12 KiB
12 KiB
SearXNG Networking Architecture Comparison
Executive Summary
This document compares two networking architectures for SearXNG deployment in a home lab environment:
- Current Architecture: SearXNG + Tailscale VPN + Internal Reverse Proxy
- Alternative Architecture: SearXNG + Self-hosted WireGuard VPN + Tailscale Exit Node
Both solutions provide privacy and security, but with different trade-offs in complexity, control, maintenance, and features.
Architecture Comparison
Current Architecture: SearXNG + Tailscale + Internal Proxy
[Client Device]
↓ (Tailscale VPN - encrypted mesh)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (HTTP proxy requests)
[Internal Reverse Proxy]
↓ (Outbound NAT to internet)
[Search Engines]
Alternative Architecture: WireGuard + Tailscale Exit Node
[Client Device]
↓ (Self-hosted WireGuard VPN)
[Home Lab Network]
↓ (Internal HTTP/HTTPS)
[SearXNG Service]
↓ (Direct or via local proxy)
[Reverse Proxy as Tailscale Exit Node]
↓ (Tailscale tunnel to internet)
[Search Engines]
Detailed Analysis
1. Privacy & Anonymity
Current Architecture (Tailscale + Internal Proxy)
Benefits:
- ✅ Complete traffic isolation within home network
- ✅ No external VPN provider sees your search traffic
- ✅ Search engines see your reverse proxy's IP, not client IP
- ✅ Tailscale encrypted mesh network for client access
- ✅ Zero-log proxy configuration possible
Limitations:
- ⚠️ Depends on Tailscale service availability
- ⚠️ Tailscale company could theoretically see connection metadata
Alternative Architecture (WireGuard + Exit Node)
Benefits:
- ✅ Complete control over VPN infrastructure
- ✅ No third-party VPN service dependencies
- ✅ Search engines see Tailscale exit node IP
- ✅ Full traffic encryption with WireGuard
- ✅ Open-source VPN solution
Limitations:
- ⚠️ Search traffic still routes through Tailscale infrastructure
- ⚠️ More complex key management and client configuration
2. Security
Current Architecture
Strengths:
- 🔒 Tailscale's battle-tested security (WireGuard-based)
- 🔒 Network access controlled by Tailscale ACLs
- 🔒 Internal HTTP proxy reduces attack surface
- 🔒 Service-level IP restrictions (systemd)
- 🔒 Defense in depth with multiple layers
Vulnerabilities:
- 🚨 Single point of failure if Tailscale keys compromised
- 🚨 Dependency on Tailscale's infrastructure security
Alternative Architecture
Strengths:
- 🔒 Self-controlled WireGuard ensures no external dependencies
- 🔒 Tailscale exit node provides IP obfuscation
- 🔒 Full control over VPN server hardening
- 🔒 Can implement custom authentication/authorization
Vulnerabilities:
- 🚨 Self-managed security requires more expertise
- 🚨 Manual key rotation and certificate management
- 🚨 Potential for misconfiguration without managed service
3. Operational Complexity
Current Architecture
Complexity Level: 🟢 Low-Medium
Setup Requirements:
- Install Tailscale on devices (simple)
- Configure SearXNG service (NixOS module)
- Configure internal HTTP proxy (Squid/Nginx)
- Set firewall rules for internal access
Ongoing Maintenance:
- Tailscale handles device management
- Automatic key rotation and updates
- Monitor proxy and SearXNG services
- Regular NixOS system updates
Time Investment:
- Initial setup: 2-4 hours
- Monthly maintenance: 30 minutes
Alternative Architecture
Complexity Level: 🟡 Medium-High
Setup Requirements:
- Deploy and configure WireGuard server
- Generate and distribute client configurations
- Configure Tailscale exit node on reverse proxy
- Set up proper routing and firewall rules
- Implement client key management system
Ongoing Maintenance:
- Manual WireGuard key rotation
- Client configuration updates
- Monitor VPN server performance
- Troubleshoot connectivity issues
- Maintain exit node Tailscale connection
Time Investment:
- Initial setup: 8-16 hours
- Monthly maintenance: 2-3 hours
4. Performance
Current Architecture
Performance Characteristics:
- 🚀 Single VPN hop (Tailscale)
- 🚀 Low latency for internal services
- 🚀 Mesh networking optimizes routes
- 🚀 HTTP proxy adds minimal overhead
- 📊 Bandwidth: ~95% of base connection
Network Path:
Client → Tailscale → Home Lab → Internet
(1 encryption layer, optimized routing)
Alternative Architecture
Performance Characteristics:
- 🐌 Double VPN tunneling overhead
- 🐌 Additional latency from two hops
- 🐌 More complex routing decisions
- 🐌 Potential bandwidth limitations
- 📊 Bandwidth: ~80-85% of base connection
Network Path:
Client → WireGuard → Home Lab → Tailscale Exit → Internet
(2 encryption layers, suboptimal routing)
5. Reliability & Availability
Current Architecture
Availability Factors:
- ✅ Tailscale has 99.9%+ uptime
- ✅ Redundant Tailscale infrastructure
- ✅ Local services independent of external connectivity
- ✅ Automatic failover and reconnection
- ⚠️ Single point of failure: Tailscale service
Failure Scenarios:
- Tailscale outage → No external access to SearXNG
- Internal proxy failure → No search functionality
- Home internet outage → Complete service loss
Alternative Architecture
Availability Factors:
- ✅ Self-hosted VPN eliminates external dependencies
- ✅ Can implement custom redundancy
- ⚠️ Requires more manual monitoring
- ⚠️ Two services must be operational (WireGuard + Tailscale)
Failure Scenarios:
- WireGuard server failure → No VPN access
- Tailscale exit node failure → No internet routing
- Either service down → Complete service loss
6. Cost Analysis
Current Architecture
