Yeah, one of the issues I was having with running VPN on router is that you need a somewhat beefy router if you want to use your full bandwidth—my router maxes out at about 90Mbps with WireGuard, even though it can NAT around 1Gbps (which is our service).

I implemented two workarounds, one was to use my access point as a VPN router since it had a beefier CPU, and the other was to just use an ARM SBC with Linux to handle that task. (I ended up with the latter, as the former ended up maxing out at around 400Mbps, and introduced some additional headaches.)

I also have an SSID that doesn’t get VPN’d, though my DNS is always VPN’d.

As for accessing JellyFin, etc., I think we have somewhat different setups. My self hosted services are by default accessible without a VPN (SSID is on a VLAN with e.g. 192.168.0.0/24, servers are on 192.168.1.0/24, router routes between them). For the blanket VPN’d SSID I have a routing rule that routes over the main, not VPN, table, so local services can be accessed.

So: local traffic has a rule to route without VPN, reddit routes with a specific VPN, and general traffic routes with a different VPN.

There are lots of VLANs involved in my setup, and I’m sure it’s overly complicated and has gaping security issues, but it’s just a home network and it’s kinda fun :(

I have this set up on my router. My wifi is blanket tunneled through a VPN. For annoying sites that restrict access like reddit, my router routes through a specific VPN server that doesn’t (yet) get blocked (I don’t post/comment/browse, but occasionally find a post that answers a question). That way it works on my whole home network, regardless of device.

Same could be done for YouTube presumably, but maybe a little more complicated (reddit seems to work with a single /32 address).

Plus, it’s fun to set up—MikroTik router, Mullvad, and an ARM SBC doing the VPN duties for me, but myriad ways to get it working for other configurations.

deleted by creator

Per the Linux kernel coding style:

Tabs are 8 characters, and thus indentations are also 8 characters. There are heretic movements that try to make indentations 4 (or even 2!) characters deep, and that is akin to trying to define the value of PI to be 3.

Maybe not a service in the typical sense, but setting up your router+server to route your home network traffic through a VPN is a fun project.

My router (MikroTik) supports WireGuard, so I can use it with Mullvad for the whole house—but wg is demanding and it’s a slow router, so while it can NAT at ~1Gbps, it can’t do WireGuard at more than ~90Mbps. So, I set up WireGuard/Mullvad on a little SBC with a fast processor, and have my router use that instead. Using policy based routing and/or mangling, I can have different VLANs/subnets/individual hosts selectively routed through the VPN.

It’s a fun exercise, not sure I implemented it in a smart way, but it works :)

I know right? What a poser!

/s

I used Photoprism years ago, so my knowledge is probably pretty outdated.

My experience of Photoprism was that mobile was not tightly integrated. At the time I used Syncthing to sync photos — it worked ok for me, but I wasn’t going to set it up on my partner’s phone, for example.

Immich Just Works on both mobile and desktop. Multi user is great, sharing is great, and the local ML and face detection work remarkably well.

Whatever works for you is the best of course! Immich fits the bill for me, and it was very much worth it for me to “buy” it.

Regarding DNS servers, what router do you have? Some routers have simple enough DNS capabilities — I have a MikroTik, and have it set up with DNS entries for internal services (including wildcard). Publicly accessible services just use my registrar’s DNS (namecheap — no complaints).

Oracle Free tier, amd64. Only use it because it’s free—limited bandwidth, but given I have slow upload at home it’s never really been a bottleneck. Hate to admit it given it’s Oracle, but I’ve been completely happy with it.

If I switch to a paid VPS I will probably go with racknerd (suggestions welcome though if you have thoughts).

Especially after adding in all the power draw of the automation requires…

What exactly is the incremental power draw for automation? My network gear and server (a little nuc) are sunk power costs as I self host other services.

Idling, my home uses around 100W with the fridge off. One 10W light is an additional 10% of my power budget, and I have a lot more than one light in my house. I also pay about $0.40/kWh.

I can be a bit neurotic about turning off lights when I leave a room, so Home Assistant was a nice way to free up brain space for me. A few motion sensors here and there + some simple automations, and the lights mostly handle themselves. Zigbee sensors and Zigbee or Matter-over-WiFi bulbs, so everything is local. A free VPS+WireGuard setup means I can access them remotely should I need to, with TailScale as a backup.

Cloud failures mean I can’t access remotely, but local control is unaffected—if my smart devices stop working it’s almost certainly my fault :)

There’s an interesting discussion in the comments about the architecture: https://www.cnx-software.com/2025/10/20/banana-pi-bpi-r4-pro-board-offers-2x-10gbe-sfp-cages-6x-10gbe-2-5gbe-gbe-ports-wifi-7-support/

Sounds like there are bottlenecks, and you can’t run all ports at line speed. User TLS says:

Is it just me, or is the MaxLinear MxL86252C switch connected to one of the 10 Gbps PHYs? The MT7988 only has a single 2.5 Gbps MAC and it’s shared with the second 10 Gbps MAC. It seems like they’re routing a 10 Gbps signal to the MxL86252C, which has two 10 Gbps SerDes interfaces, making the second set of 10 Gbps connected via the switch. This suggests that if the 10 Gbps port is running at full speed, you won’t be able to use the 2.5 Gbps ports.

I’ve been really impressed with Immich, can’t recommend it enough.

I’d put substitute first, but yours sounds better :)

(I’m a big Immich fan, and I’m taking and sharing photos more than ever before, in part because Immich is awesome, self hosted, and open source [the other part is that I have kids now so I’m taking way more photos that grandparents want to see].)

That only appears to apply to hard drives though.

If you want to use M.2 SSDs for your storage pool and cache, then you still need to use a Synology-certified SSD (which doesn’t necessarily mean that it needs to be Synology branded, just tested and certified).

From https://liliputing.com/synology-backtracks-and-adds-3rd-party-hard-drive-support-to-its-2025-nas-lineup-network-attached-storage/

On low end CPUs you can max out the CPU before maxing out network—if you want to get fancy, you can use rsync over an unencrypted remote shell like rsh, but I would only do this if the computers were directly connected to each other by one Ethernet cable.

Not sure I agree.

First, stocks tend to be highly correlated with “the market” (see financial “β”/“beta coefficient”). For example, look at, say, The Home Depot or Ford Motors. From January 2000 to January 2003 (spanning the dot com bubble) they each lost about a third of their value, yet these are not “dot com”-centric companies.

Second, the promise of AI is that it will help every company that has desk jobs. So every company has this expectation now priced into their stock, and if the bottom falls out, well…

Not an analyst/I don’t pick stocks, but just my 2¢.

If you’re running it via docker compose it’s trivial to upgrade, and there are no breaking changes. Pull, down, up, you’re done.

Frigate is pretty good, too. I’ve only been running it for a few months but I’m very happy with it.