
I'm a big VPN user since I am the citizen of one country and the resident of another. Even for government services I have to use a VPN. I tried to access the bureau of statistics of my home country through my foreign residential IP and got 404s on all pages. Enabled VPN and everything magically started working. For watching the election result video stream I also had to VPN but at least that one gave me a clear message. For doing taxes in my home country I then have to disable VPN since all VPN access is blocked but it's OK to use a foreign residential IP.

I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.





Do you have friends or family in your home country that will run an AppleTV box with Tailscale for you as an exit node?

I can't get into work from a non-US IP, but I can Tailscale back to my house and it works just fine. I even gave my in-laws (who live several states away) an AppleTV box running TS just to have another endpoint if for some reason the power goes out at my house while I'm gone (rare, but happens).


Why do you need an AppleTV box and Tailscale for that? Use any PC (even a Raspberry Pi or any cheap "thin client") with Wireguard and you remove Apple and Tailscale from the equation entirely while keeping your setup 100% self-hosted.

Lots of people already have Apple TVs and the Tailscale integration is pretty good and can serve as an always online exit node. So no new hardware required. Could even remotely walk a non-techie through the process without too much effort.

Personally, I've just upgraded my family's wifi to Ubiquiti and can then use Tailscale Wireguard running on the gateway as a proxy! (with their permission)


Is it that common outside the US? I know of exactly one family here in Germany having Apple TV.

The only folks using Apple TV in 2026 are like 60+ yrs old.

I've literally not seen one in anyone's home for probably 5+ years. And even then nobody used them.

Apple TV was one of those products that relatively few people bought but they were loud about buying it, so it seemed more popular than it was. Then other services like Roku ($20) quickly replaced it.

I'm in the USA.


Roku became adware and most of my friends/family switched to AppleTV

They’re not insanely common even in the US, since Roku and Android sticks are cheaper and I don’t live in a wealthy area, but they’re not hard to get or unheard of.

The distinction between AppleTV, the hardware, and Apple TV+, the streaming service, was lost on many. Now that they are “Apple TV 4K” hardware and “Apple TV” service, it’s even harder to convey the correct meaning.


It is in the UK, but I don’t think it is on the continent.

I've never seen one in Poland.

I don’t work in technology, so my knowledge base is almost certainly in the bottom 10% (or lower) of HN readers. I can install Linux, or a BSD, and following guides I can be reasonably certain that I am doing so safely, which puts me comfortably in the top 10% of all users out there.

It’s not what I’m comfortable setting up for myself that is the issue; I am willing to put up with oddities for something that is just for my convenience and amusement. The problem is what I am knowledgeable enough to fix from far away if and when it goes wrong, and how to explain to my very non-technical family how to access it.

I have a NAS, and I could roll my own with that (in fact it’s my exit node at home, because I’m fairly sure it has better encryption speed than the AppleTV), but when something I’m in charge of maintaining goes in someone else’s house, the last thing I want to spend my spare time doing is trying to diagnose and fix issues over the phone with people who don’t own a computer.

It’s not the perfect solution to every situation. It is reliant on Tailscale and Apple, and there are cheaper, more capable systems (like the RPi) out there if you have the knowledge and inclination to set them up. But it’s a very, very straightforward solution that is unobtrusive and easy to maintain and thus is extremely well-suited for my needs. I thought it might be for OP as well. Anyone who is willing to shell out €360 a year for a truly residential-IP VPN should at least be made aware that it’s an option.


> Wireguard and remove Apple and Tailscale from the equation entirely

I agree you could send them a preconfigured Pi, but can we stop pretending Tailscale is just wireguard - there is a lot of convenience in the NAT traversal that you otherwise need router config and/or a publicly routable server to achieve.


> but can we stop pretending Tailscale is just wireguard

That's precisely the issue. It introduces additional centralized dependencies and closed source components.


And you will introduce a centralised dependency by using wireguard too - at least one of the nodes needs to be accessible from the other(s).

Good thing there’s headscale.

What is this AppleTV box running TS that you speak of? Sounds awesome.

Check out the instructions from Tailscale: https://tailscale.com/kb/1280/appletv

I wish there was a way to use the tailscale app to connect to my own vanilla WireGuard endpoint at home. I don’t want to use and pay for tailscale when I can run WireGuard myself. But there seems to be no good WireGuard app for tvOS (there is for iOS and macOS though) and if the TS app works as well as it says, I’m jealous I can’t use it with my setup.

(There’s another really shitty VPN app for tvOS that I tried, but it also costs money so screw that. It’s also buggy as hell and crashes all the time.)

I should add that my use case is the occasional trip where we take the Apple TV with us places and want to access my media library. Or being able to share my media library with extended family (setting their Apple TV up with a vpn to my house.) More complex things like travel routers can work, but are more hassle than I want, although I’m increasingly leaning towards taking the plunge there…


Personal-level Tailscale is free for up to 3 users. So your immediate family is covered even on trips.

You could create an account with any one of their identity providers (or roll your own OIDC, it's possible) and just have it not have a linked credit card. The account you use to authenticate Tailscale doesn't have to be the Apple account that you use to log into the hardware device itself - my wife's laptop, phone, and iPads are logged in under my Tailscale account but separate Apple/iCloud accounts (we have family sharing for our apps, etc., but the TS is usually going to be up to me, so I haven't created another account for her). Free gets you 100 devices, so we're nowhere close to running out of those.


