How to set up a powerful home VPN with Tailscale (2024)

If you're running services in your home, whether a media server like Plex or fully fledged network-attached storage (NAS), there inevitably comes a time when you want to access these services away from home. But exposing services to the internet can be dangerous — and it isn't something we recommend. By making your services accessible to the internet, you open a vast attack surface that can leave your whole home network exposed.

You could use a VPN, but these often need to be hosted either on your network or on your router (if it supports this), and this can present its own complexities. VPNs also lack some features, like easy access control or internal DNS, which allows you to translate your local IPs (such as 192.168.1.20) to domain names (like plex.xda-developers.com.)

This is where Tailscale comes in.

What is Tailscale?

A Peer-To-Peer VPN fabric built on Wireguard

Tailscale is an SaaS product that scales from individual users to entire enterprises, and it's based on the Wireguard VPN protocol. Instead of running a single VPN server that acts as an entry and exit point for your networks, Tailscale creates a decentralized mesh network known as a tailnet. This tailnet is coordinated by a central control server, hosted by Tailscale, which is responsible for peer discovery within a tailnet (such as sharing IP addresses and public keys).

This decentralized mesh network allows your devices to effectively exist on their own private VPN, whether they're in your home or not. This means your phone, laptop, and home server can all easily connect to each other without having to run a dedicated VPN server in your home.

While there are disadvantages to Tailscale relying on a central-control server, there are also benefits. For example, Tailscale uses purely single-sign-on to authenticate, meaning that your Google or Microsoft account is all that's needed to get online.

The architecture of Tailscale is robust, avoiding a single point of failure wherever possible. Tailscale also uses a technique known as hole-punching to establish connections between devices even if they're both behind NAT (such as on your home private network.) These techniques are similar to what's used by VOIP calls or other peer-to-peer services to escape NAT. If you're interested in how this works, Tailscale has an extensive summary available.

How much does it cost?

Unlike most VPN solutions, personal use isn't the target market.

Source: Tailscale

While a lot of common VPN providers target individual users and the consumer market, Tailscale is pitched differently. Its mesh-network architecture makes it perfect for large enterprises trying to control access to their private clouds without exposing a single huge VPN interface to the wider internet. The benefit of this approach is that, like a lot of enterprise-focused products (think: GitHub and LinkedIn), it's free for most people and includes the features required to scale to a business or enterprise level that's locked behind expensive paywalls. This means that for up to 3 users on a single tailnet, Tailscale is completely free. There's a limit of 100 devices, but this should be more than plenty for anyone except the most serious power users or homelabbers.

These paywalled enterprise features include things like more advanced SSO integrations, unlimited access control, enterprise support, and admin roles. None of this is required for personal use, so while you can pay for Tailscale, there's really no pressing need, and we recommend that almost all users stay on the free plan (unless you're a homelabber with a specific need identified).

Getting started with Tailscale

As simple as signing in to Google

Due to the nature of Tailscale's centralized control plane, it's easy to get started with. It features SSO integrations for Google, Microsoft, Apple, and GitHub, as well as any other OIDC-supported provider. Therefore, it can integrate with Keycloak, Authelia, or similar entities if you're running a homelab.

To get started with setting up an account in Tailscale, and your own tailnet, follow these steps:

1. On the Tailscale homepage, select Get started at the top right.

   

   Source: Tailscale

2. Select your preferred identity provider. For this example, I've authenticated with GitHub.

   

   Source: Tailscale

3. Once authenticated, you should see a screen prompting you to add your first device. We'll set up some more complex devices later, but to start with, we'd recommend that you set up Tailscale on your phone or computer. Download the relevant Tailscale app for your device.

   

   Source: Tailscale

4. In the Tailscale app download, click Get started and follow the app's prompts to grant relevant permissions for your device. You'll then be prompted to Sign into your Tailnet. Click this button, and you'll see the same SSO login screen as in Step 1. Log in to the same account as you did earlier.

5. 

   You'll be prompted to confirm the connection of your device to your tailnet. Click Connect.

   

   Source: Tailscale

6. You'll be redirected back to your app, where your device should now be connected. Looking back at your original web browser, your new device should now appear online in Tailscale's admin console.

   

   Congratulations, you've now created your own tailnet. But this isn't quite a full VPN yet. Your tailnet allows devices on the tailnet to communicate with each other, but doesn't funnel all your internet traffic like a conventional VPN. To redirect all of your traffic, you need to designate an exit node.

