

I bought an ASRock N100 board and put 2 additional NICs on it. Then I configured IPFire with the red, green and orange mode (red = WAN, green = LAN and orange = DMZ). That way I can self-host a VPS inside the DMZ and run the LAN network without a VLAN. I don't know if that's the best way to do it, but there are so many new things to learn that I still don't know anything about, and I want to keep it as simple as possible.
You could start with a simple thin client with multiple NICs at a similar price to my N100 with 4GB RAM, but I wanted the ability to swap some parts if needed, and thin clients are rather limited in that aspect.

I don't have that much knowledge about security, but would it be reasonable to expose a single Raspberry in a DMZ behind a firewall as a Headscale VPS?
I mean, it would be hard for an attacker to get past the physical firewall into the main network, right?
On the other hand, they wouldn't need to get past the firewall if they take over the Headscale server… Edit: but that would also happen if a VPS hosted somewhere else got infected, right?