I get asked about the best home VPN setup more than almost anything else, and the question usually arrives pre-confused. Someone watched a YouTube sponsor read, bought a NordVPN subscription, and now wants to know why they still can't reach their Synology NAS from a hotel room. The answer is that they bought the wrong product for the job—not a bad product, just one that solves a completely different problem.

So before we touch a single config file, let's fix the vocabulary. There are two things people call a "VPN":

  1. A remote access VPN. A tunnel into your home network so you can reach your NAS, cameras, Home Assistant, and printers from anywhere. You host this yourself. WireGuard and Tailscale live here.
  2. A commercial privacy VPN. A tunnel out through someone else's server so your ISP can't see your browsing and websites see the VPN provider's IP instead of yours. Mullvad, NordVPN, Proton VPN.

These are different tools. A Mullvad subscription will never let you reach your home file server. A WireGuard server on your router will never make Netflix think you're in the UK. I'll say it bluntly: if your goal is remote access to your own network, do not buy a commercial VPN. If your goal is hiding traffic from your ISP or geo-shifting, do not bother self-hosting—your home VPN server exits through your own ISP connection, which hides exactly nothing from them.

Most homeowners I work with actually want the first kind and were sold the second. This article covers both, but the self-hosted side gets most of the ink because that's where the real value is.

The Quick Answer

If you want my recommendation without the 2,500 words behind it:

  • You own a UniFi Dream Machine (any variant): turn on the built-in WireGuard server. It's already in your router, it takes ten minutes, and it costs nothing.
  • You have a mixed bag of hardware, family members on different networks, or a CGNAT connection: use Tailscale. It's the easiest remote-access VPN that has ever existed, and the free tier covers almost every household.
  • You genuinely need to hide browsing from your ISP or appear to be in another country: Mullvad, about $5.48/month, no account email required, flat pricing since 2009.

Now the details, because the details are where people get burned.

Option 1: WireGuard on a UniFi Dream Machine

If you run a UniFi Dream Machine Pro (~$379), a UniFi Dream Machine SE (~$499), or even the little UniFi Express, you already own a WireGuard server. Ubiquiti built it into UniFi OS, and it's genuinely good. I run this on my own network and on most client networks I manage.

Setting it up

In the UniFi Network application: Settings → VPN → VPN Server. Enable it, pick WireGuard as the protocol, and UniFi generates the server keys and picks a UDP port (51820 by default). Leave the port alone unless you have a reason not to.

Adding a client is the part that used to be painful with OpenVPN and is now almost embarrassing. Click Add Client, name it ("ryans-iphone"), and UniFi generates the keypair and shows a QR code. On your phone, install the official WireGuard app, tap the plus button, scan the QR code, done. Total time per device: under a minute. For laptops, download the .conf file and import it into the WireGuard desktop client.

Two things to check before you call it finished:

  • Dynamic IP? Most residential connections have one. Set up UniFi's built-in dynamic DNS (Settings → Internet → your WAN → Dynamic DNS) or use a provider like DuckDNS, and put the hostname in your client configs instead of the raw IP. Otherwise the tunnel dies the day your ISP rotates your address.
  • CGNAT? If your ISP puts you behind carrier-grade NAT—common on Starlink, T-Mobile Home Internet, and many fiber ISPs now—inbound connections can't reach you, and a self-hosted WireGuard server is dead on arrival. Check whether your WAN IP in the UniFi dashboard matches what whatismyip.com shows you. If they differ, skip ahead to Tailscale, because its NAT traversal exists for exactly this situation.

Why WireGuard and not OpenVPN or L2TP

UniFi still offers OpenVPN and L2TP as VPN server options. Ignore them. WireGuard is roughly 4,000 lines of code versus OpenVPN's several hundred thousand, it lives in the Linux kernel, it reconnects instantly when your phone hops between LTE and WiFi, and it's dramatically faster. OpenVPN is single-threaded, so it bottlenecks on one CPU core no matter how many your router has—on most consumer hardware that means 100–200 Mbps if you're lucky. WireGuard on the same hardware is often 3–5x faster. There is no case in 2026 where I'd deploy OpenVPN for a new home setup.

Option 2: Tailscale, the VPN for People Who Don't Want to Run a VPN

Tailscale is WireGuard underneath, but instead of one server and many clients, it builds a mesh—every device gets an identity and can talk directly to every other device on your "tailnet," wherever they are. Your laptop at a coffee shop connects peer-to-peer to your NAS at home, encrypted end to end with WireGuard, without you forwarding a single port.

The magic is the NAT traversal. Tailscale's coordination server helps devices punch through NAT to establish direct connections, and when that's impossible—hostile double NAT, corporate firewalls—traffic falls back to Tailscale's DERP relay servers. Relayed traffic is slower, but it always works. This is why Tailscale is the answer for CGNAT connections: nothing inbound ever has to reach your router.

