Tailscale is great.
I use it on basically every device I can put it on. With it I do not have to worry about which device is in which network or hosted on which cloud provider, I do not have to worry about firewall rules and port forwarding (for stuff only I use), and I do not have to worry about hosting and maintaining my own VPN server - and the best part: Tailscale is free for personal use.
Tailscale also runs a great YouTube channel with a lot of good tutorials.
The following are a few Tailscale features I use and some specific things I do with them.
tailscale lock
I use Tailscale Lock (tailnet lock) to better secure and explicitly control which devices are on my tailnet. Physical devices (like my laptop, phone and tablet) and long-lived devices (like my Windows VM) are set up as signing nodes so I do not lock myself out.
taildrop
I have enabled Taildrop to easily send files between devices.
tailscale ssh
I use Tailscale SSH on devices I want to SSH into.
key expiry
I disable key expiry on devices I do not regularly log into, like servers.
subnet router
I use a subnet router in my LAN so that I can also access devices which do not have Tailscale installed.
user approval
I have enabled manual user approval.
ACL file
I manage my access control file in a private git repository.
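Keeping the ACL file in git makes it easy to run a check on every commit. The following is an added example (not from the post): a constructed policy for the kind of tailnet described here (an auto-approved exit-node tag, a subnet-router tag for a home LAN route, and a Tailscale SSH rule) plus a small lint that flags an allow-all rule, a tag referenced in autoApprovers that no tagOwners entry defines, and an SSH rule handing out root without check mode. The user `user@example.com`, the tags `tag:exit-node` and `tag:router` and the route `192.168.1.0/24` are assumptions. The real ACL file is HuJSON (comments and trailing commas allowed); this reads strict JSON.

```python
"""Lint a Tailscale ACL policy before committing it (added example, not from the post)."""
import json

# Constructed sample policy. The user, tags and the LAN route are assumptions.
POLICY_JSON = r'''
{
  "tagOwners": {
    "tag:exit-node": ["user@example.com"],
    "tag:router":    ["user@example.com"]
  },
  "autoApprovers": {
    "exitNode": ["tag:exit-node"],
    "routes": { "192.168.1.0/24": ["tag:router"] }
  },
  "acls": [
    { "action": "accept", "src": ["user@example.com"], "dst": ["*:*"] },
    { "action": "accept", "src": ["*"], "dst": ["*:*"] }
  ],
  "ssh": [
    { "action": "check", "src": ["user@example.com"],
      "dst": ["autogroup:self"], "users": ["autogroup:nonroot", "root"] }
  ]
}
'''


def load_policy(text: str) -> dict:
    """Parse the policy. Strict JSON only; strip HuJSON comments first if you use them."""
    return json.loads(text)


def lint_policy(policy: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means the policy passed."""
    findings: list[str] = []

    # 1. An accept rule from '*' to '*:*' (the default policy) lets every node reach every port.
    for i, rule in enumerate(policy.get("acls", [])):
        src = rule.get("src", [])
        dst = rule.get("dst", [])
        if rule.get("action") == "accept" and "*" in src and any(d in ("*", "*:*") for d in dst):
            findings.append(f"acls[{i}]: allow-all rule ('*' -> '*:*') grants every node access to every port")

    # 2. Every tag used in autoApprovers needs a tagOwners entry, otherwise nobody can apply it
    #    and the exit node / subnet router will sit waiting for manual approval.
    owners = set(policy.get("tagOwners", {}))
    auto = policy.get("autoApprovers", {})
    referenced = set(auto.get("exitNode", []))
    for approvers in auto.get("routes", {}).values():
        referenced.update(approvers)
    for tag in sorted(referenced):
        if tag.startswith("tag:") and tag not in owners:
            findings.append(f"autoApprovers references {tag} but tagOwners does not define it")

    # 3. Tailscale SSH: 'accept' to root skips the periodic re-authentication that 'check' enforces.
    for i, rule in enumerate(policy.get("ssh", [])):
        if rule.get("action") == "accept" and "root" in rule.get("users", []):
            findings.append(f"ssh[{i}]: 'accept' grants root without check-mode re-authentication")

    return findings


if __name__ == "__main__":
    for finding in lint_policy(load_policy(POLICY_JSON)):
        print(finding)
```

Run it as a pre-commit hook with the real policy file in place of `POLICY_JSON` and refuse the commit when the list is non-empty; on the sample above it reports the second ACL rule, which is the default allow-all that a fresh tailnet ships with.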
exit nodes
I use various exit nodes as a substitute for traditional VPNs like Mullvad or NordVPN and to browse the internet as if I were sitting at home. My subnet router at home is also an exit node. To hide my location or to access the internet from a different country I have Tailscale exit nodes running which in turn route all their upstream traffic through a different VPN provider. This way I only have to pay the VPN provider for a single device but can use it on every node in my tailnet, even on devices that normally would not be compatible with the VPN provider.
For this I use gluetun with a Tailscale sidecar container:
```yaml
# simon@vps:~$ cat gluetun/compose.yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    # container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    restart: unless-stopped
    volumes:
      - ./data/gluetun:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      # Values left empty here are taken from the host environment by Compose.
      VPN_SERVICE_PROVIDER:
      VPN_TYPE:
      # OpenVPN:
      # OPENVPN_USER:
      # OPENVPN_PASSWORD:
      # Wireguard:
      WIREGUARD_PRIVATE_KEY:
      WIREGUARD_ADDRESSES:
      # Timezone for accurate log times
      # TZ: UTC
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      UPDATER_PERIOD: 24h
      # quoted so the YAML parser does not turn it into a boolean
      DNS_KEEP_NAMESERVER: "off"
  tailscale:
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ./data/tailscale/var/lib:/var/lib
      - ./data/tailscale/state:/state
      - /dev/net/tun:/dev/net/tun
    # share gluetun's network namespace so all Tailscale traffic leaves through the VPN tunnel
    network_mode: "service:gluetun"
    restart: unless-stopped
    environment:
      TS_HOSTNAME: gluetun
      TS_AUTHKEY:
      TS_EXTRA_ARGS: --advertise-exit-node
      # quoted so the YAML parser does not turn it into a boolean
      TS_NO_LOGS_NO_SUPPORT: "true"
      TS_STATE_DIR: /state
    image: tailscale/tailscale
```