MajorWiki/02-selfhosting/dns-networking/tailscale-homelab-remote-access.md

---
title: "Tailscale for Homelab Remote Access"
domain: selfhosting
category: dns-networking
tags: [tailscale, vpn, remote-access, wireguard, homelab]
status: published
created: 2026-03-08
updated: 2026-03-08
---

# Tailscale for Homelab Remote Access

Tailscale is how I access my home services from anywhere. It creates a private encrypted mesh network between all your devices — no port forwarding, no dynamic DNS, no exposing anything to the internet. It just works, which is what you want from networking infrastructure.

## The Short Answer

Install Tailscale on every device you want connected. Sign in with the same account. Done — all devices can reach each other by hostname.

```bash
# Install on Linux
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Check status
tailscale status

# See your devices and IPs
tailscale status --json | jq '.Peer[] | {Name: .HostName, IP: .TailscaleIPs[0]}'
```

## How It Works

Tailscale sits on top of WireGuard — the modern, fast, audited VPN protocol. Each device gets a `100.x.x.x` address on your tailnet (private network). Traffic between devices is encrypted WireGuard tunnels, peer-to-peer when possible, routed through Tailscale's DERP relay servers when direct connection isn't possible (restrictive NAT, cellular, etc.).

The key thing: your home server's services never need to be exposed to the public internet. They stay bound to `localhost` or your LAN IP, and Tailscale makes them accessible from your other devices over the tailnet.

## MagicDNS

Enable MagicDNS in the Tailscale admin console (login.tailscale.com → DNS → Enable MagicDNS). This assigns each device a stable hostname based on its machine name.

```
# Instead of remembering 100.64.x.x
http://homelab:3000

# Or the full MagicDNS name (works from anywhere on the tailnet)
http://homelab.tail-xxxxx.ts.net:3000
```

No manual DNS configuration on any device. When Tailscale is running, hostnames resolve automatically.

## Installation by Platform

**Linux (server/desktop):**
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```

**macOS:**
Download from Mac App Store or tailscale.com/download/mac. Sign in through the menu bar app.

**iOS/iPadOS:**
App Store → Tailscale. Sign in, enable the VPN.

**Windows:**
Download installer from tailscale.com. Runs as a system service.

## Making Services Accessible Over Tailscale

By default, Docker services bind to `0.0.0.0` — they're already reachable on the Tailscale interface. Verify:

```bash
docker ps --format "table {{.Names}}\t{{.Ports}}"
```

Look for `0.0.0.0:PORT` in the output. If you see `127.0.0.1:PORT`, the service is bound to localhost only and won't be reachable. Fix it in the compose file by removing the `127.0.0.1:` prefix from the port mapping.

Ollama on Linux defaults to localhost. Override it:

```bash
# Add to /etc/systemd/system/ollama.service.d/override.conf
[Service]
Environment="OLLAMA_HOST=0.0.0.0"
```

```bash
sudo systemctl daemon-reload && sudo systemctl restart ollama
```

## Access Control

By default, all devices on your tailnet can reach all other devices. For a personal homelab this is fine. If you want to restrict access, Tailscale ACLs (in the admin console) let you define which devices can reach which others.

Simple ACL example — allow all devices to reach all others (the default):

```json
{
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]}
  ]
}
```

More restrictive — only your laptop can reach the server:

```json
{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:laptop"],
      "dst": ["tag:server:*"]
    }
  ]
}
```

## Subnet Router (Optional)

If you want all your home LAN devices accessible over Tailscale (not just devices with Tailscale installed), set up a subnet router on your home server:

```bash
# Advertise your home subnet
sudo tailscale up --advertise-routes=192.168.1.0/24

# Approve the route in the admin console
# Then on client devices, enable accepting routes:
sudo tailscale up --accept-routes
```

Now any device on your home LAN is reachable from anywhere on the tailnet, even if Tailscale isn't installed on that device.

## Gotchas & Notes

- **Tailscale is not a replacement for a firewall.** It secures device-to-device communication, but your server still needs proper firewall rules for LAN access.
- **Devices need to be approved in the admin console** unless you've enabled auto-approval. If a new device can't connect, check the admin console first.
- **Mobile devices will disconnect in the background** depending on OS settings. iOS aggressively kills VPN connections. Enable background app refresh for Tailscale in iOS Settings.
- **DERP relay adds latency** when direct connections aren't possible (common on cellular). Still encrypted and functional, just slower than direct peer-to-peer.
- **Exit nodes** let you route all traffic through a specific tailnet device — useful as a simple home VPN if you want all your internet traffic going through your home IP when traveling. Set with `--advertise-exit-node` on the server and `--exit-node=hostname` on the client.

## See Also

- [self-hosting-starter-guide](../docker/self-hosting-starter-guide.md)
- [linux-server-hardening-checklist](../security/linux-server-hardening-checklist.md)
- [setting-up-caddy-reverse-proxy](../reverse-proxy/setting-up-caddy-reverse-proxy.md)