Tailscale VPN: Connect All Your Devices in Minutes

14 Automation & Tools Technology

Tailscale VPN: Connect All Your Devices in Minutes

By Alex Torres | March 2026 | IGNA Online

Let me paint a picture you might recognize. You’re away from home, maybe at a coffee shop or a hotel, and you need
to access a file on your home server. Or you want to check your security cameras. Or you left a service running on
your homelab that you need to manage. The traditional answer has always been “set up a VPN,” and if you’ve ever
tried configuring OpenVPN or IPsec from scratch, you know that can mean hours of troubleshooting certificates,
firewall rules, and port forwarding. I’ve been there more times than I care to admit.

Then I discovered Tailscale, and honestly, it felt like cheating. A WireGuard-based mesh VPN that connects all
your devices in minutes with virtually zero configuration? It sounded too good to be true. But after running it
across my entire homelab for over a year now, I can tell you it’s the real deal. In this Tailscale tutorial, I’ll
walk you through everything: what it is, how to set it up on every platform, and how to unlock its most powerful
features.

What Is Tailscale and Why Should You Care?

At its core, Tailscale is a zero config VPN built on top of WireGuard, the modern VPN protocol
that’s known for being fast, lightweight, and cryptographically sound. But where WireGuard gives you a protocol,
Tailscale gives you a product. It handles all the painful parts — key exchange, NAT traversal,
peer discovery, DNS — so you don’t have to.

Unlike a traditional VPN where all traffic routes through a central server (creating a bottleneck), Tailscale
creates a WireGuard mesh VPN. Every device in your network, which Tailscale calls a
tailnet, connects directly to every other device peer-to-peer. That means if your laptop in a hotel
needs to reach your home server, the traffic goes directly between them. No middleman, no added latency, no
single point of failure.

Here’s why Tailscale is a game-changer, especially for homelabbers:

  • No port forwarding required. Tailscale uses NAT traversal techniques (including STUN and DERP relay servers as a fallback) to punch through firewalls. You don’t need to touch your router configuration at all.
  • No public IP needed. Behind CGNAT with your ISP? Doesn’t matter. Tailscale works anyway.
  • End-to-end encryption. All traffic is encrypted with WireGuard. Tailscale’s coordination servers never see your data — they only help devices find each other.
  • Works everywhere. Linux, Windows, macOS, iOS, Android, FreeBSD, Synology, QNAP, Raspberry Pi — you name it.
  • Free tier is generous. Up to 100 devices and 3 users at no cost. That covers most homelabs easily.

Tailscale vs. Traditional VPN: What’s the Difference?

If you’ve used a traditional VPN setup before — say, OpenVPN running on a VM or a dedicated appliance — you’re
used to the hub-and-spoke model. All remote clients connect to one central VPN server, and all traffic flows
through that server. This works, but it has drawbacks:

  • The central server is a single point of failure.
  • All traffic is bottlenecked through one machine’s bandwidth.
  • You need a public IP address and open ports on your router.
  • Certificate management and configuration are complex.
  • Adding new devices means generating new client configs.

Tailscale flips this model entirely. There’s no central server handling your traffic. Each device connects
directly to the others using WireGuard tunnels. Adding a new device means installing the app and logging in —
that’s it. The coordination server (run by Tailscale) only handles authentication and key distribution; your
actual data never touches their infrastructure.

For those who want a self-hosted alternative to Tailscale’s coordination server, there’s
Headscale, an open-source implementation. But for most people, Tailscale’s managed service
with its free tier is the easiest path, and that’s what we’ll focus on here.

Tailscale Setup: Installation on Every Platform

The Tailscale setup process is remarkably consistent across platforms. You install the client, authenticate with
your identity provider (Google, Microsoft, GitHub, or others), and the device joins your tailnet. Let me walk
through each platform.

Linux (Ubuntu / Debian)

This is where most homelabbers will start. Tailscale provides an official install script: 

# Install Tailscale using the official script
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale and authenticate
sudo tailscale up

# Check your Tailscale IP
tailscale ip -4

Running tailscale up will print a URL in your terminal. Open that URL in a browser, log in with
your identity provider, and the device is added to your tailnet. The whole process takes about 60 seconds.

On distros like Fedora or Arch, Tailscale is also available through their respective package managers, but the
install script works universally across most Linux distributions.

macOS

On Mac, you have two options. The easiest is to grab the app from the Mac App Store — search for “Tailscale” and
install it. Alternatively, if you prefer the command line: 

# Install via Homebrew
brew install tailscale

# Or install the Mac App Store version via mas-cli
mas install 1475387142

Once installed, click the Tailscale icon in your menu bar, sign in, and you’re connected. The macOS app runs as
a menu bar utility and stays out of your way.

