Tailscale for Home Lab: Zero-Config Remote Access
WireGuard is excellent. It's fast, it's simple, and it's built into the Linux kernel. But setting it up properly requires port forwarding, dynamic DNS, key management, and firewall configuration. If your ISP uses CGNAT, it might not work at all without a relay server.
Tailscale takes WireGuard and wraps it in a coordination layer that handles all of that for you. No port forwarding. No dynamic DNS. No key management headaches. You install it on your devices, log in, and they can talk to each other, even through NAT, firewalls, and CGNAT. It's WireGuard underneath, so the data path has the same performance and the same encryption; what changes is that you now trust Tailscale's coordination server to distribute public keys and enforce your access policy.
For homelabs, Tailscale is particularly compelling because it lets you access your home network from anywhere without exposing any ports to the internet.
How Tailscale Works
Tailscale uses a coordination server to help your devices find each other and exchange WireGuard public keys. The actual traffic flows directly between your devices (peer-to-peer) — Tailscale's servers never see your data.
When two devices can't establish a direct connection (both behind strict NAT), Tailscale uses DERP (Designated Encrypted Relay for Packets) relay servers. These are encrypted relays that forward traffic — they can't read it because it's still WireGuard-encrypted end-to-end.
In practice, most connections are direct. Tailscale's NAT traversal is remarkably good at punching through firewalls.
Each device on your Tailscale network (called a "tailnet") gets a stable IPv4 address from 100.64.0.0/10 (the CGNAT range, which is why they look like 100.x.x.x) plus a matching IPv6 address. These addresses persist even if your physical network changes.
Setting Up Tailscale
Install on Linux (Your Homelab Server)
# One-line install. Read the script first (or use the package repository for
# your distribution, documented on tailscale.com) if you'd rather not pipe a
# remote script straight into sh.
curl -fsSL https://tailscale.com/install.sh | sh
# Start and authenticate
sudo tailscale up
This prints a URL. Open it in your browser, log in with your identity provider (Google, Microsoft, GitHub, etc.), and the device is added to your tailnet. Whoever can log in to that identity provider account controls your tailnet, so protect it with strong MFA.
Install on Other Devices
- macOS: Download from the Mac App Store or brew install tailscale
- Windows: Download from tailscale.com
- iOS/Android: Install from the App Store or Google Play
- Linux VMs/Containers: Same curl | sh command as above
Each device you install Tailscale on joins your network and can reach every other device directly.
Verify Connectivity
After installing on two or more devices:
# Check status
tailscale status
# Ping another device by its Tailscale name
tailscale ping my-laptop
# See your Tailscale IP
tailscale ip
You can now SSH to your homelab server from your laptop using its Tailscale IP or hostname, from anywhere in the world.
Subnet Routing: Access Your Entire LAN
By default, Tailscale only lets you access devices that have Tailscale installed. But your NAS, printers, IoT devices, and other machines probably don't (and shouldn't) run Tailscale.
Subnet routing solves this. You designate one Tailscale device as a subnet router that advertises your home LAN to the rest of your tailnet.
On your homelab server:
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
# Advertise your home subnet
sudo tailscale up --advertise-routes=192.168.1.0/24
Then go to the Tailscale admin console (login.tailscale.com), find the device, and approve the route. One thing to know: tailscale up is not additive. If you run it again with a different set of flags, it refuses unless you repeat every previously set non-default flag or pass --reset; to change a single setting on a node that is already up, use tailscale set (for example tailscale set --advertise-routes=192.168.1.0/24).
Now, from any device on your tailnet, you can access 192.168.1.x addresses — your NAS at 192.168.1.50, your printer at 192.168.1.200, your router at 192.168.1.1 — all through the encrypted tunnel. Remember that a subnet route is only as restricted as your ACLs: with the default allow-all policy, every member of the tailnet can now reach every host on that LAN, so pair subnet routing with the ACLs described below.
Multiple Subnets
If your homelab has multiple VLANs:
sudo tailscale up --advertise-routes=192.168.1.0/24,192.168.10.0/24,10.0.0.0/24
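Before advertising routes it is worth checking them for the two mistakes that bite later: a route that clashes with Tailscale's own 100.64.0.0/10 node range (or is really a default route), and a route that collides with the network a client is physically sitting on. The check below is an added example, not Tailscale tooling. The advertised routes are the ones from this page; the client-side networks are constructed (a hotel Wi-Fi that also uses 192.168.1.0/24 is the classic conflict), and on a real client you would read them from the interface table instead.

```python
"""Sanity-check a subnet router's advertised routes.

Added example, not Tailscale's own code. Checks:
1. Each route parses as a proper network (no host bits set).
2. No route is a default route (that is what --advertise-exit-node is for)
   or overlaps 100.64.0.0/10, which Tailscale uses for node addresses.
3. No route is already covered by a broader route in the same list.
4. No route overlaps a network the client is directly attached to; such
   traffic is ambiguous and which side wins depends on the client platform.
"""
import ipaddress

TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def check_routes(advertised, client_local_nets):
    """Return a list of (route, problem) tuples; an empty list means clean.

    advertised: CIDR strings as passed to --advertise-routes.
    client_local_nets: CIDR strings for networks a client is attached to
    (constructed for this example; a real tool would read them from the OS).
    """
    problems = []
    routes = []
    for r in advertised:
        try:
            routes.append(ipaddress.ip_network(r, strict=True))
        except ValueError as e:
            problems.append((r, f"not a valid network: {e}"))
    # Interface addresses like 192.168.1.37/24 are fine here, hence strict=False.
    locals_ = [ipaddress.ip_network(n, strict=False) for n in client_local_nets]

    for net in routes:
        if net.prefixlen == 0:
            problems.append((str(net), "default route: use --advertise-exit-node instead"))
        if net.version == 4 and net.overlaps(TAILSCALE_CGNAT):
            problems.append((str(net), "overlaps Tailscale's 100.64.0.0/10 node range"))
        for other in routes:
            if other is not net and other.version == net.version and net.subnet_of(other):
                problems.append((str(net), f"already covered by {other}"))
        for local in locals_:
            if local.version == net.version and net.overlaps(local):
                problems.append((str(net), f"collides with client-local network {local}"))
    return problems


if __name__ == "__main__":
    # The page's routes plus one bad one, checked against a constructed client
    # that is on a hotel Wi-Fi which also happens to use 192.168.1.0/24.
    findings = check_routes(
        ["192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/24", "100.100.0.0/16"],
        ["192.168.1.0/24", "fe80::/64"],
    )
    for route, why in findings:
        print(f"{route}: {why}")
```

A collision with the client's own LAN is the one you cannot fix from the router side: renumbering your home LAN to something less common than 192.168.1.0/24 or 192.168.0.0/24 is the durable cure.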
Exit Nodes: Route All Traffic Through Home
An exit node routes ALL your internet traffic through a specific device. This is like a traditional full-tunnel VPN — useful when you're on untrusted WiFi and want everything encrypted back through your home connection.
On your homelab server:
sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node
Approve the exit node in the admin console.
On your client (phone, laptop):
# Use the exit node
sudo tailscale up --exit-node=homelab-server
# Add --exit-node-allow-lan-access if you still need the local LAN
# (a printer, say) while the exit node is on
# Or on mobile, toggle it in the app settings
Now all your traffic exits through your home internet connection. Your browsing appears to come from your home IP, and all traffic between your device and home is encrypted.
Trade-off: Everything goes through your home connection, so throughput is capped by its upload speed and every packet takes a detour through home, which adds latency. Only enable the exit node when you need it (public WiFi, hotel networks).
Tailscale SSH (Skip SSH Key Management)
Tailscale can handle SSH authentication using your Tailscale identity and your tailnet's ACL policy, eliminating the need to manage SSH keys across all your devices: tailscaled answers SSH connections that arrive over the tailnet and authorizes them against the ssh rules in your policy instead of authorized_keys.
On the target machine:
sudo tailscale up --ssh
In your Tailscale ACL policy, add:
{
"ssh": [
{
"action": "accept",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot", "root"]
}
]
}
Now you can SSH to any Tailscale machine without managing authorized_keys files:
ssh user@homelab-server # Uses Tailscale identity, no key needed
Two details of the rule above matter in practice. autogroup:self only matches devices owned by the connecting user, so a server you joined with a tag needs that tag (for example tag:server) in dst instead. And for root, "action": "check" is the safer choice: it forces a fresh browser re-authentication before the session is allowed rather than granting it silently.
ACLs: Controlling Access
If you share your tailnet with family members or have devices with different trust levels, ACLs (Access Control Lists) let you control who can reach what.
Go to the admin console, then Access Controls. The policy is JSON:
{
  "acls": [
    // Admins can access everything
    {
      "action": "accept",
      "src": ["group:admin"],
      "dst": ["*:*"]
    },
    // Family can only access the NAS and media server
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": [
        "nas:445",
        "jellyfin:8096"
      ]
    }
  ],
  "groups": {
    "group:admin": ["user@gmail.com"],
    "group:family": ["spouse@gmail.com", "kid@gmail.com"]
  },
  // Names used in "dst" must be defined here; ACLs don't resolve MagicDNS
  // hostnames. Use the device's Tailscale IP, or a LAN IP reached through
  // a subnet router. The jellyfin address is a placeholder.
  "hosts": {
    "nas": "192.168.1.50",
    "jellyfin": "100.64.0.10"
  }
}
Once the policy contains any acls, everything not explicitly accepted is denied (the policy a new tailnet ships with accepts everything), and destination names such as nas and jellyfin have to be defined in the hosts section, since ACLs don't resolve MagicDNS names. This keeps your homelab management interfaces (Proxmox, router admin, SSH) restricted to you, while family can access shared resources.
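To see what a policy actually permits before pasting it into the admin console, it helps to evaluate a few concrete connections against it. The evaluator below is an added example and a deliberately small model of the documented semantics, not Tailscale's implementation: it understands groups, hosts, src/dst rules, port lists and the * wildcard, and nothing else (no tags, autogroups, protocols or ssh rules). The policy embedded in it is the page's own with the hosts block it needs; the NAS address is the one used earlier on the page, the Jellyfin and Proxmox addresses are constructed.

```python
"""Miniature evaluator for Tailscale-style ACL policies (added example).

Models only: groups, hosts, acls with src/dst, port specs ("*", "445",
"8000-8100") and deny-by-default. Destinations are IPv4 "name:port" entries,
where name is a hosts alias, a literal IP/CIDR, or "*".
"""
import ipaddress


def _ports_match(spec, port):
    """Port spec: "*", a single port, or an inclusive "lo-hi" range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _src_matches(entry, groups, user):
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return user in groups.get(entry, [])
    return entry == user  # a bare login name


def _dst_matches(entry, hosts, ip, port):
    name, _, portspec = entry.rpartition(":")
    target = hosts.get(name, name)  # resolve a "hosts" alias, else literal
    if target == "*":
        return _ports_match(portspec, port)
    net = ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(ip) in net and _ports_match(portspec, port)


def allowed(policy, user, dst_ip, dst_port):
    """True if some accept rule matches user -> dst_ip:dst_port. Deny by default."""
    groups = policy.get("groups", {})
    hosts = policy.get("hosts", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_src_matches(s, groups, user) for s in rule["src"]):
            continue
        if any(_dst_matches(d, hosts, dst_ip, dst_port) for d in rule["dst"]):
            return True
    return False


# The page's policy plus the "hosts" block it needs. ACL destinations resolve
# through "hosts", not MagicDNS. Jellyfin and Proxmox addresses are constructed.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:family"],
         "dst": ["nas:445", "jellyfin:8096"]},
    ],
    "groups": {
        "group:admin": ["user@gmail.com"],
        "group:family": ["spouse@gmail.com", "kid@gmail.com"],
    },
    "hosts": {
        "nas": "192.168.1.50",         # LAN host reached via the subnet router
        "jellyfin": "100.64.0.10",     # constructed Tailscale IP
        "proxmox": "192.168.1.10",     # constructed LAN IP
    },
}

if __name__ == "__main__":
    checks = [
        ("spouse@gmail.com", "192.168.1.50", 445),   # family -> NAS SMB: allowed
        ("kid@gmail.com", "100.64.0.10", 8096),      # family -> Jellyfin: allowed
        ("kid@gmail.com", "192.168.1.10", 8006),     # family -> Proxmox UI: denied
        ("kid@gmail.com", "192.168.1.50", 22),       # family -> NAS SSH: denied
        ("user@gmail.com", "192.168.1.10", 8006),    # admin -> Proxmox UI: allowed
    ]
    for user, ip, port in checks:
        print(f"{user:18} -> {ip}:{port:<5} {'accept' if allowed(POLICY, user, ip, port) else 'deny'}")
```

The useful habit this builds is writing down the connections you expect to be denied, not only the ones you expect to work; a policy that lets the kid's phone reach port 8006 looks identical to a correct one until you test the negative case.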
MagicDNS: Hostnames Instead of IPs
Tailscale includes MagicDNS, which lets you use device hostnames instead of 100.x.x.x addresses. Enable it in the admin console under DNS.
Once enabled:
ssh homelab-server # Instead of ssh 100.64.0.1
ping nas # Instead of ping 100.64.0.2
curl http://grafana:3000 # Instead of http://100.64.0.3:3000
Your tailnet also has a name ending in .ts.net (shown, and re-rollable, under DNS in the admin console), so every device has a fully qualified name of the form hostname.your-tailnet-name.ts.net for use where the short name isn't in the search path.
Split DNS
If you run Pi-hole or another local DNS resolver, you can configure Tailscale to use it for specific domains while using Tailscale's DNS for everything else:
In the admin console under DNS, add a nameserver:
- Nameserver:
192.168.1.53(your Pi-hole) - Restrict to domain:
home.lan
Now, anything.home.lan resolves through your Pi-hole, while other domains use Tailscale's global DNS settings. Remote clients can only use this if 192.168.1.53 is reachable from the tailnet, which means through the subnet route you advertised earlier (or, if the Pi-hole itself runs Tailscale, enter its 100.x address here instead).
Tailscale on Proxmox
Running Tailscale on your Proxmox host gives you remote access to the Proxmox web UI and all your VMs/containers:
# Install on Proxmox (the host is Debian underneath, so the same script works)
curl -fsSL https://tailscale.com/install.sh | sh
# Enable IP forwarding as in the subnet routing section, then advertise the
# management and VM networks
sudo tailscale up --advertise-routes=192.168.1.0/24,10.0.0.0/24
Now you can access the Proxmox web UI at https://proxmox:8006 from any Tailscale device, even from your phone on cellular data. No port forwarding, no exposing your hypervisor to the internet. Do lock port 8006 down to your admin group in the ACLs, though: the hypervisor console is the last thing a family member's lost phone should be able to reach.
Tailscale vs Self-Hosted WireGuard
This is a common debate. Here's the honest comparison:
| Feature | Tailscale | Self-Hosted WireGuard |
|---|---|---|
| Setup complexity | Minutes | Hours |
| Port forwarding needed | No | Yes |
| Works through CGNAT | Yes | No (without relay) |
| Key management | Automatic | Manual |
| Cost | Free for personal (100 devices) | Free |
| Privacy | Tailscale sees metadata | Fully self-hosted |
| Dependency | Tailscale's coordination server | None |
| Subnet routing | Built-in | Manual iptables |
| Multi-user ACLs | Built-in | Manual config |
Choose Tailscale when: You want it to just work, you're behind CGNAT, you want to share access with family, or you're tired of managing WireGuard configs.
Choose self-hosted WireGuard when: You want zero external dependencies, you're privacy-conscious about metadata, or you want to learn the underlying protocol.
Use both: Many homelabbers run Tailscale for convenience and keep a self-hosted WireGuard config as a backup in case Tailscale has an outage.
Headscale: Self-Hosted Alternative
If you want Tailscale's convenience without depending on Tailscale's servers, Headscale is an open-source implementation of the Tailscale coordination server. Your devices still run the official Tailscale client, but they coordinate through your own server.
# Install Headscale on a VPS or homelab server. A config.yaml must already exist
# in /etc/headscale, and the server needs TLS in front of port 8080 before any
# client is pointed at it. Pin a release tag rather than :latest in practice.
docker run -d --restart=unless-stopped \
-p 8080:8080 \
-v /etc/headscale:/etc/headscale \
-v /var/lib/headscale:/var/lib/headscale \
--name headscale headscale/headscale:latest \
serve
# Point each client at your server instead of Tailscale's (example hostname)
sudo tailscale up --login-server=https://headscale.example.com
This gives you full control over the coordination server, at the cost of running, securing and maintaining it yourself: that server now holds the authority to admit nodes and distribute keys for your whole tailnet, so it deserves the same care as any other identity system. It's a solid option for homelabbers who want the best of both worlds.
Practical Tips
Install Tailscale on your most important device first: Your main server or Proxmox host. Then add your phone and laptop. You'll have remote access within 10 minutes.
Use tags for device groups: In the admin console, tag devices by function (tag:server, tag:workstation, tag:iot). Reference tags in ACLs for cleaner policies.
Enable key expiry wisely: By default, node keys expire after 180 days and the device must re-authenticate. For servers, disable key expiry in the admin console so they don't drop off the tailnet while you're away; the trade-off is that such a node stays authorized until you remove it, so treat compromise of that machine as compromise of its tailnet access and revoke it promptly.
Monitor with tailscale status --json: Pipe this into your monitoring system to track which devices are online and their connection types. Each peer entry carries an Online flag, a CurAddr (the direct endpoint, empty when the connection is going through a DERP relay) and a Relay field naming the DERP region in use, so direct versus relayed is easy to derive.
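As a starting point for that monitoring, here is an added example (not Tailscale tooling) that classifies every peer in the status JSON as direct, relayed, offline or expired. The sample document is constructed in the shape of tailscale status --json and contains only the fields the script reads (HostName, TailscaleIPs, Online, CurAddr, Relay, Expired); the node keys and addresses in it are placeholders.

```python
"""Classify tailnet peers from `tailscale status --json` (added example).

CurAddr is the peer's direct endpoint and is empty when traffic is relayed;
Relay is the DERP region code in use (empty on a direct path). Expired marks
a peer whose node key has lapsed and which must re-authenticate.
"""
import json
import subprocess
import sys

# Constructed sample in the shape of `tailscale status --json`; placeholder
# node keys, hostnames and addresses.
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "MagicDNSSuffix": "example-tailnet.ts.net",
    "Self": {"HostName": "homelab-server", "TailscaleIPs": ["100.64.0.1"],
             "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "my-laptop", "TailscaleIPs": ["100.64.0.2"],
                         "Online": True, "CurAddr": "203.0.113.7:41641",
                         "Relay": "", "Expired": False},
        "nodekey:bbbb": {"HostName": "phone", "TailscaleIPs": ["100.64.0.3"],
                         "Online": True, "CurAddr": "", "Relay": "fra",
                         "Expired": False},
        "nodekey:cccc": {"HostName": "old-pi", "TailscaleIPs": ["100.64.0.4"],
                         "Online": False, "CurAddr": "", "Relay": "",
                         "Expired": True},
    },
})


def classify_peers(status_json):
    """Return {hostname: state} with state in direct/relayed/offline/expired."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if peer.get("Expired"):
            result[name] = "expired"        # needs re-authentication
        elif not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            result[name] = "direct"         # peer-to-peer WireGuard path
        else:
            result[name] = "relayed"        # going through a DERP region
    return result


def summarize(states):
    """Count peers per state, e.g. for a metrics push."""
    counts = {"direct": 0, "relayed": 0, "offline": 0, "expired": 0}
    for state in states.values():
        counts[state] += 1
    return counts


if __name__ == "__main__":
    # Pass --live to query the real daemon; otherwise run on the sample.
    if "--live" in sys.argv:
        raw = subprocess.run(["tailscale", "status", "--json"],
                             check=True, capture_output=True, text=True).stdout
    else:
        raw = SAMPLE_STATUS
    states = classify_peers(raw)
    for host, state in sorted(states.items()):
        print(f"{host:20} {state}")
    print(summarize(states))
```

A peer that is persistently relayed is worth a look: it usually means a firewall or NAT on one side is blocking UDP, and the fix (allowing outbound UDP 41641, or a static port) is on the network, not in Tailscale.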
Tailscale has become the default remote access solution for homelabs because it removes friction. You install it, you authenticate, and your devices can talk to each other regardless of where they are or what network they're on. The free tier covers 100 devices with 3 users, more than enough for any homelab. Set it up once, and remote access stops being something you think about.