Decision. Default stack: Tailscale for private remote access (free tier covers a household, traverses CGNAT)[3], Cloudflare Tunnel for any service you want public on a real domain, NUT + Uptime Kuma + a smart plug for always-on hygiene[13][16]. Self-host Pangolin ⭐ 20k (Apr 2026)[7] instead of Cloudflare if vendor-independence matters. Skip Synology QuickConnect — it terminates TLS at Synology’s edge[11].
The two-axis split
Remote access decisions split along two axes:
| Axis | Choices |
|---|---|
| Audience | Just you (private VPN) vs. anyone on the internet (public reverse proxy / tunnel) |
| Trust | Trust a SaaS control plane (Tailscale, Cloudflare) vs. self-host the control plane (Headscale, Pangolin, raw WireGuard) |
Most households need both — a private VPN for SSH/admin/SMB, plus a public tunnel for one or two services (Plex, Immich shares, a website) that need shareable links.
Mesh VPN — private remote access
WireGuard is the kernel-space protocol everything else builds on. The interesting decision is the control plane: who hands out keys and coordinates peers.
| Tool | Self-host? | Free for home | NAT/CGNAT traversal | Best for | ⭐ Stars |
|---|---|---|---|---|---|
| Tailscale | ✗ proprietary | ✓ 3 users / 100 devices | ✓ DERP relays | Default. Lowest setup time. | n/a (closed-control) |
| Headscale | ✓ | ✓ | ✓ (uses official Tailscale clients) | Tailscale UX without the SaaS dependency | ⭐ 38k |
| NetBird | ✓ (5 services + OIDC) | ✓ | ✓ | Full self-host with modern ACLs | ⭐ 25k |
| ZeroTier | ✓ (controller) | ✓ 25 nodes | ✓ | L2 mesh; rarely the right pick in 2026 | ⭐ 17k |
| WireGuard (raw) | ✓ | ✓ | ✗ port-forward or VPS | Zero deps and a public IP | n/a |
Tailscale is the right default for 2026[1]: free tier covers a household, DERP relays make CGNAT a non-issue[3], and Synology and most NAS-replacement OSes ship Tailscale natively. Run it as a subnet router on the new server so phones reach 192.168.x.x directly without installing a client on every IoT device[22].
Pivot to NetBird[27] if you want everything self-hosted from day one — since v0.65 (Feb 2026) it ships an integrated reverse proxy, removing a major reason to also run Cloudflare[1]. It also forces you to think in groups and policies rather than flat peer lists, which is a feature for new homelabbers[2]. The cost is a five-service Docker stack plus an OIDC provider (Zitadel/Keycloak/Authentik)[1]. Pick Headscale[26] instead if you already invested in Tailscale clients but want to drop the SaaS — useful past 50 devices where Tailscale’s per-seat tier kicks in[1].
Raw WireGuard alone is rarely worth it in 2026. It’s faster on paper, but you write configs by hand, manage key rotation, and break entirely behind CGNAT without renting a VPS[3][4]. The hybrid pattern — raw WireGuard on the router for low-latency family use, Tailscale on the NAS for everything else — is a real option but rarely earns the second tool.
Public reverse proxy / tunnel
Where TLS terminates and how packets get into your home are two separate problems.
| Approach | TLS termination | Ingress mechanism | Use when | ⭐ Stars |
|---|---|---|---|---|
| Cloudflare Tunnel | Cloudflare edge | Outbound cloudflared connection |
Zero port-forwarding, free, DDoS protection | n/a |
| Tailscale Funnel | Tailscale edge | Outbound Tailscale tunnel | Quick public link for *.ts.net host, beta limits |
n/a |
| Pangolin (self-host) | Your VPS | Outbound WireGuard home → VPS | You want Cloudflare’s UX without Cloudflare | ⭐ 20k |
| NPM / Caddy / Traefik + DDNS | Your home | Inbound 80/443 (port-forward) | Static-ish IP, no CGNAT | varies |
Cloudflare Tunnel adds 15-45 ms latency, Tailscale Funnel adds 10-80 ms[5]. Funnel is locked to ports 443/8443/10000, requires *.ts.net hostnames, and has non-configurable bandwidth caps while in beta — fine for a personal demo URL, not a production share[6].
Pangolin ⭐ 20k (Apr 2026) (Fossorial, YC ‘25)[8] is the closest open-source match to Cloudflare Tunnel. It pairs Traefik with WireGuard NAT traversal, identity-aware access controls, and automatic Let’s Encrypt — deploy on a $5/mo VPS and your home server connects outbound[7]. AGPL-3 community edition is free for personal and small-business use[7].
If you have a routable public IP (no CGNAT), running a reverse proxy directly on the home server is simpler:
| Proxy | Idle RAM | Config style | Best for | ⭐ Stars |
|---|---|---|---|---|
| Caddy | 20-30 MB | Caddyfile (declarative) | Auto-HTTPS by default, smallest footprint | ⭐ 72k |
| Traefik | 40-60 MB | Docker labels / YAML | Docker-heavy stacks, dynamic discovery | ⭐ 63k |
| NPM | 80-120 MB | Web UI | Beginners, click-driven setup | ⭐ 33k |
Recommendation: start with NPM, migrate to Traefik or Caddy as you outgrow click-ops[9][10].
Synology QuickConnect — what you’re replacing
QuickConnect is a reverse-proxy relay run by Synology: outbound connection from the NAS to quickconnect.to, TLS terminates at Synology’s edge[11]. That terminator means Synology can in principle observe credentials and traffic; brute-force attempts against weak admin passwords are also reachable from the public internet[11]. Replacement: Tailscale (private) + Cloudflare Tunnel or Pangolin (public) gives end-to-end TLS with no third-party termination and a smaller attack surface.
