It’s quite fine, but not as feature complete as the proprietary control plane. My main issue is that it doesn’t support tailnet lock yet, and it’ll take a while before they’ll implement grants instead of the old ACL system

Yes, the app is the only “Android VPN”. The exit node is deployed on another network, but there should be no problem deploying it locally.

My phone would be attempting to make direct WireGuard connections to my other Tailscale nodes (be it the server, the exit node, or any other device), so it’ll prefer local connections. When it can’t (e.g. in a different and restrictive network), it will relay these traffic through DERP servers. Tailscale automate these processes very well, so no port forwarding is needed.

Note that to establish these encrypted direct tunnels, Tailscale clients have to talk to a control server to fetch required metadata. I selfhost this piece via Headscale along with the DERP servers. The stack would be quite complicated for those who already had a wireguard tunnel, but I found myself liking it because Tailscale has other cool features too.

Alternatively, I guess you could also do “split-route” by defining different peers in your Android WireGuard app, and use different AllowedIPs for them.

I use Tailscale with an exit node container that forwards all traffic to the commercial VPN via a wireguard config. This “hopping” solution serves me well enough, and works for Android too.

If you want to simultaneously have two VPN interfaces, you may wanna consult this and this guide. The principle should apply with non-Tailscale wireguards too I think

• Why do you want your own Lemmy instance? Can’t you just create a community on another instance?
• May not be the answer you want, consider exposing your laptop’s service(s) via Cloudflare Tunnels. That’s the best way if you don’t have an exposable public IP.
• Lemmy and other services will make outbound requests and leak your residential IP. If this is a problem for you, you should proxy outbound traffic on the machine
• Have you considered Oracle but in another region? Or do they geo-restrict you?
• For questionable content, look onto moderation tooling for Lemmy. Keep watch on your media folder(s) regularly and delete offensive ones

I believe as of now, the databases do not diverge and hence a binary swap/container image swap is doable. If you already set up SSO logins, then I’m not sure because Continuwuity doesn’t support that yet.

Please re-ask the question with the folks in #continuwuity:continuwuity.org to be extra sure before doing anything. Oh and without saying, do clone and backup the data paths for easy reverts later

It’s claimed to be official. But I went with https://continuwuity.org/ since it seemed to have a more active community. Plus ever since then, the core maintainer of Tuwunel has been making threats against Continuwuity including personal attacks, and seems to be quite unpleasant to deal with in general. There’s also been a thread about it here. So I honestly lost all taste to reconsider.

For Matrix consider Continuwuity instead of Synapse if you want something easier to maintain. You’ll also want to set up Element Call (i.e. the “new” calling stack) for wider client support.

Notifications can be unreliable but it depends on your push provider (e.g. don’t use the default ntfy.sh instance, use another one or selfhost yours). Do let me know of any other nits though.

For XMPP, notifications is most reliable as it maintains an in-band connection to the server. A/V is a bit more lacking, as mobile clients can only do 1:1 calls, and it misses some smaller features compared to matrix. But it’s very lightweight and should be more than capable for use with family and friends.