But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on it’s own VLAN and with no access to anything you value.
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly. Otherwise you’re perfectly fine.
But family photos keep a bit more secure, Particularly if it’s syncing directly from your phone, I take a lot of explicit photos of my wife, but also code that I’m writing on my computer, or the kids playing, etc.
I’m not a big fan of amateur know-nothings regurgitating the same nonsense regurgitated to them by previous know-nothings, attempting to further the cycle to people finding their footing with self hosting, telling everybody what they “should” do based on their own limited understabding. It was a big problem on the self hosted reddit and up to this point has been less of a problem here.
And yet here you are, making sure this guy knows he can expose anything he wants except the specific thing you decided is troublesome like immich. Maybe you’ll be here to help him put it all back together with your wealth of knowledge and experience.
Take a hard look at yourself, you’re doing all the stuff you accuse someone else of. Maybe you aren’t always the smartest person in the room. In any case, I’m done with your shit. Go ruin someone else’s day, you ray of sunshine.
Yeah maybe you should take notes on how to relay a little bit of relevant knowledge in the context of what it is they’re trying to do, and let them decide how it fits their use case, instead of repeating broad, inaccurate generalizations dictating what people should and shouldn’t do across the board.
If you’re not going to be helpful or informative, then don’t bother chiming in at all.
I tired the same, but my router wants to be smart by filtering DNS responses that points to local IP. I guess whoever designed it considered it a security feature.
It is a stock router from the ISP, its configuration interface is minimal, borderline to non existent.
Edit: i see now they’re talking about private IP, but in case you want to learn about getting a static IP for other things…
Many ISPs will give you a dynamic (changing) IP rather than a static (unchanging) IP. Just check your IP once a week for a few weeks to see if it changes.
There are some services that get around this by checking your ip regularly and updating their records automatically. This is called a dynamic DNS provider (DDNS). I used to use “noip” but since then there are quite a few like cloudflare DDNS.
Beyond that you just would want to make sure your router or whatever device is assigning IPs on your network to give a static assignment to the server. Assigning IPs is handled by a DHCP server and it would usually be your router, but if you have a pihole you might be using that as a DHCP server instead.
Between DDNS and DHCP you can make sure both your external IP and internal IP are static.
Most routers have a feature to assign static IPs to a specific MAC address. You can also tell most devices to try to take a specific IP instead of using DHCP.
There are multiple ways to set it up, but it’s very possible to set a specific device to always have the same local IP, which is usually the first step to many self-hosting scenarios.
Opening it up lets you use it from devices that aren’t on tailscale, or for friends and family. I have the same idea with Nebula instead of Tailscale, if I can figure it out.
I want to be able to upload/download/share my photos from anywhere in the world without using a VPN. Additionally, this satisfies the wife requirement. It works in the background without her needing her to turn on the VPN. I don’t want her to keep asking me how do I turn on the VPN? If it’s just me, then no issue, I’ll use a VPN.
Unless you’re on IOS that will shut your VPN off regularly. Or you want somebody else to be able to access what you’re hosting without having to walk theme through a VPN setup they won’t understand.
Yeah, you always have to account for the wife factor. Same reason I’m using Plex instead of Jellyfin for my video hosting; I’d personally prefer Jellyfin, but the wife factor (really the mother-in-law factor, but whatever…) demands that it doesn’t require a ton of config on the user’s end. If the goal is to encourage use by your family, it can’t be fiddly or difficult to set up on their end.
You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications.
Excuse me what? Here’s my dumb ass navigating to "[device name]:[port] over tailscale.
I’ve tried this a couple times and I’ve always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale’s DNS. It blocked ads but I couldn’t navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!
Not expecting you to troubleshoot, I don’t have time to see it through anyhow. Just annoyed at myself I couldn’t figure it out and driven to try again.
Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are usefull outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazy’s like me.