CGNAT mitigation
If your ISP shares one public IPv4 across customers, no port-forward gets through[12]. Options ranked by typical homelab fit:
- Tailscale / NetBird / ZeroTier — outbound-initiated tunnels and relays; CGNAT is invisible[3].
- Cloudflare Tunnel / Pangolin — same outbound pattern but for public services[12].
- IPv6 — most ISPs offer it in 2026; works for v6-capable clients only[12].
- Ask the ISP — many offer a public IPv4 swap for €5-10/mo[12].
Avoid renting a VPS just to bounce raw WireGuard if Pangolin is on the table — same VPS, more features.
Always-on hygiene
“Always on” is three problems: power continuity, remote power control, and knowing when something dies.
UPS + graceful shutdown — NUT
A UPS without a shutdown signal just delays data loss. NUT (Network UPS Tools) is the cross-platform standard: upsd runs on the box wired to the UPS via USB, upsmon clients on every other host, and a critical-battery event sets the FSD flag and triggers SHUTDOWNCMD "/sbin/shutdown -h +0" on every node[13]. Put NUT on a Pi or directly on the NAS; spread upsmon to Proxmox hosts and any always-on services so a single UPS protects the whole rack[14].
Wake-on-LAN vs smart plugs vs IP-KVM
| Need | Tool | Cost | Notes |
|---|---|---|---|
| Wake from sleep / soft-off | Wake-on-LAN | $0 (built-in) | ⚠ unauthenticated — keep off the WAN, send magic packet through the VPN[15] |
| Hard reset / cold boot when WoL fails | Smart plug + BIOS “power on AC restore” | ~$25 | Pull-the-plug fallback when SSH dies[16] |
| BIOS / boot loop / OS install | IP-KVM (PiKVM or JetKVM) | $69-200 | True out-of-band; works when host is fully off[17][18] |
| Server-grade BMC | IPMI / iDRAC / iLO (Supermicro, Dell, HPE) | $0 if board has it | Vendor-locked but factory-integrated[19] |
JetKVM ⭐ 4.6k (Apr 2026) at $69 — 30-60 ms latency, 1080p60, built-in touchscreen, WebRTC remote — is the cheapest sensible IP-KVM in 2026[18]. PiKVM ⭐ 10k (Apr 2026) is more DIY but adds virtual media (mount an ISO over the network) and ATX power control[17]. For a home NAS, smart plug + WoL covers 95% of cases; reach for an IP-KVM only if you regularly tinker with BIOS or boot devices.
Idle power — the hidden TCO
Always-on is a 24×365 commitment. At ~10 W idle, an N100 mini PC costs about $12/yr in US electricity, ~$30/yr in EU[20]. Rule of thumb: every watt of idle ≈ $1/yr US, $2.50/yr EU[20]. A spare desktop pulling 60 W idle costs $150+/yr in EU power — over five years that’s a new mini PC.
A well-built mini-PC home server idles at 15-30 W; an ultra-tuned N100 + 2× SSD build sits at 15-25 W[21]. Factor electricity into the build-vs-NAS comparison; it’s where pre-built NAS hardware quietly wins back some ground against bigger DIY boxes.
Monitoring — know when it dies
| Tool | Type | Best for | ⭐ Stars |
|---|---|---|---|
| Uptime Kuma | Endpoint pings | Push-button setup, dozens of monitor types, polished UI | ⭐ 86k |
| Gatus | YAML-driven endpoint checks | Config-as-code, ~30 MB RAM, no DB | ⭐ 11k |
| Beszel | Host + Docker stats | CPU/RAM/disk/temp graphs, <10 MB agent | ⭐ 21k |
Uptime Kuma ⭐ 86k (Apr 2026) supports 20-second check intervals and dozens of monitor types[23]; pair it with Beszel ⭐ 21k (Apr 2026) for resource graphs[25] — together they cover “is it up?” + “is it healthy?”. Gatus ⭐ 11k (Apr 2026) replaces Uptime Kuma when you want all monitor definitions in git[24]. Push alerts to Discord, ntfy, or Pushover; email is too slow when an HBA decides it’s done.
Sample stack for a Synology replacement
A concrete default for a single-household NAS-replacement build:
| Layer | Pick | Cost |
|---|---|---|
| Private remote access | Tailscale, NAS as subnet router[22] | $0 |
| Public tunnel (1-2 services) | Cloudflare Tunnel + own domain | $0 + ~$10/yr domain |
| Internal hostnames | NPM or Caddy behind Tailscale (MagicDNS) | $0 |
| UPS + shutdown | NUT primary on NAS, USB to ~$120 1500 VA UPS | ~$120 + battery refresh |
| Hard-reset fallback | Tapo P110 or Shelly Plus smart plug, BIOS = “always on” | ~$25 |
| Monitoring | Uptime Kuma + Beszel containers | $0 |
| Out-of-band (optional) | JetKVM on the box you tinker with | $69 |
Total recurring: $0 SaaS, ~$10/yr domain, ~$8-15/yr electricity for the always-on bits.
When to deviate:
- Want zero SaaS dependencies → swap Tailscale for NetBird ⭐ 25k or Headscale ⭐ 38k, swap Cloudflare Tunnel for Pangolin ⭐ 20k.
- Behind CGNAT with no IPv6 → keep Tailscale; route public services through Cloudflare Tunnel or Pangolin instead of port-forwarding.
- Frequent BIOS work or remote OS installs → add PiKVM ⭐ 10k for virtual media.