I’m reading that from a departure lounge.

Wish I’d read this a few hours ago and the AppleTV would be coming with me.


Doesn’t have to be an Apple box either. A Raspberry Pi is what I’m using. I’m in the exact same situation, living in one country temporarily but citizen of another, and I have an exit point in my home country at my parents' place on a Raspberry Pi. Basically any computer will work.

The advantage of the AppleTV is that it's basic consumer hardware that a lot of people have, that you can provide for them at a reasonably low cost if they don't, and that doesn't really require much in the way of tech skill for the person whose house it's in to keep it up to date. You don't even have to do anything to update versions - tvOS will do it automatically.

I can't find it right now but there was a post announcing the port to tvOS on their blog where a developer from the UK (but living in the US) talked about how it let him buy, configure, and ship a simple consumer box that uses little power and needs minimal hands-on maintenance to his parents' house as a replacement for a server he had been running in their house as a VPN endpoint for this sort of thing - so he could watch BBC, etc.

I wouldn't want to update a RPi that's in someone else's house on the other side of the ocean.


Android TV works great as well. I have it running on an old Chromecast that cost less than $50 new.

While I still prefer running a plain Wireguard VPN if possible (i.e. when there's a publicly reachable UDP port), the really big advantage of Tailscale over other solutions is that it has great NAT traversal, so it's possible to run a routing node behind all kinds of nasty topologies (CG-NAT, double NAT, restrictive firewalls etc.)


I have run into the firewall problems before. Even seen them that block authentication but - if already connected to the tailnet before joining the WiFi in question - will continue to pass data. OpenVPN would not connect and couldn’t handle the IP address switch.

At worst, I turn on phone hotspot, authenticate, then switch back to WiFi. A purely serendipitous discovery on my part, but a very welcome one.


Interesting, maybe they block the orchestration servers of Tailscale, but not the actual data plane (which is almost always P2P, i.e., it usually does not involve Tailscale servers/IPs at all)?

I'm sure they do, but the question is, why did OpenVPN fail? It's pure P2P. I've got a dynamic DNS through afraid.org, and that resolves on that network, so it's not just DNS-level blocking. I effectively have a static IP anyway; there's no CGNAT going on, so I've discovered that I misconfigured my DDNS once or twice only when afraid.org emailed to tell me that I hadn't updated in X months.

Were you using the semi-well-known port (1194)? Otherwise, maybe it's just more fingerprint-able, or whatever DPI the firewall uses hasn't caught up to Wireguard yet?

I built TunnelBuddy (tunnnelbuddy.net) just for this. I am the same: citizen of one country and resident of another. I have multiple friends and family where I am from. I get them to open tunnelbuddy (nobody needs to sign up), to share a one-off password (like TeamViewer) and I get to access the internet as if I was at their place.

Underneath, it uses WebRTC (the same tech as Google Meet). It is free to use, I just built it to fix this problem that I have... I am quite surprised expats only get by using a traditional VPN whose IPs are known by online services...


That's a cool tool.

FYI: There's a typo in the URL you posted, an extra `n` :)


Do you know anyone in that country who will let you stick an rPI behind their modem?

AppleTV has a Tailscale client that you can use as an exit node. That's what I do to VPN back to home when I'm traveling.

AppleTV is pretty random and only vaguely incidental to the solution. Tailscale runs on computers. Basically anything will do. If you don't have a home server, just grab a cheap RPi or an old laptop. Or in a pinch drop it onto an old phone from your old phone drawer.

I think most here know that. What interests me is how easy to set up and maintain an AppleTV is - you do nothing.

I love my Pi but sometimes I want life to be mindlessly easy.


I have been thinking about it but it is tricky from a legal standpoint. What I'm trying to arrange next time I visit is to have a secondary line installed at my parents' place that is in my name. So that when I pull heavy traffic from that line it doesn't impact them and I can't get them in trouble for posting a message that isn't government approved.

Heavy traffic to access a bunch of gov websites? There's definitely more to your story then.

I'd say, anything heavy and random, use the general VPN and the rest use an rpi at your parents' home.


> Heavy traffic to access a bunch of gov websites? There's definitely more to your story then

They used government websites as an example, not to say that all of their traffic was to government websites.


No it’s his parents who don’t want him interfering with their thriving warez empire

I don’t do FXP anymore :)

Video. Live video

> I would easily pay €30 a month for a VPN in my home country that uses a residential IP and isn't noticeable. I am aware that those exist, but 99% of them are shady.

For residential IPs you can't even pay per month like normal VPNs, normally they charge per GB, usually over $2 USD per GB.


Damn, I’m throwing away hundreds of dollars per month.

And I can get a semi-anonymous cable internet connection too (if your line is “hot”, you could sign up with any address… not sure if it has to be under the same node or just the same city). Would be difficult, but not impossible, to track down which residence the shadow connection is coming from.


Is this because they're paying the residential proxy owners some of it?

Most of the people whose devices and connections are being used as residential proxy exit nodes are not aware of it.

They likely charge per GB because these residential connections are slow and limited compared to datacenter connections (doesn't help that they're often located in third world countries), and are often used for aggressive scraping, so charging a fixed monthly price would not be viable.


Probably safe to assume that yours is. Especially if a teenager is using your wifi.

I can assure you they are not.

Prices are more in the 0.30$-0.45$ range if you know where to go, from my experience.

Where do you go?

Just get a SIM card from home with roaming and use that data to access govt things?


