Thanks, for now that’s what I will try to do, but using Netmaker. I think it’s overkill for what I need but it will be good practice.
Netmaker looks really nice. Has the lowest requirement, self-hosted and open-source. I will give it a shot but if the setup is too complicated I will just go with a separate profile and WireGuard.
Alternatively, I guess you could also do “split-route” by defining different peers in your Android WireGuard app, and use different AllowedIPs for them.
That’s exactly what I’ve been trying but it doesn’t work. Only one peer is able to do a handshake. It looks like it should work but I actually haven’t seen anyone recommending this or saying they managed to set it up. Everyone just ends up routing everything through a private VPN. I will read some more about Tailscale but I think it’s overkill for me. I will probably just use different VPNs in separate Android profiles.
Looks like most people are doing some version of option 3, routing everything through home network. I hoped there’s a simpler way but maybe I just have to go in this direction.
One question, the VPN client on your router routes everything from your network or just the phone?
So you’re using the Tailscale Android app as the only VPN and all traffic from your phone goes through your local network, yes?
Your Tailscale exit node is deployed on some server in your network, right? (I’ve set up my WG server on my router.) Does your router just port forward all Tailscale traffic to it?
The Android limitation is exactly what I found - only one VPN at a time. I checked the work profile trick and it does work, I can have two VPNs running. This is not ideal as apps from one profile still won’t use the commercial VPN but maybe I can live with that. I will do some more testing. Thanks for the tip.


I’m looking at doing something similar and I was looking at Yunohost but I think it doesn’t use any containers, just installs all the apps straight in the system. Which I didn’t like. I like the idea of separating apps. Can anyone confirm this?
After some digging I’ve decided to use https://cosmos-cloud.io/ which supports more apps (even Lemmy) and uses containers. So my plan is to have a private VM, public VM and run Cosmos in each.
Does it really matter if you disable Yunohost ports that are not exposed to the internet? You expose 80, 443 and VPN on the router and that’s it. Then I’m planning to run Caddy on OpenWRT to redirect traffic to internal ports.