So, I've been using Tailscale
So I first heard about Tailscale from the Changelog podcasts. Adam had been bringing it up in homelab discussions for years! However, I never had a compelling reason to use it until recently.
Recently, I made a push to self-host applications that I normally rely on SaaS products for. The prospect of opening ports in my home network and making sure I left no security holes was daunting. Enter Tailscale.
Private Applications
The first thing I wanted to move was my Vaultwarden installation from a Hetzner server to an old Raspberry Pi 4 in my closet. Given that I only need to access it from personal devices, Tailscale is perfect for this scenario.
To set up Vaultwarden on the Pi, I followed these simple steps:
- Install Tailscale on my Pi
- Log in
- Install Tailscale on my phone
- Log in again
- Connect to the Pi's Tailscale address (its 100.x.y.z IP, or its MagicDNS name) on the port the app listens on
That's it.
Setting up DNS, TLS certificates, ACL rules and other settings came later, but this was essentially all I needed to get started with Tailscale. The ease of use caught me off guard and let me set up Ntfy and Jellyfin as well, giving me custom notifications and access to my music and media outside my home network. Goodbye Spotify.
Public-Facing Applications
Surprisingly, Tailscale also makes sense for public-facing applications.
From what I understand, Tailscale sets up WireGuard tunnels directly between devices (falling back to its DERP relays only when NAT traversal fails), unlike traditional VPNs that route everything through a central server, which keeps added latency low. That lets me run a small Caddy server in the cloud with Tailscale installed on it and have it reverse-proxy requests over the tailnet to machines in my home network with barely noticeable lag. The Pi never needs a public port: Caddy terminates TLS on the public side, the only route to the Pi is through the tailnet, and I can further fine-tune what the Caddy server is allowed to reach using ACLs. I used this method to host the blog you're reading now, powered by Ghost. Yes, my blog is being semi-hosted from a Pi in my closet.
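As an added example (not the author's own policy file), here is a Tailscale policy in its hujson format that expresses the "fine-tune what Caddy can reach with ACLs" idea for the setup above. The tag names `tag:proxy` and `tag:blog`, a one-person tailnet, and Ghost listening on its default port 2368 are assumptions made for the illustration:

```json
{
  // Who may apply each tag when running `tailscale up --advertise-tags=...`.
  // Assumed: a one-person tailnet, so the admin owns both tags.
  "tagOwners": {
    "tag:proxy": ["autogroup:admin"],
    "tag:blog":  ["autogroup:admin"]
  },

  "acls": [
    // The cloud Caddy node (tag:proxy) may reach ONLY Ghost's port on the
    // Pi (tag:blog). No other hosts, no other ports: if the VPS is ever
    // compromised, its reach into the home network is a single port.
    {"action": "accept", "src": ["tag:proxy"], "dst": ["tag:blog:2368"]},

    // Writing any policy replaces the default allow-all, so the owner's own
    // devices need an explicit rule. Tagged devices have no user owner and
    // are therefore not covered by autogroup:self, hence tag:blog is listed.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*", "tag:blog:*"]}
  ],

  // Policy tests are checked every time the file is saved; this one fails
  // the save if someone later widens the proxy's access to the Pi's SSH port.
  "tests": [
    {"src": "tag:proxy", "accept": ["tag:blog:2368"], "deny": ["tag:blog:22"]}
  ]
}
```

On the Caddy host, a Caddyfile site block of the form `blog.example.com { reverse_proxy 100.x.y.z:2368 }` (the Pi's Tailscale IP, or its MagicDNS name) is all the proxying takes: Caddy obtains the public certificate, and nothing on the Pi is exposed to the internet.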
With these two methods, I'm able to chop down my monthly cloud bill by over 50% and maintain control of my data's privacy.
No More Keys?
Another feature I caught myself using more often is Tailscale SSH. When enabled on a node, devices permitted by the tailnet's ACL policy can open SSH sessions without managing SSH keys: the node's WireGuard identity and the policy's ssh rules decide who may log in, and as which local user. This simplifies locking down a server significantly. I can block incoming connections to port 22 on the public interface and accept SSH only over the Tailscale interface. That removes sshd from the internet-facing attack surface entirely; the remaining path requires a tailnet identity, a far smaller surface than the constant scanner and credential-stuffing traffic a public port 22 attracts.
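To make the "allowed devices" part concrete, here is an added example of the ssh section of a Tailscale policy (hujson), not the author's own configuration. The tag name `tag:server` for the Pi and the VPS, the 12-hour check period and the choice of non-root accounts are assumptions for the illustration:

```json
{
  "tagOwners": {
    "tag:server": ["autogroup:admin"]   // assumed tag for the Pi and the VPS
  },

  "acls": [
    // Tailscale SSH still needs a network rule letting the source reach
    // port 22 on the destination over the tailnet; the ssh rule alone is
    // not enough.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:22"]}
  ],

  "ssh": [
    {
      // "check" forces a fresh browser re-authentication with the identity
      // provider before a session opens, then caches it for checkPeriod.
      // Use "accept" instead if you want no interactive step at all.
      "action": "check",
      "checkPeriod": "12h",
      "src": ["autogroup:member"],
      "dst": ["tag:server"],
      // Land in an ordinary account; root is deliberately not offered.
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Enable it on each server with `sudo tailscale up --ssh`. Tailscale SSH only answers connections arriving over the tailnet, so pair it with a host firewall that accepts port 22 on that interface alone, for example `sudo ufw allow in on tailscale0 to any port 22 proto tcp` followed by `sudo ufw deny 22/tcp` (ufw evaluates rules in the order they were added, so the interface-specific allow must come first). Keep an existing OpenSSH key as a break-glass path until you have confirmed a Tailscale SSH session works, because a typo in this policy locks you out.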
Resources
I still haven't explored all the features of Tailscale beyond what I mentioned above. Their Knowledge Base is an excellent resource, as is their comprehensive set of videos on YouTube, where I learned much of what I discussed today.
I encourage everyone to at least check it out: it's free for up to 100 devices, and the clients are open-source. There is also Headscale, an open-source implementation of the Tailscale coordination server, which I haven't used yet but might be worth exploring if you want to self-host the control plane and its admin panel yourself.