tailscale has Mullvad add-on, but it's a paid add-on, you can self-host tailscale with headscale
I tried self-hosting tailscale with headscale, but you cannot have a wireguard only exit node with headscale--and so I can't have mullvad as my exit node.
Don't need to self-host headscale, the mullvad addon has the exact same price as mullvad standalone, so just stop paying mullvad and pay it via tailscale, choosing the servers via exit nodes. This is the solution you want. Access to your local network + choosing any mullvad server as exit node
I don't trust an external third party to manage the coordination server.
Headscale has an issue open for wireguard only exit nodes though, I guess I'll wait for that.
Privoxy on your always on VPN.
Tailscale home, proxy out VPN.
Check out RethinkDNS. It lets you set up multiple wireguard tunnels, and assign what apps are affected by what tunnel
Why don't you just use Shelter to create a work profile on your phone? The work profile can have a second vpn connection. I do this with my homeserver. The apps that connect to the home server are installed in the work profile so they have permanent access to the homeserver while the normal profile is on my external vpn.
This is so close to what I need. Unfortunately I have a self hosted bitwarden, and when the app is installed it doesn't auto fill passwords in apps to the other account
Okay so... what about using tailscale? You set as exit node your server, which is configured with gluetun to connect to a VPN (or ideally, it's online through a router that has itself a VPN for all the connections). Then you connect through tailscale to your homeserver and exit the internet through it (which is already under a VPN).
You would maybe need to configure separate virtual interfaces for each VPN. And do some routing or a local redirecting proxy (tinyproxy is easy) to ensure things go where you want.
On android there are things that allow you to send traffic to different vpns or proxies by setting listening ports. Something like sagernet or proxychainNG or nekobox.
I’m a bit confused on this comment here:
Additionally, I'd prefer not to not do something like: Computer -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection
Because you also mention this:
Computer -> Mullvad server -> Home VPN -> Home server
Which would be the same thing, no? You’re just making a connection to the Mullvad server first then your home network?
I’ll share my experience but it looks like it’s not the solution you’re looking for, I opted to use my Asus WRT Router w/ Merlin Firmware to host my VPN server, the Merlin Firmware lets me connect to 5 different VPN clients at a time, in my case 4 different Proton clients and a buddy’s server, I use the “VPN Director” feature to route my VPN Server through one of the 5 different clients effectively creating the multi-hop.
I personally haven’t noticed much degradation in regard to connection speeds but at the same time I don’t constantly hop VPN clients or have the same internet speeds as you, I typically stick with the server closest to me.
Edit: To help visualize what I mean:
Mullvad apparently uses Wireguard. Is there an Android Wireguard client that supports multiple VPNs and toggling each independently?
Rethink DNS does this.
Despite the name, it is a wireguard client that allows you to have multiple wireguard connections simultaneously.
You can set the wireguard tunnel for each app individually.
I have something like this with Tailscale. My homeserver has a Tailscale docker as well as a docker Tailscale. The docker Tailscale advertises itself as an exit node. The Tailscale docker is gluetunned to an external WireGuard server (your Mullvad for example). Now I can connect to my home net with Tailscale and toggle the exit node on and off. By adding a different Tailscale container with a different WireGuard exit you could just toggle the exit node like that.
Seeing as you are using mullvad you could also just pay the monthly sub to tailscale and they connect your tailnet directly to mullvad
I’m pretty sure Tailscale would be a perfect solution here.
You could use the Mullvad given configuration and then also make a peer to your home network, but you're given a specific LAN IP address from Mullvad.