Windows

Download the installer from tailscale.com/download and run it. After installation, Tailscale appears
in your system tray. Click it, sign in, and your Windows machine joins the tailnet. If you prefer command-line
management, Tailscale also installs a CLI tool you can use from PowerShell: 

# Check connection status (PowerShell)
tailscale status

# See your Tailscale IP
tailscale ip

iOS and Android

Install the Tailscale app from the App Store or Google Play Store. Open it, sign in with the same identity
provider you used for your other devices, and your phone is on the tailnet. I keep Tailscale running on my
phone at all times — it uses negligible battery because WireGuard is so efficient. When I need to access my
homelab from my phone, everything just works.

Raspberry Pi and ARM Devices

The same Linux install script works on Raspberry Pi and other ARM devices. I run Tailscale on a Pi 4 that
serves as a subnet router (more on that shortly) and an exit node for my network: 

# Works on Raspberry Pi OS (Debian-based)
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Remote Access Homelab: Subnet Routing

Here’s where Tailscale gets really powerful for homelabbers. By default, Tailscale only lets you access devices
that have Tailscale installed. But what about your NAS, your smart home devices, your network printer, or other
things you can’t (or don’t want to) install Tailscale on?

The answer is subnet routing. You designate one device on your home network as a subnet router,
and it advertises your entire local network to your tailnet. Any device on your tailnet can then access any
device on your home LAN, even if those LAN devices don’t have Tailscale installed.

To set this up, pick a device on your home network (a Raspberry Pi or your Linux server works great) and run: 

# Enable IP forwarding (required for subnet routing)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Advertise your home subnet (adjust to your local range)
sudo tailscale up --advertise-routes=192.168.1.0/24

After running this, go to the Tailscale admin console at login.tailscale.com/admin, find the
device, and approve the advertised route. Once approved, any device on your tailnet can reach
192.168.1.x addresses as if it were sitting on your home network.

This is the feature that made me go all-in on Tailscale for remote access to my homelab. I can access my
Synology NAS web interface, my UniFi controller, my Proxmox dashboard — everything — from anywhere in the
world, without exposing a single port to the internet.

Exit Nodes: Route All Traffic Through Home

Subnet routing lets you access your home network. But what if you want all your internet traffic to
route through your home connection? Maybe you’re on an untrusted Wi-Fi network and want the security of your
home connection, or you need to appear as though you’re browsing from your home IP address.

That’s what exit nodes are for. You designate a device on your home network as an exit node,
and any device on your tailnet can choose to route all its traffic through that node. 

# On your home server, advertise it as an exit node
sudo tailscale up --advertise-exit-node --advertise-routes=192.168.1.0/24

# On your laptop or phone, use the exit node
sudo tailscale up --exit-node=homeserver

You can also select the exit node from the Tailscale GUI on macOS, Windows, iOS, or Android. I use this
constantly when I’m on hotel or airport Wi-Fi. All my traffic gets encrypted and routed through my home
connection, keeping me safe on sketchy networks.

Tailscale SSH: Ditch the Keys

This is one of my favorite Tailscale features and one that doesn’t get talked about enough. Tailscale
SSH lets you SSH into your machines using your Tailscale identity instead of managing SSH keys.

Think about how SSH key management typically works: you generate a key pair, copy the public key to every server,
manage authorized_keys files, rotate keys periodically (or more realistically, never rotate them). It works,
but it’s tedious and error-prone.

With Tailscale SSH, authentication is handled by Tailscale’s identity system. You enable it on the server side: 

# Enable Tailscale SSH on the target machine
sudo tailscale up --ssh

# Now from any device on your tailnet, just SSH in:
ssh user@hostname

Tailscale handles the authentication using your tailnet identity. You can configure ACLs (access control lists)
to define who can SSH into which machines and as which users. No keys to manage, no keys to rotate, and you
get audit logs of every SSH session through the admin console.

MagicDNS: Forget About IP Addresses

Every device on your tailnet gets a Tailscale IP address (in the 100.x.y.z range). But remembering
IP addresses is tedious. Tailscale’s MagicDNS feature automatically assigns DNS names to every
device based on its hostname.

If your home server’s hostname is homeserver and your tailnet is on example.ts.net,
you can reach it at: 

# Short name (works within your tailnet)
ping homeserver

# Fully qualified name
ping homeserver.example.ts.net

# Access services by name
http://homeserver:8080
ssh homeserver

MagicDNS is enabled by default on new tailnets. Combined with HTTPS certificates that Tailscale can provision
automatically (via Let’s Encrypt), you can even access your self-hosted services over HTTPS with valid
certificates. No more browser warnings about self-signed certs. 

# Get a TLS certificate for your device
sudo tailscale cert homeserver.example.ts.net

ACLs: Controlling Who Accesses What

Once you start adding more devices and possibly more users to your tailnet, you’ll want to control who can
access what. Tailscale’s ACL (Access Control List) system lets you define fine-grained access
policies using a JSON configuration file in the admin console.

