity - Need SSL certificates, fail2ban, hardening for each service
  • CGNAT issues - Some ISPs don’t give you a public IP
  • Dynamic IP headaches - Need dynamic DNS if IP changes

VPN advantages:

  • Zero exposure - Services invisible to internet scanners
  • Single entry point - Secure VPN server, everything else hidden
  • Encryption - Traffic is encrypted between your device and the VPN endpoint at home
  • Device-level security - Entire device on home network, not just browser
  • Simpler - No SSL per-service, no exposed ports

VPN Options Compared

| Solution | Difficulty | Speed | NAT Traversal | Cost | Best For |
|---|---|---|---|---|---|
| WireGuard | Medium | ⚡ Fastest | Manual | Free | Performance, control |
| Tailscale | Easy | ⚡ Fast | Auto | Free (20 devices) | Beginners, zero-config |
| OpenVPN | Hard | 🐌 Slower | Manual | Free | Legacy systems |
| ZeroTier | Easy | Fast | Auto | Free (25 devices) | Cross-platform mesh |
| Cloudflare Tunnel | Easy | Fast | Auto | Free | No VPN needed |

Let’s dive into each.

Option 1: WireGuard (Best Performance)

WireGuard is the modern VPN protocol: fast, secure, and minimal.

Pros

  • Fastest - 3-5x faster than OpenVPN
  • 🔒 Modern crypto - ChaCha20, Poly1305
  • 🪶 Lightweight - 4,000 lines of code vs OpenVPN’s 100,000
  • 🐧 Built into Linux kernel - Native support

Cons

  • ⚙️ Manual configuration required
  • 🚧 No built-in NAT traversal
  • 📱 Need to configure each device manually

Setup (Ubuntu/Debian Server)

1. Install WireGuard

sudo apt update
sudo apt install wireguard -y

2. Generate Server Keys

# /etc/wireguard is only accessible to root, so run the whole pipeline as root
sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee server_private.key | wg pubkey > server_public.key'

3. Create Server Config

sudo nano /etc/wireguard/wg0.conf

Paste:

[Interface]
PrivateKey = <server_private.key contents>
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Client 1
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Replace eth0 with your network interface (ip a to check).

4. Enable IP Forwarding

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

5. Start WireGuard

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

6. Open Port on Firewall

sudo ufw allow 51820/udp

Forward port 51820 UDP on your router to your server.

7. Generate Client Config

On client (laptop, phone):

wg genkey | tee client_private.key | wg pubkey > client_public.key

Create wg0-client.conf:

[Interface]
PrivateKey = <client_private_key>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <server_public_key>
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25

Replace:

  • YOUR_PUBLIC_IP with your home IP (from curl ifconfig.me)
  • 192.168.1.0/24 with your home network range

8. Add Client to Server

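Edit /etc/wireguard/wg0.conf and put the client's public key into its [Peer] block (fill in the placeholder from step 3 rather than adding a second block for the same client):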

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32

Restart WireGuard:

sudo systemctl restart wg-quick@wg0

9. Connect Client

Linux:

sudo wg-quick up wg0-client

Mobile:

  • Install WireGuard app
  • Scan QR code (generate with qrencode -t ansiutf8 < wg0-client.conf)

Test:

ping 10.0.0.1  # Server VPN IP
ping 192.168.1.100  # Home device

You’re connected! Access services via local IPs.
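
A quick audit of the server file from steps 3 and 8, as an added example (not part of the original guide): it parses wg0.conf and flags a placeholder key left in place, the same client pasted twice, and AllowedIPs entries that overlap or cover a whole range. The sample config, the key strings and the function names parse_sections and audit_server_conf are constructed for illustration; the checks assume this guide's layout of one /32 address per client.

```python
import ipaddress
# Constructed sample: this guide's server config after a careless step-8 edit
# (client 1 pasted twice, a client-side route list copied into a server peer).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <server_private.key contents>
Address = 10.0.0.1/24
[Peer]
PublicKey = AAAA_constructed_client1_key=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = AAAA_constructed_client1_key=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = BBBB_constructed_phone_key=
AllowedIPs = 10.0.0.3/32, 192.168.1.0/24
"""

def parse_sections(text):
    # Returns [(section, {key: value})]; repeated [Peer] blocks stay separate.
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit_server_conf(text):
    # Heuristics for this guide's layout: one /32 tunnel address per client.
    findings, seen_keys, seen_nets = [], set(), []
    for name, opts in parse_sections(text):
        if opts.get("PrivateKey", "").startswith("<"):
            findings.append("placeholder PrivateKey")
        if name != "Peer":
            continue
        key = opts.get("PublicKey", "")
        if key in seen_keys:
            findings.append(f"duplicate peer {key}")
        seen_keys.add(key)
        for cidr in opts.get("AllowedIPs", "").replace(",", " ").split():
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen < net.max_prefixlen:
                findings.append(f"{key}: range {net} instead of one address")
            if any(net.overlaps(seen) for seen in seen_nets):
                findings.append(f"{key}: {net} overlaps an earlier peer")
            seen_nets.append(net)
    return findings
```

Overlaps matter because WireGuard assigns an address to only one peer, so the later entry silently takes it over from the earlier one.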

WireGuard Tips

  • Add more clients: Generate new keys, add [Peer] blocks
  • Dynamic DNS: Use DuckDNS or No-IP if your IP changes
  • Split tunneling: Set AllowedIPs = 10.0.0.0/24 to route only VPN traffic

Option 2: Tailscale (Easiest)

Tailscale is WireGuard with magic: zero-config mesh VPN with NAT traversal.

Pros

  • 🎯 Zero config - No port forwarding, no manual setup
  • 🌐 NAT traversal - Works behind CGNAT, corporate firewalls
  • 📱 Cross-platform - Windows, Mac, Linux, iOS, Android
  • 🔗 Mesh network - All devices can talk to each other
  • 🆓 Free tier - 20 devices, 1 user

Cons

  • ☁️ Coordination server (control plane only, data stays peer-to-peer)
  • 💰 Paid for teams ($5/user/month)

Setup

1. Install Tailscale (Server)

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Visit the URL shown, authenticate with Google/GitHub/Microsoft.

2. Install on Clients

Linux/Mac:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Mobile: Install Tailscale app from store, log in.

Windows: Download from tailscale.com.

3. Access Your Server

Each device gets a Tailscale IP (e.g., 100.x.x.x).

From any client:

ssh user@100.64.0.1  # Server's Tailscale IP

Or access services via browser: http://100.64.0.1:8080

Advanced Features

Subnet Router

Let VPN clients access your entire home network:

sudo tailscale up --advertise-routes=192.168.1.0/24

In Tailscale admin panel, approve the subnet.

Now clients can access 192.168.1.x devices without Tailscale installed on them.

MagicDNS

Access devices by name instead of IP:

ssh myserver  # Instead of 100.64.0.1

Enable in Tailscale admin → DNS → MagicDNS.

Exit Node

Route all your traffic through home (useful on public WiFi):

sudo tailscale up --advertise-exit-node

On client, set server as exit node. Now all traffic goes through home.

Tailscale is Perfect For

  • 🏠 Beginners who want it to “just work”
  • 📱 Multiple devices (phones, laptops, tablets)
  • 🌍 CGNAT or no public IP
  • 🚀 Quick setup (5 minutes)

Option 3: OpenVPN (Legacy)

OpenVPN is the old standard. Mature, widely supported, but slower than WireGuard.

When to Use OpenVPN

  • 📜 Legacy devices (old routers, corporate clients)
  • 🔧 Need advanced routing/bridging
  • 🛡️ Maximum compatibility

Quick Setup (PiVPN Script)

curl -L https://install.pivpn.io | bash

Follow wizard:

  1. Choose network interface
  2. Select OpenVPN or WireGuard (choose OpenVPN)
  3. Set static IP
  4. Choose DNS provider
  5. Generate certificates

Add client:

pivpn add

Download .ovpn file, import to OpenVPN client.

OpenVPN manual setup is complex (certificate authority, dozens of config options). Use PiVPN or switch to WireGuard.


Option 4: ZeroTier (Mesh Alternative)

ZeroTier is similar to Tailscale: mesh VPN with NAT traversal.

Setup

1. Create Network

Visit my.zerotier.com, sign up, create network.

Note your Network ID (16-digit hex).

2. Install on Server

curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join YOUR_NETWORK_ID

3. Authorize Device

In ZeroTier dashboard, check the box next to your device.

4. Install on Clients

Repeat step 2 on each device.

Differences vs Tailscale

| Feature | Tailscale | ZeroTier |
|---|---|---|
| Free tier | 20 devices | 25 devices |
| Subnet routing | Built-in | Manual bridging |
| UI | Cleaner | More technical |
| Speed | Slightly faster | Fast |

Both work great. Tailscale has better UX, ZeroTier has more free devices.


Option 5: Cloudflare Tunnel (No VPN)

Cloudflare Tunnel isn’t a VPN—it’s a reverse proxy that exposes services without port forwarding.

How It Works

  1. Install cloudflared on your server
  2. Create tunnel to Cloudflare
  3. Cloudflare proxies https://yourapp.yourdomain.com → your local service

No VPN client needed! Access via any browser.

Setup

1. Install cloudflared

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb

2. Authenticate

cloudflared tunnel login

Opens browser, log in to Cloudflare.

3. Create Tunnel

cloudflared tunnel create myserver

Note the tunnel ID.

4. Configure Tunnel

nano ~/.cloudflared/config.yml

Paste:

tunnel: YOUR_TUNNEL_ID
credentials-file: /home/user/.cloudflared/YOUR_TUNNEL_ID.json

ingress:
  - hostname: nextcloud.yourdomain.com
    service: http://localhost:8080
  - hostname: jellyfin.yourdomain.com
    service: http://localhost:8096
  - service: http_status:404

5. Route DNS

cloudflared tunnel route dns myserver nextcloud.yourdomain.com
cloudflared tunnel route dns myserver jellyfin.yourdomain.com

6. Run Tunnel

cloudflared tunnel run myserver

Or install as service:

sudo cloudflared service install
sudo systemctl start cloudflared

Now access services via https://nextcloud.yourdomain.com—no VPN, no port forwarding!

Cloudflare Tunnel Pros

  • ✅ No port forwarding needed
  • ✅ Free SSL certificates
  • ✅ DDoS protection
  • ✅ Works behind CGNAT

Cloudflare Tunnel Cons

  • ❌ Cloudflare sees your traffic (not end-to-end encrypted)
  • ❌ Terms of Service restrictions (no video streaming)
  • ❌ Single point of failure (Cloudflare outage = no access)

Use for: Admin panels, Nextcloud, file servers
Don’t use for: Jellyfin/Plex (violates ToS), privacy-critical data


Combine methods for best security/convenience:

Setup 1: Tailscale + Cloudflare Tunnel

  • Tailscale: For full device access (SSH, SMB, local services)
  • Cloudflare Tunnel: For web apps you share with family/friends

Setup 2: WireGuard + Public Reverse Proxy

  • WireGuard: For personal admin access
  • Nginx Proxy Manager + SSL: For services you expose (blog, portfolio)

Setup 3: Tailscale Subnet + Exit Node

  • Subnet router: Access entire home network
  • Exit node: Secure public WiFi traffic

Comparison Summary

CriteriaWireGuardTailscaleOpenVPNZeroTierCloudflare
Speed⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Ease of Setup⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Privacy⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
NAT Traversal⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐
Battery Life⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐⭐N/A
CostFreeFree (20 dev)FreeFree (25 dev)Free

Recommendations

For Beginners: Tailscale

Zero config, works everywhere, mesh networking. Install and forget.

For Performance: WireGuard

Fastest, most efficient. Worth the setup effort.

For Maximum Privacy: WireGuard (self-hosted)

No third-party coordination server.

For Sharing Services: Cloudflare Tunnel

No VPN needed for visitors, free SSL, DDoS protection.

For Legacy Systems: OpenVPN

Use PiVPN script to simplify setup.


Security Best Practices

1. Use Strong Keys

All VPN protocols generate keys. Never share private keys.

2. Limit Client Access

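On a WireGuard server, each peer's AllowedIPs pins that client to its own tunnel address; which home devices it can then reach is decided by the firewall, and the PostUp rule in the setup above forwards everything arriving on wg0, so add narrower FORWARD rules for clients that should only see some hosts. Tailscale ACLs let you restrict what each client can access.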

3. Enable 2FA (Tailscale/ZeroTier)

Protect your account with two-factor authentication.

4. Monitor Connections

Check active VPN sessions:

# WireGuard
sudo wg show

# Tailscale
tailscale status
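
To turn the WireGuard check into something you can run on a schedule, this added example (not from the original guide) parses the tab-separated output of sudo wg show wg0 dump and labels each peer as active, idle, never connected, or missing from your inventory. The dump text, the keys, the INVENTORY mapping and the 180-second activity window are constructed assumptions; the first dump line contains the server's private key, which the function skips rather than stores.

```python
# Constructed sample of `sudo wg show wg0 dump`. Fields are tab-separated.
# Line 1 (interface): private-key, public-key, listen-port, fwmark.
# Peer lines: public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx, tx, persistent-keepalive.
SAMPLE_DUMP = "\n".join("\t".join(row) for row in [
    ["SERVER_PRIV_constructed=", "SERVER_PUB_constructed=", "51820", "off"],
    ["LAPTOP_constructed=", "(none)", "203.0.113.7:40112", "10.0.0.2/32",
     "1700000000", "52000", "910000", "off"],
    ["PHONE_constructed=", "(none)", "198.51.100.23:51111", "10.0.0.3/32",
     "1699990000", "1200", "4800", "25"],
    ["TABLET_constructed=", "(none)", "(none)", "10.0.0.4/32",
     "0", "0", "0", "off"],
    ["ROGUE_constructed=", "(none)", "192.0.2.50:6000", "10.0.0.9/32",
     "1700000090", "300", "300", "off"],
])

# Hypothetical inventory: the public keys you handed out, mapped to device names.
INVENTORY = {
    "LAPTOP_constructed=": "laptop",
    "PHONE_constructed=": "phone",
    "TABLET_constructed=": "tablet",
}

def review_peers(dump, now, inventory, active_window=180):
    """Return {device or key: status}; the interface line is never kept."""
    report = {}
    for line in dump.splitlines()[1:]:          # skip line 1 (has the private key)
        fields = line.split("\t")
        if len(fields) != 8:                    # ignore blank or malformed lines
            continue
        pub, _psk, endpoint, allowed, handshake = fields[:5]
        last = int(handshake)
        if pub not in inventory:
            report[pub] = f"unknown key routing {allowed}"
        elif last == 0:
            report[inventory[pub]] = "never connected"
        elif now - last <= active_window:
            report[inventory[pub]] = f"active from {endpoint}"
        else:
            report[inventory[pub]] = f"idle {now - last}s, last endpoint {endpoint}"
    return report
```

A peer reported as an unknown key means wg0.conf contains a [Peer] you did not record, which is worth checking before anything else.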

5. Keep Software Updated

sudo apt update && sudo apt upgrade

VPN security depends on patched software.

6. Use Kill Switch (Mobile)

WireGuard/Tailscale apps have “block without VPN” to prevent leaks.


Troubleshooting

Can’t Connect to VPN

Check:

  • Firewall open on server (sudo ufw status)
  • Port forwarded on router (WireGuard: 51820 UDP)
  • Correct endpoint IP in client config
  • VPN service running (sudo systemctl status wg-quick@wg0)

Connected But Can’t Access Services

Check:

  • IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward should be 1)
  • Routes correct (ip route)
  • Service listening on correct interface (netstat -tulpn)

Slow Speeds

Causes:

  • ISP upload bandwidth (test at fast.com)
  • OpenVPN (switch to WireGuard)
  • Encryption overhead (minimal with modern protocols)

Battery Drain (Mobile)

Reduce:

  • Tailscale: Already optimized
  • WireGuard: Increase PersistentKeepalive to 60 seconds
  • Turn off VPN when not needed

Final Thoughts

VPNs are essential for secure remote access to your home server. Start with Tailscale if you want zero hassle. Graduate to WireGuard if you want maximum control and performance.

Whichever you choose, you’ll sleep better knowing your home server isn’t exposed to the internet’s underbelly.

