Cost Benefit: Tailscale vs. Tailscale w/ Self-Hosted Headscale Instance vs. VPN Provider - eviltoast

Hello friends!

For a while now I’ve wanted to delve into self-hosting and the first thing I thought of was ditching my VPN Provider for my own VPN solution.

I wanted to ask about the cost/benefit of each option with those of you who are more experienced.

Option One: Stick with my VPN Provider:

This is a funky case, as my VPN Provider is with Proton, and my email and VPN accounts are linked together. Since I’ve been with them for a while, I have over a gigabyte of storage for emails. I rarely ever get past 400MB. The VPN is fine, occasionally I have some hiccups with speed but it overall works. I pay roughly $19.20/month for both a paid email account and the VPN service, so it’s likely the second cheapest. When it comes to privacy, though, I’m not 100% sold Proton wouldn’t just sell my data for no reason. Yes, they are Swiss, but that doesn’t entirely reassure me.

The weird thing about this is my PiHole is decoupled from the VPN. At least in the mobile app, I see no option to use your own DNS. There’s also no provided way nor really an obvious way for me to connect to all of my devices if they’re all on ProtonVPN, as opposed to the other two options.

Option Two: Just use Tailscale

Personally I’d like to mess with the ACLs so probably I’d wind up with the $6/month plan. For the $18/month plan I don’t really know what “Tailscale SSH” even means, as I don’t know what magic they do to wrap SSH into something worth paying for. I’ve heard mixed things about “Tailscale Funnel.”

I hear Tailscale is easy to install and there’s no real extra fidgeting you’d have to do for your home network. Tailscale will also let me use my PiHole as my DNS, getting me ad-blocking from PiHole on all devices on Tailscale.

Option Three: Self-Hosted Headscale

This is one I’m interested in, but I don’t know the feasibility of it. The initial idea was to get a VPS and install OpenBSD on it and make it my Headscale instance. I’ve installed OpenBSD before, I mostly know my way around it and I like how lightweight it is and how security focused it is. There would be more setup initially, but I don’t really mind that. I do a lot of fidgeting on my Linux desktop anyway.

The main thing for this is cost. I don’t really know what performance specs for a VPS I would need to reasonably have good network performance with ~10 devices, though I’m guessing I’ll have to have something <=10Gbps. So maybe $25-$30/month depending on who I buy a VPS through?

The other thing is updating stuff. I can just SSH in and do all of that manually, since the VPS will be dedicated specifically to being a Headscale server, but that is still time I have to spend.

Lastly, I wouldn’t have the international selection of VPN locations like with a VPN provider, just one, but it’s not like I’m trying to bounce my connection from country to country and that’s not advisable anyway.

Other options

Setting up a VPS with Wireguard myself. While I wouldn’t mind it too much, Tailscale exists for a reason and it can traverse firewalls without me having to configure a bunch of devices so that’s a big plus.

Running Headscale in a container on my Linux desktop, but this means my desktop would have to be on almost 24/7 and I don’t know how I feel about having my VPN stuff sitting directly inside my home network.

What are your opinions?
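Since Option Two and Option Three both hinge on Tailscale-style ACLs and on pointing every device at the PiHole for DNS, here is an added example of what such a policy file looks like (this is not from the original post; the user names, the `100.64.0.10` address and the group and tag names are constructed placeholders). Tailscale and Headscale policy files are default-deny: anything not listed in `acls` is dropped, so household devices here can only reach the PiHole on port 53 (UDP and TCP), while admin devices can additionally manage the PiHole over SSH/HTTP and reach anything tagged `tag:homelab`. The `tests` section makes the policy self-checking: Tailscale rejects the file if `partner@example.com` would lose DNS access or gain SSH access.

```json
{
  "groups": {
    "group:admins": ["alec@example.com"],
    "group:household": ["alec@example.com", "partner@example.com"]
  },
  "tagOwners": {
    "tag:homelab": ["group:admins"]
  },
  "hosts": {
    "pihole": "100.64.0.10"
  },
  "acls": [
    { "action": "accept", "src": ["group:household"], "dst": ["pihole:53"], "proto": "udp" },
    { "action": "accept", "src": ["group:household"], "dst": ["pihole:53"], "proto": "tcp" },
    { "action": "accept", "src": ["group:admins"], "dst": ["pihole:22,80"], "proto": "tcp" },
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:homelab:*"] }
  ],
  "tests": [
    { "src": "partner@example.com", "accept": ["pihole:53"], "deny": ["pihole:22", "pihole:80"] },
    { "src": "alec@example.com", "accept": ["pihole:53", "pihole:22"] }
  ]
}
```

Pairing this with the tailnet DNS settings (the PiHole as the global nameserver, with override of local DNS enabled) is what gives every device ad-blocking without exposing the PiHole's admin interface to non-admin devices.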

  • nutbutter@discuss.tchncs.de · 3 points · 1 year ago

    Off-topic. Not about cost, but about privacy:

    Considering you are using Proton, you care about digital privacy. If you are not trusting Proton, you should not trust Tailscale as well, in my opinion. Tailscale’s backend is closed-source, you get no control, and nothing is stopping them from selling your data either. If you go for Headscale, you may be in a slightly better position. But websites and big companies like Google can still make a detailed profile of you, as you will be connecting to everything using a single IP, that is, the IP of your VPS. But again, nobody is stopping your VPS provider from selling your data either.

    Another question is, why are you paying $19 for that? They have $10-12 plans that come with 500 GB storage, emails with 3 custom domains and high-speed VPN.

    Also, if you do not trust Proton, you can consider Mullvad or IVPN. They are just $5/m, and you can pay via Monero, but they do not have as many servers as Proton does.

    Another question that pops in my mind is, why do you need a VPN? Do you need to connect to your services privately, or do you just need to change your IP for (relatively) better privacy? Again, paying someone with multiple VPN options is better than setting up a single VPN by yourself, in my opinion.

    • AlecStewart1st@lemmy.world (OP) · 2 points · 1 year ago

      If you are not trusting Proton, you should not trust Tailscale as well, in my opinion.

      True, although I don’t know if I say I don’t trust them. It’s more of a sense of skepticism that’s always in the back of my mind when it comes to any service.

      Another question is, why are you paying $19 for that? They have $10-12 plans that come with 500 GB storage, emails with 3 custom domains and high-speed VPN.

      I have a business account with them. I’m trying to remember why I upgraded…

      Another question that pops in my mind is, why do you need a VPN? Do you need to connect to your services privately, or do you just need to change your IP for (relatively) better privacy?

      At this point, if I’m going to be doing more self-hosting I’d want the ability to connect to services privately. The other thing is that with Tailscale I can set my PiHole as my DNS server. That way any device on the tailnet gets the ad blocking as well. Plus, if I can get unbound with DNS-over-HTTPS (via stubby) set up on it then I have a pretty secure and fairly private setup. That’s kind of what’s got me thinking about moving to Tailscale.

    • Auli@lemmy.ca · 1 point · 1 year ago

      An IP is the least of the things they track you with nowadays. Thinking that because my IP is not mine they can’t track me is outdated and pushed by the VPN providers.

      • bamboo@lemm.ee · 3 points · 1 year ago

        It’s a bit more complicated than that. Your IP can identify you still, if there are few users connecting from that IP. VPNs reduce the efficacy of IP based tracking because they allow you to connect via many different addresses, and every one of those addresses will have hundreds of thousands of users on a given day. It adds a lot of noise that makes any pattern identification useless.