Turning a $6 VPS into a Vercel Replacement: A Guide to Securing Your Server with Tailscale, UFW, and Cloudflare


Foreword

Like many developers, I was tired of paying $20/month for hosting platforms like Vercel. After some research, I decided to switch to a more cost-effective solution: a $6 VPS from Netcup. Not only did I set up an open-source alternative, Coolify, to handle auto-deployments, but I also learned a lot about server security along the way.

This guide outlines how to set up a VPS for application deployment, secure it using Tailscale and UFW, and further protect it behind Cloudflare. By the end, you’ll have a solid, affordable alternative to platforms like Vercel—fully secured and optimized for self-hosting.

Disclaimer: I've written this as a rough guide based on my own process, but I’m not entirely sure everything is included or if the order of steps is 100% correct. Be sure to adapt it to your specific needs and double-check along the way!


Netcup VPS & Coolify Setup Guide

This guide walks you through ordering a new VPS from Netcup, securing it with Tailscale, installing Coolify for application deployments, and protecting it behind Cloudflare.


1. Order New VPS on Netcup

  1. Head over to Netcup and order a new VPS instance that fits your needs.
  2. After receiving your VPS, retrieve your SSH access credentials (IP address, username, and password).

2. Access VPS via SSH and Install Tailscale

For secure SSH access, we’ll install Tailscale—a tool that creates a secure, private network between your devices and your VPS.

Steps for Tailscale Setup:

Install Tailscale:
SSH into your VPS and run this command:

curl -fsSL https://tailscale.com/install.sh | sh

Enable SSH Access via Tailscale:
Secure SSH by running:

sudo tailscale up --ssh

Get Your Tailscale IP:
Obtain the Tailscale IP for your server:

tailscale ip

Connect via Tailscale:
Now, SSH into your server using the Tailscale IP:

ssh ubuntu@your_tailscale_ip
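Before the firewall is tightened in the next step, it is worth confirming that the shell you are working in really arrived over Tailscale, because "deny incoming" will cut off every other path. The pre-flight check below is an added example and not part of the original post. It assumes that Tailscale assigns IPv4 addresses from 100.64.0.0/10 and IPv6 addresses from fd7a:115c:a1e0::/48, and that the SSH server populates SSH_CONNECTION as "client_ip client_port server_ip server_port" the way OpenSSH does; the two session strings in the script are constructed samples.

```shell
#!/bin/sh
# Pre-flight check to run before tightening the firewall: confirm the shell you are in
# arrived over Tailscale, so "deny incoming" in the next step cannot cut off your only way in.
# Added example, not part of the original guide. Assumptions: Tailscale assigns IPv4
# addresses from 100.64.0.0/10 and IPv6 addresses from fd7a:115c:a1e0::/48, and the SSH
# server exposes SSH_CONNECTION as "client_ip client_port server_ip server_port" like OpenSSH.

# is_tailscale_ip ADDR -> returns 0 when ADDR lies in a Tailscale address range
is_tailscale_ip() {
    case "$1" in
        fd7a:115c:a1e0:*) return 0 ;;          # Tailscale IPv6 prefix
        *:*) return 1 ;;                        # any other IPv6 address
    esac
    # IPv4: split on dots and check for 100.64.0.0/10, i.e. 100.64.x.x through 100.127.x.x
    oldIFS=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# ssh_session_via_tailscale "SSH_CONNECTION value" -> 0 when the client address is a Tailscale address
ssh_session_via_tailscale() {
    client_ip=${1%% *}
    is_tailscale_ip "$client_ip"
}

# preflight [SSH_CONNECTION value] -> defaults to the current session's SSH_CONNECTION
preflight() {
    conn=${1-${SSH_CONNECTION-}}
    if ssh_session_via_tailscale "$conn"; then
        echo "OK: this session came in over Tailscale (client ${conn%% *}); safe to lock down"
    else
        echo "STOP: this session did not come in over Tailscale (SSH_CONNECTION='${conn:-unset}')"
        echo "      reconnect via the Tailscale IP before running ufw, or you will lock yourself out"
        return 1
    fi
}

# Constructed samples: one session from a Tailscale peer, one from the public internet.
SAMPLE_TAILSCALE_SESSION="100.101.102.103 51234 100.64.0.9 22"
SAMPLE_PUBLIC_SESSION="203.0.113.7 51234 198.51.100.20 22"

preflight "$SAMPLE_TAILSCALE_SESSION"
preflight "$SAMPLE_PUBLIC_SESSION" || true
# On the server, right before `sudo ufw enable`:
#   preflight || exit 1
```

Run `preflight` with no argument on the server itself; it reads the live SSH_CONNECTION and refuses (exit status 1) when the client address is outside the Tailscale ranges, which is the moment to reconnect through the Tailscale IP rather than proceed.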

3. Secure Your VPS with UFW (Uncomplicated Firewall)

Next, lock down access to your VPS, allowing only Tailscale traffic.

Enable UFW:

sudo ufw enable

Set Default Policies:
Block all incoming traffic except for Tailscale connections:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on tailscale0

Check UFW Status:
Verify UFW is working:

sudo ufw status

At this point, only devices in your Tailscale network can access your server.
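To verify that result without eyeballing the table, here is an added check (not from the original post) that parses the output of `sudo ufw status verbose`. It insists on an active firewall, a default deny for incoming traffic and an ALLOW IN rule bound to tailscale0, and it flags any rule that is open to Anywhere on a public interface, the typical leftover of an earlier `ufw allow ssh`. The two status listings embedded in the script are constructed samples of what ufw prints.

```shell
#!/bin/sh
# Audit `sudo ufw status verbose` output for the posture this step aims at.
# Added example, not part of the original guide. The sample listings are constructed.

# audit_ufw_status STATUS_TEXT -> prints findings; returns 0 only when the posture is acceptable
audit_ufw_status() {
    status="$1"
    rc=0

    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FAIL: ufw is not active"
        rc=1
    fi
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "FAIL: default incoming policy is not deny"
        rc=1
    fi
    if ! printf '%s\n' "$status" | grep -q 'on tailscale0 *ALLOW IN'; then
        echo "FAIL: no ALLOW IN rule bound to tailscale0 (Tailscale SSH would be cut off)"
        rc=1
    fi

    # An ALLOW IN rule whose source is "Anywhere" and that is not bound to tailscale0
    # exposes that port to the whole internet. Columns are separated by runs of spaces,
    # so the last column is the source and the first is the destination port/interface.
    open=$(printf '%s\n' "$status" | awk '
        /ALLOW IN/ && $0 !~ /on tailscale0/ {
            n = split($0, f, /  +/)
            if (f[n] ~ /^Anywhere/) print f[1]
        }')
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | while IFS= read -r port; do
            echo "WARN: $port is allowed from Anywhere on the public interface"
        done
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: firewall posture matches the guide"
    return "$rc"
}

# Constructed sample: the listing after the steps above, plus one Cloudflare rule from step 6
SAMPLE_GOOD=$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    173.245.48.0/20
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
EOF
)

# Constructed sample: a leftover `ufw allow ssh` leaves port 22 open to the whole internet
SAMPLE_LEAKY=$(cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Anywhere on tailscale0     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)
EOF
)

echo "== constructed compliant listing =="
audit_ufw_status "$SAMPLE_GOOD"
echo "== constructed leaky listing =="
audit_ufw_status "$SAMPLE_LEAKY" || true
# On the server itself:
#   audit_ufw_status "$(sudo ufw status verbose)"
```

A WARN line is the cue to delete the offending rule (`sudo ufw status numbered`, then `sudo ufw delete <n>`) so that SSH is reachable only through the Tailscale interface, as the step intends.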


4. Install Coolify

Coolify simplifies app deployments similar to Vercel. Here’s how to install it.

Run Coolify Install Script:
Use your Tailscale connection to install Coolify:

curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash

Allow Docker Network Traffic:
Coolify uses Docker for app management. Let’s ensure Docker networks can communicate:

  • List Docker networks:

sudo docker network ls

  • Inspect the subnets under "IPAM -> Config" and allow traffic between them:

sudo docker network inspect bridge
sudo ufw allow from 172.18.0.0/16 to 172.17.0.1
sudo ufw allow from 172.17.0.0/16 to 172.18.0.1

5. Put Everything Behind Cloudflare

Cloudflare provides SSL certificates, shields your server from DDoS attacks, and routes requests through its global CDN. Traffic between users and your server is encrypted, its Web Application Firewall (WAF) filters malicious requests, and caching assets close to your users improves load times.

Move Domain DNS to Cloudflare:

  • Log in to Cloudflare, add your domain, and update your domain settings at the registrar to use Cloudflare’s nameservers.

Activate SSL:

  • In the SSL/TLS section, set the mode to Full (Strict) to ensure full encryption from the client to Cloudflare and to your server.

Enforce HTTPS:

  • Enable Always Use HTTPS under SSL/TLS settings.

6. Secure Your Netcup Server for Cloudflare Traffic Only

Only Cloudflare traffic should reach your server. Here’s how:

Allow Cloudflare IP Ranges via UFW:
Add UFW rules to permit only Cloudflare traffic on port 443 (HTTPS).

Make sure you get the latest Cloudflare IP ranges; Cloudflare's IP Ranges page is the definitive source for them.

IPv4:

for ip in 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 \
108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 \
162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22; do
   sudo ufw allow from $ip to any port 443 proto tcp
done

IPv6:

for ip in 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 \
2a06:98c0::/29 2c0f:f248::/32; do
   sudo ufw allow from $ip to any port 443 proto tcp
done
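Rather than pasting a snapshot of the ranges, the rules can be generated from the plain-text lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (one CIDR per line). The script below is an added example, not from the original post: it validates every line as a CIDR before turning it into a ufw command, so a truncated or tampered download cannot end up as ufw arguments, and it tags each rule with a ufw comment so stale ranges can be found and pruned later. The embedded list is a constructed sample that includes the kind of HTML error page a failed download can return.

```shell
#!/bin/sh
# Build UFW rules from Cloudflare's published CIDR lists (https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6, one range per line).
# Added example, not part of the original guide. The list embedded below is constructed.

# cidr_rules LIST_TEXT [PORT] -> one `ufw allow` command per valid CIDR on stdout,
# one "skip:" line per rejected input line on stderr.
cidr_rules() {
    list="$1"
    port="${2:-443}"
    printf '%s\n' "$list" | while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \r')      # strip spaces and CRLF
        [ -n "$line" ] || continue
        case "$line" in
            */*) ;;
            *) echo "skip: '$line' is not a CIDR" >&2; continue ;;
        esac
        addr=${line%/*}
        prefix=${line##*/}
        # Address part may only contain hex digits, dots and colons (covers IPv4 and IPv6)
        case "$addr" in
            ''|*[!0-9a-fA-F:.]*) echo "skip: '$line' is not a CIDR" >&2; continue ;;
        esac
        # Prefix length must be 1-3 digits and within range for the address family
        case "$prefix" in
            ''|*[!0-9]*|????*) echo "skip: '$line' has a bad prefix length" >&2; continue ;;
        esac
        case "$addr" in *:*) max=128 ;; *) max=32 ;; esac
        if [ "$prefix" -gt "$max" ]; then
            echo "skip: '$line' has a bad prefix length" >&2; continue
        fi
        # The comment tag makes these rules easy to list and prune with `sudo ufw status numbered`.
        echo "ufw allow from $line to any port $port proto tcp comment 'cloudflare'"
    done
}

# Constructed sample list: two IPv4 ranges, one IPv6 range, and the HTML error page a
# failed download can return in place of the list.
SAMPLE_LIST="173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
<html><body>502 Bad Gateway</body></html>
104.16.0.0/13"

cidr_rules "$SAMPLE_LIST"

# Against the live lists, review the generated commands first, then feed them to a root shell:
#   cidr_rules "$(curl -fsSL https://www.cloudflare.com/ips-v4)" | sudo sh
#   cidr_rules "$(curl -fsSL https://www.cloudflare.com/ips-v6)" | sudo sh
```

When Cloudflare changes a range, `sudo ufw status numbered | grep cloudflare` lists the tagged rules so the old ones can be deleted before the regenerated set is applied.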

Prevent Docker from Bypassing UFW:
By default, Docker will bypass UFW. Disable this by editing Docker's configuration:

sudo nano /etc/docker/daemon.json

Add the following:

{
  "iptables": false
}

Restart Docker:

sudo systemctl restart docker

7. Complete Coolify Setup

Access Coolify:
Open Coolify in your browser using the Tailscale IP and port 8000:

https://your_tailscale_ip:8000

Onboarding:
Follow the onboarding wizard to create your Coolify account and set up your server.


8. Post-Installation Steps

Configure FQDN and Wildcard Domains:
Set up wildcard domains (e.g., *.yourdomain.com) in Coolify’s proxy settings.

Enable Notifications:
Use a Telegram bot for monitoring and alerts.

Enable Two-Factor Authentication (2FA):
Secure your Coolify account with 2FA.


9. Deploy Your Apps

Deploy Next.js Apps:

  • Add your Next.js applications (or whatever else you want to host) and configure their environment variables; refer to the Coolify docs for the details.

By following these steps, you can have a secure, scalable, and cost-efficient VPS setup with Coolify handling your app deployments—just like Vercel, but at a fraction of the cost.