
How to Secure Your Homelab: Authelia, Tailscale, and No Open Ports

A practical, layered homelab security guide built on a real stack: close every inbound port with Tailscale, add HTTPS with a reverse proxy, and put SSO plus 2FA in front of everything with Authelia.

Budget Homelab · networking · security · tailscale · authelia

Most homelab security advice is written for a threat you do not have. It assumes a determined attacker is targeting you specifically, so it tells you to install a SIEM, segment ten VLANs, and read firewall logs every morning. For a home setup that is the wrong starting point. The thing actually probing your network is an automated scanner looking for an open port and a default password, and you can shut that down completely without any of the heavy machinery.

This guide is the security story for the whole site, told as one layered build. It assumes you have read the getting started overview and want a clear order of operations rather than a pile of disconnected tips. If you want the absolute fundamentals first (SSH hygiene, updates, why a flat home network is usually fine), read homelab security basics and come back. Everything below is built on the stack I actually run, so the links point at the specific setup guides for each piece.

A quick disclosure: this guide links to other guides on this site that contain affiliate links, and it recommends a hardware security key. I only point at gear I would buy for my own rack.

The only threat model that matters at home

Before touching a config file, get the threat model right, because it decides everything else. A home network faces three realistic risks, in this order:

  1. Automated internet scanning. Bots sweep the entire IPv4 space constantly, knocking on every public IP for open ports and known-vulnerable services. This is the overwhelming majority of what hits a home connection.
  2. Credential reuse. A password you used somewhere that leaked, now tried against your stuff.
  3. A service with a real vulnerability that you exposed to the internet before patching it.

Notice what is not on that list: a skilled human spending days to break into your Jellyfin server. That happens to banks, not to homelabs. Once you accept that, the strategy becomes obvious. Remove the public attack surface, stop reusing passwords, and keep things updated. The layers below do exactly that and nothing more.

The layered model

Think of it as four layers, each one independent of the others:

Layer               Job                                              Tool I use
1. Network access   Decide who can even reach the network            Tailscale
2. Transport        Clean hostnames and valid HTTPS                  Nginx Proxy Manager
3. Identity         One login, optional 2FA, in front of everything  Authelia
4. Host             Keep the box itself boring and patched           SSH keys, updates, secret hygiene

The order matters. Layer 1 delivers about 90 percent of the real-world benefit for the least effort, so it goes first. Each subsequent layer is something you add when you are ready, not a prerequisite for the last one.

Layer 1: Close every inbound port

This is the single highest-value change you can make, and it is mostly subtraction.

Go into your router and delete every port forward pointing at your homelab. All of them. The goal is a router that forwards nothing inbound, because a port that does not exist cannot be scanned, brute-forced, or exploited. The instinct to “just forward 443 and put a proxy in front” feels safe but still leaves a public door that bots will hammer forever.

You reach your services instead with Tailscale. Tailscale builds an encrypted WireGuard mesh between your devices using outbound connections, so your laptop and phone join the same private network as your server no matter where they physically are. When two devices cannot punch through their NATs directly, the traffic falls back to Tailscale's DERP relays, still end-to-end encrypted and still outbound-only from your side. Nothing inbound is required.

# On the homelab server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Install the app on your laptop and phone, sign in with the same account, and you can already reach the server by its 100.x.x.x address from anywhere. Enable subnet routing and you reach the entire LAN. The server has to forward packets for that, so turn on IP forwarding first. Note also that a second tailscale up is refused if its flags differ from the first unless you repeat every non-default flag you set earlier (or pass --reset), so keep the full flag set in one place:

echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf && sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
sudo tailscale up --advertise-routes=192.168.1.0/24

Approve the route in the Tailscale admin console and you are done. Tailscale's default ACL lets every device on the tailnet reach every other device, which is fine while the tailnet is only you; tighten it once family devices join. If you would rather not depend on a commercial coordination server, Headscale is a self-hosted, third-party reimplementation of it that the same clients can use. And if you have one service you genuinely want public (a blog, say), Cloudflare Tunnels expose a single service over an outbound connection without opening a port either. The full rationale for this approach is in why I do not open ports.

At this point an external scan of your home IP finds nothing. For a lot of people, this layer alone is a complete and reasonable security posture.

Layer 2: HTTPS on the inside with a reverse proxy

With the network locked down, the next problem is quality of life that also happens to be security. Reaching services by 192.168.1.100:8096 works, but you get plain HTTP or self-signed certificate warnings, no clean names, and nowhere central to enforce rules.

Nginx Proxy Manager fixes that. It gives every service a real hostname like jellyfin.yourdomain.com with a publicly trusted certificate, so browsers stop complaining and you stop memorizing port numbers. The hostname has to sit under a domain you actually own: a made-up suffix like .lan cannot get a certificate from Let's Encrypt, even though nothing under the domain will ever be reachable from the internet. More importantly for security, NPM becomes the one chokepoint where Layer 3 plugs in.

Pair it with internal DNS so those hostnames resolve. I run Technitium DNS for that, and a wildcard SSL certificate issued through Cloudflare's DNS challenge so one cert covers every subdomain without exposing anything publicly. None of this requires an open port, because the certificate is validated over DNS, not over an inbound HTTP request. Two details worth getting right: give NPM a Cloudflare API token scoped to editing DNS on that one zone rather than the account-wide Global API Key, since the token lives on the proxy box; and prefer the wildcard over per-host certificates, because every issued certificate is published to Certificate Transparency logs and a wildcard keeps the individual service names out of them. Point Tailscale's split DNS at Technitium as well, so the names resolve from your phone on the tailnet just as they do on the LAN.

The security payoff is structural: every request to every service now passes through one piece of software you control. That is exactly what you need for the next layer.

Layer 3: One login for everything with Authelia

Tailscale answers “can this device reach the network.” Authelia answers “has this person proven who they are.” Those are different questions, and on a shared homelab you want both.

Authelia runs as a forward-auth endpoint behind NPM. When a request comes in for a protected service, NPM asks Authelia whether the session is authorized. No valid session means a redirect to a single login portal. One set of credentials covers everything, and you can require TOTP two-factor on the sensitive services while leaving the harmless ones at single-factor. Rules are evaluated top to bottom and the first match wins, so the specific proxmox rule has to sit above the wildcard, and the portal's own hostname needs a bypass rule or nobody can reach the login page:

access_control:
  default_policy: deny
  rules:
    - domain: auth.yourdomain.com
      policy: bypass           # the login portal itself must stay reachable
    - domain: proxmox.yourdomain.com
      policy: two_factor       # the keys to the kingdom: require 2FA
    - domain: "*.yourdomain.com"
      policy: one_factor       # everything else: one login is enough
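To make the ordering point concrete, here is an added example (not Authelia's code, and not from the original page) that reimplements just the part of Authelia's rule engine the config above relies on: domain patterns, top-to-bottom first-match evaluation, and the default_policy fallback. The rules are the three from the config above with placeholder domains; the MISORDERED list is a constructed copy-paste mistake with the wildcard moved above the proxmox rule, and shadowed_rules is a small lint that catches exactly that. Real Authelia rules also accept subject, network, resource and method criteria, which are left out here.

```python
"""First-match evaluation of Authelia-style access_control rules.

Added example, not Authelia's own code: only domain patterns, first-match
ordering and default_policy are modelled, enough to show why rule ORDER
matters. Domain names are placeholders from the config above.
"""
from typing import Dict, List, Tuple

Rule = Dict[str, str]

# Rules as written above: portal bypass, then the specific host, then the wildcard.
RULES: List[Rule] = [
    {"domain": "auth.yourdomain.com", "policy": "bypass"},
    {"domain": "proxmox.yourdomain.com", "policy": "two_factor"},
    {"domain": "*.yourdomain.com", "policy": "one_factor"},
]
DEFAULT_POLICY = "deny"

# Constructed mistake: the wildcard pasted above the proxmox rule.
MISORDERED: List[Rule] = [RULES[0], RULES[2], RULES[1]]


def domain_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' that covers any subdomain (one or more
    labels) but not the bare apex, which is how Authelia documents wildcards."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".yourdomain.com"
    return host == pattern


def policy_for(host: str, rules: List[Rule] = RULES,
               default: str = DEFAULT_POLICY) -> str:
    """Walk the rules top to bottom; the first match decides.
    No match at all falls through to default_policy."""
    for rule in rules:
        if domain_matches(rule["domain"], host):
            return rule["policy"]
    return default


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Lint: (i, j) pairs where concrete-host rule i can never fire because an
    earlier rule j already matches its host. An empty list means the order is sane."""
    found: List[Tuple[int, int]] = []
    for i, rule in enumerate(rules):
        if rule["domain"].startswith("*."):
            continue
        for j in range(i):
            if domain_matches(rules[j]["domain"], rule["domain"]):
                found.append((i, j))
                break
    return found


if __name__ == "__main__":
    for host in ("auth.yourdomain.com", "proxmox.yourdomain.com",
                 "jellyfin.yourdomain.com", "yourdomain.com", "evil.com"):
        print(f"{host:26} correct={policy_for(host):10} "
              f"misordered={policy_for(host, MISORDERED)}")
    print("shadowed (correct):   ", shadowed_rules(RULES))
    print("shadowed (misordered):", shadowed_rules(MISORDERED))
```

With the rules in the order shown on the page, proxmox.yourdomain.com resolves to two_factor; with the wildcard moved up it silently drops to one_factor, and the lint reports the proxmox rule as shadowed by the wildcard. Note that the bare apex yourdomain.com is denied by both lists, because the wildcard does not cover it.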

The full forward-auth configuration, including the NPM advanced-config snippet, is in the Authelia setup guide. It is the most involved piece of this build, which is why it comes last. Do not start here.

For the second factor, a TOTP app on your phone is free and fine. If you want phishing-resistant 2FA, a hardware security key (a YubiKey or any WebAuthn key) is the upgrade, and it is the one piece of security hardware I think is worth buying for a homelab. Everything else here is software you already have.

Authelia is genuinely worth it when you share access with family, expose services to people who reuse passwords, or run apps with weak built-in auth. If you are a single user on your own devices, it is reasonable to stop at Layer 2 and revisit this later.

Layer 4: The boring basics that still do the heavy lifting

None of the layers above help if the host itself is soft. These steps are unglamorous and they prevent the failures that actually happen.

Use SSH keys, not passwords. Generate a key, copy it to the server, confirm a key login works from a second terminal before you lock the door, then disable password auth entirely. Turning off PasswordAuthentication alone is not enough on a PAM system, because KbdInteractiveAuthentication (ChallengeResponseAuthentication on OpenSSH before 8.7) still lets PAM prompt for a password, so turn that off too. And watch for included files: recent Ubuntu cloud images start sshd_config with Include /etc/ssh/sshd_config.d/*.conf, where 50-cloud-init.conf sets PasswordAuthentication yes, and since sshd keeps the first value it reads, an edit to the main file silently loses. Confirm the effective settings with sshd -T rather than trusting the file you edited (the service is named ssh on Debian and Ubuntu, sshd on most other distributions):

ssh-keygen -t ed25519
ssh-copy-id user@your-server
# log in with the key from a SECOND terminal and keep this one open, then in /etc/ssh/sshd_config:
#   PasswordAuthentication no
#   KbdInteractiveAuthentication no
#   PermitRootLogin no
# check /etc/ssh/sshd_config.d/*.conf too: an earlier "PasswordAuthentication yes" there wins
sudo sshd -t && sudo systemctl restart ssh
sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication'
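The include trap is easy to fall into, so here is an added example (not OpenSSH code, and not from the original page) that resolves sshd_config the way sshd does: Include directives are expanded where they appear and, for each keyword, the first value read wins. The two files are constructed in memory to mimic a stock Ubuntu 22.04 layout, with the edit from the step above applied to sshd_config and the untouched 50-cloud-init.conf still saying PasswordAuthentication yes. Match blocks are out of scope and stop the parse.

```python
"""Resolve the effective value of sshd_config keywords the way sshd does.

Added example, not OpenSSH code: Includes expand in place, the FIRST value
read for a keyword wins (sshd_config(5)), and Match blocks end the parse.
The files below are constructed to mimic Ubuntu 22.04, where sshd_config
opens with an Include and the cloud image ships 50-cloud-init.conf.
sshd_config has no inline-comment syntax, so none are used inside the files.
"""
import fnmatch
from typing import Dict

# Constructed stand-in for /etc/ssh after editing only sshd_config.
FILES: Dict[str, str] = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "# stock defaults omitted\n"
        "PubkeyAuthentication yes\n"
        "PasswordAuthentication no\n"
        "KbdInteractiveAuthentication no\n"
        "PermitRootLogin no\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# The fix: correct (or delete) the included file as well, not just sshd_config.
FIXED: Dict[str, str] = dict(FILES)
FIXED["/etc/ssh/sshd_config.d/50-cloud-init.conf"] = "PasswordAuthentication no\n"


def effective_config(path: str, files: Dict[str, str] = FILES) -> Dict[str, str]:
    """First-value-wins merge of a config file and everything it Includes.
    Keywords are case-insensitive; they are lowercased here, which is also
    how `sshd -T` prints them."""
    effective: Dict[str, str] = {}

    def walk(p: str) -> None:
        for raw in files[p].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "include":
                for included in sorted(fnmatch.filter(files, value)):
                    walk(included)  # expanded at the point of the Include
            elif key == "match":
                return  # conditional section; out of scope for this example
            else:
                effective.setdefault(key, value)  # later values never override

    walk(path)
    return effective


def password_login_possible(cfg: Dict[str, str]) -> bool:
    """True if sshd would still accept a password or a PAM keyboard-interactive
    login. Unset keywords take the sshd_config(5) defaults, which are 'yes'."""
    password = cfg.get("passwordauthentication", "yes") == "yes"
    # KbdInteractiveAuthentication was ChallengeResponseAuthentication before
    # OpenSSH 8.7; honour either spelling.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")) == "yes"
    return password or kbd


if __name__ == "__main__":
    for label, fs in (("as edited", FILES), ("after fixing the include", FIXED)):
        cfg = effective_config("/etc/ssh/sshd_config", fs)
        print(f"{label}: passwordauthentication={cfg['passwordauthentication']} "
              f"password_login_possible={password_login_possible(cfg)}")
```

On the real box the equivalent of effective_config is `sudo sshd -T`, which prints the merged result in the same lowercase form; grep that output for passwordauthentication and kbdinteractiveauthentication and expect both to read no.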

Keep everything updated. Unpatched software is risk number three from the threat model. Container images drift the fastest, so automate them. The homelab automation guide covers scheduled updates and Watchtower for keeping images current without babysitting.

Keep secrets out of your compose files. Do not commit a docker-compose.yml with a database password in plain text to a repo, even a private one. Use a .env file that stays out of version control, or a real secrets manager. A self-hosted Vaultwarden instance also solves the credential-reuse problem (risk number two) by making unique passwords effortless.
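A check you can run before every commit makes the rule above enforceable. The following is an added example, not a tool the page uses and not from the original: a dependency-free lint that flags environment entries whose key looks secret-bearing unless the value is a ${VAR} reference, and flags any value carrying user:password@ credentials inside a URL, which a key-name check alone would miss. Keys ending in _FILE are accepted because that is the convention for values read from Docker secrets. Both compose files below are constructed for the demonstration; the second is the first one with its secrets moved into .env.

```python
"""Lint a docker-compose.yml for literal secrets before it reaches a repo.

Added example, not a tool the page uses. Line-based on purpose so it needs
no YAML library and can sit in a pre-commit hook. The compose texts are
constructed for the demonstration.
"""
import re
from typing import List, Tuple

SECRET_KEY = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
ENV_LIST = re.compile(r"^\s*-\s*[\"']?([A-Za-z_][A-Za-z0-9_]*)=(.*?)[\"']?\s*$")  # - KEY=value
ENV_MAP = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*(\S.*)$")                   # KEY: value
VAR_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*(:?[-?+].*)?\}?$")             # ${VAR}, ${VAR:?msg}, $VAR
URL_CREDS = re.compile(r"://[^/\s:@]+:(?!\$)[^@\s]+@")                            # scheme://user:literalpw@host

Finding = Tuple[int, str, str]  # (line number, key, reason)

SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=app
      - POSTGRES_PASSWORD=hunter2
  app:
    image: ghcr.io/example/app:1.0
    env_file: .env
    environment:
      DATABASE_URL: postgres://app:hunter2@db/app
      API_TOKEN: ${API_TOKEN:?set it in .env}
      SECRET_KEY_FILE: /run/secrets/app_key
"""

SAMPLE_FIXED = """\
services:
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=app
      - POSTGRES_PASSWORD=${DB_PASSWORD:?set it in .env}
  app:
    image: ghcr.io/example/app:1.0
    env_file: .env
    environment:
      DATABASE_URL: postgres://app:${DB_PASSWORD}@db/app
      API_TOKEN: ${API_TOKEN:?set it in .env}
      SECRET_KEY_FILE: /run/secrets/app_key
"""


def is_variable_reference(value: str) -> bool:
    """${VAR}, ${VAR:?must be set}, $VAR, optionally quoted: resolved from .env at runtime."""
    return bool(VAR_REF.match(value.strip().strip("'\"")))


def find_literal_secrets(compose_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        match = ENV_LIST.match(line) or ENV_MAP.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if URL_CREDS.search(value):
            findings.append((lineno, key, "credentials embedded in URL"))
        elif (SECRET_KEY.search(key) and not key.upper().endswith("_FILE")
              and not is_variable_reference(value)):
            findings.append((lineno, key, "literal secret value"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    found = find_literal_secrets(text)
    for lineno, key, reason in found:
        print(f"line {lineno}: {key}: {reason}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit in a pre-commit hook
```

Run it as `python check_compose.py docker-compose.yml` from a pre-commit hook; the non-zero exit blocks the commit. The URL check is the one people forget: a DATABASE_URL with the password inline is just as leaked as a POSTGRES_PASSWORD line, and the key name gives no hint.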

Back up before you need to. Security includes being able to recover. If ransomware or a bad update ever does reach you, a tested backup turns a disaster into an afternoon.

The order I would build this in

If you are starting from a fresh homelab, do them in this sequence and stop whenever your needs are met:

  1. Delete every router port forward and set up Tailscale. (Biggest win, least effort.)
  2. Switch to SSH keys and turn off password login.
  3. Stand up Nginx Proxy Manager with internal DNS and a wildcard cert.
  4. Automate updates and back up your data.
  5. Add Authelia with 2FA on the sensitive services.

Steps 1 and 2 take an evening and cover the two most common real-world risks. Steps 3 through 5 are about polish, scale, and sharing.

Verify it actually worked

Do not assume, check. From a device that is off your network and off Tailscale (cellular data on your phone is perfect), run an external port scan against your public IP. Use a “what is my IP” lookup to find the address, then a public port scanner against it. Every port should read closed or filtered; only open is a failure. Scan your IPv6 address as well if your ISP gives you one: there is no NAT to hide behind on IPv6, so a router that forwards nothing on IPv4 can still pass inbound IPv6 traffic straight to a host unless its IPv6 firewall is on.

If something answers, you missed a forward in the router or a UPnP rule opened one automatically. Disable UPnP while you are in there; it is the usual culprit for ports you did not knowingly open.

A clean external scan is the whole goal of Layer 1, and it is the most satisfying confirmation in this entire build.
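If you would rather run the check yourself than trust a third-party scanner, here is an added example (not from the original page) that classifies a set of TCP ports on your public address the way the section above describes, and fails only on open. The connect function is injectable so the classification logic can be exercised offline with the constructed fake_connector below; the real run at the bottom uses socket.create_connection and must be launched from a device on neither your LAN nor your tailnet. The port list and the 203.0.113.10 address are constructed for the demonstration.

```python
"""Classify TCP ports on a public address as open / closed / filtered.

Added example, not from the page. 'open' means the handshake completed and
something is listening behind a forward; 'closed' means a RST came back, the
router answered but forwards nothing; 'filtered' means no answer at all. Only
'open' fails Layer 1. The fake connector and addresses are constructed.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, Tuple

# Ports scanners try first: admin, file sharing, remote desktop, media, web.
# Constructed list, not exhaustive.
COMMON_PORTS: Tuple[int, ...] = (21, 22, 23, 80, 443, 445, 3389, 8080, 8096, 8443, 32400)

Connector = Callable[[Tuple[str, int], float], object]


def classify(host: str, port: int, connect: Connector = socket.create_connection,
             timeout: float = 3.0) -> str:
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"      # RST received: reachable, nothing forwarded
    except OSError:          # timeout (TimeoutError/socket.timeout) or unreachable
        return "filtered"
    sock.close()             # handshake completed: a real listener answered
    return "open"


def scan(host: str, ports: Iterable[int] = COMMON_PORTS,
         connect: Connector = socket.create_connection) -> Dict[int, str]:
    return {port: classify(host, port, connect) for port in ports}


def layer1_clean(results: Dict[int, str]) -> bool:
    """The whole point of Layer 1: nothing may be open."""
    return "open" not in results.values()


class _FakeSocket:
    def close(self) -> None:
        pass


def fake_connector(address: Tuple[str, int], timeout: float) -> _FakeSocket:
    """Constructed stand-in for socket.create_connection: 443 answers (a forward
    you forgot), 22 is refused by the router, everything else times out."""
    port = address[1]
    if port == 443:
        return _FakeSocket()
    if port == 22:
        raise ConnectionRefusedError("connection refused")
    raise TimeoutError("timed out")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])  # real scan of the address given on the command line
    else:
        results = scan("203.0.113.10", (22, 443, 8096), fake_connector)  # offline demo
    for port, state in results.items():
        print(f"{port:6} {state}")
    print("Layer 1 clean" if layer1_clean(results) else "OPEN PORT FOUND: fix the router")
```

A TCP connect check like this is deliberately simpler than nmap: it only tells you whether something accepts a connection, which is exactly the question Layer 1 asks. Run it with your public IPv4 address and, if you have one, your public IPv6 address.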

What I run, and what I skip

My setup is exactly the four layers above: Tailscale for access, Nginx Proxy Manager plus Technitium DNS and a wildcard cert for transport, Authelia for identity, and ordinary host hygiene underneath. No public ports, ever.

What I deliberately skip at home: a full SIEM, intrusion detection on every service, network segmentation into many VLANs, and most of the enterprise checklist. Those tools earn their keep when you have a large attack surface and a compliance requirement. A homelab with no open ports has neither. Adding them would be cost and complexity buying very little additional safety, which is the opposite of how this site thinks about everything.

Security at home is not about stacking every possible control. It is about removing the exposure that scanners actually exploit, then making your own access clean and unique. Four layers, built in order, and you are past the level of effort almost any attacker would spend on a home network.

See the full set of services this protects, and the guides for each one, at /stack/. Still deciding between Tailscale and a hand-rolled VPN for Layer 1? WireGuard vs Tailscale compares them on setup time, port requirements, and long-term maintenance.