Secure Your Homelab with Tailscale: Access Self-Hosted Services from Anywhere

Services today are getting more invasive while becoming more expensive. At some point, I figured it might be worth trying to host a few things myself instead.
But self-hosting comes with its own set of challenges. How do you access your services over the internet? How do you secure them? And how do you manage access without an overly complicated setup? This led me to using Tailscale. Tailscale is a mostly zero-config mesh VPN, which enables connecting to your devices over the internet through a private network.
In this article, I will guide you through setting up Tailscale on your home lab and using it to access self-hosted services from anywhere. We’ll also explore exposing services to the internet when required.
Signing up for Tailscale
Navigate to login.tailscale.com
Sign up using your preferred method (Google, GitHub, Microsoft, or email)
Download the Tailscale client for your operating system
Open the client and sign in — this will automatically register your device to your private Tailscale network (called a tailnet)
Repeat the process on any additional devices you want to connect.
To confirm everything is working, try reaching one device from another using its Tailscale IP address: ping the IP address of one of your devices from the other.
Securing Tailnet
Now that devices are able to connect to each other, let's move on to securing them before hosting any services. There are multiple ways to implement access control, the easiest being tags. We will create tags, assign them to devices, and restrict the ports based on the tags.
By default, Tailscale allows all devices on the network to talk to each other on all ports. Adding ACLs changes this to deny-by-default, and a connection is only allowed if an access rule is present.
In the admin console, navigate to Access Control > Tags.
Click on create tags and ideally create at least two tags: server and client.
Navigate to the machines tab and, for each device you have added, add the tag by clicking on the three dots > Edit ACL Tags > Add the tag from the drop-down. Save.
Before saving, make sure every device is tagged. Untagged devices will lose the ability to communicate once ACLs are enabled.
Now navigate to Access Control > General Access Rule.
Click on create rule.
Add tag:client as the source and tag:server as the destination. For the port, add tcp:80 and tcp:443. Add other ports if your services require them. (Add tcp:22 if you also want to SSH into the server devices.) Save.
Now all your server devices can be accessed from the clients only on ports 80 (HTTP) and 443 (HTTPS).
Before moving on, it’s worth setting up a few tests in the Tests tab. Tests let you define connections that should always be allowed in your tailnet. Every time you make a change to your access rules, these tests are automatically validated. If any test fails, Tailscale will prevent you from saving the change, protecting you from accidentally breaking access to your services.
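To see how the tag rule, the deny-by-default behaviour and the tests fit together, here is an added example (not part of the original article and not Tailscale's own code). It is a simplified Python model: the POLICY dictionary is assumed to mirror the rule created above in the policy file's grants layout, and the device names are constructed.

```python
# Simplified model of a deny-by-default tailnet policy; not Tailscale's evaluator.
# POLICY is assumed to mirror the tag rule from the steps above (grants layout).
POLICY = {
    "tagOwners": {"tag:server": ["autogroup:admin"], "tag:client": ["autogroup:admin"]},
    "grants": [
        {"src": ["tag:client"], "dst": ["tag:server"], "ip": ["tcp:80", "tcp:443"]},
    ],
    "tests": [
        # Clients must reach HTTPS on servers and must not reach SSH.
        {"src": "tag:client", "accept": ["tag:server:443"], "deny": ["tag:server:22"]},
    ],
}

# Constructed inventory (hypothetical device names): name -> assigned tags.
DEVICES = {"home-server": ["tag:server"], "laptop": ["tag:client"], "old-phone": []}


def allowed(policy, src_tag, dst_tag, port, proto="tcp"):
    """Deny by default: a connection passes only if some grant matches it."""
    for grant in policy["grants"]:
        if (src_tag in grant["src"] and dst_tag in grant["dst"]
                and f"{proto}:{port}" in grant["ip"]):
            return True
    return False


def run_tests(policy):
    """Return the failed tests; an empty list means the change could be saved."""
    failures = []
    for test in policy["tests"]:
        for expected, key in ((True, "accept"), (False, "deny")):
            for target in test.get(key, []):
                dst_tag, port = target.rsplit(":", 1)  # "tag:server:443"
                if allowed(policy, test["src"], dst_tag, int(port)) != expected:
                    failures.append(f"{test['src']} -> {target} should be {key}")
    return failures


def untagged(devices):
    """Devices with no tag match no rule, so they lose access once rules exist."""
    return sorted(name for name, tags in devices.items() if not tags)


if __name__ == "__main__":
    print("failed tests:", run_tests(POLICY))
    print("untagged devices:", untagged(DEVICES))
```

A "deny" entry is what catches a later edit that opens more than intended, such as adding tcp:22 to the client rule by mistake.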
MagicDNS
Just like on the internet, where you communicate with a server using a URL instead of an IP address, you can do that on a Tailscale network. Tailscale provides a feature called MagicDNS, a private DNS for your tailnet.
Each tailnet gets a domain somestring.ts.net, and devices can be accessed using hostname.somestring.ts.net instead of their IP addresses.
MagicDNS is enabled by default. If for some reason it is not, navigate to DNS in the admin console and enable it.
You can find your tailnet’s full DNS name on the DNS page of the admin console. Once MagicDNS is active, your devices are reachable using their hostname — for example, if your server is named home-server, you can access a service running on port 8096 at http://home-server:8096 or http://home-server.somestring.ts.net:8096 from any device on your tailnet.
The hostname is taken from the device’s hostname. You can always change it on the machines tab for a device by clicking on the three dots > Edit machine name.
You now have a private, secure network where your devices can reach each other and your self-hosted services from anywhere. But what if you want to share a service with someone outside your tailnet, without opening ports on your router? In the next article, we’ll look at Tailscale Funnel and how it lets you selectively expose services to the public internet.