Designating an exit node

Optionally, turn your tailnet into a full VPN

Devices on your tailnet are assigned IP addresses in the 100.x.x.x range (100.0.0.0/8), and much like your private network at home, these devices can talk directly to each other over Tailscale. However, all other traffic goes directly over your devices' regular internet connection. This is what's important to understand about Tailscale — it's a powerful mesh network, not a VPN out of the box. Devices on your internet can talk to each other, but in order to talk to the wider internet, you'll need to designate an exit node. You may have heard of exit nodes if you're familiar with Tor.

An exit node is a device on the Tailnet that all non-Tailscale traffic flows through (that is, all internet traffic not destined directly for one of your other devices). This effectively turns the device you designate into a traditional VPN server, meaning that it will appear to the wider internet that all your connections originated from this device. We'd recommend using a device that's normally switched on (like a server or desktop computer) and that runs on your home network as your exit node. If you'd like a full uptime node, we'd recommend you set up a virtual machine in the cloud as a Tailscale exit node and use that, ensuring constant uptime.

This step is optional. If you're just looking to access internal services or your other devices directly over Tailscale (not redirect your traffic for privacy or anonymization reasons), there's no need to configure an exit node for Tailscale. Once an exit node is configured on devices, that node will need to be running in order to access the wider internet over Tailscale.

You can turn a client into an exit node in Tailscale by opening the client and selecting Run exit node. You'll receive a warning about traffic running through your device.

Installing Tailscale on Linux

Home servers are a great use for Tailscale's mesh networking and MagicDNS

Tailscale's enterprise focus and its positioning as a networking backbone for enterprises mean that it's got fantastic Linux support out of the box. There's a full manual installation guide for Linux in Tailscale's documentation. For most users, however, Tailscale provides a simple one-line script you can use to get up and running. You'll need to run this in a terminal if you're using a GUI.

curl -fsSL https://tailscale.com/install.sh | sh

Once it's installed, you'll be able to access Tailscale via the CLI tool. To start Tailscale, run the following command line:

sudo tailscale up

This will prompt you with a randomly generated URL, similar to the one below, which you can open in a browser on another device. From there, log in as normal, and your Linux machine will be authenticated with your tailnet. Once connected, you can check the IP of your new Linux server on the tailnet by running this command line:

sudo tailscale ip

We recommend that you check out some of the commands on offer in Tailscale's CLI if you're using it on Linux. Most are reasonably self-explanatory, but we've listed some useful ones below. Note that you may need to add sudo to each of these commands.

Using a Linux device as an exit node

As mentioned earlier, servers (whether at home or in the cloud) make great exit nodes, as they may well be running and connected to a network constantly. Getting a Linux device set up as an exit node is more complex. This requires IP forwarding to be properly configured.

To ensure that these instructions are as fully up to date as possible, we'd recommend you follow Tailscale's documentation at setting up a Linux Exit Node.

Once you've enabled IP forwarding, you can start Tailscale as an exit node on your Linux install by running the following:

sudo tailscale up --advertise-exit-node

Magic DNS

One of Tailscale's most valuable features

Source: Tailscale

Anyone who's worked with VPN configurations may know that DNS configuration can be painful, especially in private-cloud scenarios or where service discovery is required. Tailscale takes this into its own hands and magically sets up a DNS name for each device, based on its hostname. It achieves this by registering one of Tailscale's own DNS servers with all devices and giving each tailnet its own unique sub-domain. This sub-domain is configurable in the Tailscale admin console.

All devices registered on your tailnet are given DNS names under the name <hostname>.<tailnet>.ts.net format. For example, with a device registered under the name bob on my tailnet, I can ping this device with the following command line:

ping bob.tail01a1a1.ts.net

Alternatively, as my device has been configured by Tailscale on the same domain as other tailnet devices, I can ping the device just by using its hostname:

ping bob

This makes it incredibly easy to run and advertise services across your tailnet, accessible from anywhere via your own private mesh network.

Tailnet makes enterprise-grade networking easy

There's a lot more we could talk about with Tailscale. This is a symptom of our choice of product. Consumer VPNs make getting online anonymously quick, easy, and cheap. And running your own VPN on your router can be an easy way to get access to your own services at home without much hassle. But with a little investment of time and some technical inquiry, Tailscale can help you take your networking to the next level. If you're interested in what more Tailscale can do for you, we'd recommend you check out some of the more advanced features like Taildrop, which makes transferring files between machines a breeze. Or explore HTTPS on Tailscale, which allows devices to issue their own SSL certificates.

Tailscale is incredibly powerful, and it has quickly gained traction for everything from home use to business activities. Learning to use it can offer a range of benefits, and while it's not perfect (a centralized control plane has its benefits, but isn't ideal), it has quickly become a serious replacement to the likes of OpenVPN. Tailscale represents one of the most impressive uses of the Wireguard profile we've seen to date, and we fully expect to see it increasingly used in the future.