Networking & access
VPN or reverse proxy for remote access?
Do I need a VPN or a reverse proxy for remote access to my home server?
Short answer
Do I need a VPN or a reverse proxy for remote access to my home server?
For one person reaching a handful of services, a VPN (WireGuard or Tailscale) is the better default: nothing is exposed to the public internet, and every service is reachable by name over the tunnel. Reach for a reverse proxy instead when you need to share a clean link with someone who won't install a VPN, or you're running enough services that memorising ports has become the problem.
A VPN builds a private encrypted tunnel from your device into your home network, so you reach services as if you were on the couch — nothing is public. A reverse proxy is a public front door: one service that accepts requests from the internet and routes each to the right app by hostname.
- 0public ports a VPN needs openTailscale/WireGuard punch out, nothing listens inbound
- 2public ports a reverse proxy opens (80/443)
- 1 personthe point below which a VPN is almost always the answer
Start with the honest default
Most people asking this question want to reach their own stuff from their phone or a laptop. For that, you don’t need to put anything on the public internet at all — and not putting things on the public internet is the single biggest security win available to a home setup.
A VPN gives you exactly that. You install a client, and from anywhere your services are reachable by name, encrypted end to end, with zero ports listening for strangers. If that covers your need, you’re done, and you’ve dodged the entire category of “someone found my exposed app” problems.
When the reverse proxy earns its place
Two situations flip the answer:
- You need to share. A VPN is great until you want to send a family member a link to a photo album or a game server and they won’t install anything. A public URL behind a reverse proxy is the humane option there.
- You’ve got a lot of services. Once you’re running a dozen apps, clean shared hostnames
(
vault.example.com,photos.example.com) with automatic HTTPS in one place is genuinely nicer than a VPN plus a mental list of ports.
The short version
Default to a VPN — Tailscale if you want it working in ten minutes. Add a reverse proxy when you need public links or your service count has outgrown a tidy set of names. Reaching for the proxy first, before you actually need to expose anything, is the common mistake: it’s more attack surface than the job requires.
| Approach | Public exposure | Who it's for | Setup |
|---|---|---|---|
| VPN (WireGuard/Tailscale) | None | You + people who'll install a client | Very easy with Tailscale |
| Reverse proxy | Ports 80/443 public | Sharing links; many services | A bit more, per-app |
| Both | Proxy for public apps, VPN for the rest | Mixed needs | Most involved |
If it's just me and my household, I don't expose anything — the VPN reaches every service by name and there's simply no public attack surface to worry about.
Common questions
Is exposing a reverse proxy dangerous?
It's a managed risk, not a reckless one. You expose two ports instead of many and terminate HTTPS in one place — but anything public must be patched and have real authentication. A VPN avoids the exposure entirely, which is why it's the default when only you need access.
Can I use both?
Yes, and many people do: a reverse proxy for the one or two things that genuinely need to be public (a shared photo album, a status page), and a VPN for everything private. It's the most flexible setup once you've grown past a handful of services.
Is Tailscale a VPN?
Yes — it's a WireGuard-based mesh VPN that's dramatically easier to set up than raw WireGuard. For most people wanting remote access to their own services, it's the shortest path to a working, no-public-ports setup.