Tailscale
Updated: January 1, 2026
Tailscale is a zero-config VPN that makes it easy to create secure networks between your devices, servers, and applications. It’s particularly useful for homelabs where you need to access services running on various machines without exposing them to the public internet.
Setup
Install
Tailscale can be installed on various platforms:
# Linux
curl -fsSL https://tailscale.com/install.sh | sh
# macOS
brew install tailscale/tailscale/tailscale
# Windows
# Download from https://tailscale.com/download
# Or using package managers
pacman -S tailscale # Arch
apt install tailscale # Debian/Ubuntu
Initial Configuration
After installation, authenticate your device:
sudo tailscale up
This will open a browser for authentication with your Tailscale account. For headless setups, use auth keys (see below).
NixOS Implementation
Enable Tailscale as a system service in your NixOS configuration:
{ config, pkgs, ... }:
{
  services.tailscale.enable = true;

  # Optional: Enable IP forwarding for subnet routing
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;

  # Optional: Enable routing features for both roles: "server" (advertise
  # subnet routes or act as an exit node) and "client" (use them)
  services.tailscale.useRoutingFeatures = "both";
}
Rebuild and switch:
sudo nixos-rebuild switch
Then authenticate:
sudo tailscale up
Container Usage
Docker
Run Tailscale in a Docker container:
version: '3.8'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    volumes:
      - /var/lib/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    environment:
      - TS_AUTH_KEY=your-auth-key-here
      - TS_STATE_DIR=/var/lib/tailscale
    command: tailscaled
    restart: unless-stopped
Podman
Similar setup for Podman:
podman run -d \
  --name tailscale \
  --privileged \
  --net host \
  -v /var/lib/tailscale:/var/lib/tailscale \
  -e TS_AUTH_KEY=your-auth-key-here \
  tailscale/tailscale:latest
Auth Keys and Service Tags
Auth Keys
Auth keys allow headless authentication for servers and containers:
- Go to Tailscale admin console
- Navigate to Settings > Keys
- Generate a new auth key
- Use it with tailscale up --auth-key=<key>
For reusable keys (not recommended for production):
tailscale up --auth-key=tskey-abc123...
Service Tags
Tags help organize devices and control access via ACLs:
# Tag a device
tailscale up --advertise-tags=tag:server
# For specific services
tailscale up --advertise-tags=tag:web-server,tag:database
In ACLs (tailscale.com admin):
{
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:web-server:*"]
    }
  ],
  "tagOwners": {
    "tag:server": ["user@example.com"],
    "tag:web-server": ["user@example.com"]
  }
}
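A small lint for the tag setup above, added here as an example (it is not Tailscale tooling or code from this page): it checks that every tag passed to --advertise-tags has a tagOwners entry, and flags all-port destinations and owned tags that no rule grants access to. The function names and finding codes are hypothetical, and the policy is assumed to be plain JSON.

```python
import json

# Constructed input: the policy shown above, as plain JSON (real policy
# files may be HuJSON with comments, which json.loads does not accept).
POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:web-server:*"]}
  ],
  "tagOwners": {
    "tag:server": ["user@example.com"],
    "tag:web-server": ["user@example.com"]
  }
}
""")

# Tags passed to --advertise-tags in the commands above.
ADVERTISED = ["tag:server", "tag:web-server", "tag:database"]


def tag_of(selector):
    """Return 'tag:name' for 'tag:name' or 'tag:name:ports', else None."""
    parts = selector.split(":")
    return "tag:" + parts[1] if parts[0] == "tag" and len(parts) > 1 else None


def lint_policy(policy, advertised):
    """Return sorted (code, subject) findings; names here are hypothetical."""
    owners = set(policy.get("tagOwners", {}))
    findings, reachable, any_host = set(), set(), False
    for rule in policy.get("acls", []):
        for dst in rule.get("dst", []):
            any_host = any_host or dst.startswith("*:")
            reachable.add(tag_of(dst))
            if dst.endswith(":*"):  # every port on dst is open to src
                findings.add(("all-ports", dst))
        for sel in rule.get("src", []) + rule.get("dst", []):
            if tag_of(sel) and tag_of(sel) not in owners:
                findings.add(("acl-tag-without-owner", tag_of(sel)))
    # A node cannot take a tag that has no tagOwners entry.
    findings |= {("advertised-tag-without-owner", t) for t in advertised if t not in owners}
    if not any_host:  # ACLs are deny-by-default: no dst rule, no inbound access
        findings |= {("tag-not-in-any-dst", t) for t in owners - reachable}
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in lint_policy(POLICY, ADVERTISED):
        print(f"{code}: {subject}")
```

Run against the policy on this page, it reports that tag:database has no owner, that tag:web-server is open on all ports, and that tag:server is owned but not reachable through any rule.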
Homelab Use Cases
Remote Access to Services
Access internal services without port forwarding:
# SSH to servers
ssh user@server.tailnet-name.ts.net
# Access web interfaces
# Point browser to: http://homeserver.tailnet-name.ts.net:8080
Subnet Routing
Route entire subnets through Tailscale:
# On the router/gateway machine
tailscale up --advertise-routes=192.168.1.0/24
# Approve in admin console under "Subnet routes"
Exit Node
Use a homelab server as an exit node for secure browsing:
# On the exit node server
tailscale up --advertise-exit-node
# Enable in admin console
Kubernetes Integration
Secure access to Kubernetes clusters:
# Install Tailscale operator
kubectl apply -f https://tailscale.com/operator.yaml
# Create ingress with Tailscale
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    tailscale.com/tailnet-fqdn: "my-app"
spec:
  ingressClassName: tailscale
  defaultBackend:
    service:
      name: my-app
      port:
        number: 80
Commands
Common Tailscale commands:
# Basic management
tailscale up # Bring up Tailscale
tailscale down # Take down Tailscale
tailscale status # Show status
tailscale ip # Show Tailscale IP
tailscale ping <host> # Ping a host in tailnet
# Device management
tailscale status --json # Machine-readable status, including every peer in the tailnet
tailscale whois <ip> # Get info about an IP
# Network configuration
tailscale netcheck # Check network connectivity
tailscale cert <domain> # Get HTTPS cert for domain
# Advanced
tailscale serve <port> <target> # Serve local port over HTTPS
tailscale funnel <port> # Make local port accessible from internet
tailscale file cp <src> <dst> # Copy files between devices
# Admin
tailscale logout # Log out and expire the node key
tailscale version # Show version