Setup: install the Tailscale client on each device (there are packages for basically everything—Windows, macOS, iOS, Android, Linux, Synology, even Apple TV), sign in with Google, Microsoft, or GitHub SSO, and the device joins your tailnet. That's the whole procedure. My non-technical brother-in-law set it up on his own. I have never once said that about OpenVPN.

Pricing: the free Personal plan covers up to 100 devices and 3 users. For a household, that's effectively unlimited. You pay nothing until you're running a small business on it, and even then the paid tiers are reasonable.

The honest trade-off: Tailscale's coordination server is a third party. It never sees your traffic—WireGuard keys are generated on-device and traffic is end-to-end encrypted, including through DERP relays—but it does control the control plane. If that bothers you, the coordination server is replaceable with the open-source Headscale project. For most people, that's a purity exercise, not a security requirement. I run stock Tailscale.

Subnet routers: reaching devices that can't run Tailscale

Your smart plugs, cameras, and printer will never run a Tailscale client. The fix is a subnet router: one always-on device on your LAN (a Raspberry Pi, your NAS, a home server) that advertises your whole home subnet to the tailnet.

On the subnet router:

sudo tailscale up --advertise-routes=192.168.1.0/24

Then approve the route in the Tailscale admin console (Machines → the device → Edit route settings). On Linux, also enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Now any device on your tailnet can reach anything on 192.168.1.0/24—the cameras, the printer, the ancient thermostat—as if it were home. If you've segmented your network into VLANs (and you should have), advertise each subnet you actually need remote access to, and only those. Your IoT VLAN full of questionable firmware probably doesn't need to be reachable from your phone.

Tailscale ACLs: the part everyone skips and shouldn't

By default, every device on your tailnet can talk to every other device. Fine for one person, not fine once your kids' laptops and a shared gaming server are on it. Tailscale ACLs are a JSON policy file edited in the admin console (Access Controls tab), and they're worth thirty minutes of your time.

The pattern I use: tag devices by role, then write rules against tags instead of individual machines. A minimal real-world policy:

{
  "tagOwners": {
    "tag:server":   ["autogroup:admin"],
    "tag:family":   ["autogroup:admin"]
  },
  "acls": [
    // I can reach everything
    {"action": "accept", "src": ["ryjwalsh@gmail.com"], "dst": ["*:*"]},
    // Family devices can reach the media server, nothing else
    {"action": "accept", "src": ["tag:family"], "dst": ["tag:server:8096"]}
  ]
}

Tag a device at join time with tailscale up --advertise-tags=tag:server (tags must be declared in tagOwners first). Once a machine is tagged, it stops being tied to a user identity—useful for servers that should outlive any one person's login. The default policy Tailscale ships is allow-all; replacing it with explicit rules is the single highest-value hardening step on a tailnet.

Commercial VPNs: What They're Actually For

Time to deal with the elephant funded by podcast sponsorships.

Commercial VPNs—NordVPN, ExpressVPN, Surfshark, Mullvad, Proton VPN—route your outbound traffic through their servers. Legitimate uses:

  • Hiding browsing metadata from your ISP. In the US, ISPs can legally sell aggregated browsing data. If that bothers you, a VPN moves the trust from your ISP to the VPN provider. That's a trade, not an elimination—pick a provider worth trusting.
  • Geo-shifting. Watching another region's catalog, testing geo-targeted content, getting around regional blocks.
  • Genuinely hostile networks. Certain countries, certain corporate or campus networks that inspect and filter traffic.

What they are not, despite the ads: essential armor against coffee-shop hackers. It's 2026. Practically every site you use is HTTPS, browsers scream at you about the exceptions, and the "hacker stealing your banking password on public WiFi" scenario the ads describe has been mostly dead for a decade. "Military-grade encryption" is marketing noise—it means AES-256, which is what your browser already uses on every HTTPS connection, VPN or not. A commercial VPN on public WiFi hides which sites you visit from the local network operator. That's a modest, real benefit. It is not what the ad implied.

If you want one, my pick is Mullvad: about $5.48/month (they price in euros—€5 flat, unchanged since 2009), no email address required to sign up, numbered accounts, cash payments accepted, and they've passed real-world tests of their no-logging claims, including a 2023 police raid that left with nothing because there was nothing to take. NordVPN is fine and fast, but the perpetual "78% off!!" coupon pricing and fear-based marketing annoy me professionally. Skip anything free—if you're not paying, your traffic is the product.

And to repeat the blunt version: a commercial VPN gives you zero remote access to your home network. Different product, different problem.

Split Tunnel vs. Full Tunnel

Every VPN client makes you choose, usually without explaining it.

  • Full tunnel: all device traffic goes through the VPN. Your Netflix stream, your Zoom call, everything rides the tunnel back home and out through your home ISP. Maximum coverage, maximum overhead—your remote speed is capped by your home upload bandwidth, which on many US connections is the sad number (35 Mbps up is still common on cable).
  • Split tunnel: only traffic destined for your home subnets goes through the tunnel; everything else uses the local connection directly. In WireGuard, this is the AllowedIPs line—0.0.0.0/0 is full tunnel, 192.168.1.0/24 is split. Tailscale is split-tunnel by default and only routes tailnet and advertised-subnet traffic, unless you enable an exit node.

