Tailscale — Accessing Homelab services outside my network


Introduction

In one of my previous posts, I talked about how I use AdGuard Home for network-wide ad blocking in my homelab. But what if I want the same power of AdGuard Home when I’m outside my home network?

That’s where Tailscale comes in. Tailscale ↗️ is a VPN service that makes it easy to access your devices, services, and networks securely. So not only can I access my AdGuard Home, I can also access all my other services like Vaultwarden, Linkding etc. from anywhere.

Tailscale in Brief

Before I start this section, a very quick disclaimer: I’m not a network expert. I’m just a hobbyist who likes to tinker with things. So if you’re looking for a deep dive into networking, this is not the post for you. And if you find any mistakes in this section, please let me know.

With that out of the way, here is my understanding of Tailscale and how it works. Tailscale is a VPN service that uses WireGuard under the hood. WireGuard ↗️ is a modern VPN protocol that is designed to be faster, simpler, and leaner than other VPN protocols.

Tailscale uses WireGuard to create a mesh network, called a tailnet, between all your devices. This mesh network allows you to access your devices, services, and networks securely from anywhere. So once your device is connected to the tailnet, you can access your services from outside as if you were inside your network.

Tailscale P2P Mesh Network. Picture credit - tailscale.com

With this, even if you are behind CGNAT ↗️ or a firewall, you can still, in a way, expose your services to the internet without actually exposing them. This is because Tailscale creates a secure tunnel between your devices and their servers and then routes the traffic to your devices. So even though you are behind a firewall, you can still access your services from anywhere.

This is barely scratching the surface of what Tailscale can do. If you want to learn more about Tailscale, I recommend checking out their guide ↗️. But let’s move on to how I set up Tailscale in my homelab.

Setting up Tailscale

Setting up Tailscale is very easy. First and foremost, you need to create an account on Tailscale. You can do that by going to their website ↗️. Once you have created an account, you need to install the Tailscale client on your devices. You can download the client here ↗️.

In my setup, I have a Tailscale node running on my Raspberry Pi, which runs Debian Linux. Installing it is as simple as running the following script:

curl -fsSL https://tailscale.com/install.sh | sh

Once the installation is complete, you need to authenticate your device with your Tailscale account. You can do this by running the following command:

sudo tailscale up

This will open a browser window where you can authenticate your device with your Tailscale account. Once you have authenticated your device, you can start using Tailscale to access your services from anywhere.

You can now start downloading clients for your other devices like your mobile (Android or iOS) and any other desktop or laptop you have. Once you have installed the client on your devices and have it running and connected to your tailnet, accessing any of your services from outside your network will work as if you’re inside your network.

Note for users running a subnet router or exit node

If you are running Tailscale on a device that is acting as a subnet router or an exit node, which you must be if you have also configured AdGuard Home with Tailscale, Tailscale recommends a couple of optimizations. You can find more information on this here ↗️.

Basically you need to enable rx-udp-gro-forwarding and disable rx-gro-list for your network interface. You can find the network interface that you are using by running the following command:

ip route show 0/0 | cut -f5 -d' '

And then use the ethtool command for the network interface that you found:

sudo ethtool -K <network-interface> rx-udp-gro-forwarding on rx-gro-list off

Now this works fine in your current session, but if you restart your device, you’ll have to run this command again. To make this change permanent, Tailscale suggests using networkd-dispatcher, but I did not have that installed on the Raspberry Pi that I was using. So instead I just created a simple systemd service that runs this command on boot.

Here is how I created it, if you want to do the same:

sudo vi /etc/systemd/system/ethtool-wlan0.service

Add the following content to the file:

[Unit]
Description=Configure ethtool for wlan0
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep 5
ExecStart=/sbin/ethtool -K wlan0 rx-udp-gro-forwarding on rx-gro-list off
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Notice that I have the network interface as wlan0 in the above service file. You need to replace it with the network interface that you found using the ip route show 0/0 | cut -f5 -d' ' command.

Now enable the service and start it:

sudo systemctl enable --now ethtool-wlan0.service

This will enable and also start the service. Now if you restart your device, the ethtool command will be run automatically.

Exploring Tailscale UI

Tailscale also provides a web UI where you can see all your devices that are connected to your tailnet. You can access the web UI by going to https://login.tailscale.com/admin ↗️. Here you can see all your devices, their IP addresses, and other information on the default “Machines” tab.

Another tab that I find very useful is the “DNS” tab. Here you can see your tailnet network name, the nameservers that are being used, and the search domains that are being used. You can also add custom DNS servers and search domains if you want.

Tailscale also provides MagicDNS ↗️, which lets you avoid typing the IP addresses of your services and use their hostnames instead. This is very useful when you’re accessing your services from outside your network.

Now I personally don’t use MagicDNS since, as I mentioned before, I already have a DNS resolver running in my network, and I have a detailed blog post on how I use Tailscale with AdGuard Home for DNS resolution. So feel free to check that out if you’re interested in setting up Tailscale with AdGuard Home.

Things I haven’t explored yet

As I mentioned earlier, Tailscale provides a lot of features that I haven’t explored yet. Some of these features may only make sense in an enterprise setting, and since I am the sole user of my homelab, I haven’t explored them yet. But here are a few of the things that I plan to explore more for a few use-cases that I have in mind:

  • ACLs ↗️: Access Control Lists (ACLs) allow you to control which devices can access which services. This can be useful if you want to restrict access to certain services to only a few devices.

    One use-case I have in mind for this is off-site backups. Here is what I have in mind (and if you are reading this and have a better idea, please let me know). Basically I want to be able to perform off-site backups on my friend’s NAS, and likewise I want to provide them with a way to perform off-site backups on my NAS (when I build one).

    Now I can use Tailscale to connect to my friend’s NAS and perform backups. But I don’t want them to access any other services on my network. So I can use ACLs to restrict their access to only the backup service. This way I don’t have to expose my NAS to the internet and I can still perform off-site backups.

  • Users and Groups ↗️: As I mentioned, right now I am the only user of my homelab. But in the future, if I have more users, I can use Users and Groups to manage access to my services. This can be useful if you want to give different users access to different services.

  • Subnets ↗️: Now this is something I am using, but I feel I haven’t explored it in much depth yet. If you read the AdGuard + Tailscale blog, you’ll see that we are using subnets to route the DNS queries to AdGuard Home. But I feel there is more that I can do with subnets and I want to understand them in more depth.

  • Funnels ↗️: Tailscale Funnel is another great feature that Tailscale provides and I want to explore it more. Basically funnels allow you to route traffic from the wider internet to a local service running on your network. This can be useful if you want to expose a service to the internet without exposing your entire network.

    I have been using Cloudflare Tunnels to expose my services to the internet and I feel that funnels can be a better way to do this.

    If you use Cloudflare Tunnels, you know that Cloudflare can essentially see everything and you have to trust them 100%. But from what I understand, with Tailscale funnels the traffic between the Funnel relay servers and your node is encrypted, so Tailscale cannot see any information about the content that is being served, which feels more secure to me.
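Returning to the ACLs item above, here is what a tailnet policy for that backup use-case could look like. This is an added sketch, not taken from the post or from Tailscale’s own examples; the two accounts, the `tag:nas` tag and port 22 (assuming the backup job is rsync or borg over SSH) are assumptions.

```jsonc
{
  // Tag the NAS by role so the rule below does not depend on its Tailscale IP.
  // Only admins may apply the tag, so the friend cannot re-tag their own device.
  "tagOwners": {
    "tag:nas": ["autogroup:admin"],
  },

  "acls": [
    // My own account (placeholder) keeps full access to every machine and port.
    { "action": "accept", "src": ["me@example.com"], "dst": ["*:*"] },

    // The friend (placeholder, invited as a tailnet user) may reach machines
    // tagged tag:nas only on port 22, the assumed SSH-based backup service.
    // Everything else on the tailnet (AdGuard Home, Vaultwarden, ...) stays
    // unreachable for them, because a Tailscale policy is deny-by-default.
    { "action": "accept", "src": ["friend@example.com"], "dst": ["tag:nas:22"] },
  ],

  // Built-in policy tests: the admin console refuses to save the policy if
  // these expectations stop holding after a later edit.
  "tests": [
    {
      "src":    "friend@example.com",
      "accept": ["tag:nas:22"],
      "deny":   ["tag:nas:443", "tag:nas:445"],
    },
  ],
}
```

The NAS has to join the tailnet with `sudo tailscale up --advertise-tags=tag:nas` so that the `tag:nas` rule actually applies to it.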

Conclusion

Tailscale is a very powerful tool that I use in my homelab setup to access my services from anywhere. It’s very easy to set up and use and provides a lot of amazing features. If you’re looking for a way to access your services securely from anywhere, I highly recommend checking out Tailscale.

If you have any questions or suggestions, feel free to reach out to me on Twitter ↗️ / Reddit ↗️.

See you in another one where we’ll talk about some other service that I am self hosting 👋