Here’s a basic example of what an ACL policy looks like: 

{
  "acls": [
    // Allow all users to access their own devices
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["autogroup:self:*"]
    },
    // Allow the admin to access everything
    {
      "action": "accept",
      "src": ["alex@example.com"],
      "dst": ["*:*"]
    },
    // Allow a guest user to access only the media server
    {
      "action": "accept",
      "src": ["guest@example.com"],
      "dst": ["mediaserver:32400"]
    }
  ]
}

You can create groups, tag devices by role, and build policies that match your exact needs. For example, I have
a tag for my IoT devices that prevents them from initiating connections to my main servers but allows my admin
machines to connect to them. This kind of segmentation used to require VLANs and complex firewall rules. With
Tailscale ACLs, it’s a few lines of JSON.

A few practical ACL patterns I use:

  • Isolate IoT devices so they can only talk to specific services, not to each other or to sensitive machines.
  • Restrict SSH access so only my admin devices can SSH into production servers.
  • Limit guest access so friends I share my Plex server with can only reach port 32400 on the media server and nothing else.
  • Time-based access using Tailscale’s posture checks to require recent device authentication.

Free vs. Paid: Which Tier Do You Need?

Tailscale’s pricing has evolved over the years, and as of March 2026, the free tier remains remarkably generous
for personal and homelab use. Here’s how the tiers break down:

Personal (Free)

  • Up to 100 devices
  • Up to 3 users
  • All core features: subnet routing, exit nodes, MagicDNS, Tailscale SSH
  • Basic ACLs
  • Community support

Personal Plus / Starter

  • More users and devices
  • Advanced ACL features and posture management
  • Priority support
  • Custom DERP servers

Business and Enterprise

  • SSO/SAML integration
  • Advanced audit logging
  • Device posture management
  • Dedicated support

For the vast majority of homelabbers, the free tier is more than enough. I’ve been running it
with around 15 devices and a single user account, and I’ve never hit a limitation. The only reason to consider
a paid tier for personal use would be if you want to share your tailnet with more than 3 family members or
need advanced compliance features.

Putting It All Together: My Homelab Setup

Let me share how I actually use Tailscale across my homelab to give you some practical inspiration. My setup
includes:

  1. Proxmox server — runs Tailscale directly, acts as subnet router for my 192.168.1.0/24 network and exit node.
  2. Raspberry Pi 4 — backup subnet router and Pi-hole DNS server, also on Tailscale.
  3. Synology NAS — Tailscale installed via the Synology package. Accessible from anywhere for file management.
  4. MacBook Pro (daily driver) — Tailscale app running, uses the Proxmox server as exit node on untrusted networks.
  5. iPhone — Tailscale app running at all times. Can access all homelab services from cellular.
  6. Work laptop — Tailscale connects me to my home network without interfering with work VPN (Tailscale handles split routing gracefully).

With this setup, I can be anywhere in the world and access my entire home network as if I were sitting on my
couch. I can SSH into my Proxmox server, browse files on my NAS, manage my Docker containers through Portainer,
check my security cameras, and even print to my home printer — all without a single port forwarded on my router.

Tips and Gotchas

After running Tailscale extensively, here are a few practical tips I’ve picked up:

  • Key expiry. By default, device keys expire and need to be re-authenticated. For servers that run unattended, disable key expiry in the admin console for those specific machines.
  • Split DNS. If you run Pi-hole or AdGuard Home, you can configure Tailscale to use it as the DNS server for your tailnet. This gives you ad-blocking on all devices, even when away from home.
  • Funnel. Tailscale Funnel lets you expose a service on your tailnet to the public internet through Tailscale’s infrastructure. It’s great for sharing a dev server temporarily or running a webhook endpoint without port forwarding.
  • Container support. Running Docker? Tailscale has an official Docker image (tailscale/tailscale) that you can run as a sidecar container. This lets individual containers have their own Tailscale identity.
  • Performance. Because Tailscale uses WireGuard and establishes direct connections, performance overhead is minimal. In my testing, I consistently see less than 5% throughput reduction and negligible latency increase on direct connections.

Getting Started: Your First Five Minutes

If you want to try Tailscale right now, here’s a quick-start checklist:

  1. Go to tailscale.com and sign up with your Google, Microsoft, or GitHub account.
  2. Install Tailscale on two devices (your computer and your phone are a great starting pair).
  3. Log in on both devices with the same account.
  4. Try pinging one device from the other using its Tailscale IP or MagicDNS name.
  5. If you have a homelab, set up subnet routing on one machine so all your devices are accessible remotely.

That’s genuinely it. No certificates to generate, no config files to write, no ports to forward. In my
experience, most people go from zero to a fully functional mesh VPN in under five minutes.

Final Thoughts

I’ve tried a lot of networking tools over the years, and Tailscale is one of the few that I’d describe as
“it just works.” It takes the best VPN protocol available (WireGuard), wraps it in a user experience that
anyone can manage, and gives you features like subnet routing, exit nodes, SSH, and MagicDNS that would
take significant effort to replicate manually.

For homelabbers, Tailscale solves the remote access problem so completely that it frees you to focus on the
fun stuff — building and experimenting — instead of fighting with networking. If you’ve been hesitating, give
the free tier a try. I’m confident it’ll become a permanent part of your setup, just like it has for mine.

Got questions about Tailscale or want to share your own setup? Drop a comment below — I’d love to hear how
you’re using it.

— Alex