by imiric 1117 days ago
Have you considered using Wireguard for this? It's relatively straightforward, see: https://www.procustodibus.com/blog/2020/11/wireguard-hub-and...

This way you don't depend on a VPN provider, and can easily host it on any VPS. I suppose it would work on fly.io as well.

I use the hub and spoke setup to access my home network over the internet, and Wireguard works great.

This also doesn't require any special gateways or DNS setup. All connected hosts just use the DNS server on my main router, which resolves all internal domains.

Wireguard to this day does not handle IPv6 correctly. When connecting to a domain with A and AAAA records it stupidly prefers the A one.

Which works horribly on 464xlat providers, as now you're routing your VPN traffic over an IPv6->IPv4 proxy. While that's fine for outgoing stuff, it breaks all incoming stuff as soon as you put your phone to sleep, as nothing can send stuff your way anymore.

Ah, that's a shame. How does Tailscale work around it?

I don't use IPv6, so this hasn't been an issue for me. It sounds like a relatively simple thing to fix, though.

Tailscale makes outbound connections so it circumvents the need for IPv6 with things like CGNAT.

OP, why not use an open source equivalent to Tailscale Funnel? For example, I work on the OpenZiti project and we created zrok.io, which is a fully open source alternative - https://github.com/openziti/zrok.

I apologize, it's in the DNS handling of Wireguard's iOS app. I've seen it being reported many times but no action.