Granted this is not Headscale's fault, they're just using Tailscale clients. Either way I'm glad I use a roll-your-own Wireguard.

I and my partner also don't use those OSs, but it's more the point of using FOSS when we can.

Do you pay for a domain? They likely provide dynamic DNS (DNS). If you're lucky, they have an API for it, instead of an app, and you can configure a cronjob on your home server to run every 1-5 minutes (or more often, if your IP is super unstable!).

I can't. I tried it first and installed it on my phone from f-droid. After opening it up, it connected to an already existing network with other people's old machines from years ago on it. I was horrified.

So then I tried to delete my whole account and couldn't due to an error. I sent them an email about it and they took like two weeks to respond.

If you just have to talk from many devices to the one server sure, but Tailscale sure makes it easy for many to many. Also if a direct connection is impossible (e.g. firewall of china, CGNAT etc) tailscale puts a relay server in the middle for you.

Yeah I can always do that, but putting stuff behind something like Tailscale is (or atleast feels) more secure than making my IP known to the public. I have a DMZ setup though so it should be fine.

Can you segregate connections between different nodes on the tailnet, like say node G and H can only talk to each other and no other nodes?

Your "IP address" is already public. That's why an IPv4 address is assigned to you as a "public IP address" and you NAT to a private space. When using IPv6, everything is public.

The key is to secure everything with access restrictions.

Realistically Tailscale seems to currently be running on a model of get all of the self hosters to love running it at home so then they advocate to run it at work where all of the pricey enterprises licenses make the real money.

I've actually seen some real world usecases where if I had more political push, I would've put Tailscale onto the running as a potential solution

Hopefully they have the right people in place to push back at the VC firms about maintaining their current strategy rather than scaring away all of their best advocates before they can truly get off the ground. Having worked at a company owned by a hedgefund, part of the trick is having the right people in place in the company who can block the worst decisions by the capital-hungry owners

And here I am, still using OpenVPN in 2025 lol

Well yes I know, but there is a difference between using a domain bound to me as a person and a random string of numbers that changes every 5 minutes

Ok I can understand awareness. This whole time I've been thinking, Plex started in 2008 and 'Plex Hate' followed about two years into it's existence and has perpetuated itself for these 15 +/- years now. So I'm wondering, if during this time, anyone's personal narrator went off in their head with something like:

Hey bro....you know we're gonna have to dismount.

Awww maaan!

Yeah, I know it's your little honey hole but we're going to have to marry it if this keeps up.

Perhaps I misread the tone of the article.

The iOS app is the exception for now but with the CLI and the core libs being open source it’s at least not off the table to make an alternate iOS client I’d say.

I am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.

Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.

On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)

So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.

Does that make sense?

Nerds stop recommending corporate crap: challenge: impossible

Or get something like a rapsberry-pi (second hand or on a sale). I have netbird running on it and I can use it to access my home network and also use it as tunnel my traffic through it.

I decided to experiment a bit with Headscale when the wg-easy v15 update broke my chained VPN setup. Got it all set up with Headplane for a UI, worked amazingly, until I learned I was supposed to set it all up on a VPS instead and couldn't actually access it if I wasn't initially on my home network, oops.

I might play around with it again down the road with a cheap VPS, didn't take long to get it going, but realistically my setup's access is 95% me and 5% my wife so Wireguard works fine (reverted back to wg-easy v14 until v15 allows disabling ipv6 though, since that seemed to be what was causing the issues I've been seeing).

My entire setup might not be your entire setup, I have the basic functionality of connecting multiple systems into one mesh network. That's all I needed so it's all I did.

the VPS uses the pi-hole through the tunnel

The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.

server dns - itself

client dns - the server's wg address

On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)

Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn't aware I host anything at all.

So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.

Pihole (in my case) can't see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.

So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.

Allowed ips = 10.x.x.0/24 - only connects the clients and server together

Allowed ips = 0.0.0.0/0 - sends everything through the VPN, and connects the clients and server together.

Do the top one, that's how TS works.

Thanks for the info, I appreciate it.

What you want to look at is the size of the hate and the material reasons for it. And that's fairly difficult to measure if you're not paying close attention. Plex hate has been growing dramatically over the last few years because they materially changed their service. They began collecting data some time ago and now they are selling it unless you go and opt out. So the hate is much larger and louder for that reason. For me those last changes were the straw that made it clear we're just one small push for profit away from my sailing habits getting sold to the American copyright lobby. So I'm currently trialling Jellyfin.

In addition as some have highlighted Jellyfin is markedly different from Plex or Emby in that it's open source and if something happens to it, forking is the way out, which already happened since Jellyfin is a fork of Emby. Migrating from one open source project to its fork is usually trivial compared to migrating from a proprietary service to another one. And there's no reasonable chance of my data ending up in the RIAA/MPAA's hands. So the Plex -> Jellyfin switch everyone is doing is not merely switching to another horse. It's more like switching to completely different vehicle that you can maintain indefinitely.

E: This process we currently call "enshittification" (not a new process) has now been experienced by wide swaths of people where previously only a small minority understood it. I think that drives faster and wider reaction to these patterns as they're now very familiar. I think that's a good thing. I used to give corporations more benefit of the doubt and think in balance but then I did not understand why they do what they do. Now I do and the benefit of the doubt is gone unless there's something material to support it. Like having open source clients.