Hosting has been a focus of mine for a long time, and I kept running into the same problem: How do I make my data securely accessible from the outside without leaving my home network wide open?
The Problem: The IPv4 Dead-End
To make a server reachable from the outside, you need a unique address – the IP address. This is where the trouble starts:
- IPv4: The old standard (e.g., 138.199.205.5). Easy to handle, but addresses are scarce.
- IPv6: The modern successor (long and cryptic). Theoretically infinite, but practically often limited by DS-Lite (my ISP).
My issue: My home connection lacks a public IPv4 address. When traveling—especially in foreign networks or restrictive Wi-Fi—my home server is often simply unreachable via IPv6.
The Solution: The Hetzner Server as a “Relay”
I expanded my setup with a VPS at Hetzner. This server has a fixed public IPv4 and serves as my stable anchor point on the web. But how do my phone, the Hetzner server, and my home NUC (“elgrundo”) find each other?
My New Path: The Tailscale Mesh
I used to try solving this with tedious manual WireGuard routing. Today, I use Tailscale. While technically based on the WireGuard protocol, it’s “on steroids” and much smarter in its management.
- The Mesh Network: I installed Tailscale on the Hetzner server, my home server, and my CachyOS PC. Every device gets an internal 100.x.x.x IP. They are now “bros” in a private, encrypted network.
- No Port Forwarding: The genius of Tailscale is that it “tunnels” through firewalls. I didn’t have to open a single port on my router.
- Security via CrowdSec & UFW: CrowdSec stands guard on the Hetzner server. It scans public web requests and blocks attackers instantly. My SSH access is completely disconnected from the public internet and only reachable via the Tailscale tunnel.
- Mobile Connection: Instead of a complicated WireGuard configuration, I now simply use the Tailscale app. One login, and my phone is part of the home network—whether I’m in the garden or abroad.
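One way to check that SSH on the Hetzner server really is reachable only through the tunnel, as an added example that is not part of the original post: a small audit of `ufw status` output that flags any SSH rule open to the public side. It assumes SSH on port 22 (or the OpenSSH app profile), the default Linux interface name tailscale0, and tailnet sources written as 100.64.0.0/10; the two rule sets are constructed samples.

```sh
#!/bin/sh
# Added example: flag UFW rules that leave SSH reachable from outside the tailnet.
# Assumptions: SSH on port 22 or the OpenSSH app profile, Tailscale interface
# named tailscale0, tailnet sources written as 100.64.0.0/10.

# Reads `ufw status` output on stdin, prints offending rules, returns 1 if any.
audit_ssh_rules() {
    awk '
    !/ (ALLOW|LIMIT) /          { next }   # headers, DENY, REJECT
    / (ALLOW|LIMIT) (OUT|FWD) / { next }   # not an inbound rule
    {
        # Split the rule into its "To" and "From" columns.
        split($0, col, / +(ALLOW|LIMIT)( IN)? +/)
        to = col[1]; from = col[2]
        port = to; sub(/ .*/, "", port)                # first token of "To"
        if (port != "22" && port != "22/tcp" && port != "OpenSSH") next
        if (to ~ / on tailscale0/) next                # bound to the tunnel
        if (index(from, "100.64.0.0/10") == 1) next    # tailnet sources only
        print "EXPOSED: " $0
        bad = 1
    }
    END { exit bad + 0 }
    '
}

# Constructed sample: SSH limited to the tunnel, web ports public.
SAMPLE_LOCKED='Status: active

To                         Action      From
--                         ------      ----
22/tcp on tailscale0       ALLOW       Anywhere
22                         ALLOW       100.64.0.0/10
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

# Constructed sample: SSH open to every source address.
SAMPLE_OPEN='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_OPEN" | audit_ssh_rules || echo "SSH is publicly reachable"
```

On the server itself, feed it live data with `sudo ufw status | audit_ssh_rules`; a LIMIT rule is still reported, because rate limiting does not take the port off the public internet.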
The Result: Full Access, Zero Stress
Since retiring manual WireGuard in favor of Tailscale, the setup finally runs smoothly:
- Stable Connection: Thanks to Tailscale, devices always reach each other via the shortest path (Direct Path) or via relay servers if the network gets tricky.
- Mobile Protection: I can use my home server or the Hetzner server as an Exit Node. This allows me to browse as securely as I do at home, even on hotel Wi-Fi.
- Central Services: My Nginx Proxy Manager on the Hetzner server securely forwards requests for elgrundo.de through the VPN tunnel to my containers (Immich, Paperless, etc.).
A major step for my setup is complete. The manual tinkering is over; logic prevails. If you’re still struggling with unstable VPN tunnels: check out Tailscale – your blood pressure will thank you!