Used to mess around with multiple Apache Proxy Servers. When I left that job I found Docker and (amongst other things) NPM and I swear, I stared at the screen in disbelief on how easy the setup and config was. All that time we wasted on Apache, the issues, the upgrades, the nightmare in setting it all up…
If I were to do that job again I would not hesitate to use NPM 100% and stop wasting my time with that Apache Proxy mess.
NPM is awesome until you have a weird error that the web GUI does not give a hint about the problem. Used it for years at this point and wouldn’t consider anything else at this point. It just works and is super simple.
Those ones are fun. If you delete an SSL certificate and haven’t removed it from a proxy, the entire container goes down and you have to trawl through logs to find what went wrong.
Do you serve things to a public? Like a website? Because unless you’re serving a public, that’s dumb to do… and you really don’t understand the purpose of it.
If all you wanted was the ability to access services remotely, then you should have just created a WireGuard tunnel and set your phone/laptop/whatever to auto connect through it as soon as you drop your home Wifi.
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it’s still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you’re saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.
Plex, Jellyfin, VaultWarden, AdGuard, Home Assistant, GameVault, any flavor of pastebin, any flavor of wiki, and the list goes on.
If you’re feeling spicy throw whatever the hell you want onto a reverse proxy and put it behind a zero trust login.
The idea that opening up anything at all through to the open internet is “dumb” is antiquated. Are there likely concerns that need to be addressed? Absolutely. But don’t make blanket statements about virtually nothing belonging on the open internet.
Why don’t we just throw Lemmy behind wireguard while we’re at it.
Literally anything can go behind a VPN. Doesn’t mean much at all. And the majority of those are commonly left on the open internet for friends and family, which would be annoying af to set up with WireGuard.
I have enough issues dealing with VPN issues in my professional life, I don’t want to have to deal with them in my personal life as well.
Tells me everything I need to know that you struggle with WireGuard… it’s dead simple. And can be completely automated so your household literally doesn’t need to do anything and their devices automatically connect to it.
Plex can sometimes get by without port forwarding by using UPnP or NAT-PMP, but I had to open a port to use Plex (before I started using Jellyfin and a reverse proxy).
Same with Nextcloud, you either have to open a port or use a reverse proxy. Reverse proxy is more secure. Good stuff!
Worth mentioning that either way you’re opening up ports (you need to open 80 and 443 for the reverse proxy), but that’s much better than opening a bunch of ports, one for each thing you’re running.
The hardcore security minded people will always scream “use wireguard or whatever”, which also works really well (even combined with a reverse proxy that’s not exposed to the internet (80 and 443 not forwarded)). I do this for some of the stuff I run that I don’t want exposed at all, like my password manager. To access my password manager while out and about, I need to connect to my wireguard thing (my router sets it up for me), and then my phone is effectively back inside my LAN, and I can access whatever I need to. Fortunately it’s rare that I need to do this, because my password manager keeps a cached copy on my phone.
Yeah both Nginx and plex handle making themselves public for me already. But I have a handful of other svcs that id like to move behind a reverse proxy too
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
Wow, so my understanding of the terms ‘reverse proxy’ and Tailscale must be wrong then, because I thought they were mutually exclusive. I’ll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the ‘Risks’ section of this page is informative:
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that’s just used for emergency ssh access.
Same boat (in the learning cycle that is). No idea what immich is, but I got Stirling-PDF hosting in docker. I only learned the other day that localhost, is localhost for the container. I couldn’t get a bunch of stuff running for.ever, till I learned the way I was calling things needed to be to host.docker.internal.
I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).
O have a very similar setup but have a couple of questions if you don’t mind me asking, what did you used for OAuth? and where is it running? I tried athelia on the VPS but had some problems I can’t remember now and decided it wasn’t worth the time at the time, but probably should set it up.
