Make your own VPN with Fly.io, tailscale and GitHub

332 points by m3at, almost 2 years ago

21 comments

imiric, almost 2 years ago
I did a similar thing with a cheap VPS and Wireguard. I don't trust Tailscale, and prefer controlling all aspects of my VPN. Right now I'm only using a single node, but it would be trivial to start another in a different region, and automate the whole thing.

If someone's interested, this blog was very helpful: https://www.procustodibus.com/tags/wireguard/
linux2647, almost 2 years ago
TIL the `until` shell syntax: https://github.com/patte/fly-tailscale-exit/blob/main/start.sh
christop, almost 2 years ago
I tried using this or a similar repo to set up a Tailscale exit node on Fly.io before.

The downside is that my traffic never went direct; it was always relayed via a Tailscale DERP node, as Fly.io machines were only accessible via anycast, and so a direct connection from Tailscale on my machine to the exit node on Fly.io couldn't be established.

So performance wasn't as great (and I felt bad about using up Tailscale's DERP bandwidth, as a free user).
lopkeny12ko, almost 2 years ago
This is cool, but you should really understand what you're in for if you choose to do this. In particular, running your own VPN does not enhance your privacy posture, and in fact makes it much worse, because your little cloud VPS is uniquely yours and yours only. You become much more fingerprintable, and any sufficiently determined sysadmin can easily manually trace your cloud instance's IP back to you.
blacksmith_tb, almost 2 years ago
Isn't the problem that the exit IPs will be flagged / blocked, meaning at best you'll get a ton of captchas etc.? I have set up personal Wireguard VPNs with Algo[1] before on DO, and while they work fine, they cause a lot of friction for that reason.

1: https://github.com/trailofbits/algo
vakabus, almost 2 years ago
I've recently built something similar [0], but the complete opposite. I wanted to forward traffic onto my homeserver without a public IPv4. I've tried Tailscale Funnel, but the inability to use custom domains made me look for other solutions. I ended up with a fly.io app acting as a TCP proxy over Tailscale. Considering how crappy the setup is, it's surprisingly reliable. Great job fly.io and Tailscale teams! I haven't had any issues in the month or so I've been using it.

[0]: https://github.com/vakabus/flyio-tailscale-gateway
seanp2k2, almost 2 years ago
This seems like a bad idea for torrenting. Using a service with a billing account in your name seems like a really easy way to get subpoenaed and taken to court. The benefit of services like Mullvad is the “small fish in an ocean” aspect that you lose with running your own VPS.
scottgg, almost 2 years ago
I recently did the same thing with AWS, using the CDK to make it easy to add and remove regions [1]. I use it to hop my traffic around as required.

[1] https://blog.scottgerring.com/automating-tailscale-exit-nodes-on-aws/
therein, almost 2 years ago
It is unfortunate that many GeoIP providers will just use Fly.io's Chicago address even when the nodes are somewhere entirely different in the world.

You sometimes get lucky and get something that doesn't resolve to the United States, and sometimes the IPv4 is US, while IPv6 is correctly the location, or vice versa.
asim, almost 2 years ago
TIL the complexity of VPN is still higher than my desire to self host. I've run OpenVPN in very complex configurations across multiple datacenters for companies, I've worked on distributed systems and networking tech for decades, but honestly all of this is still very much in the too-painful-to-set-up state. I'm playing around with Tailscale Funnel now and the tsnet package in Go, that's pretty nice. Embedding headscale or running it separately seems like a huge effort, but I like that I can programmatically build things on Tailscale.

More and more I'm just thinking stuff like what Signal did with a proxy server makes sense. Run a bunch of proxies, hide the complexity. Maybe default it in the browser. Maybe I'm old, who knows.
WatchDog, almost 2 years ago
If you just want to run a simple wireguard vpn from fly.io, without tailscale, I wrote a script to spin one up [0].

[0]: https://github.com/magJ/fly-wireguard-vpn-proxy
minhazm, almost 2 years ago
Outline[1] is significantly easier to use. They have out of the box support for AWS, GCP and Digital Ocean. You can have your own VPN setup on digital ocean for $5 a month, and you can generate keys and share the VPN with friends/family who then only need to download the Outline app on their device. I have zero affiliation with outline but it's an incredibly useful tool, I was looking to build something similar when I discovered it.

[1] http://getoutline.org
gbraad, almost 2 years ago
I added updates at https://github.com/spotsnel/tailscale-tailwings to make this more 'practical' by adding Dante to allow slightly more control to just have a browser exit a node, etc.
occamschainsaw, almost 2 years ago
I use a combination of Tailscale and Nord Meshnet on Raspberry Pis that I have set up at my home and family home in different countries as my personal VPN. Home country does not have a good relationship with VPNs and the commercial VPN services discontinued their servers there. So now I get a clean residential IP from my family home when I want to surf from that country.
janalsncm, almost 2 years ago
I have set up Outline on AWS for when I travel. It’s shadowsocks so it works well in some countries.
isoprophlex, almost 2 years ago
Is anyone aware of a tailscale-supporting router?

In order to easily watch region-restricted content, I want to put all entertainment devices in my house on a separate wifi router, and run all traffic through a chosen tailscale exit node.
tester457, almost 2 years ago
Cool but what is the threat model here? Why do this?
glonq, almost 2 years ago
I thought about using a VPN for better privacy, but with browser fingerprinting so rampant now, I figured that this would be pointless.
revskill, almost 2 years ago
So I could use this to set up my own private cloud in a distributed environment where my servers are far from each other?
thinkpad13, almost 2 years ago
I hope they will not stop us from doing this.
yegor, almost 2 years ago
Disclosure: I run a commercial VPN service.

If all you need is to "change your IP" for some specific purpose, this and many other tutorials out there can accomplish this task for <$5/month. You are in complete control and have to trust no-one. However, be aware of the following downsides:

1. You are mapping your traffic 1:1 to the VPN IP address, that you are the sole user of. This will do virtually nothing for pseudo-anonymity as your original ISP assigned IP will be quickly linked to your new VPN IP by every single shady data broker out there as you lose the benefit of "being lost in the crowd" when you share VPN exit IPs with hundreds/thousands of other people.

2. If you do anything shady that results in a LE subpoena or a DMCA, it's like you were not using a VPN at all. The cloud provider will hand over your details instantly.

3. Many sites block data-center ranges. You will not be able to use most streaming services, and random websites like Papa Johns, Home Depot, banks, gov websites, Ticketmaster, etc. Not all ASNs are banned, but many are. Commercial VPNs can (and do) re-route traffic using "residential looking" or actual residential IP addresses to combat this.

4. Performance MAY not be great. VPN providers do quite a bit of Linux kernel tuning in order to get high(er) throughput.

Depending on your use case, the above may not matter but if you plan to use this 24/7, be prepared to be annoyed.