What is everyone else using for VPN solutions and what are the trade offs?
I want a VPN to access all my personal devices and use services like Syncthing. I use it on my phone so it can’t use ungodly amounts of idle data.
I looked at Netbird but found the idle data usage almost 1GB per few days using JetBird with Lazy connections. I tried the default app but it makes me SSO login every day or two, it wouldn’t stay connected, and it still used a reasonable amount of idle data.
I looked at Tailscale but I’m not going to lock access to all my devices behind a Google account login or some other third party service login for no reason. It seems like hosting my own auth server is too much additional risk as well. I tried self hosting headscale which worked well except that I have no decent front end to easily add devices. I have to log into a terminal, then execute docker commands which was a huge pain in the ass. I didn’t even touch on any of the firewalling or routing that can be done because it was so much more complex in headscale than in a web interface. I tried hosting two or three headscale front ends but couldn’t get one working that supported most of the available feature set. Usually I was given generic connection errors with no clear way to diagnose or clear troubleshooting steps so after a few hours I moved on.
Edit 2026-05-10:
Thank you for all the feedback.
Will try disabling expiry on SSO login for my phone via Netbird official app.
Will look into Pangolin.
May try Headplane UI for Headscale again though lower priority than Netbird because it’s fully open source.
I just use WireGuard; no, there is no simple GUI or anything like that. I also run it bare metal, no Docker.
It currently sits on a pi zero 2, it has just enough power to use my pihole DNS’s. I plan on moving it to a pi 5 whenever I get around to building my firewall.
Well there is wg-easy which comes with a very decent GUI imho
Cool, did not know that. I will have to look into that when I set up my pi 5 firewall.
This. Onboarding new people / devices on the fly (including QR code generation) is just so simple with wg-easy.
If you have a public IP just use WireGuard. If you don’t have a public IP, rent a cheap VPS and use that as entry point, setting up one WireGuard tunnel from home to the VPS, and the other from your phone to the VPS.
I have a public IP and DNS, but as it’s a home lab I need the connectivity of other devices to not depend on a single device (VPS or otherwise). I frequently end up with broken things for short periods and I appreciate everything not being broken when one thing is.
Also, if I put it on my SO’s phone, connectivity needs to never be broken for her even if she can’t get to one or two devices that are broken.
WireGuard and their official Android app. My home router acts as the WG server and it also does the daily dynDNS refresh, so I can pretend to have a fixed address.
I have a WireGuard server on my OPNsense router. My phone and my wife’s phone are permanently connected; it doesn’t matter if we are on home wifi or not, we just leave it on. Very basic, very stable.
I’ve been doing always on for a while. The biggest problem I’m having is reconnection when moving fast. When I’m doing 60 miles an hour through hilly areas, I’m changing cell phone towers every minute. Every time that IP changes it has to renegotiate. It works well if I’m streaming things. But if I’m actually in a meeting or talking to someone directly over IP, the reconnection causes stutters and glitches pretty bad.
Oh, wow! I’ve never encountered that, what an annoying issue. "Guys, I can’t drive any faster, my phone won’t keep up" xd
I use Wireguard.
For my phone, I use the “WG Tunnel” app: https://github.com/wgtunnel/android
It’s nice because it’ll automatically enable/disable it as I move between networks.
Before that, though, I used the official client and I just kept it on 24/7. It’s not like it uses extra data or battery or anything.
I’m using headscale with headplane as the UI, looks like tailscale, is feature complete (at least it says so on their GitHub readme). Headplane even integrates with an external OIDC provider (I self-host Keycloak for centralized identity management across my services).
Ahg. Okay. I might try headplane again :(
Pangolin or netbird on a vps and the rest is easy.
Netbird, it doesn’t use much for data for me, just disable expiry and it’ll stay connected. I would guess the third party app is part of the problem.
Will try disabling expiry and using the default app. Thanks.
NP, you have to do it on the web interface, not in the app. You can also decrease the frequency if you don’t want it to last forever.
Yeah I hadn’t even thought of doing that in the interface. I assumed it would be in the client settings or connection setup. I have turned it on now. Here’s hoping it works fine from here on out.
❤️
So I have a tinc mesh for my house, VPS and dedicated server. I have started using Pangolin for access to things from the internet. I have also used Pangolin as a VPN into my networks from my phone.
Headscale is best used with the CLI. If you host a UI it’s only for convenience, and you need to keep track of the Headscale version it supports. The Discord guild can help you debug things.
Can Tailscale be logged in from multiple credentials? If so try having a few of them instead of one for redundancy. Also maybe look into hosting a reliable and simple IDP like Kanidm for Tailscale.
Wireguard + VPS. Each device connected can choose to route all their internet traffic or only VPN services traffic.
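The VPS-as-entry-point layout suggested in the comments above (one tunnel from home to the VPS, one from the phone to the VPS), with the per-device choice between full and split tunnel, written out as wg-quick style configs. This is an added example, not taken from any poster; the keys, the 10.8.0.0/24 range and vps.example.net are placeholders.

```ini
# Added example. Keys, 10.8.0.0/24 and vps.example.net are placeholders.

# ---- VPS (entry point): /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
# The VPS relays between peers, so it needs net.ipv4.ip_forward=1.

# Home server
[Peer]
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

# Phone
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32

# ---- Home server: /etc/wireguard/wg0.conf ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
AllowedIPs = 10.8.0.0/24
# Home sits behind NAT and must stay reachable, so it keeps the mapping open.
PersistentKeepalive = 25

# ---- Phone (imported into the WireGuard app) ----
[Interface]
Address = 10.8.0.3/32
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
# Split tunnel: only VPN addresses go through the tunnel.
AllowedIPs = 10.8.0.0/24
# Full tunnel instead: AllowedIPs = 0.0.0.0/0 (also needs NAT on the VPS).
# No PersistentKeepalive: the phone always initiates, so it sends nothing when idle.
```

Each `AllowedIPs` entry on the VPS is a single /32, so a peer can only send traffic from the one tunnel address assigned to it.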
TrueNAS + WireGuard + wg-easy. Quite easy to set up. Official apps that exist on any OS you can think of. And stable. Turn it on and forget.
I use NordVPN and its nifty Meshnet feature for these kinds of things. Once set up, any of my devices that have the NordVPN app running and have Meshnet enabled can access my services, which at the moment is really only Immich and Jellyfin. I could even grant other Nord users access to it without much hassle.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters | More Letters
DNS | Domain Name Service/System
IP | Internet Protocol
NAS | Network-Attached Storage
SSO | Single Sign-On
VPN | Virtual Private Network
VPS | Virtual Private Server (opposed to shared hosting)
6 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #280 for this comm, first seen 9th May 2026, 18:40]
Nothing, mostly. Will use point-to-point Wireguard once I get around to setting up Prometheus ingestion.
What do you need a VPN for?
Accessing my dozen services running on my server, plus accessing some other specific devices running in various other places I am not going to open to the internet. Media machine, a second server, laptop, router without opening it to the internet, printers, etc.
I don’t care about the “make your traffic come from somewhere else”, just the “all my devices in my network no matter where they are” bit.