Financial Costs:
- 💰 Tailscale Personal: Free (up to 3 users, 100 devices)
- 💰 Tailscale Teams: $6/user/month (for larger deployments)
- 💰 Infrastructure: Existing hardware
- 💰 Total Monthly Cost: $0-18
Resource Costs:
- Minimal CPU/RAM overhead
- Existing reverse proxy hardware
- No additional server requirements
Alternative Architecture
Financial Costs:
- 💰 WireGuard: Free (open source)
- 💰 Tailscale: Free for exit node functionality
- 💰 Infrastructure: Existing hardware
- 💰 Total Monthly Cost: $0
Resource Costs:
- Additional CPU for double encryption
- More complex monitoring requirements
- Higher administrative time investment
7. Scalability
Current Architecture
Scaling Characteristics:
- 📈 Easy device addition via Tailscale
- 📈 Automatic device discovery and connectivity
- 📈 Centralized access control via Tailscale admin
- 📈 Supports up to 100 devices on free plan
- 🔧 Service scaling through load balancers
Alternative Architecture
Scaling Characteristics:
- 📈 Manual client configuration for each device
- 📈 Custom automation required for device management
- 📈 Unlimited device support (self-hosted)
- 🔧 More complex load balancing setup
- 🔧 Requires custom device provisioning system
8. Compliance & Audit
Current Architecture
Compliance Aspects:
- 📋 Tailscale provides audit logs and compliance features
- 📋 Centralized access control and monitoring
- 📋 Professional support available for Teams plan
- 📋 SOC 2 Type II compliance (Tailscale)
Alternative Architecture
Compliance Aspects:
- 📋 Complete audit trail control (self-hosted logs)
- 📋 Custom compliance implementations required
- 📋 No third-party compliance dependencies
- 📋 Requires internal audit and monitoring systems
Specific Use Case Analysis
For Home Lab Environment
Current Architecture Advantages
- Rapid Deployment: Get secure remote access in under an hour
- Family-Friendly: Easy to add family devices without technical knowledge
- Maintenance-Free: Updates and key rotation handled automatically
- Professional Features: Access controls, device management, audit logs
- Support: Community and professional support available
Alternative Architecture Advantages
- Complete Control: No external service dependencies
- Cost: Zero recurring costs regardless of scale
- Privacy: No metadata visible to any third party
- Customization: Full control over VPN server configuration
- Learning: Deeper understanding of VPN technologies
Recommended Decision Matrix
| Priority | Current (Tailscale + Proxy) | Alternative (WireGuard + Exit) |
|---|---|---|
| Ease of Use | ⭐⭐⭐⭐⭐ | ⭐⭐ |
| Privacy | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Performance | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ |
| Reliability | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| Cost (Long-term) | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Learning Value | ⭐⭐ | ⭐⭐⭐⭐⭐ |
| Time Investment | ⭐⭐⭐⭐⭐ | ⭐⭐ |
Implementation Recommendations
Stick with Current Architecture If
- You value simplicity and time efficiency
- You have family members or non-technical users
- You want professional-grade features without complexity
- You're satisfied with Tailscale's privacy model
- You need reliable, low-maintenance solution
Consider Alternative Architecture If
- You want complete control over your privacy infrastructure
- You enjoy learning and implementing complex networking
- You have unlimited time for setup and maintenance
- You want zero recurring costs
- You're concerned about any third-party service dependencies
- You need to comply with strict data sovereignty requirements
Hybrid Approach Option
A third option is to implement both architectures in parallel:
- Keep current Tailscale setup for daily use and family access
- Add WireGuard option for maximum privacy scenarios
- Use selective routing based on security requirements
This provides flexibility while maintaining the benefits of both approaches.
Migration Path (If Choosing Alternative)
Phase 1: Prepare Infrastructure
- Set up WireGuard server on dedicated hardware
- Configure exit node functionality on reverse proxy
- Test connectivity and performance
Phase 2: Gradual Migration
- Configure one test client with WireGuard
- Verify SearXNG access and functionality
- Monitor performance and stability
Phase 3: Full Deployment
- Generate client configurations for all devices
- Distribute and configure clients
- Decommission Tailscale (optional)
Phase 4: Optimization
- Fine-tune performance settings
- Implement monitoring and alerting
- Document procedures and troubleshooting
Conclusion
The current architecture (SearXNG + Tailscale + Internal Proxy) is recommended for most home lab users because:
- Proven Reliability: Battle-tested in production environments
- Time Efficiency: Minimal setup and maintenance overhead
- Professional Features: Access controls, audit logging, device management
- Performance: Single VPN hop with optimized routing
- Support: Professional support and large community
The alternative architecture (WireGuard + Exit Node) should be considered only if:
- You have significant networking expertise and time
- Complete control over infrastructure is a hard requirement
- You want to learn advanced VPN technologies
- You have specific compliance or sovereignty requirements
For most users, the current architecture provides the optimal balance of security, privacy, performance, and maintainability for a home lab environment.