
Secure Remote Access with Tailscale

How I use Tailscale to create a secure overlay network for remote administration without exposing management ports to the internet.

Tags: Tailscale, Security, Networking, Homelab

One of the biggest security decisions I made for my homelab was simple: never expose management interfaces to the public internet. No SSH on port 22, no web UIs accessible from outside. The question then becomes—how do you administer your infrastructure when you're not home?

The answer is Tailscale.

The Problem with Traditional Remote Access

The traditional approach to remote access usually involves one of these patterns:

  • Port forwarding: Open SSH or admin ports through your router. Simple, but you're trusting your services to withstand internet-scale attacks.
  • VPN server: Run OpenVPN or WireGuard on your edge. Better, but now you're maintaining VPN infrastructure and managing certificates.
  • Jump boxes: Expose one hardened server and hop through it. Adds latency and operational complexity.

All of these work, but they share a common problem: something has to be exposed to the internet.

Enter the Overlay Network

Tailscale creates a mesh network between your devices using WireGuard under the hood. Every device gets a stable IP address on the Tailscale network, and traffic between devices is encrypted end-to-end.

The key insight is that nothing needs to be exposed publicly. Tailscale handles NAT traversal: devices learn about each other through Tailscale's coordination servers, which exchange public keys and endpoint information but never carry your data, while the actual traffic flows directly between devices.

My Setup

Every machine in my homelab runs the Tailscale client:

  • Proxmox host: Accessible for management from anywhere
  • Critical VMs: Monitoring, storage management, service hosts
  • Workstations: My laptop and desktop automatically join the mesh
  • Mobile devices: Even my phone can SSH into servers if needed

Access Patterns

When I'm at home, I use local network access for most things—it's faster and doesn't depend on external services. But when I'm traveling or working remotely, Tailscale gives me the same access I'd have if I were sitting at home.

Common use cases:

  • Emergency debugging: Something breaks at 2 AM? I can SSH in from my phone
  • Remote development: Access internal services and databases from a coffee shop
  • Secure file access: Reach my NAS storage from anywhere
  • Monitoring checks: Pull up Grafana dashboards on the go

Security Benefits

The security model is fundamentally different from traditional approaches:

No Public Exposure

My firewall has zero inbound ports open for management. Scanners and bots see nothing. The attack surface is reduced to the Tailscale client itself, which has a much smaller footprint than a full SSH server or VPN stack.

Device-Based Authentication

Access is tied to authenticated devices, not just credentials. Even if someone had my SSH key, they couldn't reach my servers without also being on my Tailscale network.

Encrypted by Default

All traffic is encrypted with WireGuard. There's no unencrypted management traffic flowing over my network or the internet.

Operational Simplicity

What I appreciate most about Tailscale is how little I have to think about it:

  • No certificate management: No renewing VPN certs or managing a CA
  • No port configuration: No remembering which port goes where
  • No firewall rules for access: The overlay handles routing
  • Works everywhere: Behind corporate firewalls, on cellular, on hotel WiFi

Lessons Learned

Implementing Tailscale taught me several things:

  1. Reducing exposure is the best security - The best defense against attacks on your management interfaces is not having them exposed
  2. Overlay networks change the game - Traditional network security assumptions don't always apply
  3. Operational simplicity matters - Security tools that are hard to use get bypassed or misconfigured
  4. Trust your tooling - WireGuard's cryptographic primitives are solid; Tailscale makes them accessible

Beyond Management

While I primarily use Tailscale for administration, it's also useful for sharing access with trusted people. Family members can access certain services without me exposing them publicly or setting up complex VPN configurations.
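As an added example that is not part of the original post, here is the kind of ACL policy (Tailscale's HuJSON format, which allows comments and trailing commas) that enforces the split described here and under Device-Based Authentication: an admin group reaches SSH and management ports on tagged servers, a family group reaches only one service port. The logins, tags and port 8080 are constructed placeholders.

```jsonc
// Tailscale ACL policy (HuJSON). All identities, tags and ports below are
// constructed placeholders, not values from a real tailnet.
{
  // Identities are Tailscale logins (identity-provider accounts), not OS users.
  "groups": {
    "group:admins": ["admin@example.com"],
    "group:family": ["family-member@example.com"],
  },

  // Who may attach each tag to a device. A tagged device acts under the
  // tag's identity instead of the identity of whoever enrolled it.
  "tagOwners": {
    "tag:server": ["group:admins"], // Proxmox host, critical VMs
    "tag:shared": ["group:admins"], // hosts running family-facing services
  },

  // Default is deny: a connection must match an accept rule to be allowed.
  "acls": [
    // Admins reach every port on every tagged host, including management.
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:server:*", "tag:shared:*"]},

    // Family reaches only the shared service port; SSH and admin UIs stay closed.
    {"action": "accept", "src": ["group:family"], "dst": ["tag:shared:8080"]},
  ],

  // Tailscale SSH: which logins may become which OS users on which devices.
  // "check" forces a fresh identity-provider re-authentication first.
  "ssh": [
    {
      "action": "check",
      "src": ["group:admins"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  // Policy tests are evaluated on every save; a save that breaks them is rejected,
  // so a later edit cannot silently grant the family group SSH access.
  "tests": [
    {"src": "family-member@example.com", "accept": ["tag:shared:8080"], "deny": ["tag:server:22", "tag:shared:22"]},
    {"src": "admin@example.com", "accept": ["tag:server:22", "tag:shared:8080"]},
  ],
}
```

The `tests` block is the check worth keeping: it turns the "family never gets a management port" intent into an assertion the control plane enforces on every policy change.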

If you're running a homelab and still exposing SSH or admin ports to the internet, consider an overlay network. The peace of mind from knowing there's simply nothing for attackers to hit is worth the minimal setup time.