this post was submitted on 09 May 2026
38 points (97.5% liked)


What is everyone else using for VPN solutions and what are the trade offs?

I want a VPN to access all my personal devices and use services like Syncthing. I use it on my phone so it can't use ungodly amounts of idle data.

I looked at Netbird but found the idle data usage almost 1GB per few days using JetBird with Lazy connections. I tried the default app but it makes me SSO login every day or two, it wouldn't stay connected, and it still used a reasonable amount of idle data.

I looked at Tailscale but I'm not going to lock access to all my devices behind a Google account login or some other third party service login for no reason. It seems like hosting my own auth server is too much additional risk as well. I tried self hosting headscale which worked well except that I have no decent front end to easily add devices. I have to log into a terminal, then execute docker commands which was a huge pain in the ass. I didn't even touch on any of the firewalling or routing that can be done because it was so much more complex in headscale than in a web interface. I tried hosting two or three headscale front ends but couldn't get one working that supported most of the available feature set. Usually I was given generic connection errors with no clear way to diagnose or clear troubleshooting steps so after a few hours I moved on.

Edit 2026-05-10:
Thank you for all the feedback.

Will try disabling expiry on SSO login for my phone via Netbird official app.
Will look into Pangolin.
May try Headplane UI for Headscale again though lower priority than Netbird because it's fully open source.

[–] eightys3v3n@lemmy.ca 1 points 1 day ago (1 children)

:P
I hadn't even considered running not one, but three VPNs and chaining them together for different functionalities.

[–] Sickday@kbin.earth 1 points 1 day ago (1 children)

I'm only using 1 vpn provider (mullvad) and using a wireguard config for 1 location. Headscale provides my mesh network controller, and pihole is a dns server. Not sure how you came to that conclusion.

[–] eightys3v3n@lemmy.ca 1 points 20 hours ago (1 children)

How are you using Headscale, with a third-party VPN? I can understand Mullvad might have a Wireguard config option?

[–] Sickday@kbin.earth 3 points 11 hours ago (1 children)

You register a new device on your tailnet and advertise it as an exit node. When other devices on your tailnet use the exit node, all of their traffic goes through that device. If that exit node has a wireguard connection set up, all other devices using it will also use that same connection. The only tricky part was making sure wg-quick’s systemd service starts before tailscaled’s does (mentioned that in my op).

Tailscale offers this as a service but I don't use tailscale directly. I basically set this up manually and use headscale as my control server instead of using tailscale’s control servers.
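
The service ordering described in the comment above, as an added example that is not taken from the commenter's own setup: a systemd drop-in for `tailscaled.service` on the exit node. The WireGuard interface name `wg0` and the drop-in file name are assumptions.

```ini
# /etc/systemd/system/tailscaled.service.d/10-after-wireguard.conf
# Assumptions: the drop-in file name is arbitrary, and "wg0" stands for
# the name of your own /etc/wireguard/<name>.conf.

[Unit]
# Ordering: start tailscaled only after wg-quick has finished bringing
# the tunnel up.
After=wg-quick@wg0.service

# Dependency: starting tailscaled also starts the tunnel unit, and if the
# tunnel unit fails to start, tailscaled is not started either. Stopping
# or restarting the tunnel unit stops or restarts tailscaled with it, so
# the exit node does not keep forwarding peers' traffic over the bare
# uplink while the tunnel unit is down.
Requires=wg-quick@wg0.service
```

After adding the file, run `systemctl daemon-reload`; `systemctl show -p After -p Requires tailscaled.service` should then list `wg-quick@wg0.service` in both properties.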

[–] eightys3v3n@lemmy.ca 2 points 6 hours ago

Okay, now it makes sense. For my purposes, I would only need the headscale part for inter-device communication.
It makes sense though, rather than paying for a VPN for multiple devices (on those that charge per device) I could route traffic via tailscale / wireguard to a single VPN'd device.