I think the part you’re missing (and others haven’t addressed) is that you don’t send 100% of your traffic to one endpoint (much like how most use VPNs). You can route different things to different places.

For example, I’m in the US and have two Tailscale exit nodes. Both are located on VPS machines in the US, but one sends traffic down a double-hop VPN back out into the US, the other does the same but to Switzerland. My “default” route is through Switzerland (better privacy laws) but I am forced to route some things through the US exit node due to websites that won’t work outside the US. For my personal devices, traffic routes directly to them via WireGuard tunnels.

In addition, my wife doesn’t care about blocking everything that I do (social media, tracking) but her phone still needs to update sensors in Home Assistant. She can choose not to use the exit nodes but can still communicate with our nodes on Tailscale. She also uses it to print documents at home from her laptop while she’s at work.

Recently I was waiting in a hospital with public (unsafe) WiFi that blocked UDP traffic, but Tailscale does some magic that will relay traffic via TLS. I was able to access services at home with a 20ms latency. The tech is very, very nice to have.

I only have experience trying to run two Tailscale containers on the same machine and hit so many roadblocks that running it containerized just wasn’t worth it.

Containerizing is probably only worth it if you have an explicit need for it.

Was this due to DMARC/DKIM, SPF or something else?

To add to this, I’d personally just clone the card immediately to somewhere else then do all the recovery efforts on the clone; if only to avoid burning out the SD card even more during recovery.

Edit: Not sure if that would be better or worse.

If you’re just looking for WireGuard with some good support for hostile networks (and easier configuration) I’d probably just recommend Tailscale.

The problem is I need Unbound to send queries via one network interface (the VPN) while the specific zone needs to be routed through another.

I know what split tunneling is, but I have my routing set up exactly as I’d like.

The issue here is that Unbound seems unable to send queries to one forwarding zone using a specific interface/IP address and sending queries to a second forwarding zone using a completely different interface/IP address.

I’m almost at the point where I want to create a virtual interface that just has rules that say “if going to 192.168.143.1 use /dev/tailscale0” and then have a default route to /dev/wg0.

I’m not a professional but my current Tailscale + VPN setup has been extremely nice for the past year.

Plain HTTP means anyone between you and the server can see those credentials and gain access.

It it using HTTP Basic Auth by chance? It would be so easy to put nginx (or some other reverse proxy with TLS) in front and just pass the authentication headers.

Especially with music, if any of this is plain HTTP (or any other plaintext, non-encrypted protocol) and you live in a lawsuit happy jurisdiction you might end up with piracy letters in the mail.