Tailscale – Remote Access

No open ports. Global access to your nodes.


Accessing all your devices from a remote location is a typical need for those of us who travel a lot or have multiple offices or homes. I had been without it for a long time after I never updated my WireGuard connection for my new ISP. As a homelabber, this gave me an opportunity to test a new one: Tailscale. I had used it before, but I had never set it up on my homelab.

Proxmox

A Debian VM

Download the Debian 13 Cloud-Image from

https://cloud.debian.org/images/cloud/trixie/latest/debian-13-nocloud-amd64.raw

Other

If you prefer another distribution, download the newest Ubuntu LTS cloud image from https://cloud-images.ubuntu.com/resolute/:

https://cloud-images.ubuntu.com/resolute/current/resolute-server-cloudimg-amd64.vmdk

As an example, create a 10 G disk for the VM.

Install Docker

Install Docker with a one-liner for your homelab. For production, follow the instructions on the Docker homepage instead.

sudo curl -fsSL https://get.docker.com -o get-docker.sh
# READ THE CODE BEFORE CONTINUING #
sh get-docker.sh

This is not recommended for production. You should always READ the script BEFORE executing it.

Test for success

sudo systemctl status docker

Add your user to the docker group

sudo usermod -aG docker $USER

Alternative – Install Docker rootless

Download dockerd-rootless-setuptool.sh and run dockerd-rootless-setuptool.sh install.

Other SW

For an easy-to-use GUI, choose Dockhand, Dockge or Portainer.

Set up Docker for Tailscale

Create a VM with Docker and Portainer (or Dockhand/Dockge) and install Tailscale with the one-liner curl -fsSL https://tailscale.com/install.sh | sh.

Using Docker Compose

compose.yml

services:
  tailscale:
    image: tailscale/tailscale
    container_name: tailscale
    restart: unless-stopped
    volumes:
      - ./var/lib:/var/lib
      - /dev/net/tun:/dev/net/tun
    environment:
      - TS_AUTHKEY=$TS_AUTHKEY
      - TS_ROUTES=$TS_ROUTES
      - TS_STATE_DIR=$TS_STATE_DIR
      - TS_EXTRA_ARGS=$TS_EXTRA_ARGS
    security_opt:
      - no-new-privileges:true
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
networks: {}

The .env file

The values are:

  • TS_AUTHKEY – the auth key, generated in your Tailscale account
    • Go to Settings/Keys and hit Generate auth key...
      • Give it a description for future you
      • Set Reusable to on
      • For a home lab the maximum of a 90-day key is fine
      • ⚠️ Copy the key – it's only shown once
  • TS_ROUTES – the subnet to advertise from your network, e.g. if the VM is 192.0.2.55 use 192.0.2.0/24 (the variable name must be exactly TS_ROUTES; the container ignores a misspelled name and advertises nothing)
  • TS_STATE_DIR – /var/lib/tailscale
  • TS_EXTRA_ARGS – depends on your needs, e.g. --advertise-exit-node

The file holds a reusable auth key, so keep it readable only by your own user (chmod 600 .env).

TS_AUTHKEY=tskey-auth-kxmGbp2W7p11CNTRL-u5Lyy5fyoC3SPoq4ZfLaC3p1GTygAdUSD
TS_ROUTES=192.0.2.0/24
TS_STATE_DIR=/var/lib/tailscale
TS_EXTRA_ARGS=--advertise-exit-node

Start your container

Use docker compose up -d to start the container; it connects to your tailnet automatically.

Edit the Machine

From the ... at the end of the line select:

  • Open the Machine Name
    • Set Auto-generate from OS hostname to Off
    • Edit the Machine name to e.g. Pve-100
    • Hit Update name
  • Hit Disable key expiry to keep the key for longer than 90 days

No expiry date for the key

Understand the security trade-off before doing this: a node whose key never expires stays authenticated until you remove it yourself.

Log in to Tailscale, open Machines, use the ... menu on the machine and select Disable key expiry.

To reach other machines

Log in to Tailscale, open Machines, use the ... menu on the machine, select Edit route settings... and tick the advertised subnet (and exit node, if advertised) to approve it.

Install on your PC

Tailscale provides a one-liner. If you're installing the client on a Linux distribution with a package manager such as apt, yum, or zypper, run:

curl -fsSL https://tailscale.com/install.sh | sh

Or, if you prefer to review the script first:

wget https://tailscale.com/install.sh
# READ THE CODE IN THE SCRIPT
# RUN IT ONLY IF YOU ARE HAPPY WITH WHAT IT DOES
sh install.sh

This is the same script available on the Download page. If you prefer not to use curl | sh, visit the Tailscale Packages - stable track page for manual installation instructions for your distribution.

After installation completes, start the Tailscale client:

sudo tailscale up

The output will display a URL that you can use to authenticate to your Tailscale network (known as a tailnet). After you authenticate, check the Machines page of the admin console to confirm the device appears in your tailnet.

I used the one-liner for my Pop!_OS machine; on my Arch and Mac machines I followed the official guide.

Accessing your machines by SSH

To enable Tailscale SSH on a node so that it can be reached from your other tailnet devices:

sudo tailscale set --ssh

Install Tailscale on Arch Linux

You can install the Tailscale client on Arch Linux (64-bit x86 only). Refer to the Arch Linux Tailscale page for more information.

sudo pacman -S tailscale

Use systemctl to enable and start the service:

sudo systemctl enable --now tailscaled

Connect your machine to your Tailscale network and authenticate in your browser:

sudo tailscale up

You can find your Tailscale IPv4 address by running:

tailscale ip -4

If the device you added is a server or remotely-accessed device, you may want to consider disabling key expiry to prevent the need to periodically re-authenticate.

Post-install Hardening

As a hardening measure, you may want to consider setting the following sysctl values to set reverse path filtering to strict mode:

net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

By enabling this setting, the kernel will only accept packets from a source address if there exists a route back to the source address in the routing table, such as the internal interfaces on the machine.

If the node is a Tailscale subnet router or exit node, you will need to set the value to:

    • 2 (loose) or
    • 0 (off)

to allow packets to be forwarded from the Tailscale network; with strict mode the kernel drops the forwarded traffic.

By default, these are set in /usr/lib/sysctl.d/50-default.conf.
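The checks a homelabber would want to run before docker compose up, as an added example that is not code from this post or from Tailscale: it validates the .env file described earlier (auth key prefix, TS_ROUTES as IPv4 CIDRs, an absolute state dir, and file permissions tight enough for a reusable key), then derives from TS_ROUTES and TS_EXTRA_ARGS whether the node is a subnet router or exit node and therefore needs rp_filter 2 (or 0) instead of the strict 1 discussed in this section, and prints the matching sysctl.d drop-in. The function names are invented for this example, and the sample .env it writes is constructed with a placeholder key.

```shell
#!/bin/sh
# Added example, not code from the post or from Tailscale. Function names and
# the sample .env below are constructed for illustration.

# Print the value of key $2 from the .env file $1 (first match, no expansion).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Validate the .env file the compose stack reads. Prints one line per problem
# and returns 1 if anything is wrong, 0 when all checks pass.
check_tailscale_env() {
    f="$1"
    rc=0
    key=$(env_get "$f" TS_AUTHKEY)
    routes=$(env_get "$f" TS_ROUTES)
    state=$(env_get "$f" TS_STATE_DIR)

    # Auth keys generated under Settings/Keys start with tskey-auth-.
    case "$key" in
        tskey-auth-*) ;;
        *) echo "TS_AUTHKEY: expected a value starting with tskey-auth-"; rc=1 ;;
    esac

    # TS_ROUTES, when set, is a comma-separated list of IPv4 CIDRs.
    if [ -n "$routes" ]; then
        for r in $(printf '%s' "$routes" | tr ',' ' '); do
            if ! printf '%s' "$r" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
                echo "TS_ROUTES: '$r' is not an IPv4 CIDR such as 192.0.2.0/24"
                rc=1
            fi
        done
    fi

    # The state dir is a path inside the container, so it must be absolute.
    case "$state" in
        /*) ;;
        *) echo "TS_STATE_DIR: must be an absolute path"; rc=1 ;;
    esac

    # The file holds a reusable auth key: group and others must have no access.
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by other users; run chmod 600 on it"
        rc=1
    fi
    return "$rc"
}

# Strict reverse-path filtering (1) is fine for a plain client, but a node
# that advertises routes or acts as an exit node forwards traffic for other
# hosts and needs loose (2) or off (0). Print the mode this .env calls for.
required_rp_filter() {
    f="$1"
    routes=$(env_get "$f" TS_ROUTES)
    extra=$(env_get "$f" TS_EXTRA_ARGS)
    if [ -n "$routes" ] || printf '%s' "$extra" | grep -q -- '--advertise-exit-node'; then
        echo 2
    else
        echo 1
    fi
}

# Emit a sysctl.d drop-in setting both rp_filter keys from the post to mode $1.
rp_filter_dropin() {
    printf 'net.ipv4.conf.default.rp_filter = %s\n' "$1"
    printf 'net.ipv4.conf.all.rp_filter = %s\n' "$1"
}

# Demo on a constructed .env; the key is a placeholder, not a real key.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
TS_AUTHKEY=tskey-auth-PLACEHOLDER-not-a-real-key
TS_ROUTES=192.0.2.0/24
TS_STATE_DIR=/var/lib/tailscale
TS_EXTRA_ARGS=--advertise-exit-node
EOF
chmod 600 "$demo_dir/.env"
if check_tailscale_env "$demo_dir/.env"; then
    mode=$(required_rp_filter "$demo_dir/.env")
    echo "env ok; this node needs rp_filter = $mode (or 0):"
    rp_filter_dropin "$mode"
fi
rm -rf "$demo_dir"
```

Point check_tailscale_env at your real .env before the first docker compose up; a typo in the variable name or a missing CIDR prefix would otherwise only show up as a node that never advertises its subnet. On a subnet router or exit node VM the drop-in can be installed with rp_filter_dropin 2 | sudo tee /etc/sysctl.d/99-tailscale.conf followed by sudo sysctl --system, which overrides the distribution default in /usr/lib/sysctl.d/50-default.conf without editing that file.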



References

Tailscale [1], About IPs [2]


  1. Tailscale homepage, getting started, and GitHub ↩︎

  2. IPv4 Address Blocks for Documentation are by RFC 5737:
    TEST-NET-1 = 192.0.2.0/24, -2 = 198.51.100.0/24, -3 = 203.0.113.0/24 ↩︎