My default recommendation is split tunnel for daily use. It's faster, it doesn't chew battery re-encrypting your YouTube stream, and it still gets you to everything at home. Switch to full tunnel (or a Tailscale exit node, which turns any tailnet machine into your egress point) when you're on a network you actively distrust or you want ad-blocking from your home Pi-hole applied everywhere.

Real Performance Numbers

VPN throughput is a CPU story, not a bandwidth story. Conservative real-world figures I've measured or seen consistently reproduced:

  • UniFi Dream Machine Pro / SE: roughly 600–800 Mbps of WireGuard throughput. Plenty for any residential connection's upload, and honestly plenty period. The base UDM and UniFi Express land lower but still comfortably beat any home upload link.
  • Raspberry Pi 4 (~$55–75): around 300–400 Mbps on WireGuard, limited by its CPU and gigabit NIC. As a Tailscale subnet router or standalone WireGuard box, that's more than enough for a household. The same Pi running OpenVPN manages maybe 60–100 Mbps—single-threaded strikes again.
  • A modest x86 box (an Intel N100 mini PC, an old office desktop with an i5): WireGuard saturates gigabit without breaking a sweat, and a current-gen chip will push multiple gigabits. If you're one of the lucky people with symmetric 2 Gbps fiber and you want to actually use it remotely, this is the tier you shop in.

The pattern: WireGuard is fast enough on almost anything, OpenVPN is slow on almost everything, and your home upload speed is usually the real ceiling—not the hardware. Also remember Tailscale DERP relays: if your connection is being relayed (check with tailscale status; direct connections show the peer's real IP), expect a fraction of these numbers. Direct connections perform like plain WireGuard, because that's what they are.

Comparison Table

WireGuard on UDM Tailscale Commercial VPN (Mullvad)
Primary use case Remote access to home LAN Remote access + device mesh across networks Privacy from ISP, geo-shifting
Setup difficulty Easy if you own a UDM (10 min, QR codes) Easiest option available Trivial (install app)
Cost $0 (with existing UDM hardware) Free up to 100 devices / 3 users ~$5.48/mo
Throughput 600–800 Mbps on a UDM Pro WireGuard-speed when direct; slower via DERP relay 200–800 Mbps typical, server-dependent
Works behind CGNAT No Yes Yes
Remote access to home devices Yes Yes (subnet router covers non-client devices) No
Hides traffic from your ISP No No (unless using an exit node elsewhere) Yes
Third-party dependency None Coordination server (self-hostable via Headscale) Entire provider

What I Actually Run

My own setup, for the curious: a UniFi Dream Machine Pro with its WireGuard server enabled as the primary remote-access path—it's on the router, it has no extra moving parts, and it survives reboots of everything else. Tailscale runs alongside it on my NAS as a subnet router, partly as a belt-and-suspenders fallback and partly because sharing a single Jellyfin server with family in two other states via tailnet sharing is something plain WireGuard can't do gracefully. And a Mullvad account that gets used a handful of times a year, on networks I don't trust or when I need a different exit country.

That redundancy costs me $0/month plus occasional Mullvad top-ups. The failure mode where I'm locked out of my own network requires both my router and my NAS to be down simultaneously—at which point remote access is not my biggest problem.

Common Mistakes to Avoid

  • Exposing services directly instead of using a VPN. Port-forwarding your NAS admin page or an RDP port to the internet is how home networks end up in ransomware statistics. A VPN means exactly one hardened, key-authenticated port exposed—or zero, with Tailscale.
  • Skipping dynamic DNS on a self-hosted setup. Works great for three weeks, then your IP changes while you're traveling and you're locked out.
  • Leaving Tailscale's default allow-all ACL on a tailnet with more than one user.
  • Advertising your entire network as a subnet route when you only need one VLAN. Least privilege applies at home too.
  • Not testing from outside. Verify the tunnel from your phone on cellular data before you trust it from an airport. Every consultant has a story about this one; mine involves a client, a cruise ship, and $18 of satellite WiFi spent discovering a typo'd endpoint hostname.

Remote access is also only one layer—if the network behind the tunnel is a mess, the VPN is a fast lane into a mess. Home Network Security Checklist covers the rest, and How to Secure Your Home WiFi handles the wireless side.

Bottom Line

The best home VPN setup for most people in 2026 is boring: enable WireGuard on the router you already own if it's a UniFi Dream Machine, or install Tailscale on everything if it isn't. Add a subnet router for the devices that can't run a client, spend half an hour on ACLs, use split tunneling day to day, and treat commercial VPNs as the separate, occasional privacy tool they actually are—not the security blanket the sponsor reads promised.

If you want help designing or hardening a setup like this, that's literally what I do. Get in touch through the contact page.

Ryan Walsh is the Director of Unified Security at MOSS Telecommunications and runs Ryno Systems, a home networking and security consultancy.