Tailscale Remote Access

The private overlay network that connects trusted devices, core services, DNS, SSH, media, smart home, and AI agent systems.

Tailscale is the connective tissue of the lab. It links trusted personal devices, VMs, computers, core services, AI-agent environments, and DNS filtering without requiring broad firewall port exposure.

The most important use cases are remote access to Home Assistant, the NAS, media services, computers, AI-agent systems, private DNS, and browser/desktop gateways.

Features In Use

  • MagicDNS for private naming.
  • Tailscale SSH for administration.
  • Exit nodes for selected remote workflows.
  • Tailscale Serve/private service routes for browser-friendly access to internal apps.
  • Manual approval for new devices.
  • Key expiry is disabled on selected infrastructure-level devices to reduce surprise reauthentication on systems that are expected to stay reachable.

Subnet routing is not part of the current setup. ACLs are a future improvement area; the current posture works, but stricter device and role boundaries would make the system cleaner.

Service Routing Pattern

A small always-on service helps route private overlay names to containerized apps. That avoids installing Tailscale directly into every container while still giving important services browser-friendly private names.

This pattern supports tools such as Git, Guacamole, Homepage, Portainer, Uptime Kuma, and AI/automation interfaces without publishing public access paths.

The service-routing pattern has also been a real troubleshooting teacher. Same-host access, private service routing, DNS behavior, and Linux route advertisement issues all showed up as practical networking problems rather than abstract diagrams.

Lessons

Tailscale has been a networking lab in itself. Troubleshooting private service routing, same-host access, NAT behavior, Linux route behavior, DNS, and agent access has directly reinforced the networking concepts I care about professionally.

Private overlay networking makes a homelab much easier to manage, but convenience has to be balanced with device trust, key expiry decisions, ACL discipline, and a clear understanding of how traffic actually routes.

The next improvement is ACL discipline: the current setup works, but tighter role and device boundaries would make the private network easier to reason about as it grows.
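As an added illustration of what tighter role and device boundaries could look like, here is a constructed Tailscale policy file (expressed as a Python dict) plus a small lint over it that flags the patterns that undo those boundaries. This is example code, not the lab's actual policy: the tag names (tag:admin-device, tag:infra, tag:media) and the port choices are assumptions, while the keys, actions and autogroups are the ones Tailscale's policy format defines.

```python
# Constructed example policy: admin-tagged devices reach everything, ordinary
# members only reach HTTPS front doors, and Tailscale SSH to infrastructure is
# limited to admin devices with per-session re-authentication ("check").
# Tag names and ports are placeholders, not the lab's real configuration.
POLICY = {
    "tagOwners": {
        "tag:admin-device": ["autogroup:admin"],
        "tag:infra": ["autogroup:admin"],
        "tag:media": ["autogroup:admin"],
    },
    "acls": [
        {"action": "accept", "src": ["tag:admin-device"], "dst": ["*:*"]},
        {"action": "accept", "src": ["autogroup:member"],
         "dst": ["tag:media:443", "tag:infra:443"]},
    ],
    "ssh": [
        {"action": "check", "src": ["tag:admin-device"], "dst": ["tag:infra"],
         "users": ["root", "autogroup:nonroot"]},
    ],
}

# Tailscale's default policy for a new tailnet: every device may reach every
# other device on every port. This is the posture the lint is meant to catch.
DEFAULT_OPEN_POLICY = {
    "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
}


def lint_policy(policy):
    """Return human-readable findings for rules that erase role boundaries."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if "*" in rule.get("src", []) and "*:*" in rule.get("dst", []):
            findings.append(f"acls[{i}]: allow-all rule (src '*' to dst '*:*')")
    for i, rule in enumerate(policy.get("ssh", [])):
        src = rule.get("src", [])
        if "*" in src or "autogroup:member" in src:
            findings.append(f"ssh[{i}]: SSH open to any member, not an admin role")
        if rule.get("action") == "accept" and "root" in rule.get("users", []):
            findings.append(f"ssh[{i}]: root SSH without 'check' re-authentication")
    for tag, owners in policy.get("tagOwners", {}).items():
        if "autogroup:member" in owners:
            findings.append(f"tagOwners[{tag}]: any member may apply this tag")
    return findings


if __name__ == "__main__":
    print("scoped policy:", lint_policy(POLICY) or "no findings")
    print("default policy:", lint_policy(DEFAULT_OPEN_POLICY))
```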