Here is a clean, simple, and secure plan to host a website from your home using Caddy as a reverse proxy on a cheap VPS, with Tailscale (Tailnet) handling the secure tunnel between the VPS and your home server.

This is one of the most popular and reliable ways to do home hosting in 2026.

Why This Setup?
- No port forwarding on your home router.
- Your home IP is never exposed publicly.
- Full custom domain + automatic HTTPS (Let’s Encrypt via Caddy).
- Very secure (everything between VPS and home is encrypted via WireGuard).
- Cheap and simple.
- Easy to expand to multiple services later.
Architecture Overview
Internet (browser)
        ↓ HTTPS (yourdomain.com)
VPS (public IP)
   └── Caddy (reverse proxy + auto HTTPS)
        ↓ Tailscale tunnel (encrypted)
Home Server (Tailscale IP: 100.x.x.x)
   └── Your website/app (e.g. port 3000 or 8080)
Recommended Tools
- VPS: Hetzner Cloud, DigitalOcean, or similar (~$3–6/month is plenty).
- Domain: Any cheap registrar (Namecheap, Porkbun, Cloudflare, etc.).
- Tailscale: Free for personal use.
- Caddy: On the VPS only (handles reverse proxy + certificates perfectly).
Step-by-Step Plan
1. Get a Domain + VPS
- Buy/register a domain.
- Spin up a cheap VPS running Ubuntu 22.04 or 24.04.
- Note down the public IPv4 of the VPS.
2. Install Tailscale on Both Machines
Run these commands on both the VPS and your home server:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
- Authenticate via the link in your browser.
- On your home server, get its Tailscale IP:
(Example output: 100.85.123.45)
3. Run Your Website on the Home Server
Run your site/app however you normally would (Docker, Node, static files with Caddy/Nginx, etc.). It just needs to listen on a port (e.g. 3000, 8080, 80, etc.) and be reachable from the Tailscale IP.
Example (if using a simple static site or Docker):
- Make sure it binds to 0.0.0.0 or the Tailscale interface.
4. Point Your Domain to the VPS
In your domain’s DNS settings, create an A record:
- Host: @ (or www)
- Value: Your VPS public IP
- TTL: Automatic or low
(Propagation usually takes 5–60 minutes.)
5. Install Caddy on the VPS
Run these commands on the VPS:
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy -y
Caddy will start automatically as a systemd service.
6. Configure Caddy (The Reverse Proxy)
Edit the config file:
sudo nano /etc/caddy/Caddyfile
Add this basic config:
yourdomain.com {
    reverse_proxy http://100.85.123.45:3000  # ← Replace with your home Tailscale IP + port
}
Save and reload:
sudo systemctl reload caddy
Caddy will automatically get a Let’s Encrypt certificate on the first request.
More advanced Caddyfile example (recommended):
yourdomain.com {
    encode gzip
    reverse_proxy http://100.85.123.45:3000
}
www.yourdomain.com {
    redir https://yourdomain.com{uri}
}
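7. (Strongly Recommended) Add Tailscale ACLs
Go to the Tailscale admin console → Access Controls and add something like this:
{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:vps"], // or the specific VPS Tailscale IP
      "dst": ["tag:home:3000", "tag:home:8080"]
    }
  ]
}
This ensures only your VPS can reach the services on your home server, provided the policy's allow-all rule is removed (access is denied unless some rule accepts it) and tag:vps and tag:home are declared under tagOwners and applied to the two machines.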
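An added example (not part of the original page or of Tailscale's tooling): a small Python audit of a policy file copied from the admin console, flagging any accept rule that lets a source other than tag:vps reach tag:home or opens ports beyond 3000 and 8080. The function names and both sample policies are constructed here, and the check matches literal src/dst strings only, so groups, host aliases, IP addresses and grants are assumed absent.

```python
import json
import re

_STRING = r'"(?:\\.|[^"\\])*"'

def load_hujson(text):
    """Parse a policy file: JSON plus // and /* */ comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return json.loads(re.sub(_STRING + r"|,(?=\s*[}\]])", keep, text))

def audit(policy_text, protected="tag:home", allowed_src=("tag:vps",),
          allowed_ports=("3000", "8080")):
    """List (rule index, reason) for accept rules that over-expose `protected`."""
    findings = []
    for i, rule in enumerate(load_hujson(policy_text).get("acls", [])):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")  # "tag:home:3000" -> host, ports
            if host not in ("*", protected):
                continue
            for src in rule.get("src", []):
                if src not in allowed_src:
                    findings.append((i, f"{src} can reach {dst}"))
            if any(p not in allowed_ports for p in ports.split(",")):
                findings.append((i, f"{dst} opens ports beyond {allowed_ports}"))
    return findings

# Constructed sample: the page's rule added below an allow-all rule.
WITH_ALLOW_ALL = """{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},  // allow-all left in place
    {"action": "accept", "src": ["tag:vps"], "dst": ["tag:home:3000", "tag:home:8080"]},
  ]
}"""

# Constructed sample: only the page's rule, with the tags declared.
LOCKED_DOWN = """{
  "tagOwners": {"tag:vps": ["autogroup:admin"], "tag:home": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["tag:vps"], "dst": ["tag:home:3000", "tag:home:8080"]},
  ],
}"""

if __name__ == "__main__":
    for name, text in (("with allow-all", WITH_ALLOW_ALL), ("locked down", LOCKED_DOWN)):
        print(name, audit(text) or "OK")
```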
Testing
- Wait for DNS to propagate.
- Visit https://yourdomain.com in a browser.
- You should see your site with a valid HTTPS certificate.
Alternative: No VPS Needed (Tailscale Funnel)
If you want something even simpler and don’t mind a *.ts.net domain:
On your home server only:
sudo tailscale funnel --bg 3000   # current CLI syntax: publishes http://localhost:3000 over HTTPS on port 443
This gives you a public URL like https://yourmachine.yourtailnet.ts.net.
Pros: Zero cost, very easy.
Cons: No custom domain (easily), bandwidth limits, less “professional” looking.
You can combine it with Caddy on the home machine if you want nicer local serving.
Security & Hardening Tips
- VPS: Use SSH keys only, disable password login, set up ufw firewall (allow your SSH port first, then ufw allow 80,443/tcp; ufw requires the protocol when several ports are listed).
- Use Tailscale ACLs (as shown above).
- On home server, you can restrict the web app to only listen on the Tailscale interface if desired.
- Keep everything updated.
Cost Estimate
- VPS: $3–6/month
- Domain: $8–12/year
- Total: Very cheap for what you get.
This setup is battle-tested by many self-hosters and works extremely well. Caddy + Tailscale is a fantastic combination.