0 Posts · 30 Comments · Joined 2 years ago · Cake day: June 15th, 2023


  • Warning: Cloudflare Tunnel ToS explicitly prohibits high-bandwidth activities on it, naming media streaming in particular. Some people take the chance anyway, until Cloudflare suddenly terminates their connection; it’s merely a low-stakes risk of using it.

    Also worth mentioning: Cloudflare has historically had some involvement with DMCA detection and takedown, so if you’re running a media server with them able to MitM your traffic, they’re almost certainly able to detect and scan it if they so choose. They’re a big company, so they may not do any relevant scanning on your Tunnel, or you may have only completely Public Commons content on your server, but it’s something you should be aware of.

    Related: I was doing something similar, also from Ohio, not that long ago. It turned out that most of the ISPs in Ohio have horrible reputations in global network routing, so they are given low priority and poor interconnects to other Internet routing companies. It affected both my incoming and outgoing network speeds and reliability. Cloudflare speed tests were the only ones giving any good values; I constantly had disconnects and timeouts for everything else. But when I put a VPN (that had a decent interconnect) on my router with an exit node in D.C. or Chicago, suddenly all my speeds went back to normal values matching the Cloudflare results.
    TL;DR: your ISP having a poor reputation with its global interconnects is very likely to blame for the poor speed issues without Cloudflare Tunnel, and literally any tunneling solution would probably resolve it.


  • I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?

    Self-hosters aren’t lacking in tools to connect between a home server and some internet-exposed server so they can tunnel from that public internet server back to their home server; they’re lacking in affordable options for the internet-accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can trivially be replaced by a simple WireGuard connection from your home server to a public VPS with a couple of trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-like permission-based routing software, but without the actual connection tools or hosting. That’s already available for free with Headscale, and Headscale also includes the connection part too. Am I missing something that would make Pangolin even equivalent to, let alone better than, the free Headscale project?




  • aaravchen@lemmy.zip to Selfhosted@lemmy.world · Cloudflare Tunnel? · +5 / −1 · edited, 4 days ago

    Serious limits on Cloudflare Tunnels:

    1. Only works if you use Cloudflare as your domain registrar for that domain
    2. You can’t use it for anything high bandwidth, specifically including streaming media (e.g. Plex/Jellyfin)
    3. They reserve the right to terminate your tunnel service randomly at any time, without warning, for any/no reason, unless you pay them for the service.

    And that doesn’t address the issue of getting in bed with Cloudflare (which has its own ethical ramifications).

    I’d recommend one of the alternatives like localxpose.io that offer the same thing but without the limitations. Or you can slap together your own with a WireGuard tunnel to a minuscule VPS with some routing rules on it. Both are about €5/month, which is cheaper than (the same as?) paying for Cloudflare Tunnel to avoid the random termination and vendor lock-in.
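What the “WireGuard tunnel to a minuscule VPS with some routing rules” suggested in the two comments above looks like in practice, as an added example that is not part of the thread and not code from any project named in it. The tunnel subnet 10.8.0.0/24, the WAN interface name eth0, the forwarded port 443, the hostname vps.example.com and the angle-bracket key placeholders are all assumptions; real keys come from `wg genkey | tee privkey | wg pubkey > pubkey` on each side.

```shell
#!/bin/sh
# Added example (not from the thread): the two WireGuard configs for a small
# VPS that forwards one public TCP port to a home server through the tunnel.
# Tunnel subnet, interface names, port, hostname and key placeholders are
# assumptions. Generate keys on each side with:
#   wg genkey | tee privkey | wg pubkey > pubkey

# vps_conf WAN_IF PUBLIC_PORT HOME_TUNNEL_IP
# Prints /etc/wireguard/wg0.conf for the VPS. Packets arriving on
# WAN_IF:PUBLIC_PORT are DNAT'd to the home server's tunnel address. The
# MASQUERADE on wg0 rewrites their source to 10.8.0.1, so the home server
# answers back down the tunnel with no policy routing on its side. Every
# PostUp rule has a matching PostDown so `wg-quick down` leaves no stray rules.
vps_conf() {
  wan_if=$1; port=$2; home_ip=$3
  cat <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# placeholder: contents of the VPS privkey file
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A PREROUTING -i ${wan_if} -p tcp --dport ${port} -j DNAT --to-destination ${home_ip}:${port}
PostUp = iptables -t nat -A POSTROUTING -o wg0 -d ${home_ip} -p tcp --dport ${port} -j MASQUERADE
PostUp = iptables -A FORWARD -i ${wan_if} -o wg0 -d ${home_ip} -p tcp --dport ${port} -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ${wan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i ${wan_if} -p tcp --dport ${port} -j DNAT --to-destination ${home_ip}:${port}
PostDown = iptables -t nat -D POSTROUTING -o wg0 -d ${home_ip} -p tcp --dport ${port} -j MASQUERADE
PostDown = iptables -D FORWARD -i ${wan_if} -o wg0 -d ${home_ip} -p tcp --dport ${port} -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ${wan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
# placeholder: contents of the home server's pubkey file
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = ${home_ip}/32
EOF
}

# home_conf VPS_HOST
# Prints /etc/wireguard/wg0.conf for the home server. AllowedIPs is only the
# VPS tunnel address, so the tunnel never becomes a default route for the
# host; PersistentKeepalive keeps the NAT/CGNAT mapping open so the VPS can
# always reach in.
home_conf() {
  vps_host=$1
  cat <<EOF
[Interface]
Address = 10.8.0.2/24
# placeholder: contents of the home privkey file
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
# placeholder: contents of the VPS pubkey file
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${vps_host}:51820
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25
EOF
}

# Stand-alone use: sh wg-vps.sh demo   (prints both configs)
case ${1:-} in
  demo) vps_conf eth0 443 10.8.0.2; echo; home_conf vps.example.com ;;
esac
```

Two design points worth knowing before copying this. The VPS only forwards TCP, so TLS still terminates on the home server and the VPS sees ciphertext, which is the difference from a Cloudflare Tunnel where the provider terminates TLS for you. The price of the MASQUERADE shortcut is that the home service logs every client as 10.8.0.1; if you need real client addresses, drop that rule, widen the home side’s AllowedIPs, and add a policy route on the home server so replies to forwarded connections go back out wg0.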





  • Ah, that’s why it’s not working with Firefox then too. Firefox comes with one of the secure DNS options turned on by default (DoH), which guarantees it will always reach a public DNS server and not get trapped into one from your home router, a cafe’s router, or your ISP. Since it knows the DNS will always be public, it also knows that the 192.168.10.20 address is not routable on the internet where it found it. Some malicious sites can use a DNS record with a non-public IP address like this to get you to run JavaScript in your browser from the site you visited to attack a device on your home network. So Firefox blocks that IP address from public DNS replies.

    Generally people will have a home router that allows them to have their own recursive DNS where they can insert their own records for things within their home network, and will disable the DoH or DoT (“secure DNS”) settings in their browsers as the way to do this. Putting the private IP in the public DNS record doesn’t hurt though; it just might get stopped by various modern security protections is all.
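The test that DNS-rebinding protection (in a resolver, a router, or a browser that implements it) applies to a public answer, as an added example that is not part of the thread: flag any A record whose address is not routable on the public Internet. The answer lines are constructed for the demo; 192.168.10.20 is the address from the comment above, the others are documentation and CGNAT addresses. It handles IPv4 A records only, and which ranges a given product actually filters is that product’s choice.

```shell
#!/bin/sh
# Added example (not from the thread): the check DNS-rebinding protection
# applies to a public DNS answer: flag any A record whose address is not
# routable on the public Internet. IPv4 only.
# The SAMPLE answer lines below are constructed for this demo.

SAMPLE='nas.example.net.  300 IN A    192.168.10.20
www.example.net.  300 IN A    203.0.113.7
dev.example.net.  300 IN A    100.64.3.9
box.example.net.  300 IN AAAA 2001:db8::1'

# ip4_to_int A.B.C.D -> prints the 32-bit integer; exits 1 if malformed.
# Runs in a subshell so the IFS change stays local. Leading-zero octets
# ("08") are rejected rather than misread as octal.
ip4_to_int() (
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NETWORK PREFIXLEN -> 0 if IP falls inside NETWORK/PREFIXLEN
in_cidr() {
  ip=$(ip4_to_int "$1") || return 1
  net=$(ip4_to_int "$2") || return 1
  mask=$(( ((1 << $3) - 1) << (32 - $3) ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# not_public IP -> 0 if IP is in a range a public answer should never carry:
# RFC 1918 private, loopback, link-local, CGNAT (RFC 6598), "this network"
not_public() {
  for range in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
               169.254.0.0/16 100.64.0.0/10 0.0.0.0/8; do
    if in_cidr "$1" "${range%/*}" "${range#*/}"; then return 0; fi
  done
  return 1
}

# flag_answers: reads dig-style "NAME TTL CLASS TYPE ADDR" lines on stdin and
# prints "BLOCK name addr" or "ALLOW name addr" for each A record
flag_answers() {
  while read -r name ttl class type addr; do
    [ "$type" = "A" ] || continue
    if not_public "$addr"; then
      echo "BLOCK $name $addr"
    else
      echo "ALLOW $name $addr"
    fi
  done
}

# Stand-alone use: sh rebind-check.sh demo, or pipe real answers in, e.g.
#   dig +noall +answer nas.example.net | sh rebind-check.sh filter
case ${1:-} in
  demo)   printf '%s\n' "$SAMPLE" | flag_answers ;;
  filter) flag_answers ;;
esac
```

Run against the sample, the nas and dev records come back BLOCK and www comes back ALLOW. The CGNAT range is included deliberately: a public record pointing at 100.64.x.x is just as useless to outside clients as an RFC 1918 one, and just as usable for rebinding against an ISP-internal host.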



  • If you’re just trying to do this within your home network, you’re doing what’s called “split DNS”, where the DNS in your home network is different from the global DNS.

    I do this for services I host, though usually I can also access them remotely as well, just from a different IP address. The easiest route for the TLS certificates (TLS is what gives you the S in HTTPS) is to use DNS-01 challenges for your LetsEncrypt/ZeroSSL certificate generation, because it doesn’t have to actually reach your domain’s site to prove you own the domain; it instead has you put extra temporary DNS records in.


  • Given your setup, I presume you’re trying to access your server via a domain name, only from within your home network? That’s what the linked blog posts are talking about.

    EDIT: It seems several are confused by my use of internal IP addresses in this way; yes, it is entirely possible. There are multiple people reporting using exactly this kind of setup; here are some examples.

    Or maybe your example IP address is just confusing. IP addresses in the ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 are all reserved for “private routing” and are not routable on the larger internet. Your home will have devices with those IP addresses because it’s a private LAN that uses Network Address Translation (NAT) at the boundary with your ISP. Your ISP might also have its own NAT, called Carrier-Grade NAT (CGNAT), that has another translation boundary where it reaches the internet. If your ISP doesn’t have CGNAT, and allows incoming connections on your desired ports, you might be able to use the IP address your ISP assigned your router as the public IP, but if not you’ll need to figure out some other routing method (e.g. a VPS hosting a private VPN exit point with routing rules to allow incoming connections, and an entry point somewhere in your network with routing rules to reply through that VPN).

    EDIT: Added quote



  • I don’t think you’ve used anything but a Boox in a long time, and have forgotten what the standard is. Boox has 1/10 the battery life, takes forever to wake up, and doesn’t support deep sleep properly (so it either drains battery when sitting idle, or shuts off entirely, taking 5+ minutes to power back on). It’s decent hardware with very badly designed software. Neither Kobo nor Kindle devices have these problems: they have batteries that actually last, deep sleep when idle for any length of time, and power back up, even from deep sleep, in 10 seconds or less.


  • For me? Basic functionality. Even the Pixel 9 Pro is laggy as hell just opening apps like Garmin. God forbid I try to use the browser for anything. And that’s a flagship phone.

    I know it’s the crazy badly designed apps, but I can’t change that. What I can change is a phone that can run them.

    Also, it’s nice to be able to occasionally take a picture that’s not completely washed out and looks like it was taken with a pre-OG Razr flip phone. No joke, I have pictures from that old flip phone (120x120 pixel screen!) from 20 years ago that look better than what came off the mid-range phones I’ve tried in the last few years. I’m confident it’s just poor implementation of much more capable hardware, but it doesn’t change the fact that I can’t even expect to use it for the most basic of functions.


  • With the discontinuation of Disroot(?) a couple of years ago, and now CalyxOS on a hiatus that’s going to require reimaging if they ever do come back, GrapheneOS is currently the only project that is supporting Android within the last 3-ish generations and is a fully put-together OS. Lineage is at least 2 versions back currently, and only that new on a couple of devices. Additionally, it’s not really a fully fleshed-out OS so much as it’s the basis for custom ROMs, which frequently see no security awareness or concern at all, and only get a couple of releases before disappearing. /e/ is really one of the only alternatives, and is just based on Lineage but with some security awareness and an actual update history.

    So sure, it’s not the original intent of GrapheneOS, but they have some of the best build tools I’ve ever seen, and are one of the few actually put-together OSes.


  • aaravchen@lemmy.zip to Privacy@lemmy.ml · Premium Murena 3 coming...? · +2 / −1 · 21 days ago

    I’m willing to settle for having to buy a Google Pixel for instance (which is always a 2-year-old design by the time it’s released), and wait a bit before it’s supported, but I’m never interested in a mid-range device. I don’t care how much I support your mission; I’ll throw a couple hundred at you as a donation before I even consider that. And that’s assuming I’m buying the device at a mid-range price. It’s out of the question that I’d ever pay flagship prices for it.

    Let me know when you have something that’s closer to a 3 year old flagship and we’ll talk, otherwise stop throwing your time and money at making a phone for a market that doesn’t exist.


  • aaravchen@lemmy.zip to Privacy@lemmy.ml · Premium Murena 3 coming...? · +4 / −3 · 21 days ago

    I’ll never understand why privacy companies do this: sell a thoroughly mid-range phone for a flagship price. The privacy OS market in my experience is largely either tech nerds with enough cash to splash out on a new/second unnecessary device just so they can play around with trying to get the new OS working for themselves, until it eventually becomes their daily driver, or poor students who got a beat-up phone from their friend’s cousin’s neighbor’s ex-girlfriend’s roommate and are slapping this alternative OS on it to use as their main, with all consequences be damned. Obviously there are people in the middle there, but those seem to be the two primary groups. So the bulk of people you’re selling to are those who want a higher-end phone primarily, and probably would be willing to pay for it. Instead, they make a mid-range device that has low margins, often in small quantities because they throw in some niche feature that costs a ton to add to the existing design, like a hardware kill switch, and then charge flagship phone prices for a mid-range device.