Actually my ISP supports IPv6 (it is very erratic though) so I can access some of my services outside through it without using VPNs (only using a reverse proxy for the 443 port), but still is very annoying when I want to use them with IPv4 only networks, such as my carrier mobile data, I suffer from this especially when wanting to use Plex.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on it’s own VLAN and with no access to anything you value.
deleted by creator
@randombullet@programming.dev
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly. Otherwise you’re perfectly fine.
Absolutely that’s what the internet was made for!
But family photos keep a bit more secure, Particularly if it’s syncing directly from your phone, I take a lot of explicit photos of my wife, but also code that I’m writing on my computer, or the kids playing, etc.
Nobody said they had to. I made him aware of the risks in case he wasn’t. You seem to have an axe to grind there.
I’m not a big fan of amateur know-nothings regurgitating the same nonsense regurgitated to them by previous know-nothings, attempting to further the cycle to people finding their footing with self hosting, telling everybody what they “should” do based on their own limited understabding. It was a big problem on the self hosted reddit and up to this point has been less of a problem here.
And yet here you are, making sure this guy knows he can expose anything he wants except the specific thing you decided is troublesome like immich. Maybe you’ll be here to help him put it all back together with your wealth of knowledge and experience.
Take a hard look at yourself, you’re doing all the stuff you accuse someone else of. Maybe you aren’t always the smartest person in the room. In any case, I’m done with your shit. Go ruin someone else’s day, you ray of sunshine.
Yeah maybe you should take notes on how to relay a little bit of relevant knowledge in the context of what it is they’re trying to do, and let them decide how it fits their use case, instead of repeating broad, inaccurate generalizations dictating what people should and shouldn’t do across the board.
If you’re not going to be helpful or informative, then don’t bother chiming in at all.
I don’t even bother with the internal DNS server. I just set my A records in Cloudflare to point to the private IPs
I tired the same, but my router wants to be smart by filtering DNS responses that points to local IP. I guess whoever designed it considered it a security feature. It is a stock router from the ISP, its configuration interface is minimal, borderline to non existent.
Do the private IPs not change at all? Or can you handle that automatically?
I have next to no experience, but I’m pretty sure that wouldn’t work for me since my IP changes? Idk
You can either set a DHCP reservation in your router, or manually set the IP on the device.
When I say private IP, I’m referring to the internal IP e.g 192.168.1.X
Means internally I just go to the domain without having to remember the IP I set.
Oooh. That makes more sense, thank you.
I somehow thought you’d meant your global IP addresses, lol
Edit: i see now they’re talking about private IP, but in case you want to learn about getting a static IP for other things…
Many ISPs will give you a dynamic (changing) IP rather than a static (unchanging) IP. Just check your IP once a week for a few weeks to see if it changes.
There are some services that get around this by checking your ip regularly and updating their records automatically. This is called a dynamic DNS provider (DDNS). I used to use “noip” but since then there are quite a few like cloudflare DDNS.
Beyond that you just would want to make sure your router or whatever device is assigning IPs on your network to give a static assignment to the server. Assigning IPs is handled by a DHCP server and it would usually be your router, but if you have a pihole you might be using that as a DHCP server instead.
Between DDNS and DHCP you can make sure both your external IP and internal IP are static.
Most routers have a feature to assign static IPs to a specific MAC address. You can also tell most devices to try to take a specific IP instead of using DHCP.
There are multiple ways to set it up, but it’s very possible to set a specific device to always have the same local IP, which is usually the first step to many self-hosting scenarios.
Sounds like Cloudflare tunnels. I used that for a while, until I realized I didn’t want to be tied to Cloudflare.
Opening it up lets you use it from devices that aren’t on tailscale, or for friends and family. I have the same idea with Nebula instead of Tailscale, if I can figure it out.
I want to be able to upload/download/share my photos from anywhere in the world without using a VPN. Additionally, this satisfies the wife requirement. It works in the background without her needing her to turn on the VPN. I don’t want her to keep asking me how do I turn on the VPN? If it’s just me, then no issue, I’ll use a VPN.
You set up the VPN and it’s always on. There’s no hassle.
