Tailscale: Access Your Home Services Securely Without Opening Ports

General
· 5 days ago


If you run services at home — a web server, a Pi-hole, Home Assistant, a NAS, anything behind your router — you've probably faced the same question: how do I access these from outside without exposing them to the internet?

The traditional answers are Dynamic DNS (DDNS) with port forwarding, or setting up a full VPN like WireGuard or OpenVPN. Both work, but both require configuration on your router, managing public IPs, and keeping tunnel endpoints updated.

Tailscale offers a third path: a zero-config mesh VPN that works through NATs, firewalls, and carrier-grade networks without touching your router at all.

What Is Tailscale?

Tailscale is a managed WireGuard-based mesh VPN service. You install its client on every device you want connected, log in with a Google, Microsoft, or GitHub account, and within seconds all your devices appear on the same virtual network.

No router configuration. No port forwarding. No DDNS. No public IP required.

How It Works (Briefly)

Each Tailscale device runs a lightweight daemon that establishes WireGuard tunnels to other peers in your network. The magic is in how it handles connectivity:

  • Direct peer-to-peer — If two devices can reach each other directly (both have public IPs, no restrictive NAT), Tailscale uses a direct WireGuard connection.
  • Relay (derper) — If direct connections fail (symmetric NAT, CGNAT, corporate firewalls), traffic routes through Tailscale's relay servers automatically.
  • MagicDNS — Tailscale provides an internal DNS so every device is reachable by name (raspberry-pi, home-server, nas) without manual hosts files or local DNS setup.

All traffic is encrypted end-to-end with WireGuard. Tailscale's control plane only coordinates key exchange — it never sees your actual data on direct connections.

Installing Tailscale

Tailscale runs on Linux, macOS, Windows, iOS, Android, and most routers (OpenWrt, pfSense, OPNsense). The free plan supports up to 100 devices, which is more than enough for a home lab.

Linux (Debian/Ubuntu/Raspberry Pi OS)

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

The tailscale up command opens a browser window with an authorization link. Click it, log in, and your device joins your Tailnet.

macOS

brew install --cask tailscale

Or download the app from tailscale.com. It runs as a menu bar app and connects automatically on login.

Windows

Download the installer from tailscale.com/download and run it. Tailscale installs as a background service and shows a system tray icon.

Docker

If you run services in Docker, you can install Tailscale on the host and access containers through their host IP, or use the Tailscale Docker companion pattern to give individual containers their own Tailscale interfaces.

Accessing Home Services

Once your devices are on the same Tailnet, accessing services is straightforward.

Direct Device Access

Every device gets a 100.x.x.x Tailscale IP. If your Raspberry Pi shows 100.84.21.5 in the Tailscale dashboard, you can reach it from anywhere:

ssh <user>@100.84.21.5

With MagicDNS enabled (on by default, free for personal use), you can use the device name instead:

ssh <user>@raspberry-pi.<tailnet_name>.ts.net

Exposing Specific Services with Tailscale Serve

Tailscale's serve command lets you expose specific ports without opening them to the internet. Only devices in your Tailnet can reach them:

# Show the serve sub-command's usage
sudo tailscale serve --help

# Example: serve the local service on :8080 to your Tailnet over plain HTTP on :80
# (--bg keeps the mapping active after the command returns)
sudo tailscale serve --bg --http=80 http://localhost:8080

Tailscale Funnel (Public Access)

If you need to expose a service to the public internet (a personal website, for example), Tailscale Funnel creates a secure HTTPS endpoint without port forwarding:

sudo tailscale funnel 80

This generates a public URL like funnel.raspberry-pi.tail123.ts.net that routes through Tailscale's infrastructure to your device. The free tier supports limited Funnel usage; paid plans offer more.

Why This Matters for Self-Hosting

The traditional self-hosting stack looks like this:

DDNS provider → Router port forwarding → Internal service

Each layer adds complexity:

  • DDNS tokens expire or services change APIs (as covered in our DuckDNS update guide).
  • Port forwarding exposes services to internet scans and requires careful firewall rules.
  • Getting a public IP is no longer guaranteed — CGNAT is common on many ISPs.

With Tailscale, the stack becomes:

Your device → Tailscale app → Any other device on your Tailnet

No router touch. No open ports. No DDNS. If your home internet loses its public IP or gets behind CGNAT, it still works.

Comparison: DDNS vs Tailscale

Aspect                DDNS + Port Forwarding    Tailscale
--------------------  ------------------------  -------------------------
Router config needed  Yes                       No
Public IP required    Yes                       No (relay fallback)
Encryption            Depends on your setup     WireGuard (always)
Setup time            30 min — several hours    5 minutes
Access from anywhere  Yes                       Yes (Tailnet devices)
Public exposure       Open ports                Closed by default
Free tier             Varies by provider        Up to 100 devices

Combining Both Approaches

Nothing stops you from using both. Keep DDNS for services that need public access (a personal website, game server), and use Tailscale for everything else (admin panels, development servers, Pi-hole, Home Assistant).

If you've already reconfigured your router to get direct internet access — for example, by activating bridge mode on a MEO router — Tailscale still makes sense for internal services. You get the public IP for what needs it, and encrypted mesh access for everything else without additional port forwarding.

Practical Tips

Install on everything. Phone, laptop, desktop, server, NAS, router. The more devices on your Tailnet, the more useful it becomes.

Use Exit Nodes carefully. Tailscale lets you route all traffic through a specific device (Exit Node). Useful for bypassing network restrictions on public Wi-Fi, but be aware it routes everything — including non-Tailscale traffic — through that device.

Key rotation. On Linux servers, the auth key expires after a set period (default 180 days on the free plan). Run sudo tailscale up again to re-authorize. Set a reminder or use the Tailscale dashboard notifications.

Monitor connections. The Tailscale dashboard shows active peers, connection status (direct vs relay), and network topology. Check it when setting up new devices to confirm connectivity type.
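The same direct-vs-relay check can be scripted from the command line instead of the dashboard. The following is an added example (not from the original post or from Tailscale): it classifies each peer in `tailscale status` text output; the SAMPLE_STATUS lines are constructed to mimic the real format, and the script falls back to them when the tailscale binary is not installed.

```shell
#!/bin/sh
# Added example: classify peers from `tailscale status` output as direct, relay or offline.
# SAMPLE_STATUS is constructed sample output in the real column layout:
# <Tailscale IP> <hostname> <owner> <OS> <connection state>
SAMPLE_STATUS='100.84.21.5     raspberry-pi   alice@   linux    active; direct 203.0.113.7:41641, tx 40212 rx 38110
100.101.7.42    home-server    alice@   linux    active; relay "fra", tx 9912 rx 10240
100.77.13.9     nas            alice@   linux    active; relay "lhr", tx 120 rx 96
100.64.0.23     phone          alice@   android  offline'

# Print "<hostname> <state>" for every peer line passed in as $1.
classify_peers() {
    printf '%s\n' "$1" | awk '
        /; direct / { print $2, "direct";  next }   # peer-to-peer WireGuard path
        /; relay /  { print $2, "relay";   next }   # traffic goes via a DERP relay
                    { print $2, "offline" }'        # no active connection
}

# Only the hostnames that currently fall back to a relay: these are the peers
# whose NAT/firewall situation is worth checking when you set up a new device.
relayed_peers() {
    classify_peers "$1" | awk '$2 == "relay" { print $1 }'
}

# Use live output when tailscale is installed, otherwise the constructed sample.
if command -v tailscale >/dev/null 2>&1; then
    STATUS="$(tailscale status)"
else
    STATUS="$SAMPLE_STATUS"
fi
classify_peers "$STATUS"
```

Relayed peers still carry end-to-end WireGuard encryption; the relay only affects latency and throughput, so this check is about performance, not exposure.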

Final Thoughts

Tailscale removes the friction from remote access. For home labs, personal servers, and anyone tired of managing DDNS tokens and router port forwards, it's one of those tools that makes you wonder why you didn't use it sooner.

Install it on two devices, connect them, SSH from one to the other, and you'll see what the hype is about.


Already using Tailscale? What's your main use case? Leave a comment below.
