Tailscale VPN: Complete Homelab Setup Guide

Secure VPN tunnel for accessing homelab services without port forwarding. Access your homelab from anywhere you have an internet connection without exposing any ports, keeping your private network secure and encrypted with WireGuard, the de facto standard for modern lightweight VPNs.

Installation

1. Install Tailscale Client

curl -fsSL https://tailscale.com/install.sh | sh

Exit Node Configuration

Only do this if you want traffic routed through this device. Other devices that use it as an exit node will appear to the internet as if they were connecting from this device.

2. Enable IP Forwarding

Check if /etc/sysctl.d/ exists:

ls /etc/sysctl.d

If directory exists:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

If directory doesn't exist:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
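
Step 2 as a single script that can be re-run safely (an added example, not part of the original guide): it picks the same file as the two cases above, replaces any existing active line for each key instead of appending a duplicate, and only changes the real system when called with --apply. The function names, the ROOT argument and the --apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide. ROOT is a hypothetical parameter:
# "/" on a real host, or a scratch directory when trying the script out.

# Choose the file step 2 would write to: the sysctl.d drop-in when the
# directory exists, otherwise the main sysctl.conf.
sysctl_target() {
    root=${1%/}
    if [ -d "$root/etc/sysctl.d" ]; then
        echo "$root/etc/sysctl.d/99-tailscale.conf"
    else
        echo "$root/etc/sysctl.conf"
    fi
}

# Make FILE contain exactly one active "KEY = VALUE" line. Any earlier active
# line for KEY (for example "= 0") is dropped; comments and other keys stay.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    touch "$file"
    pattern="^[[:space:]]*$(printf '%s' "$key" | sed 's/\./\\./g')[[:space:]]*="
    grep -v "$pattern" "$file" > "$file.tmp" || true   # grep exits 1 on no output
    printf '%s = %s\n' "$key" "$value" >> "$file.tmp"
    cat "$file.tmp" > "$file"    # rewrite in place to keep owner and mode
    rm -f "$file.tmp"
}

# Apply both forwarding settings from the guide and print the file used.
enable_forwarding() {
    target=$(sysctl_target "$1")
    ensure_sysctl "$target" net.ipv4.ip_forward 1
    ensure_sysctl "$target" net.ipv6.conf.all.forwarding 1
    echo "$target"
}

# Only touch the real system when asked to: sudo sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    target=$(enable_forwarding /)
    sysctl -p "$target"
fi
```

Calling ensure_sysctl with a value of 0 turns forwarding back off in the same file if the device stops acting as an exit node or subnet router.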

3. Advertise as Exit Node

sudo tailscale up --advertise-exit-node

4. Combined Subnet + Exit Node Setup

Don't use the --advertise-exit-node flag if you only want to enable subnet routing. Subnet routing lets you communicate with devices on the network that don't have Tailscale installed. No port forwarding is involved, so you don't open your private network up to the internet.

To route the entire local network:

sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node

Admin Panel Activation

  1. Locate your device

  2. Click "..." → Edit route settings

  3. Enable:

    • Exit Node

    • Subnet Routes (if used)

Verification

tailscale status
# Should show: "exit node enabled" and/or "subnet routes"

Usage Examples

Route all traffic through homelab:

tailscale up --exit-node=your-server-ip

Access local devices:

ssh username@192.168.1.x  # Through advertised subnet

Maintenance

Command                      Purpose
sudo tailscale logout        Remove device from network
tailscale ping <device>      Test connectivity
sudo tailscale up --reset    Fix connection issues

Security Notes

  • All traffic encrypted with WireGuard®

  • No inbound firewall rules needed

  • Device approval required in admin console

  • Free for personal use (20 device limit)

Pro Tip: Use --advertise-tags=tag:homelab for granular access control.
