i dont have that much knowledge about security, but would it be reasonable to expose a single raspberry in a dmz behind a firewall as a headscale vps?

i mean it would be hard for an attacker to get past the physical firewall into the main network, right?

on the other hand they wouldnt need to get past the firewall if they take over the headscale server… edit: but that would also happen, if a vps hosted somewhere else, got infected, right?

boxes is great, if you just want to try a distro and are already on linux.

there are distros that run on debian sid, if you prefer debian as a distro, but want a more up to date experience.

im running pika os, because it offers up to date gaming tweaks, but doesnt force you to update as often. keep in mind: that os is not something i would recommend for a environment where stability is the goal, because there are only a few maintainers. its just an example of debian sid!

i bought a asrock n100 board and put 2 additional nics on it. then i configured ipfire with the red, green and orange mode. (red = wan, green = lan and orange = dmz) that way i can self host a vps inside the dmz and run the lan network without a vlan. i dont know if thats the best way to do it, but there are so much new things to learn i still dont know anything about and want to keep it as simple as possible.

you could start with a simple thin client with multiple nic‘s and get a similar price then my n100 with 4gb ram but i wanted the ability to swap some parts if needed and thin clients are rather limited in that aspect. edit: also i needed a nic with poe for my wan and thats hard to find in a regular thin client. i didnt search that hard though.

im in the same boat as you. tried opnsense for a week, but the webui is really not that friendly for a total beginner like me. im running ipfire right now, which offers less options but thats a + while im still learning the basics.