Tailscale is a zero-config VPN built on WireGuard. Connect your devices in minutes, no port forwarding, no complicated firewall rules. Perfect for your homelab.
What Is Tailscale?
Imagine you could put all your devices, at home, at the office, or on the go, into one private network, without opening a single port. That's exactly what Tailscale does. It builds a mesh VPN where every device can communicate directly with every other device.
Unlike traditional VPNs like OpenVPN, you don't need to run a central VPN server that all traffic flows through. Under the hood, Tailscale uses WireGuard, one of the fastest and most secure VPN protocols out there. Connections are established peer-to-peer, resulting in minimal latency.

WireGuard Under the Hood
WireGuard is the foundation of Tailscale. It's a modern VPN protocol with only ~4,000 lines of code (OpenVPN has over 100,000). This means:
- Smaller attack surface, easier to audit
- Lightning-fast connections, handshake in milliseconds
- Low overhead, perfect for Raspberry Pi & friends
Tailscale handles all the tedious parts: key exchange, NAT traversal, and peer coordination. You don't have to worry about any of it.
Installation in 5 Minutes
Installation is straightforward. Here are the steps for the most common platforms:
Linux (Debian/Ubuntu)
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Docker
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: my-server
    environment:
      # Placeholder auth key; keep the real value out of version control
      - TS_AUTHKEY=tskey-auth-xxxxx
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      # Persist node state so the container keeps its identity across restarts
      - ./tailscale-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped
Windows / macOS / iOS / Android
Just download the app from the respective store, sign in, done. Tailscale supports all major platforms.

Connecting Devices
After installation, you sign in with your Google, Microsoft, or GitHub account. Each device gets a stable IP address in the 100.x.y.z range. This address doesn't change, no matter where you are.
# Show status of all connected devices
tailscale status
# Output looks something like this:
# 100.64.0.1 my-laptop user@github linux active
# 100.64.0.2 homeserver user@github linux active
# 100.64.0.3 phone user@github android active
From now on, you can SSH directly into your homeserver, whether you're at a cafe or on a train:
ssh user@homeserver # MagicDNS makes it possible!
MagicDNS
MagicDNS is one of Tailscale's killer features. Instead of remembering IP addresses, you simply use the hostnames of your devices. Tailscale automatically handles DNS resolution within your network.
You can even configure a custom DNS server (like Pi-hole or AdGuard Home) in your tailnet, so all devices automatically block ads.
Funnel & Serve
With Tailscale Serve, you can expose a local service to other devices in your tailnet:
# Expose local port 3000 in your tailnet
tailscale serve 3000
With Tailscale Funnel, you go one step further and make a service publicly accessible on the internet, with an automatic HTTPS certificate:
# Make a service publicly accessible
tailscale funnel 3000
Perfect for quickly showing a demo or testing a webhook without setting up port forwarding or a reverse proxy.
Access Control Lists (ACLs)
Tailscale offers fine-grained access control through ACLs. You define in a simple JSON file which devices or users can access which services:
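{
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["*:*"]
    },
    {
      "action": "accept",
      "src": ["group:friends"],
      "dst": ["homeserver:80,443"]
    }
  ],
  "groups": {
    "group:admins": ["user@github"],
    "group:friends": ["friend@github"]
  },
  "hosts": {
    "homeserver": "100.64.0.2"
  }
}
This way you can give friends access to your Jellyfin server without them being able to reach your other services. The hosts entry is needed because ACL destinations refer to hosts aliases, tags, or IP addresses rather than MagicDNS names; the address used here is the one from the sample tailscale status output above.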
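To see what this policy actually permits, the following added example (not part of the original article, and not Tailscale's own evaluator) models the rule syntax used above in Python: groups, a hosts alias, `*` wildcards and comma-separated ports, with everything else denied. The function names and the hosts entry mapping homeserver to 100.64.0.2 are assumptions; port ranges, tags and autogroups are not modelled.

```python
import json

# Constructed sample: the policy from this article, plus a "hosts" alias for
# homeserver (address taken from the sample `tailscale status` output).
POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["group:admins"],  "dst": ["*:*"]},
    {"action": "accept", "src": ["group:friends"], "dst": ["homeserver:80,443"]}
  ],
  "groups": {"group:admins": ["user@github"], "group:friends": ["friend@github"]},
  "hosts": {"homeserver": "100.64.0.2"}
}
""")

def _src_matches(policy, src, user):
    """A src entry matches "*", the user itself, or a group containing the user."""
    if src in ("*", user):
        return True
    return user in policy.get("groups", {}).get(src, [])

def _dst_matches(policy, dst, host, port):
    """A dst entry is "<target>:<ports>"; ports is "*" or a comma-separated list."""
    target, _, ports = dst.rpartition(":")
    hosts = policy.get("hosts", {})
    # Compare by address so an alias and its IP are treated as the same node.
    same_host = target == "*" or hosts.get(target, target) == hosts.get(host, host)
    same_port = ports == "*" or str(port) in ports.split(",")
    return same_host and same_port

def is_allowed(policy, user, host, port):
    """Default deny: traffic passes only if some accept rule matches src and dst."""
    return any(
        rule.get("action") == "accept"
        and any(_src_matches(policy, s, user) for s in rule["src"])
        and any(_dst_matches(policy, d, host, port) for d in rule["dst"])
        for rule in policy.get("acls", [])
    )

def wildcard_rules(policy):
    """Return the src lists of rules that grant every port on every node."""
    return [r["src"] for r in policy.get("acls", []) if "*:*" in r["dst"]]

if __name__ == "__main__":
    for user, port in [("friend@github", 443), ("friend@github", 22), ("user@github", 22)]:
        print(user, port, is_allowed(POLICY, user, "homeserver", port))
    print("rules granting *:*:", wildcard_rules(POLICY))
```

Running a check like this before saving a policy change shows whether a new rule widens access beyond the ports you meant to share, and `wildcard_rules` lists the groups whose membership deserves the closest review.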
Exit Nodes
An exit node routes all of your internet traffic through another device in your tailnet. This is useful when you:
- Want to protect your traffic on an insecure Wi-Fi network
- Want to browse as if you were at home while traveling
- Need to bypass geo-restrictions
# On the homeserver: advertise as exit node
sudo tailscale up --advertise-exit-node
# On the laptop: use the exit node
sudo tailscale up --exit-node=homeserver
Subnet Routing
Not every device on your local network can run Tailscale (think IoT devices, printers, NAS). With subnet routing, you make your entire local network accessible through Tailscale:
# On a device in the local network (e.g., homeserver):
sudo tailscale up --advertise-routes=192.168.1.0/24
After that, you need to approve the route in the Tailscale admin panel. Once approved, you can access devices like 192.168.1.50 (e.g., your printer) from anywhere.
Sharing With Friends
Tailscale makes it easy to share individual devices with others. Through the sharing feature in the admin panel, you can:
- Share individual nodes with other Tailscale users
- Restrict access to specific ports via ACLs
- Revoke access at any time
This way you can give your buddy access to your Minecraft server without exposing your entire network.
Self-Hosted With Headscale
Want full control? Check out Headscale, an open-source implementation of the Tailscale coordination server. With it, everything runs on your own infrastructure.
services:
  headscale:
    image: headscale/headscale:latest
    container_name: headscale
    volumes:
      - ./headscale-config:/etc/headscale
      - ./headscale-data:/var/lib/headscale
    ports:
      - "8080:8080"
      - "9090:9090"
    command: serve
    restart: unless-stopped
Your clients then connect to your own server instead of Tailscale's servers. You retain full data control, perfect for privacy enthusiasts.
Conclusion
Tailscale is one of those tools that makes you wonder: Why didn't I use this sooner? The combination of WireGuard performance, zero-config setup, and the generous free plan makes it the perfect companion for your homelab.
Whether you just want to securely access your homeserver, reach your entire subnet on the go, or share services with friends, Tailscale makes it possible without requiring you to be a networking expert.