What is everyone else using for VPN solutions and what are the trade offs?

I want a VPN to access all my personal devices and use services like Syncthing. I use it on my phone so it can’t use ungodly amounts of idle data.

I looked at Netbird but found the idle data usage almost 1GB per few days using JetBird with Lazy connections. I tried the default app but it makes me SSO login every day or two, it wouldn’t stay connected, and it still used a reasonable amount of idle data.

I looked at Tailscale but I’m not going to lock access to all my devices behind a Google account login or some other third-party service login for no reason. It seems like hosting my own auth server is too much additional risk as well. I tried self-hosting headscale, which worked well except that I have no decent front end to easily add devices. I have to log into a terminal, then execute docker commands, which was a huge pain in the ass. I didn’t even touch on any of the firewalling or routing that can be done because it was so much more complex in headscale than in a web interface. I tried hosting two or three headscale front ends but couldn’t get one working that supported most of the available feature set. Usually I was given generic connection errors with no clear way to diagnose or clear troubleshooting steps, so after a few hours I moved on.

Edit 2026-05-10:
Thank you for all the feedback.

Will try disabling expiry on SSO login for my phone via Netbird official app.
Will look into Pangolin.
May try Headplane UI for Headscale again though lower priority than Netbird because it’s fully open source.

  • oddsys@lemmy.world · 3 points · 15 hours ago

    Wireguard + VPS. Each device connected can choose to route all their internet traffic or only VPN services traffic.

  • silenium_dev@feddit.org · 4 points · 1 day ago

    I’m using headscale with headplane as the UI, looks like tailscale, is feature complete (at least it says so on their GitHub readme). Headplane even integrates with an external OIDC provider (I self-host Keycloak for centralized identity management across my services).

  • Reannlegge@lemmy.ca · 19 points · 2 days ago

    I just use wireguard; no, there is no simple GUI or anything like that. I also run it on bare metal, no Docker.

    It currently sits on a Pi Zero 2; it has just enough power to use my Pi-hole DNS servers. I plan on moving it to a Pi 5 whenever I get around to building my firewall.

  • SayCyberOnceMore@feddit.uk · 1 point · 1 day ago

    I have pfSense as my firewall, running OpenVPN and I just connect when I need to.

    Phone’s running TrackerControl all the time to block stuff and I’ve disabled most of Google on it, so I’m not too concerned whilst I’m out and about… most apps I use are local-data anyway, i.e. CoMaps not Google Maps, etc… so I’m using ~1GB/month.

    Syncthing only syncs on known wifi, so when I’m home it updates with a NAS and 2 laptops (and photos with 2 tablets), so there’s always something it’s syncing with.

  • Zwuzelmaus@feddit.org · 8 points · 2 days ago

    Wireguard and their official Android app. My home router acts as the WG server and also does the daily dynDNS refresh, so I can pretend to have a fixed address.

  • Shimitar@downonthestreet.eu · 10 points · 2 days ago

    If you have a public IP, just use Wireguard. If you don’t have a public IP, rent a cheap VPS and use that as the entry point, setting up one Wireguard tunnel from home to the VPS and the other from your phone to the VPS.

    • eightys3v3n@lemmy.ca (OP) · 1 point · 21 hours ago

      I have a public IP and DNS, but as it’s a home lab I need the connectivity of other devices to not depend on a single device (VPS or otherwise). I frequently end up with broken things for short periods and I appreciate everything not being broken when one thing is.

      Also, if I put it on my SO’s phone, connectivity needs to never be broken for her, even if she can’t get to one or two devices that are broken.

  • KlavKalashj@lemmy.world · 5 points · 2 days ago

    I have a wireguard server on my OPNsense router. My phone and my wife’s phone are permanently connected; it doesn’t matter if we are on home wifi or not, we just leave it on. Very basic, very stable.

    • rumba@lemmy.zip · 4 points · 1 day ago

      I’ve been doing always-on for a while. The biggest problem I’m having is reconnection when moving fast. When I’m doing 60 miles an hour through hilly areas, I’m changing cell phone towers every minute. Every time that IP changes it has to renegotiate. It works well if I’m streaming things. But if I’m actually in a meeting or talking to someone directly over IP, the reconnection causes stutters and glitches pretty badly.

      • KlavKalashj@lemmy.world · 2 points · 4 hours ago

        Oh, wow! I’ve never encountered that, what an annoying issue. “Guys, I can’t drive any faster, my phone won’t keep up” xd

  • K3CAN@lemmy.radio · 4 points · 2 days ago

    I use Wireguard.

    For my phone, I use the “WG Tunnel” app: https://github.com/wgtunnel/android

    It’s nice because it’ll automatically enable/disable it as I move between networks.

    Before that, though, I used the official client and I just kept it on 24/7. It’s not like it uses extra data or battery or anything.

  • normonator@lemmy.ml · 4 points · 2 days ago

    Netbird. It doesn’t use much data for me; just disable expiry and it’ll stay connected. I would guess the third-party app is part of the problem.

      • normonator@lemmy.ml · 2 points · 18 hours ago

        NP, you have to do it on the web interface, not in the app. You can also decrease the frequency if you don’t want it to last forever.

        • eightys3v3n@lemmy.ca (OP) · 1 point · 16 hours ago

          Yeah I hadn’t even thought of doing that in the interface. I assumed it would be in the client settings or connection setup. I have turned it on now. Here’s hoping it works fine from here on out.

          ❤️

  • alexquiniou@lemmy.zip · 3 points · 2 days ago

    TrueNAS + wireguard + wg-easy. Quite easy to set up. Official apps exist on any OS you can think of. And stable. Turn it on and forget.

  • spaghettiwestern@sh.itjust.works · 3 points · (edited) · 2 days ago

    I’m like you and did not want any kind of corporate entity involved in my network if it could be avoided. I settled on Wireguard, and rather than deal with management constantly I set up 3 times as many peer configurations as initially needed. When a new device is added I just copy a spare configuration to the device and change the name of the config on the server. Tasker is used to connect the WG tunnel on our phones whenever home wifi is not connected. The open port on the router looks closed to the outside and only responds when the correct key is received, so there’s no known way to breach the network.

    Everything from my phone is run through WG and it only uses a tiny amount of additional mobile data. Syncthing adds nothing of consequence except when syncing big files. Battery life is fine even with both WG and Syncthing running.

    Once set up it’s required zero attention or maintenance.

  • Sickday@kbin.earth · 3 points · 2 days ago

    Personally I just use headscale with tailscale clients and Mullvad VPN via wireguard on the control server. There’s a bit of systemd magic required to make sure wg-quick starts before headscale does. DNS is set up via a Pi-hole device and I just point headscale’s config at that device for DNS. It’s a pretty simple setup, but I have no issue doing everything via CLI so this works well for me.

    • eightys3v3n@lemmy.ca (OP) · 1 point · 21 hours ago

      :P
      I hadn’t even considered running not one, but three VPNs and chaining them together for different functionalities.

      • Sickday@kbin.earth · 1 point · 21 hours ago

        I’m only using 1 VPN provider (Mullvad) and using a wireguard config for 1 location. Headscale provides my mesh network controller, and Pi-hole is a DNS server. Not sure how you came to that conclusion.

        • eightys3v3n@lemmy.ca (OP) · 1 point · 16 hours ago

          How are you using Headscale with a third-party VPN? I can understand Mullvad might have a Wireguard config option?

          • Sickday@kbin.earth · 3 points · 7 hours ago

            You register a new device on your tailnet and advertise it as an exit node. When other devices on your tailnet use the exit node, all of their traffic goes through that device. If that exit node has a wireguard connection set up, all other devices using it will also use that same connection. The only tricky part was making sure wg-quick’s systemd service starts before tailscaled’s does (mentioned that in my OP).

            Tailscale offers this as a service but I don’t use tailscale directly. I basically set this up manually and use headscale as my control server instead of using tailscale’s control servers.
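The "systemd magic" Sickday mentions in both of the posts above (starting wg-quick before the tailscale/headscale daemon) is, as an added example that is not from the thread, a systemd drop-in; the interface name `wg0` and the drop-in file name are assumptions, and `Requires=` is used so the exit node refuses to start its tailnet daemon if the upstream tunnel fails to come up.

```ini
# Added example, not from the thread.
# Save as /etc/systemd/system/tailscaled.service.d/10-after-wireguard.conf
# (assumed file name). For a headscale host that also runs wg-quick, put
# the same drop-in under headscale.service.d instead.
# "wg0" is an assumption: use the name of the config file you pass to
# wg-quick (/etc/wireguard/wg0.conf -> wg-quick@wg0.service).
[Unit]
# Ordering: tailscaled starts only after wg-quick@wg0 has finished starting,
# so the exit node's default route already points into the tunnel.
After=wg-quick@wg0.service
# Dependency: pull wg-quick@wg0 in with tailscaled, and do not start
# tailscaled at all if the tunnel unit fails. Without this, After= only
# orders the two units when both happen to be started.
Requires=wg-quick@wg0.service
```

After writing the file, run `systemctl daemon-reload` and `systemctl enable wg-quick@wg0.service`; `systemctl list-dependencies tailscaled.service` should then list the wg-quick unit.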

            • eightys3v3n@lemmy.ca (OP) · 2 points · 2 hours ago

              Okay, now it makes sense. For my purposes, I would only need the headscale part for inter-device communication.
              It makes sense though: rather than paying for a VPN for multiple devices (on those that charge per device), I could route traffic via tailscale / wireguard to a single VPN’d device.