I am setting up a VPN solution to connect multiple companies to my VPS, where I host several open-source services such as Guacamole, GLPI, and Vaultwarden.
Each company has a similar IP range (10.1.1.0/24), and to avoid conflicts, I plan to NAT each network to a unique subnet (e.g., 10.1.1.0/24 -> 10.10.1.0/24). This way, when traffic reaches the VPS, it arrives as a translated subnet.
The main goal is to remotely access company machines using Apache Guacamole, without opening any external ports in their firewalls.
Image example
Network Setup:
- Each company has a local subnet (e.g., 10.1.1.0/24).
- The VPS receives traffic using NAT (e.g., 10.1.1.0/24 → 10.10.1.0/24).
- All traffic should be routed properly between the VPS and the companies.
- I need a stable, scalable, and secure VPN solution for this.
Considerations:
- What would be the best open-source solution for this scenario?
- I need a product that supports tunneling, NAT, and proper routing—what would meet all these requirements?
- The company’s employees can access a client to connect to the company via VPN!
I would appreciate insights on the best way to implement this while ensuring security, stability, and ease of management. Thanks! 
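Added worked example, not from the original post or any reply: a small Python script that allocates a unique translated /24 for every site that uses the same 10.1.1.0/24, emits the 1:1 NAT rules each site's VPN gateway needs, and flags collisions in hand-picked mappings. The translation has to happen per site before the flows merge (on each company's gateway, or on the VPS on that company's own tunnel interface), because once two untranslated 10.1.1.0/24 sources share one routing table the VPS cannot tell them apart. The iptables NETMAP target, the interface name wg0 and the 10.10.0.0/16 pool are my assumptions; any L3 tunnel (IPsec, OpenVPN, WireGuard) fits the same pattern.

```python
"""Added example (not from the thread): allocate a unique translated /24 for
every site that uses the same local range, emit the 1:1 NAT rules each site's
VPN gateway needs, and check hand-picked mappings for collisions.

Assumptions of mine, not facts from the thread: site gateways are Linux boxes
using iptables, the tunnel interface is called "wg0" (any L3 tunnel works the
same way), and the pool of translated ranges is 10.10.0.0/16.
"""
from ipaddress import IPv4Address, IPv4Network


def translate(addr: str, src_net: str, dst_net: str) -> str:
    """Map one address from src_net into dst_net, keeping the host bits.
    This is the arithmetic the iptables NETMAP target performs per packet."""
    src, dst = IPv4Network(src_net), IPv4Network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    ip = IPv4Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(ip) & int(src.hostmask)
    return str(IPv4Address(int(dst.network_address) | host_bits))


def allocate(sites, local_net="10.1.1.0/24", pool="10.10.0.0/16"):
    """Assign each site a unique subnet from `pool`, same size as local_net.
    Sites are processed in sorted order so re-running gives the same answer.
    A candidate that overlaps the untranslated local range is skipped: using
    it would make the translated and real ranges indistinguishable on the VPS."""
    local = IPv4Network(local_net)
    candidates = IPv4Network(pool).subnets(new_prefix=local.prefixlen)
    assigned = {}
    for site in sorted(sites):
        for cand in candidates:  # generator: each site takes the next free one
            if not cand.overlaps(local):
                assigned[site] = cand
                break
        else:
            raise RuntimeError(f"pool {pool} exhausted before site {site!r}")
    return assigned


def overlaps(assigned):
    """Return the pairs of sites whose translated ranges collide (for
    mappings chosen by hand rather than by allocate()). Values may be
    strings or IPv4Network objects."""
    nets = {name: IPv4Network(net) for name, net in assigned.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def gateway_rules(site, local_net, translated, tun="wg0"):
    """iptables rules for one site's VPN gateway.
    POSTROUTING towards the tunnel: rewrite the *source* 10.1.1.x -> 10.10.N.x.
    PREROUTING from the tunnel: rewrite the *destination* 10.10.N.x -> 10.1.1.x.
    NAT is conntrack-based, so replies in either direction are reversed
    automatically; only these two rules are needed per site."""
    return [
        f"# {site}: {local_net} <-> {translated}",
        f"iptables -t nat -A POSTROUTING -o {tun} -s {local_net} -j NETMAP --to {translated}",
        f"iptables -t nat -A PREROUTING -i {tun} -d {translated} -j NETMAP --to {local_net}",
    ]


def vps_routes(assigned, tun="wg0"):
    """On the VPS only the translated ranges exist; route each into the tunnel."""
    return [f"ip route add {net} dev {tun}" for _, net in sorted(assigned.items())]


if __name__ == "__main__":
    plan = allocate(["acme", "beta", "gamma"])  # constructed sample sites
    for site, net in plan.items():
        print("\n".join(gateway_rules(site, "10.1.1.0/24", net)))
    print("\n".join(vps_routes(plan)))
    # Guacamole on the VPS dials 10.10.1.15; beta's gateway delivers it to 10.1.1.15
    print(translate("10.10.1.15", str(plan["beta"]), "10.1.1.0/24"))
```

Run it to print the rules for three constructed sites. With the translated ranges unique, a Guacamole connection profile on the VPS for a host at 10.1.1.15 in the second site points at 10.10.1.15, and that site's gateway rewrites the destination as the packet leaves the tunnel. If you pick the ranges by hand instead, feed the mapping to overlaps() before deploying it.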
Well, you can go IPsec/L2TP, which will work fine p2p, or maybe OpenVPN with remotes connecting in. Really depends on what sort of security you want and how complex you need it to be.
OpenVPN, and don't listen to the bastards pushing "Tailscale/Zscaler":
- No site-to-site
- You must pay all the time for nothing (these paid solutions are rebranded VPNs)
- No router support
What do you mean by 'multiple companies'? Is this their employees on workstations, or servers, or something like that?
I'm making assumptions here, but speaking from the 'company' side of things, I'd rather set up a site-to-site tunnel with an ACL, and would suggest something like a small Fortigate. I would not want my employees installing VPN or ZTNA software clients managed by vendors to access those vendors' products/systems. What if some of your customers already have VPNs or ZTNA solutions that have some kind of isolation access to block other subnets, or aren't compatible with whatever you choose for the client side?
You shouldn't dictate how other companies' employees should connect to something. So a back-end infrastructure connection is the proper way to set this up; then let the IT of these companies figure out how their users reach it.
For GLPI and Vaultwarden I would question whether a VPN is the correct way to do things. Those are HTTPS services that you should be able to secure adequately. Worst case, if your clients have static public IPs, you can lock things down with your VPS firewall to allow access from only their IPs.
Guacamole is the wildcard. Will they be connecting through it to services in your VPS? Or to services inside their own networks? Is that why you need the VPN tunnel from their network to yours?
So, just to confirm if I understood correctly: I should create a Docker container with Tailscale for each company, set up a separate Tailscale account for each one using a unique authentication email, and establish an individual connection to expose each company’s subnet inside its respective container. Each of these containers will have its own network interface, and Guacamole will have access to all Tailscale container network interfaces. Would this be the correct approach?
exactly this; get away from VPN and move towards ZTNA solutions