Unless you’re on IOS that will shut your VPN off regularly. Or you want somebody else to be able to access what you’re hosting without having to walk theme through a VPN setup they won’t understand.
I have a couple dozen customers on ios that use their camera servers via Tailscale. Never had a peep about that sort of thing.
And the last is the typical sort of “convenience” that gets people popped.
You’re hearing about it now. It’s an issue with the way iOS handles background tasks and there isn’t any way to fix it. It’s just how the OS works.
Well, apparently a bunch of farmers are smart enough to press a button without even bothering me about it.
Why would farmers not be smart enough to press buttons?
I’ve never had iOS shut my VPN off, and I use a kill switch so I would immediately know.
Yeah, you always have to account for the wife factor. Same reason I’m using Plex instead of Jellyfin for my video hosting; I’d personally prefer Jellyfin, but the wife factor (really the mother-in-law factor, but whatever…) demands that it doesn’t require a ton of config on the user’s end. If the goal is to encourage use by your family, it can’t be fiddly or difficult to set up on their end.
To be fair, wireguard is pretty painless.
Excuse me what? Here’s my dumb ass navigating to "[device name]:[port] over tailscale.
I’ve tried this a couple times and I’ve always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale’s DNS. It blocked ads but I couldn’t navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!
Not expecting you to troubleshoot, I don’t have time to see it through anyhow. Just annoyed at myself I couldn’t figure it out and driven to try again.
Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are usefull outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazy’s like me.
Used to mess around with multiple Apache Proxy Servers. When I left that job I found Docker and (amongst other things) NPM and I swear, I stared at the screen in disbelief on how easy the setup and config was. All that time we wasted on Apache, the issues, the upgrades, the nightmare in setting it all up…
If I were to do that job again I would not hesitate to use NPM 100% and stop wasting my time with that Apache Proxy mess.
Nginx-Proxy-Manager. Got it.
I didn’t read the parent comment well enough and was wondering what the Node Package Manager had to do with anything 😂
NPM is awesome until you have a weird error that the web GUI does not give a hint about the problem. Used it for years at this point and wouldn’t consider anything else at this point. It just works and is super simple.
Those ones are fun. If you delete an SSL certificate and haven’t removed it from a proxy, the entire container goes down and you have to trawl through logs to find what went wrong.
+1 for NPM! Used to even do things manually, but I’m too lazy for that and NPM fulfils nearly all my use cases lol
came here to leave this exact response! 😁
Do you serve things to a public? Like a website? Because unless you’re serving a public, that’s dumb to do… and you really don’t understand the purpose of it.
If all you wanted was the ability to access services remotely, then you should have just created a WireGuard tunnel and set your phone/laptop/whatever to auto connect through it as soon as you drop your home Wifi.
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it’s still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you’re saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
Not really. Personally I’d allow the service account running jellyfin only access to read media files to avoid accidental deletion but otherwise no.
Also, jellyfin docs have a sample proxy config. You should use that. It’s a bit more in depth than a normal proxy config.
This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.
And yet you’ve not provided one example, hmmmm
Seriously?
Plex, Jellyfin, VaultWarden, AdGuard, Home Assistant, GameVault, any flavor of pastebin, any flavor of wiki, and the list goes on.
If you’re feeling spicy throw whatever the hell you want onto a reverse proxy and put it behind a zero trust login.
The idea that opening up anything at all through to the open internet is “dumb” is antiquated. Are there likely concerns that need to be addressed? Absolutely. But don’t make blanket statements about virtually nothing belonging on the open internet.
None of those have to be public and can all be accessed with WireGuard. You just proved my point, moron
Why don’t we just throw Lemmy behind wireguard while we’re at it.
Literally anything can go behind a VPN. Doesn’t mean much at all. And the majority of those are commonly left on the open internet for friends and family, which would be annoying af to set up with WireGuard.
I have enough issues dealing with VPN issues in my professional life, I don’t want to have to deal with them in my personal life as well.
