โ† back to projects

Remote Access

Secure remote access to the entire homelab network via Tailscale, without exposing a single port to the internet.

Tailscale Raspberry Pi 5 WireGuard VPN Networking
TAILSCALE MESH (tailnet) Raspberry Pi 5 Subnet Router ยท 192.168.1.242 advertises 192.168.1.0/24 Tailscale node Laptop Personal Tailscale client macOS / Windows Phone Personal Tailscale client iOS / Android Work PC Office Tailscale client Windows Homelab 192.168.1.0/24 Proxmox ยท Jellyfin Grafana ยท AMP ยท NAS All services accessible via subnet route subnet route Tailscale peer connection Subnet route Connected

The Setup

Remote access runs through Tailscale on the Raspberry Pi 5, which acts as a subnet router โ€” advertising the entire 192.168.1.0/24 network to the Tailscale mesh. Any device on the tailnet can reach any device on the homelab network as if it were sitting on the same local network.

Why Tailscale

Tailscale was the obvious choice for a few reasons. It's built on WireGuard โ€” a modern, audited VPN protocol known for being fast and lightweight compared to older options like OpenVPN. The key advantage over running raw WireGuard is that Tailscale handles all the key exchange, peer discovery and NAT traversal automatically. There's no manually managing keys, no dynamic IP headaches and no open ports required on the router. The control plane is handled by Tailscale's coordination server, but all traffic travels directly peer to peer โ€” it never passes through their infrastructure.

For a homelab where the goal is secure remote access with minimal configuration overhead, and solid security, it was the right choice.

What It's Used For

Day to day remote access covers a few things:

  • Managing Proxmox from the browser โ€” the full web UI is accessible remotely as if on the local network
  • SSH into any VM or container directly by IP
  • Accessing Jellyfin away from home for media playback
  • Spinning up and configuring new VMs when I'm away from home and bored..
  • Accessing any other web UI running on the homelab โ€” Jellyseerr, AMP and so on

Devices on the Tailnet

The tailnet currently has a handful of devices โ€” the Raspberry Pi 5 acting as the subnet router, a personal laptop, a phone and a work PC. The work PC being on the tailnet means the homelab is accessible during the day without needing to think about it.

Setup Experience

Genuinely one of the most straightforward things in the entire homelab. Install Tailscale, authenticate, enable subnet routing, approve the subnet in the admin console. The Pi 5 has been running it without issue ever since โ€” it just works in the background without any maintenance needed.