What's more secure? Wireguard + port forwarding or Tailscale? And can I simplify my setup?

I’d like to access some of my dockers from outside my home (e.g., Jellyseer and a few of the *.arrs).

For a long time, I had Wireguard set up with 51820 port forwarding on my router.

I just installed Tailscale and got it working - and deleted Wireguard and turned off the port forwarding.

Also:

My *.arrs access the internet via a reverse proxy through SABNZBVPN and a VPN provider (Privado).

My Jellyfin/Plex/Calibreweb/Navidrome, etc. are accessed via Cloudflare (argo) tunnel with Swag NGINX.

So… seems like overkill, maybe? Can this all be simplified?

Thanks for the help.

How secure is the WireGuard server port compared to others?

Tailscale for sure since no public ports are exposed.

I don’t think you actually need to forward a port to use Wireguard! I haven’t done so myself and it works just fine.

Also, AFAIK Tailscale works using the Wireguard protocol.

edit: you do need to forward a port, I just did it a long time ago. BTW unRAID also has a UPnP option in Settings>Management Access

Properly configured, Tailscale.
Improperly configured, both are bad.

Assuming you accept tailscale into your circle of trust.

Know any good guide for how you set up the *.arrs with a reverse proxy? Thinking about trying to do the same.

Tailscale and then Cloudflare Zero Trust is the answer. Simple as hell.

Well, I’ve read this.

If it’s true that I do not need to expose a port on my router for Wireguard, I’d probably just do that - it’s simpler to set up and use. The only reason I switched was that I wanted to close 51820 on my router, and I thought I couldn’t use Wireguard without it. But the poster below suggests that might not be the case anyway. I will investigate.

Thanks.

Why is this being downvoted? I’m curious to learn Tailscale doesn’t need any ports for it to work, not saying WireGuard is insecure, but I want to understand the reasoning.

Interesting. I was looking at this page, and it says you need to port forward to your unRAID server. I’ll check again.

If you run the WG server on your Unraid server, then you definitely do need to port forward. If it works without port forwarding, then your Unraid server is exposed to the internet (which defeats the purpose of WG).

If UPnP is enabled, then your router may have automatically done the port forward for you. But I was not aware that WireGuard supported UPnP.
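The post above explains why a self-hosted WireGuard server needs its UDP listen port reachable from outside. The script below is an added example, not code from this thread or from the WireGuard project: it parses the output format of `wg show <iface> dump` and audits a server-side peer list for the things worth checking once the port is open, namely peers whose AllowedIPs are wider than a single tunnel address (a `0.0.0.0/0` entry on the server makes it route everything to that peer), peers that have never completed a handshake or have gone stale (keys to revoke), and peers without a preshared key. The dump text, the key strings and the 10.253.0.0/24 tunnel addresses are constructed placeholders, and the 30-day staleness threshold is an assumption.

```python
import ipaddress

# Constructed sample of `wg show wg0 dump` output (tab-separated). The keys are
# placeholders, not real WireGuard keys. Line 1 describes the interface:
#   private-key  public-key  listen-port  fwmark
# Every further line is one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake(unix secs, 0 = never)  rx  tx  persistent-keepalive
SAMPLE_DUMP = (
    "SERVER_PRIV_PLACEHOLDER=\tSERVER_PUB_PLACEHOLDER=\t51820\toff\n"
    "LAPTOP_PUB_PLACEHOLDER=\t(none)\t203.0.113.7:41234\t10.253.0.2/32\t1700000000\t123456\t654321\toff\n"
    "PHONE_PUB_PLACEHOLDER=\t(none)\t(none)\t10.253.0.3/32\t0\t0\t0\toff\n"
    "OLDBOX_PUB_PLACEHOLDER=\tPSK_PLACEHOLDER=\t(none)\t0.0.0.0/0\t1690000000\t0\t0\t25\n"
)

STALE_AFTER = 30 * 24 * 3600  # seconds; assumed threshold, tune to how often your peers really connect


def parse_dump(text):
    """Split a `wg show <iface> dump` into an interface dict and a list of peer dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    iface = {"public_key": f[1], "listen_port": int(f[2]) if f[2] != "off" else None}
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "preshared_key": None if f[1] == "(none)" else f[1],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(a) for a in f[3].split(",") if a != "(none)"],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return iface, peers


def audit_peers(peers, now):
    """Return (key-prefix, kind, message) tuples for a server-side peer list.

    `now` is a unix timestamp so the result is reproducible for the sample above.
    """
    findings = []
    for p in peers:
        label = p["public_key"][:10]
        for net in p["allowed_ips"]:
            if net.prefixlen == 0:
                findings.append((label, "default_route",
                                 f"allowed-ips {net}: the server will route ALL traffic to this peer "
                                 "and accept any source address from it"))
            elif net.num_addresses > 1:
                findings.append((label, "wide_allowed_ips",
                                 f"allowed-ips {net} lets this peer send as any address in that range; "
                                 "use one /32 (or /128) per peer unless it is a site-to-site gateway"))
        if p["latest_handshake"] == 0:
            findings.append((label, "never_handshaked",
                             "never completed a handshake; remove the peer if that is unexpected "
                             "so the key cannot be used later"))
        elif now - p["latest_handshake"] > STALE_AFTER:
            days = (now - p["latest_handshake"]) // 86400
            findings.append((label, "stale", f"last handshake {days} days ago; revoke if the device is gone"))
        if p["preshared_key"] is None:
            findings.append((label, "no_psk",
                             "no preshared key; adding one layers a symmetric key over the Curve25519 handshake"))
    return findings


def main():
    iface, peers = parse_dump(SAMPLE_DUMP)
    now = 1700000000 + 3600  # fixed "current time" so the sample is reproducible
    print(f"udp/{iface['listen_port']} must be forwarded if roaming peers initiate to this host")
    for label, kind, msg in audit_peers(peers, now):
        print(f"[{kind}] peer {label}...: {msg}")


if __name__ == "__main__":
    main()
```

Against a live server, feed it real output (`sudo wg show wg0 dump`) instead of `SAMPLE_DUMP`. One caveat that fits the port-forwarding question: WireGuard never answers packets it cannot authenticate, so a UDP scan of 51820 from outside reports `open|filtered` whether or not the forward exists. The `latest-handshake` column is the reliable way to confirm a peer can actually reach the server.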

Thanks for this.

There wasn’t much to configure.

I’m using the Tailscale plugin on unRAID.

I use Github with two-factor for my authentication.

I’m not using either as an exit node.

I only have my unRAID server and my macbook pro configured as machines.

I have a strong admin password for my unRAID.

Anything else I should watch for?

This is what I read when I first started.

Of course the whole point of using wireguard or tailscale is so that you don’t have to expose those services to the internet.

Any application built on top of another application is less secure by definition, just for the fact that it adds at least one more potential point of failure. I’d go back to simple and plain WireGuard.

Thanks for this.

I ended up setting up cloudflared - seems quite secure. I realize I’m relying on a third party, but overall, I feel like this is a reasonable solution.

Seems like the easiest approach with no additional cost.

WireGuard is self-hosted, Tailscale isn’t. You are relying on a third party, and that is another layer of problems. Tailscale will most likely not be insecure, but you never know. WireGuard has a small codebase and is well tested.

I honestly don’t remember doing so, but that was a while ago and I can’t check my router settings atm.

If you have UPnP on your firewall, you don’t have to port forward.

Yes, WireGuard will require port forwarding. You can open a non-standard port… however, if you want to make it more secure, use Cloudflare’s “cloudflared tunnel”.

If it all seems too complicated, then go with Tailscale.