Tells me everything I need to know that you struggle with WireGuard… it’s dead simple. And can be completely automated so your household literally doesn’t need to do anything and their devices automatically connect to it.
Yeah port forwarding just isnt the same. I pretty heavily rely on Nextcloud and Plex doing the port forwarding for me
Plex can sometimes get by without port forwarding by using UPnP or NAT-PMP, but I had to open a port to use Plex (before I started using Jellyfin and a reverse proxy).
Same with Nextcloud, you either have to open a port or use a reverse proxy. Reverse proxy is more secure. Good stuff!
Worth mentioning that either way you’re opening up ports (you need to open 80 and 443 for the reverse proxy), but that’s much better than opening a bunch of ports, one for each thing you’re running.
The hardcore security minded people will always scream “use wireguard or whatever”, which also works really well (even combined with a reverse proxy that’s not exposed to the internet (80 and 443 not forwarded)). I do this for some of the stuff I run that I don’t want exposed at all, like my password manager. To access my password manager while out and about, I need to connect to my wireguard thing (my router sets it up for me), and then my phone is effectively back inside my LAN, and I can access whatever I need to. Fortunately it’s rare that I need to do this, because my password manager keeps a cached copy on my phone.
Sorry, getting long winded. You get the point!
Yeah both Nginx and plex handle making themselves public for me already. But I have a handful of other svcs that id like to move behind a reverse proxy too
me too like last week!!! yay us!!
haven’t gotten oauth going yet but soon
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
Nice work! 😎
Wow, so my understanding of the terms ‘reverse proxy’ and Tailscale must be wrong then, because I thought they were mutually exclusive. I’ll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the ‘Risks’ section of this page is informative:
https://en.m.wikipedia.org/wiki/Reverse_proxy
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that’s just used for emergency ssh access.
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn’t easy. And it’s so powerful.
deleted by creator
deleted by creator
Same boat (in the learning cycle that is). No idea what immich is, but I got Stirling-PDF hosting in docker. I only learned the other day that localhost, is localhost for the container. I couldn’t get a bunch of stuff running for.ever, till I learned the way I was calling things needed to be to host.docker.internal.
Nice one dude, i know the pain of not having nerdy friends to share shit like this with.
I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).
CGNAT sucks 🤮
I’ve been wanting do something similar, but with Authentik. Does anyone know a good guide on this?
There is an official guide by Authentik on how to integrate with Immich. There is an official guide by Immich on how to integrate with Authentik.
Yes! Authentik is a great self-hosted OAuth platform. They actually publish integration guides in their documentation.
Integrate with Immich
Sounds like you’re ready to jam with the console cowboys
O have a very similar setup but have a couple of questions if you don’t mind me asking, what did you used for OAuth? and where is it running? I tried athelia on the VPS but had some problems I can’t remember now and decided it wasn’t worth the time at the time, but probably should set it up.
Authelia is great. Recently added protection for multiple domains.
I just use google OAuth since everyone I know has a google account. It just can’t use OAuth on private IP addresses, just FQDNs.
Tailscale?
Is this setup advisable for the CGNATED environment?
This is necessary for CGNat ISPs. That or cloudflared or ngrok or the like. Because you aren’t really routable on a CGNAT address.
In a nutshell, CGNAT users must spend money for something that people with IPv4 addresses can do for free 😔
We wouldn’t be in this mess if we switched to ipv6, but nOoOooOo… we can’t possibly do that…
Lack of routability is a feature for ISPs, not a bug.
Actually my ISP supports IPv6 (it is very erratic though) so I can access some of my services outside through it without using VPNs (only using a reverse proxy for the 443 port), but still is very annoying when I want to use them with IPv4 only networks, such as my carrier mobile data, I suffer from this especially when wanting to use Plex.
You will need a VPS as your other endpoint
Ah, I figured… I used to do this with Wireguard instead of Tailscale.