New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
What's the preferred way to route non-public services? Still tailscale?
overclockwise
Member
in General
I was just curious what people are using these days? Is headscale/tailscale still the preferred tool, or are people back to straight wireguard or cloudflare tunnels? Just trying to set up something small for a single-digit handful or servers and double-digit number of clients - what's the least hassle without losing control/having to trust a random provider?
Comments
I became a big fan of https://pangolin.net/ they have got modern version of Wireguard under the hood.
Innernet is a very lightweight coordination server for raw wireguard. Good replacement if you don't want the kiddie-friendly features of tailscale. There's also Slack's Nebula.
Cloudflare Tunnel triggers my gag reflex. Not only is Cloudflare MITMing my public website traffic (tolerable, its public after all) but it also wants to MITM my internal traffic too? No!
I've heard of Pangolin and I haven't looked at it. I consider it guilty by association with obnoxious noobs (at least on Reddit). Maybe its good software but I've never seen it mentioned by a person I respect. Just like Nginx Proxy Manager. I've never seen it mentioned by a user I didn't want to permanently ban from the internet for being stupid.
Purists might say that raw wireguard is the way to go, but I will concede that once you have a fleet of 10+ VMs it stops being convenient to manage it by hand.
Of course, innernet's one weakness is that it doesn't have a mobile client. You can create a 'ghost node' and export the raw wireguard config from that node to your phone. But this is inconvenient if you need to support technologically-hopeless users (i.e. boomers) or your network scope changes with sufficient regularity. For those usecases, something with a commercially-supported mobile client like tailscale or Nebula is superior.
There is also ionscale as an alternative control server to headscale, but the last commit is from May 2025 so that project might have died. It felt vibe-coded and ambitious tbh, trying to replicate most of the commercial features of the tailscale backend that headscale partitioned as out of scope.
been using pangolin for a while now. it hasn't been a flawless experience, but the founders are responsive and very helpful. I can definitely recommend it as an alternative to cloudflare tunnels and tailscale.
netbird
I was using tinc for ages, managed with Salt, but have switched to Wireguard. Quite happy with straight Wireguard.
I started to use Pangolin and it seemed to a good option.
Didn't get the time to really dive into it, and had a couple of failed attempts to get a private resource working, but for public exposed resources it works really well.
Can be paired with an OpenID or other Identity management systems to have SSO if your resources are prepared to do that.
still stuck with zerotier with own network controller, been using it since it can be put on my router