2025-01-20, 05:16 PM
If by "overhead" you mean extra bytes of overhead for the VPN protocol per packet, AFAIK Tailscale directly implements WireGuard as is with no extra overhead. It's the config management that Tailscale automates and simplifies.
If you mean extra overhead in the sense of memory and CPU, I doubt it adds any meaningful overhead.
There are a few things you can do to strengthen security on the VPS.
- Set up PKI key logins
- Disable password logins
- Disable root login via SSH
- Use a non-standard port (preferably an ephemeral port 49152–65535)
That last one reduces the likelihood of a script kiddie even getting a chance to scan anything.
If you do set up PKI logins, and disable password logins, just make sure you put your private key on every device you would SSH to your VPS from. Or put it in an encrypted file in your cloud storage or something.
Using PKI for SSH makes life a lot easier. If you have friends that run servers and you need access to them for whatever reason, you can simply give them your public key. No need for them to set a password.
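As an added example (not part of the post above), here is a small Python check of an `sshd_config` against the four items in the list. The sample configs are constructed; the code assumes a single file with no `Include` directives and only reads settings that appear before any `Match` block.

```python
# Added example: audit sshd_config text against the four hardening items above.
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def parse_global(text):
    """Return (settings, ports) for the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        key, args = parts[0].lower(), parts[1:]    # keywords are case-insensitive
        if key == "match":                         # conditional blocks start here
            break
        if not args:
            continue
        if key == "port":
            ports.append(int(args[0]))             # Port may be listed several times
        else:
            settings.setdefault(key, args[0].lower())  # sshd uses the FIRST value
    return settings, ports or [22]

def audit(text):
    """Return a list of findings; an empty list means all four items hold."""
    settings, ports = parse_global(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["pubkeyauthentication"] != "yes":
        findings.append("key logins are disabled (PubkeyAuthentication)")
    if eff["passwordauthentication"] != "no":
        findings.append("password logins are enabled (PasswordAuthentication)")
    if eff["permitrootlogin"] != "no":
        findings.append("root login is not disabled (PermitRootLogin)")
    findings += [f"port {p} is outside 49152-65535" for p in ports
                 if not 49152 <= p <= 65535]
    return findings

# Constructed sample configs (not taken from any real server).
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("Port 50022\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nPermitRootLogin no\n")
# A later "no" does not override an earlier "yes": the first value wins.
APPENDED = ("Port=50022\nPasswordAuthentication yes\n"
            "PermitRootLogin no\nPasswordAuthentication no\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("appended", APPENDED)):
        print(name, audit(cfg) or "OK")
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check after editing the file.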