The Problem with Traditional Remote Access
Setting up WireGuard or OpenVPN yourself works, but it has requirements:
- A public IP (harder to get on CGNAT/IPv6-only connections)
- Port forwarding on your router
- Dynamic DNS if your IP changes
- Key management for each client
Tailscale removes all of these requirements. It creates an encrypted peer-to-peer mesh network between your devices without any port forwarding, and works through CGNAT, firewalls, and double-NAT.
How Tailscale Works
Tailscale is built on WireGuard. Each device gets a WireGuard key pair. Tailscale’s coordination server (not a relay server) shares public keys between devices so they can establish direct encrypted connections.
If a direct connection isn’t possible (strict firewall on both ends), traffic routes through Tailscale’s DERP (Designated Encrypted Relay for Packets) servers. But most home connections can do NAT traversal and get direct peer-to-peer tunnels.
Your traffic never passes through Tailscale’s infrastructure in the normal case — only the key exchange happens on their servers.
Installation
Tailscale has clients for every platform. The install is one command:
Linux:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
This opens a browser to authenticate your device to your Tailscale account (or you copy-paste a URL). After auth, the device appears in your Tailscale admin panel.
macOS / Windows / iOS / Android: Download the app from the respective store, sign in.
Repeat on every device you want in your tailnet (Tailscale’s term for your private network).
Accessing Homelab Services
Once your homelab server and laptop are both on Tailscale, you can connect using Tailscale IPs (100.x.x.x range) or MagicDNS names.
MagicDNS automatically assigns hostnames: pve-01.your-tailnet.ts.net. Enable it in the Tailscale admin panel under DNS.
Then from your laptop on mobile data:
ssh user@pve-01.your-tailnet.ts.net
No port forwarding, no VPN configuration — it just works.
Subnet Routing
By default, Tailscale gives you access to the specific devices running Tailscale. If you want to reach your whole LAN (devices that don’t have Tailscale installed — smart home devices, NAS shares, printers), enable subnet routing.
On your homelab server:
sudo tailscale up --advertise-routes=192.168.1.0/24
In the Tailscale admin panel, approve the advertised route. Now your devices on mobile data can reach anything at 192.168.1.x.
Exit Nodes
Tailscale supports exit nodes — route all internet traffic through a specific device. This is equivalent to a full-tunnel VPN.
On the exit node:
sudo tailscale up --advertise-exit-node
Approve in the admin panel, then enable from a client:
tailscale set --exit-node=pve-01
Now all traffic from that client routes through your home internet connection. Useful for accessing geo-restricted content or bypassing restrictive captive portals.
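To make the precedence between direct peers, approved subnet routes and an exit node concrete, here is a simplified model of how a client chooses the peer that carries a packet. This is an added example, not Tailscale's code; the `Peer` dataclass, the `next_hop` and `unapproved_routes` functions and all peer data are constructed for it. It follows the behaviour described in the Subnet Routing and Exit Nodes sections above: tailnet addresses always go straight to the peer, only routes an admin has approved are used, and the exit node takes whatever is left.

```python
"""Simplified model of Tailscale client route selection (added example, not
Tailscale's code). Peers, routes and the decision order are constructed to
match the article: direct peer first, then approved subnet routes by longest
prefix, then the selected exit node. Advertised-but-unapproved routes are
ignored, as they are until an admin approves them in the admin panel.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Tailscale addresses are drawn from the CGNAT range (shown as 100.x.x.x above).
TAILNET = ipaddress.ip_network("100.64.0.0/10")


@dataclass
class Peer:
    name: str
    ip: str                                   # Tailscale address, constructed
    advertised_routes: list = field(default_factory=list)
    approved_routes: list = field(default_factory=list)
    exit_node: bool = False                   # advertised AND approved as exit node


# Constructed tailnet: pve-01 advertises the LAN and an exit node and both are
# approved; the NAS advertised a route that nobody approved.
PEERS = [
    Peer("pve-01", "100.101.2.1", advertised_routes=["192.168.1.0/24"],
         approved_routes=["192.168.1.0/24"], exit_node=True),
    Peer("nas", "100.101.2.2", advertised_routes=["10.10.0.0/16"]),
    Peer("desktop", "100.101.1.3"),
]


def next_hop(peers, dst, exit_node=None):
    """Return (peer_name, reason) for the peer carrying traffic to dst.

    peer_name is None when no tailnet peer is involved (the packet takes the
    client's ordinary default route, or the tailnet address is unknown).
    """
    dst_ip = ipaddress.ip_address(dst)

    # 1. Another tailnet device is always a direct WireGuard peer; it is never
    #    sent through a subnet router or an exit node.
    for p in peers:
        if ipaddress.ip_address(p.ip) == dst_ip:
            return p.name, "direct peer"

    # 2. Approved subnet routes, longest prefix wins. Unapproved advertised
    #    routes are never installed, so they are not consulted here.
    best: Optional[tuple] = None
    for p in peers:
        for route in p.approved_routes:
            net = ipaddress.ip_network(route, strict=False)
            if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
    if best is not None:
        return best[0].name, f"subnet route {best[1]}"

    # 3. Exit node, only if the client selected one and it is approved as one.
    if exit_node:
        p = next((p for p in peers if p.name == exit_node), None)
        if p is not None and p.exit_node:
            return p.name, "exit node"

    # 4. Nothing in the tailnet handles it.
    if dst_ip in TAILNET:
        return None, "unknown tailnet address"
    return None, "local default route"


def unapproved_routes(peers):
    """Routes peers advertise that no admin has approved, for a quick audit."""
    return {p.name: [r for r in p.advertised_routes if r not in p.approved_routes]
            for p in peers if set(p.advertised_routes) - set(p.approved_routes)}


if __name__ == "__main__":
    for dst in ("100.101.2.2", "192.168.1.50", "10.10.5.5", "1.1.1.1"):
        print(dst, "->", next_hop(PEERS, dst), "| with exit node:",
              next_hop(PEERS, dst, exit_node="pve-01"))
    print("unapproved:", unapproved_routes(PEERS))
```

Two things the model makes visible: selecting an exit node does not change how other tailnet devices are reached (they stay direct), and a route that was advertised but never approved carries nothing, so `10.10.5.5` falls back to the client's own default route. On a Linux subnet router or exit node the kernel must also be allowed to forward packets (`net.ipv4.ip_forward=1`, and the IPv6 equivalent), otherwise approved routes are installed on clients but the router silently drops the forwarded traffic.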
Taildrop
Tailscale includes a file-sharing feature called Taildrop. Send files directly between devices without any setup:
tailscale file cp photo.jpg desktop:
Or use the GUI apps on mobile/desktop. Files transfer peer-to-peer over the encrypted tunnel.
Tailscale Serve and Funnel
Tailscale Serve exposes a service to your tailnet without needing NPM or configuration:
tailscale serve https / http://localhost:8096 # expose Jellyfin to your tailnet
Access it at https://your-machine.your-tailnet.ts.net.
Tailscale Funnel (opt-in) exposes a service to the public internet through Tailscale’s infrastructure — no port forwarding needed:
tailscale funnel 443 on
tailscale serve https / http://localhost:8096
Now the service is accessible publicly at https://your-machine.your-tailnet.ts.net. Useful for webhooks or sharing a development server temporarily.
Access Controls
Tailscale uses ACLs (Access Control Lists) to control which devices can talk to which. The default allows all devices in your tailnet to reach all others.
For a multi-user homelab or shared tailnet, define ACLs in JSON:
{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:home-devices"],
      "dst": ["tag:homelab-servers:*"]
    }
  ],
  "tagOwners": {
    "tag:home-devices": ["autogroup:members"],
    "tag:homelab-servers": ["autogroup:admin"]
  }
}
Assign tags to devices in the admin panel.
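The practical consequence of a policy like the one above is easy to get wrong: as soon as any ACL exists, anything not matched by an accept rule is denied, and a device that carries a tag no longer counts as one of `autogroup:members`. The following is an added example, not Tailscale's own evaluator; it is a simplified model of the matching rules, with the `Device` dataclass, the `is_allowed` and `reachability` functions and all devices constructed for the example. The policy reuses the rule from the article and adds a narrower one for untagged user devices to show the difference.

```python
"""Simplified model of Tailscale ACL evaluation (added example, not Tailscale's
code). Assumptions, all constructed for this example: a device is the Device
dataclass below; tagged devices have no owning user (in Tailscale, tagging
replaces the user identity, so they are not in autogroup:members); only
'accept' rules exist, so a pair no rule matches is denied. Selector kinds
such as autogroup:self, host aliases and SSH rules are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    ip: str                         # Tailscale address (100.x.x.x), constructed
    user: Optional[str] = None      # owning login; None for tagged devices
    tags: list = field(default_factory=list)


# Constructed policy: the article's rule plus a narrower rule for user devices.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["tag:home-devices"],
         "dst": ["tag:homelab-servers:*"]},
        {"action": "accept", "src": ["autogroup:members"],
         "dst": ["tag:homelab-servers:22,443"]},
    ],
    "tagOwners": {
        "tag:home-devices": ["autogroup:members"],
        "tag:homelab-servers": ["autogroup:admin"],
    },
}

# Constructed sample tailnet.
DEVICES = {
    "laptop": Device("laptop", "100.101.1.1", user="alice@example.com"),
    "phone": Device("phone", "100.101.1.2", tags=["tag:home-devices"]),
    "pve-01": Device("pve-01", "100.101.2.1", tags=["tag:homelab-servers"]),
    "nas": Device("nas", "100.101.2.2", tags=["tag:homelab-servers"]),
}


def _match_src(selector, dev, policy):
    """Does a src selector (tag, group, autogroup:members, login or *) cover dev?"""
    if selector == "*":
        return True
    if selector == "autogroup:members":
        return dev.user is not None         # tagged devices are not members
    if selector.startswith("tag:"):
        return selector in dev.tags
    if selector.startswith("group:"):
        return dev.user in policy.get("groups", {}).get(selector, [])
    return selector == dev.user             # a literal login


def _match_host(host, dev, policy):
    """Does the host part of a dst entry cover dev? Accepts selectors, IPs and CIDRs."""
    if host == "*":
        return True
    if host.startswith(("tag:", "group:")) or "@" in host:
        return _match_src(host, dev, policy)
    try:
        return ipaddress.ip_address(dev.ip) in ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False                        # unknown selector kind: no match


def _port_ok(spec, port):
    """Port spec is '*', a number, a range 'a-b', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy, src, dst, port):
    """Any accept rule matching src -> dst:port allows it; otherwise deny."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_match_src(s, src, policy) for s in rule["src"]):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")   # host may itself contain ':'
            if _match_host(host, dst, policy) and _port_ok(ports, port):
                return True
    return False


def reachability(policy, devices, port):
    """Who can reach whom on a port; handy to review before applying a policy."""
    names = list(devices)
    return {s: [d for d in names if d != s and is_allowed(policy, devices[s], devices[d], port)]
            for s in names}


if __name__ == "__main__":
    for port in (22, 8096):
        print(port, reachability(POLICY, DEVICES, port))
```

Running it shows the phone (tagged `tag:home-devices`) reaching the servers on any port, the laptop (an ordinary member device) reaching them only on 22 and 443, and the two servers unable to reach each other or the user devices at all, because no rule names `tag:homelab-servers` as a source. Tailscale's policy file also accepts a `"tests"` section that the admin panel checks on save; writing the expectations from `reachability` into it catches a rule change that silently widens or breaks access.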
Tailscale vs Self-Hosted WireGuard
| | Tailscale | Self-Hosted WireGuard |
|---|---|---|
| Setup | Minutes | Hours |
| CGNAT/NAT traversal | Automatic | Requires public IP |
| Key management | Automatic | Manual |
| Coordination server | Tailscale’s servers | N/A |
| Privacy | Keys stay on devices | Full control |
| Cost | Free up to 3 users/100 devices | Free |
| Offline operation | Works (keys cached locally) | Fully self-contained |
Tailscale is the pragmatic choice for most homelabbers. If you’re uncomfortable with any reliance on external servers (even for key exchange), run Headscale — the open-source self-hosted Tailscale coordination server.
Headscale (Self-Hosted Control Plane)
Headscale reimplements the Tailscale coordination server. Deploy it on a VPS or home server:
# ./headscale must already contain a config.yaml; Headscale refuses to start without one.
docker run -d \
  --name headscale \
  -p 8080:8080 \
  -v "$(pwd)/headscale:/etc/headscale" \
  -v "$(pwd)/headscale-data:/var/lib/headscale" \
  headscale/headscale:latest serve
Then configure Tailscale clients to point at your Headscale instance instead of Tailscale’s servers. All the WireGuard peer-to-peer magic still works — only the coordination layer changes.