> Edit: specifically, Tailscale uses their own proprietary relay servers, and if you don’t want to use them you can’t use tailscale. ¯\_(ツ)_/¯
This is incorrect [0]. You can use your own relay servers [0].
However, Tailscale only uses the relay servers as a last resort. Most of the time, the connection will be established directly between the peers.
If you're able to configure port forwarding on your router as another commenter said, wireguard works well enough. You'll probably be able to also set up some form of dynamic DNS if you don't have a static IP (like no-ip or duckdns, etc). In this case, you don't need Tailscale.
However, there are more and more people who aren't able to do the port-forwarding thing any more, such as those behind CG-NAT. For example, this seems to be spreading in France and, from what I hear, the UK. In these cases, Tailscale's NAT traversal techniques may still work – that is, your connection will be directly between your two peers and not through their relays.
Also, of note is that their relays are open source [1], and you can run your own. But if that's the case, you probably don't need Tailscale and can get away with some kind of hub-and-spoke setup.
I find it hard to model the flow of this stuff and it can be hard to get a sense reading through the product offerings, maybe I can ask and you'll know enough to give me an overview?
Currently I run a server on a digital ocean box I access via a custom domain with a let's encrypt cert (too much detail about this setup is here: https://zalberico.com/essay/2020/06/06/urbit-on-the-cloud.ht...). It'd be cool to have this run on my home Mac Mini and just access it from the web.
What is actually going on to require this? I still need the custom domain, but now that custom domain is routing somewhere else right? Either to some software that's still running on digital ocean that handles this (wireguard?) that I'd have to configure or some service that deals with this? What are the actual pieces that are required for this to work and if you wanted to do it and control it yourself what do you need to know to do it safely?
Any pointers in the right direction/high level explanation would be helpful - there are a lot of unknown unknowns when searching or just services you pay for that abstract it away with some tradeoff in control (at which point I might as well just leave it on digital ocean).
I'd say the most important thing, meaning the one with the biggest influence on what you end up doing, is how you connect your home Mac to the internet.
If my understanding is correct, you want this server to be publicly accessible, i.e. by anyone, not just you or a limited, well-defined set of people. If that's the case, you don't need Tailscale, which can be seen more like a VPN.
If you don't have CG-NAT (meaning your home router gets a public, routable IP) you can probably set up port forwarding to your Mac and some script that would update your DNS entry if your IP isn't static.
If you DO have CG-NAT, or for some other reason you cannot forward any ports, you'll have to use something external to at least route the traffic. I've glossed over your link, so this may not work, but you could look at proxying your traffic with Cloudflare. Look up cloudflared. If that doesn't work, then yes, something like wireguard between your DO VM and your home Mac could work.
All in all, I think this is more or less a classic "home server" setup, so you should be searching for "hosting a server at home" or similar.
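The "do you have CG-NAT?" question above is the one that decides everything, so here is the check as runnable code. This is an added example for the thread, not code from any of the posters; the router WAN address and the externally observed address are constructed inputs (on a real network you read the first from the router's status page and get the second from a "what is my IP" lookup).

```python
"""Classify the address on a home router's WAN side to tell whether port
forwarding can work or whether the ISP has put you behind CG-NAT.

Added example for the thread above, not code from any poster. Inputs are
constructed: on a real network `wan_ip` comes from the router's status page and
`observed_ip` from an external 'what is my IP' lookup.
"""
import ipaddress

# RFC 6598 shared address space used by ISPs for CG-NAT. Tailscale hands out
# node addresses from the same range, so a 100.x address on *your own*
# tailscale0 interface means nothing here; only the router's WAN address counts.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """Return 'cgnat', 'private', 'loopback', 'link_local' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this helper only classifies the IPv4 WAN address")
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in LOOPBACK:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link_local"
    return "public"


def can_port_forward(wan_ip: str, observed_ip: str):
    """(ok, reason): ok is True only if the router itself holds the public address."""
    kind = classify(wan_ip)
    if kind == "cgnat":
        return False, "WAN address is in 100.64.0.0/10: ISP CG-NAT, forwarded ports are unreachable from the internet"
    if kind != "public":
        return False, f"WAN address is {kind}: there is another NAT/router upstream of yours"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return False, "WAN address is public but differs from the externally observed one: upstream NAT or proxy"
    return True, "router holds the public address: port forwarding plus dynamic DNS will work"


if __name__ == "__main__":
    # Constructed sample readings (198.51.100.0/24 is a documentation range).
    for wan, seen in (("198.51.100.7", "198.51.100.7"),   # directly on the internet
                      ("100.72.3.4", "198.51.100.7"),     # CG-NAT
                      ("192.168.0.2", "198.51.100.7")):   # double NAT (ISP box in front)
        ok, why = can_port_forward(wan, seen)
        print(f"{wan:>14} -> {'forward' if ok else 'need Tailscale/cloudflared/VPS relay'}: {why}")
```

If the result is False, none of the port-forwarding/dynamic-DNS advice applies and you are in the "something external must route the traffic" case: Tailscale's NAT traversal, cloudflared, or a WireGuard tunnel to the DO box.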
I have a similar setup. I have a server at my house that I want to be able to access from anywhere.
What I did was:
1. Install Tailscale on my devices (server, laptop, phone, etc.)
2. Set up a cert with Let's Encrypt and import it into Apache. I use AWS Route53, so this was as easy as setting up my AWS credentials and running the certbot CLI.
3. Set up A & AAAA records pointing to my server's Tailscale IPv4 and IPv6 addresses. This is fine even though these addresses are only accessible through Tailscale. You'll obviously still need to be connected to Tailscale, but you can just use your custom domain name to connect.
4. Done!
I use this server for media streaming and file syncing. I manage it with Ansible; I even have GitHub Actions set up to run my Ansible playbook whenever I commit!
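Step 3 of the setup above in code: the Route53 change that publishes the server's Tailscale addresses under a public name, with a guard so you cannot accidentally publish a LAN or public address instead. This is an added example, not the poster's own tooling; the hostname, the addresses and the hosted zone id are constructed, the Tailscale ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48) are assumed from Tailscale's documented address assignment, and the boto3 call at the end is shown in a comment rather than executed.

```python
"""Build the Route53 ChangeBatch that points a hostname at a node's Tailscale-only
addresses (A + AAAA). Added example; hostname, addresses and zone id are constructed.
"""
import ipaddress
import json

# Ranges Tailscale assigns to nodes (assumption, see lead-in). Anything outside
# them is refused so a typo cannot publish your LAN or public address.
TS_V4 = ipaddress.ip_network("100.64.0.0/10")
TS_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")


def _tailscale_only(addr: str, family: int, allowed) -> str:
    """Normalise `addr` and raise unless it is an IPv{family} address inside `allowed`."""
    ip = ipaddress.ip_address(addr)
    if ip.version != family or ip not in allowed:
        raise ValueError(f"{addr} is not a Tailscale IPv{family} address; refusing to publish it")
    return str(ip)


def tailscale_change_batch(fqdn: str, ipv4: str, ipv6: str, ttl: int = 300) -> dict:
    """ChangeBatch for route53.change_resource_record_sets(): UPSERT the A and AAAA records."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."   # Route53 wants the trailing dot
    records = [("A", _tailscale_only(ipv4, 4, TS_V4)),
               ("AAAA", _tailscale_only(ipv6, 6, TS_V6))]
    return {
        "Comment": "hostname resolves to Tailscale-only addresses",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": rtype,
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": value}],
                },
            }
            for rtype, value in records
        ],
    }


if __name__ == "__main__":
    # Constructed sample: the addresses `tailscale ip -4` / `tailscale ip -6` would print.
    batch = tailscale_change_batch("media.example.com", "100.101.102.103", "fd7a:115c:a1e0::1234")
    print(json.dumps(batch, indent=2))
    # Real call, not executed here (needs AWS credentials and your hosted zone id):
    # import boto3
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="Z0000000000000EXAMPLE", ChangeBatch=batch)
```

The same credentials certbot's Route53 plugin uses for the DNS-01 challenge are enough for this UPSERT, and because the records only ever carry Tailscale addresses, the public DNS entry reveals nothing reachable from outside the tailnet.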
---
[0] https://tailscale.com/kb/1118/custom-derp-servers/
[1] https://github.com/tailscale/tailscale/tree/main/derp