What’s your setup for securing access to self-hosted/homelab services? Do you keep an always-on VPN?

Mesh VPNs like Nebula and WireGuard-based Tailscale, Pangolin, have become popular for homelab/self-hosting setups. For sensitive applications like control panels (Cockpit), DNS resolvers, etc., a VPN seems non-contentious. But for services you may use more often daily (e.g. RSS feed readers, DNS-based ad blockers, game servers, etc.), it seems inconvenient to keep access locked behind a VPN, particularly on mobile devices where battery drain is a concern if you keep a VPN always on, or devices where you can’t easily set up a VPN (<a href="https://tailscale.com/blog/tailscale-jailbroken-kindle" rel="ugc">though this is being pushed to the limit</a>).

The alternatives are (a) exposing to the web with fail2ban and other measures in place, (b) mutual TLS, though often poorly supported by clients.