beginner

Tailscale for Your Homelab: Remote Access Without Port Forwarding

Set up Tailscale on your homelab server and access every service securely from anywhere — no port forwarding, no public IP required.

Budget Homelab · networking, vpn, home-network

Before Tailscale, remote access to a homelab meant one of two things: open ports on your router (exposing services to the internet) or run a traditional VPN like OpenVPN or WireGuard (annoying to configure, certificate management, the whole thing). Tailscale replaced both of those for me and has been running without a problem since.

Tailscale creates an encrypted mesh network — a “tailnet” — between your devices. Your laptop, phone, and homelab server are all on the same private network, regardless of where they physically are. No ports open on your router. No public IP required for your server.

This guide covers basic setup plus the subnet routing configuration I run, which gives you access to your entire homelab network (not just the machine Tailscale is installed on).

Prerequisites

A working homelab server (Linux, running Docker or Proxmox) and a Tailscale account. The free personal tier covers up to 100 devices — plenty for a home setup.

Create an account at tailscale.com if you don’t have one.

Step 1: Install Tailscale on your server

SSH into your server and run:

curl -fsSL https://tailscale.com/install.sh | sh

This installs the Tailscale daemon and CLI. After it completes:

sudo tailscale up

This prints an authentication URL. Open it in a browser, log in with your Tailscale account, and your server is added to your tailnet. You’ll see it appear in the Tailscale admin console at login.tailscale.com/admin/machines.

Check the IP Tailscale assigned:

tailscale ip -4

This gives you a 100.x.x.x address — your server’s address on the tailnet.

Step 2: Install Tailscale on your other devices

Download Tailscale on your laptop, phone, or anywhere else you want access:

Log in with the same Tailscale account on all devices. They’ll all appear in your admin console with 100.x.x.x addresses.

Step 3: Test connectivity

From your laptop (with Tailscale running), ping your server using its Tailscale IP:

ping 100.x.x.x

If it responds, you have connectivity. Now try accessing a service by IP and port:

curl http://100.x.x.x:81

That should reach your Nginx Proxy Manager UI (if you have NPM running). Any service on your server is now accessible from your laptop by its Tailscale IP, even when you’re away from home.

Step 4: Enable subnet routing (access your whole network)

The basic Tailscale setup only gives you access to the machine Tailscale is installed on. Subnet routing advertises your home network’s IP range to your other devices, so you can reach any device on your network (router, NAS, IoT devices, other servers) by their local IP.

On your server, enable subnet routing:

sudo tailscale up --advertise-routes=192.168.1.0/24

Replace 192.168.1.0/24 with your actual home network range. My network is 192.168.1.0/24 — a broader range that covers all my homelab subnets:

sudo tailscale up --advertise-routes=192.168.1.0/24

After running this, go to the Tailscale admin console, find your server, click the three dots, and enable the advertised subnet routes. Tailscale requires manual approval for subnet routes as a security measure.

On your client devices, accept the routes. On macOS:

tailscale up --accept-routes

Now you can reach any device on your home network by its local IP from anywhere. My NAS, router admin page, and other servers are all accessible from my laptop on the road without any port forwarding.
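Once a route is approved, every address in it is reachable from tailnet devices that accept routes (subject to your tailnet's access rules), and a Linux subnet router only passes that traffic when kernel IPv4 forwarding is on. The preflight below is an added example, not part of the original guide or of Tailscale's tooling; the function names and the MIN_PREFIX threshold (default /16) are assumptions.

```shell
# Added example; function names and the MIN_PREFIX policy are hypothetical.

# Dotted-quad IPv4 -> 32-bit integer; fails on malformed input.
ip_to_int() (
  IFS=.; set -f; set -- $1
  [ "$#" -eq 4 ] || exit 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|????*|0?*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeeds if CIDR $1 lies entirely inside CIDR $2.
cidr_within() (
  [ "${1#*/}" -ge "${2#*/}" ] || exit 1
  a=$(ip_to_int "${1%/*}") && b=$(ip_to_int "${2%/*}") || exit 1
  m=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( $a & $m )) -eq $(( $b & $m )) ]
)

# Prints ok | invalid | not-private | too-broad; returns 0 only for ok.
check_route() {
  len=${1#*/}
  case "$1" in */*) ;; *) echo invalid; return 2 ;; esac
  case "$len" in ''|*[!0-9]*|???*|0?*) echo invalid; return 2 ;; esac
  net=$(ip_to_int "${1%/*}") && [ "$len" -le 32 ] || { echo invalid; return 2; }
  # Host bits set (192.168.1.5/24) usually means a typo.
  [ $(( $net & (0xFFFFFFFF >> $len) )) -eq 0 ] || { echo invalid; return 2; }
  for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if cidr_within "$1" "$block"; then
      # A short prefix exposes far more hosts than a single home LAN.
      [ "$len" -ge "${MIN_PREFIX:-16}" ] || { echo too-broad; return 1; }
      echo ok; return 0
    fi
  done
  echo not-private; return 1
}

# Linux only forwards routed packets when this sysctl reads 1.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Print the command only when both checks pass (nothing is executed).
preflight() {
  verdict=$(check_route "$1") || { echo "refusing $1: $verdict" >&2; return 1; }
  forwarding_enabled || { echo "IPv4 forwarding is off" >&2; return 1; }
  echo "sudo tailscale up --advertise-routes=$1"
}
```

Source the file and run `preflight 192.168.1.0/24`; set MIN_PREFIX lower if you deliberately advertise a wider private range.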


Step 5: Set up split DNS (access services by hostname)

With subnet routing, you can reach 192.168.1.100 from anywhere. But npm.homelab.lan is nicer, and it’s what your SSL certificates are issued for.

Split DNS tells your devices to resolve homelab.lan (or whatever internal domain you use) using your internal DNS server, while everything else resolves normally through public DNS.

In the Tailscale admin console, go to DNS → Add nameserver → Custom. Enter your internal DNS server’s IP (Technitium, Pi-hole, or AdGuard Home) and the domain it should handle.

From that point, npm.homelab.lan resolves to 192.168.1.100 when you’re on Tailscale, just like it does at home.


Enabling MagicDNS

Tailscale’s MagicDNS feature lets you reach devices by their machine name on the tailnet without IP addresses. Enable it in DNS → Enable MagicDNS in the admin console.

With MagicDNS on, your server (if you named it pve) is reachable as pve from any device on the tailnet. Useful for SSH: ssh root@pve instead of ssh root@100.x.x.x.

Running Tailscale as a Docker container (optional)

If you’re running a Docker-heavy setup and prefer not to install Tailscale as a system package, you can run it as a container:

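services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: my-homelab
    restart: unless-stopped
    # Share the host's network stack so the container can route for the LAN
    network_mode: host
    cap_add:
      - NET_ADMIN   # configure network interfaces and routes
      - SYS_MODULE  # load kernel modules
    volumes:
      # Persist node state so the machine keeps its identity across restarts
      - ./tailscale-data:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    environment:
      # Placeholder: substitute the auth key generated in the admin console
      TS_AUTHKEY: tskey-auth-xxxxxxxxxxxx
      TS_EXTRA_ARGS: --advertise-routes=192.168.1.0/24
      TS_STATE_DIR: /var/lib/tailscale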

Generate an auth key in the Tailscale admin console under Settings → Keys → Generate auth key. Use a reusable key if you’re going to redeploy containers frequently.

Security considerations

Tailscale is reasonably secure by default, but a few things are worth knowing:

Once Tailscale is running, pair it with Nginx Proxy Manager for clean HTTPS access to all your services, and Technitium DNS for internal hostname resolution.