# Selfhosting behind a VPN

> VPNs, tunneling, and paranoia

**Published by:** [[object Object]](https://paragraph.com/@0xlynett/)
**Published on:** 2024-08-25
**URL:** https://paragraph.com/@0xlynett/selfhosting-vpn

## Content

So I recently received my Raspberry Pi case fan, making my Pi 4 actually usable without it spiking to 80 degrees Celsius. Hooray! As a paranoid cypherpunk unfortunately living under an authoritarian government, I have some privacy requirements: only Windscribe, my own devices, and some very select services are allowed to see my IP; and connections between the Pi and my other devices must always be encrypted. This ruled out Tailscale (although that could be useful especially with the integration with Mullvad as exit nodes) as that poses the risk of leaking my IP address to things linked to my digital identity. It took me quite a bit of finagling and research to get this setup to work just right. I hope my experiences can save you time even if you don't have an extremely niche use case.My final setupI have two VPNs active at once on my devices: Windscribe and Nebula. Windscribe routes my outgoing traffic through their network, while Nebula connects the devices together, somewhat like Tailscale. On the Windscribe page, I used the config generator to generate me a WireGuard config for a certain location. I simply copied this config to my Raspberry Pi and started the connection with wg-quick (I'm not gonna go into details here, should be trivial enough with a Perplexity search)Yes, 'Florida Man' is a real VPN location. When companies shitpost as heavily as Windscribe does, that's an instant reputation boost in my book.Windscribe + NebulaNebula requires one always-online server called a lighthouse with a static IP (I believe it may work with dynamic DNS, but untested) in order to direct devices to reach each other. I set it up on my Raspberry Pi and opened up a port on my router to make it reachable from the Internet. Following the Nebula docs worked out pretty well, got nothing extra to say there. As Nebula doesn't come with systemd services, I had to write them myself. On my Raspberry Pi, I created a new system user account called nebula, gave it ownership of /etc/nebula/ and set it up as a service:[Unit] Description=Nebula Overlay Networking After=network.target [Service] Type=simple ExecStart=/bin/nebula -config /etc/nebula/config.yaml Restart=always RestartSec=10 User=nebula Group=nebula AmbientCapabilities=CAP_NET_ADMIN [Install] WantedBy=multi-user.targetI did a similar one for my laptop, setting up Nebula as a service that runs after Windscribe starts and making sure to create the necessary user accounts:[Unit] Description=Nebula Overlay Networking After=network.target [Service] Type=simple ExecStart=/bin/nebula -config /etc/nebula/config.yaml Restart=always RestartSec=10 User=nebula Group=nebula AmbientCapabilities=CAP_NET_ADMIN [Install] WantedBy=multi-user.targetAdditionally, I had to add my chosen range to Windscribe's split tunneling on my laptop in order to allow connections to go through Nebula. (Why did I use TEST-NET-2 and not the designated CGNAT range? Scroll further)When I change my Windscribe location, I have to also restart the Nebula service, but aside from that it's perfect.AndroidOn my Android, I use a work profile to run Nebula while using the main profile with Windscribe. This bypasses the Android restriction of only one VPN active at a time, so now I can have most of my apps behind Windscribe and the selfhosted apps on Nebula. Nice!UFW kill switchIt took me a while to get it done, but:sudo ufw allow ssh sudo ufw allow sudo ufw default deny outgoingRouting conflictOn my first try, I decided to set Nebula up on the CGNAT range. Too bad Windscribe uses it.sighI had to redo my Nebula network to use TEST-NET-2, which is 198.51.100.0/24. So yeah, double check your ranges.Windscribe doesn't play well with IPv6Windscribe doesn't support split tunneling IPv6 ranges unfortunately. (and after I finished setting up Yggdrasil!) That was one of the things that stopped me from using Yggdrasil, the other being the high latency.https://github.comSupport IPv6 ranges in split tunneling · Issue #176 · Windscribe/Desktop-AppIs your feature request related to a problem? Please describe. I'm trying to use Yggdrasil, which is a mesh network that uses an IPv6 range (0200::/7). I don't want to have to turn off the Windscribe firewall to access it. Describe the s...Jokes aside, Windscribe is a really good VPN. If you want private VPNs, go for either Mullvad, Windscribe, or Njalla. And if you pick Windscribe, tell em in the Discord that I sent you ;pClosing remarksNow I've got the basic networking out of the way, I am finally free to finally get some selfhosted services up. This journey taught me CIDR notation and a little more about being a sysadmin. It would never have been possible (or at least, would take 10 times more time) without the help of my beloved Claude and Perplexity. During my research, I came across a list of different projects. I opted for Nebula, but here's a small inexhaustive list of the stuff I came across during my search:Innernet, a mesh network based on CIDRsHeadscale, an open source Tailscale control server implementationtinc-boot, a wrapper over tinc, which is a full-mesh, auto-healing VPN system supporting many many OSesA blog post from fmac titled 'Nested WireGuard tunnels to my home'gluetun, a tool for running a VPN (the privacy tool kind, not the access tool kind) inside Dockerwireguard-go, a userspace implementation of WireGuardNetBird, a mesh net with a full GUI and centralized access control like Tailscale (actually now that I'm writing this post I think I should've just used this but whatever i've set it up already)The pleasures of [networking] are pains that become desirable, where sweetness and torment blend, and so [networking] is voluntary insanity, infernal paradise, and celestial hell - in short, harmony of opposite yearnings, sorrowful laughter, soft diamond.

## Publication Information

- [[object Object]](https://paragraph.com/@0xlynett/): Publication homepage
- [All Posts](https://paragraph.com/@0xlynett/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@0xlynett): Subscribe to updates
- [Twitter](https://twitter.com/lynett0x): Follow on Twitter

## Optional

- [Collect as NFT](https://paragraph.com/@0xlynett/selfhosting-vpn): Support the author by collecting this post
- [View Collectors](https://paragraph.com/@0xlynett/selfhosting-vpn/collectors): See who has collected this post