Create a virtual network (VPN?) between my home server and my VPS (Without routing any of my internet through the VPN)

So because of stuff my ISP started doing, I can’t port forward my home server anymore. The solution I have right now is to tunnel every service manually with an SSH tunnel to my VPS, but it’s very inconvenient and slow.

I am looking for an alternative and I’m wondering if it’s possible to set up a virtual network between my VPS and home server (and also possibly other servers I set up in the future) so they can access each other as if they’re in the same network.

I’m pretty sure I should set up a VPN, but I don’t really know where to start. The thing is that I don’t want to route any of my internet access through the VPN, I just want to be able to access services on my home server from my VPS.

What software should I use and how should I configure it to fit my needs?

I feel like this shouldn’t be too complicated? (Hopefully) But I haven’t been able to fully understand how to set up and configure VPNs like Wireguard or OpenVPN properly myself.

Update: Thanks to everyone who recommended Tailscale, it worked instantly with no configuration. Also, the speeds are basically the exact same as my SSH tunnel, I guess my home internet is just not fast enough for the tunnel to become a bottleneck.

But I still kinda want to figure out if it’s possible to replicate something similar to Tailscale using Wireguard so I don’t rely too much on a third-party service (just in case they disappear (probably unlikely) or if they change/remove their free tier). I’m still trying to wrap my head around how to configure Wireguard, but I guess my VPS would be the server and my other servers would be the clients (peers?). Trying to figure out if I would be able to access between peers or not, and if Wireguard would also route internet through it (and if it does, how to disable/stop that).

Also, it looks like one of the differences is that Tailscale is a mesh VPN so there is no central server, while Wireguard on its own requires a server and the rest of the machines are clients/peers connected to the server (at least that’s how I understand it). This doesn’t really matter to me, I’m fine with having a single server be a centralized server that every other machine connects to. As long as in the end on all the machines it just looks like a regular network where all the machines are accessible through it.

If someone knows a good beginner tutorial for Wireguard please share it. Especially if it specifically replicates how Tailscale works (or is kinda similar). I’m decent at most general Linux stuff, but I’m not very good at networking stuff.

Also it would be useful if someone can share some keywords/terms I should know about this so I can search better. I don’t really know what I should Google, or if this specific thing I’m trying to do has a term/name.

Conclusion: I think I’m just gonna stay with Tailscale, it seems to be working very well so far. Another alternative seems to be ZeroTier, and there is also a self-hosted open-source implementation of the Tailscale control server called Headscale. Seems like running a VPN like Wireguard by myself is going to be too complicated, especially when you add the extra complication of NAT added by home ISPs.
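The hub-and-spoke layout the original post describes (VPS as the one machine with a public address, everything else connecting to it, peers reaching each other through it, and nothing else routed into the tunnel) comes down to how WireGuard's AllowedIPs is written on each side. The script below is an added example, not code from the thread or from the WireGuard project: it generates the wg-quick config for the hub and for each spoke. Every key in it is a constructed placeholder (generate real ones with `wg genkey | tee priv | wg pubkey > pub`), and the overlay subnet 10.10.0.0/24, the hub address 203.0.113.10 and port 51820 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: generate hub-and-spoke WireGuard
# configs. The VPS is the hub; the home server and any future machines are
# spokes that only ever talk to the hub's public endpoint. Every key here is a
# constructed placeholder (make real ones with: wg genkey | tee priv | wg pubkey > pub);
# the subnet, hub address and port are assumptions chosen for the example.

VPN_SUBNET="10.10.0.0/24"      # overlay network; only this range is routed into wg0
HUB_PUBLIC_IP="203.0.113.10"   # VPS public IP (assumed; RFC 5737 documentation range)
HUB_PORT="51820"               # UDP port to open on the VPS firewall

# hub_conf HUB_PRIVATE_KEY "name:pubkey:vpn_ip" [...]  -> prints wg0.conf for the VPS
hub_conf() {
    hub_priv=$1; shift
    printf '[Interface]\nAddress = 10.10.0.1/24\nListenPort = %s\nPrivateKey = %s\n' "$HUB_PORT" "$hub_priv"
    # Spoke-to-spoke traffic crosses the hub, so forwarding must be on, but it is
    # allowed only from wg0 back to wg0: the hub never NATs tunnel traffic to the internet.
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT\n'
    printf 'PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT\n'
    for spoke in "$@"; do
        name=${spoke%%:*}; rest=${spoke#*:}; pub=${rest%%:*}; ip=${rest#*:}
        # A /32 per peer: WireGuard's AllowedIPs is both the ACL for what a peer may
        # send and the routing table for what is sent to it (cryptokey routing).
        printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
    done
}

# spoke_conf SPOKE_PRIVATE_KEY SPOKE_VPN_IP HUB_PUBLIC_KEY  -> prints wg0.conf for one spoke
spoke_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\n' "$3" "$HUB_PUBLIC_IP" "$HUB_PORT"
    # The whole VPN subnet via the hub, so other spokes are reachable through it.
    # Because AllowedIPs is NOT 0.0.0.0/0, wg-quick installs no default route:
    # ordinary internet traffic never enters the tunnel.
    printf 'AllowedIPs = %s\n' "$VPN_SUBNET"
    # Spokes sit behind home NAT/CGNAT with no open port; the keepalive holds the
    # NAT mapping open so the hub can deliver packets back to them.
    printf 'PersistentKeepalive = 25\n'
}

# routes_internet CONFIG_TEXT -> succeeds if the config would pull all traffic into the tunnel
routes_internet() {
    printf '%s\n' "$1" | grep -Eq '^AllowedIPs *=.*(0\.0\.0\.0/0|::/0)'
}

# Demo run with placeholder keys. On a real machine, write the output to
# /etc/wireguard/wg0.conf (mode 600) and bring it up with: wg-quick up wg0
hub_conf HUB_PRIV_PLACEHOLDER "home:HOME_PUB_PLACEHOLDER:10.10.0.2" "nas:NAS_PUB_PLACEHOLDER:10.10.0.3"
echo "----"
spoke_conf HOME_PRIV_PLACEHOLDER 10.10.0.2 HUB_PUB_PLACEHOLDER
```

The asymmetry is the whole trick: the hub lists each spoke with a /32 so it knows which key owns which address, while each spoke lists the hub with the entire /24, so a packet from the home server to 10.10.0.3 goes to the hub, which forwards it to the other spoke. Adding a new machine means one more `[Peer]` block on the hub and a `wg syncconf` or restart there; the existing spokes need no change. The `routes_internet` check is the thing to run on any config copied from a tutorial, since most of them are written for the "route everything" use case and ship with `AllowedIPs = 0.0.0.0/0`.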

If you are not familiar with VPN setup, then use Tailscale. If it can make direct connections, you are done.

Otherwise, run a Wireguard server on the VPS.

Can’t recommend Tailscale enough.

No port forwarding, busts through CGNAT, and dead simple to set up with advertised routes or exit nodes.

Depends on how simple your setup is. You could run a wg server on your VPS and connect to it from your home lab, then install Caddy or nginx as a frontend proxy and forward requests to your home lab’s wg IP. I just used this method to get an AWS region that was close to where I am traveling now, and the speed gain is real: I can actually stream my libraries now.

I tried many services and I can give different recommendations in the case of a mesh VPN, but if you just need to connect two peers, go for Wireguard and call it a day.

An alternative could be nebula which is maybe slightly easier and can become a mesh VPN later on. Nothing beats wireguard in terms of potential speed, though.

I had a similar problem and solved it with Tailscale: What is Tailscale? · Tailscale Docs

Wireguard by itself won’t get you where you want. On most ISPs, even those with CGNAT, you can still route packets out, and once the outgoing port is open, if the IP/port is known, you can send packets from another source back to it. Even BitTorrent uses this trick.

Okay, I tried Tailscale and it was very easy and does exactly what I was looking to do.

But I still kinda want to try to set up Wireguard myself so I don’t rely too much on third-party services. Do you know of any beginner-friendly Wireguard tutorial to replicate something similar to Tailscale? I’m decent at general Linux, but not really when it comes to networking.

I use this too, OP should try it out. It’s pretty slick.

Another vote here for Tailscale. It’s free, easy to set up and just works.

I mean, your VPS is a third party service…

Well yeah, but a VPS is just a simple server, there are many VPS providers and they basically provide the same service. But Tailscale is a bit more specific, and I have no idea where to move to if they shut down or change/remove their free tier.

And also I said that I don’t want to rely too much on third-party services, not completely stop relying on third-party services. That would be wayyy too complicated for me.

You can set up Headscale if you don’t want to rely on Tailscale.

People bring up this longevity argument all the time. The cold truth is that it’s a homelab - it’s really just for tinkering, not an enterprise grade/production network. If it goes belly up, you really haven’t lost anything. There are other mesh providers out there like ZeroTier which have been around for many years.

They just expanded their free tier due to popularity, and I presume exposure. I don’t think they’re going to close up any time soon.

I’ve set up Wireguard/OpenVPN tunnels. They’re a pain in the ass that I really don’t want the hassles with anymore. Especially if you have a dynamic IP. Once they’re up and working nothing really changes. I’d much rather focus on other things than maintaining a VPN.

Just my thoughts.

If Tailscale dies tomorrow, meh. I’ll move on to the next contender. But 3+ years in and it’s getting better all the time.

That looks interesting, I will check it out!

Well, the reasons I gave weren’t really a real/serious concern, I just wanted to see if I can do it myself (with Wireguard) or if it would be too complicated (in that case I would just stay with Tailscale, which is perfectly fine).

I just thought it would be relatively simple to do, just run a server on my VPS, configure some authentication stuff, run the client on my other servers and point it to the VPS, maybe change that one line of config or whatever so the internet access doesn’t get routed through, and then it would just work. Though that was obviously just my imagination, and the reality is going to be much more complicated.