DS Lite Problem - how to use Tailscale Tunnel via VPS instead?

Hi everyone,
I got DS Lite from Vodafone in Germany and want to make my Homeserver accessible from outside via IPv4.

Which solution would you recommend?

I thought about creating Tailscale connection between my HomeNetwork and the VPS. That’s already done, I am able to ping my home devices from my VPS. (I added my IP-Network-Area as subnet to my HomeNetwork-Client, which runs as an Unraid Docker)

Now I thought about creating an Nginx Reverse Proxy Server, so that I could route from my VPS, through Nginx, to my Devices/Servers in my HomeNetwork. (Minecraft for example).

At this point I got 2 more questions for you:

  • Would you host Nginx on the VPS or HomeServer (Unraid)? And why, where are the main security differences?
  • How do I create routings in Tailscale? Is it done with separate Firewalls, or can I do it with ACL in Tailscale? Do I have to define an Exit-Point? Which Firewall would you recommend?

Thank you very much for your nice work, I’m looking forward to any kind of answer/tips/support.

Hello, I’m also interested in this topic. Basically I would like to access my home network (behind a CGNAT Vodafone LTE) with a public IP published on a VPS.
Any suggestion appreciated!
Thank you!

Hi Weeedy, I’ll write this in German and add the answer below in English.

I have the following solution: Tailscale on my server at home and Tailscale on my VPS. Both can communicate with each other.

The program rinetd runs on the VPS, so you can do simple port forwarding like on a Fritzbox. So everything that arrives on e.g. port 443 at your VPS is forwarded via Tailscale to your server at home on port 443. Of course this also works with other ports, e.g. for a Minecraft server with port 25565.

Your “external-ip” is then that of your VPS, so to speak. This solves the DS-Lite problem, and all the paid providers for such solutions do nothing else.

If you only use web hosting, i.e. port 80/443, you can also solve this via Cloudflare by using the Cloudflare DNS protection. This automatically makes a 4to6 tunnel.
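
An added example, not part of any post above: a small audit of a rinetd forwarding file on the VPS, listing which ports end up internet-facing and which forwards point somewhere other than the tunnel. It assumes rinetd's `bindaddress bindport connectaddress connectport` rule format and Tailscale's 100.64.0.0/10 address range; the sample file, its addresses and the home subnet 192.168.178.0/24 are constructed placeholders.

```python
import ipaddress

# Tailscale hands out node addresses from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
DIRECTIVES = {"allow", "deny", "logfile", "pidlogfile", "logcommon"}

# Constructed sample rinetd.conf; every address and port is a placeholder.
SAMPLE_CONF = """\
# bindaddress bindport connectaddress connectport
0.0.0.0   443   100.101.102.103 443
0.0.0.0   25565 192.168.178.20  25565
0.0.0.0   8080  10.0.0.5        8080
127.0.0.1 9000  100.101.102.103 9000
logfile /var/log/rinetd.log
"""

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # hostname: cannot be checked offline

def parse_forwards(conf_text):
    """Return (bind_addr, bind_port, target_addr, target_port) per forwarding rule."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] not in DIRECTIVES:
            rules.append(tuple(fields[:4]))
    return rules

def audit(conf_text, home_subnet):
    """Return (internet-facing ports, forwards whose target is outside the tunnel)."""
    allowed = [TAILNET, ipaddress.ip_network(home_subnet)]
    exposed, unexpected = [], []
    for bind, bport, target, tport in parse_forwards(conf_text):
        bind_ip, target_ip = _ip(bind), _ip(target)
        # Anything not bound to loopback is reachable on the VPS's public address.
        if bind_ip is None or not bind_ip.is_loopback:
            exposed.append(bport)
        if target_ip is None or not any(target_ip in net for net in allowed):
            unexpected.append(f"{bind}:{bport} -> {target}:{tport}")
    return exposed, unexpected

if __name__ == "__main__":
    exposed, unexpected = audit(SAMPLE_CONF, "192.168.178.0/24")
    print("internet-facing ports:", exposed)
    print("targets outside tailnet/home subnet:", unexpected)
```

Every port in the first list is open to the whole internet on the VPS address, so each one should correspond to a service at home that is meant to be public.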