🕸️Tailscale: your private network
Reach your machine from anywhere (a café, a train, your couch) as if it were sitting right next to you. Encrypted, without opening a single port on your router, in five minutes.
Your mini-PC sits at home, behind your router. Great as long as you're on the same Wi-Fi. But the moment you step out (a café, the train, the office) it becomes unreachable: it lives on a private network, tucked behind your router's NAT, with no public address of its own.
The 2000s fix is port forwarding on the router: you forward port 22 to the machine and hope nobody else finds it. Except the entire Internet scans that port nonstop; within minutes of exposing it, your auth log fills with password-guessing attempts from addresses you've never heard of. You've just exposed your front door to the planet. Fragile, stressful, and to be redone every time you change routers.
Tailscale takes the problem from the other end: instead of punching a hole toward your machine, it builds a private overlay network that links all your devices together. Your mini-PC, your laptop, your phone see each other as if they were on the same cable, wherever they are on Earth. Encrypted end to end (WireGuard runs underneath, a modern, lean VPN protocol with a small, well-reviewed code base), and zero ports open on your router.
How it works, in one picture
Each device gets a stable IP address in a private range (100.x.y.z, drawn from the 100.64.0.0/10 block, plus an IPv6 address). That set of devices is your tailnet: your little personal network. When your laptop wants to talk to the mini-PC, Tailscale establishes a direct, encrypted connection between the two, punching through NATs on its own. The coordination server only hands out each node's public key and candidate endpoints; the private keys never leave the devices. In the normal case the data goes peer-to-peer and does not pass through Tailscale's servers. When NAT traversal fails (some corporate or mobile networks), the client falls back to Tailscale's DERP relays, which forward the already-encrypted WireGuard packets and cannot read them; tailscale status shows whether a peer is currently direct or relayed.
The concrete result: you type ssh ulrich@mini from a train, and it’s as if you were in your living room. No router to configure, no port exposed.
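To check the peer-to-peer claim on your own tailnet, here is a small script, added here and not part of the original post or of Tailscale's tooling. It parses the JSON that tailscale status --json prints and classifies each peer as direct, relayed through a DERP region, idle, or offline, and checks that every address falls in the ranges a tailnet hands out. The field names used (Peer, HostName, TailscaleIPs, Online, Active, CurAddr, Relay) are those the tailscale CLI emits; the SAMPLE_STATUS document is constructed by hand so the script runs offline, and the --live switch is my own convention for swapping in real output.

```python
"""Classify how each tailnet peer is currently reached (direct or relayed).

Added example, not from the original post or from Tailscale. SAMPLE_STATUS
is a hand-constructed stand-in for `tailscale status --json`.
"""
import ipaddress
import json
import subprocess
import sys

# Tailscale assigns addresses from these blocks (IPv4 CGNAT space and a ULA prefix).
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILSCALE_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

SAMPLE_STATUS = json.dumps({  # constructed sample, mimicking `tailscale status --json`
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.102.103"]},
    "Peer": {
        "nodekey:aaaa": {"HostName": "mini", "TailscaleIPs": ["100.118.42.7", "fd7a:115c:a1e0::1"],
                         "Online": True, "Active": True,
                         "CurAddr": "203.0.113.5:41641", "Relay": "par"},
        "nodekey:bbbb": {"HostName": "phone", "TailscaleIPs": ["100.64.9.2"],
                         "Online": True, "Active": True, "CurAddr": "", "Relay": "fra"},
        "nodekey:cccc": {"HostName": "nas", "TailscaleIPs": ["100.70.1.1"],
                         "Online": False, "Active": False, "CurAddr": "", "Relay": ""},
        "nodekey:dddd": {"HostName": "tablet", "TailscaleIPs": ["100.70.1.9"],
                         "Online": True, "Active": False, "CurAddr": "", "Relay": "ams"},
    },
})


def classify_path(peer: dict) -> str:
    """Return "direct", "relay:<region>", "idle" or "offline" for one peer entry."""
    if not peer.get("Online", False):
        return "offline"
    if peer.get("CurAddr"):
        # CurAddr is the UDP endpoint WireGuard is currently using: a real direct path.
        return "direct"
    if peer.get("Active", False):
        # Traffic is flowing but there is no direct endpoint: packets ride a DERP relay.
        return f"relay:{peer.get('Relay') or 'unknown'}"
    # Online but idle: no recent traffic, so no path has been negotiated yet.
    return "idle"


def in_tailscale_range(addr: str) -> bool:
    """True if addr lies inside the ranges a tailnet address can come from."""
    ip = ipaddress.ip_address(addr)
    return ip in TAILSCALE_V4 or ip in TAILSCALE_V6


def summarize(status_json: str) -> dict:
    """Map each peer's hostname to (path classification, all IPs in expected ranges)."""
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        ips_ok = all(in_tailscale_range(ip) for ip in peer.get("TailscaleIPs", []))
        result[peer["HostName"]] = (classify_path(peer), ips_ok)
    return result


def live_status() -> str:
    """Fetch real output from the local tailscaled; needs the tailscale CLI on PATH."""
    return subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Pass --live (my own switch) to inspect your tailnet instead of the constructed sample.
    source = live_status() if "--live" in sys.argv else SAMPLE_STATUS
    for host, (path, ips_ok) in summarize(source).items():
        print(f"{host:12} {path:14} {'ok' if ips_ok else 'UNEXPECTED IP'}")
```

A peer that stays "relay:..." for a long time is worth a look: it usually means a NAT on one side that the traversal logic cannot punch through, and while the relay still cannot read your traffic, latency and throughput suffer. Note that an idle peer shows no path at all; send a ping first (tailscale ping mini) and run the script again.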
The setup, step by step
Create a Tailscale account (free)
Go to tailscale.com and sign up. No password to invent: Tailscale leans on an identity provider you already use (Google, GitHub, Microsoft or Apple, among others). That account is what defines who gets to enter your tailnet, which makes it the root of trust for every machine on it: turn on strong two-factor authentication there before anything else. The free Personal plan covers personal use easily (up to 100 devices).
Install Tailscale on the mini-PC
On the machine, one line installs the service (the script detects your distro, adds Tailscale's package repository, and installs the tailscale package from it). Piping a remote script straight into sh is convenient; if you'd rather see what runs first, download it and read it, or install the package from your distro's own repositories:
# Install the Tailscale client (detects your distro on its own)
curl -fsSL https://tailscale.com/install.sh | sh
# Connect the machine to the tailnet
sudo tailscale up
tailscale up prints an authentication link. Open it in a browser (on any device), log in with your account, and the machine joins the network. It gets its 100.x.y.z address, which stays the same for as long as the node remains in the tailnet, and the package has enabled the tailscaled service so it comes back after a reboot. One thing to know: node keys expire (180 days by default), after which the machine has to re-authenticate the same way; for an always-on box you'll want to disable key expiry for it in the admin console (Machines tab), otherwise plan to redo this step twice a year.
Install the app on your laptop and your phone
Grab the Tailscale app on your Mac/PC and your mobile (the site offers the right installer), log in with the same account. Each device you add shows up on the network. To see the list from the mini-PC:
tailscale status # lists all your devices and their 100.x.y.z IPs
Enable MagicDNS to talk in names, not numbers
Nobody wants to remember 100.118.42.7. In the Tailscale admin console (DNS tab), enable MagicDNS. Each device becomes reachable by its name. Your ssh becomes readable:
ssh ulrich@mini # instead of ssh ulrich@100.118.42.7
The life-changing bonus: Tailscale SSH
Here's the feature that makes you go "oh, nice." Normally, doing clean SSH means generating a key pair, copying the public key to the machine, and rotating it over time. With Tailscale SSH, the tailnet handles authentication for you: the WireGuard identity of the connecting node, tied to your account, is what authorizes the session, not a key in ~/.ssh.
# Re-run tailscale up with Tailscale SSH enabled (tailscale up applies the full set of flags each time, so keep any options you set earlier on the same command line)
sudo tailscale up --ssh
From there, you can SSH between your tailnet devices without managing a single key: Tailscale already knows it's you (your account owns both machines), and it takes care of identity. Who may log in where, and as which Unix user, is governed by the ssh section of your tailnet policy (the ACL file in the admin console); the default rules let each user reach their own devices, and a rule with action "check" can demand a fresh browser re-authentication before the session opens. Handy, magical, and access is cut off instantly if you remove the device from the network. Two caveats: Tailscale SSH only answers on the tailnet address, so it exposes nothing new to your LAN or the Internet, and it does not replace the regular sshd for clients outside the tailnet, so keep that one hardened (or disabled) exactly as before.
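Before relying on Tailscale SSH, it's worth reading the ssh rules in your policy file with a critical eye. The script below is an added example, not from the original post and not Tailscale's own tooling: it loads a policy in the HuJSON format the admin console exports and flags rules a cautious owner would tighten. The rule fields (action, src, dst, users, checkPeriod) and the autogroup names are Tailscale's; the comment-stripping approximation, the finding codes, the heuristics, and the two constructed sample policies are mine, and the hardened one is my suggestion, not a Tailscale default.

```python
"""Audit the ssh section of a tailnet policy before relying on Tailscale SSH.

Added example, not from the original post or from Tailscale. The sample
policies are constructed; the finding codes are this script's own.
"""
import json
import re

WEAK_POLICY = """{
  // constructed sample: convenient but loose
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
  "ssh": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["*"],
     "users": ["autogroup:nonroot", "root"],},
  ],
}"""

HARDENED_POLICY = """{
  // constructed sample: each member reaches only their own devices, never as root,
  // and must re-authenticate in the browser every hour
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}],
  "ssh": [
    {"action": "check", "checkPeriod": "1h", "src": ["autogroup:member"],
     "dst": ["autogroup:self"], "users": ["autogroup:nonroot"]},
  ],
}"""


def hujson_to_json(text: str) -> str:
    """Make a HuJSON policy parseable by json.loads.

    Approximation (assumption, not a full HuJSON parser): drops // line
    comments and trailing commas; it does not handle /* */ blocks or a
    literal "//" inside a string value.
    """
    no_comments = re.sub(r"//[^\n]*", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", no_comments)


def audit_ssh_rules(policy_text: str) -> list:
    """Return (rule_index, finding_code) pairs; an empty list means nothing to flag."""
    policy = json.loads(hujson_to_json(policy_text))
    rules = policy.get("ssh")
    if not rules:
        # Without an ssh section Tailscale SSH grants nothing at all.
        return [(None, "no-ssh-section")]
    findings = []
    for i, rule in enumerate(rules):
        users = set(rule.get("users", []))
        dst = set(rule.get("dst", []))
        if rule.get("action") == "accept" and "root" in users:
            # Root login with no re-authentication: a stolen laptop session is root on every target.
            findings.append((i, "root-without-check"))
        if "*" in dst:
            # Any destination: the rule reaches devices the source user does not own.
            findings.append((i, "any-destination"))
        if rule.get("action") == "check" and "checkPeriod" not in rule:
            # "check" without a period uses the default (12h); decide that explicitly.
            findings.append((i, "default-check-period"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_ssh_rules(text) or "no findings")
```

Run it against the file you download from the admin console (json.loads will reject /* */ comments, so strip those by hand first). Silence from the script is not a blessing; it only means the obvious loosenings are absent.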
Two extras worth knowing (optional)
- Exit node. You can route all your laptop's traffic through your home machine with
sudo tailscale up --advertise-exit-node
(then you approve the exit node in the admin console and pick your machine as the exit on the client side). Useful on sketchy public Wi-Fi: you browse as if you were home. As above, tailscale up takes the whole flag set at once, so add this next to --ssh rather than in place of it.
- Subnet routing. You can expose other devices on your home LAN (a printer, a NAS) to the tailnet without installing Tailscale on them, by declaring the machine as a subnet router: it advertises your LAN's prefix (the --advertise-routes flag with the CIDR), needs IP forwarding enabled on the Linux box, and the route must be approved in the admin console. An option, not an obligation, and one that widens what a compromised tailnet device can reach, so advertise only the prefix you actually need.
The honest part
Tailscale is a third-party coordination service. Your traffic stays encrypted end to end and, whenever NAT traversal succeeds, goes straight between your devices; when it has to fall back to a DERP relay, the relay only sees WireGuard ciphertext. What their infrastructure does control is who can reach whom: the directory of nodes, authentication against your identity provider, and the distribution of each node's public key. That last point is the real trust relationship: a compromised coordination server could, in principle, hand your devices a node key you never added, which is exactly what Tailscale's tailnet lock feature exists to prevent (new nodes must be signed by nodes you designate). For nearly all uses, it's an excellent trade-off: you gain enormously in simplicity and security against a dependency on a serious player.
If you insist on 100% self-hosted, the alternative is called Headscale: an open-source coordination server you host yourself, compatible with the Tailscale clients. More work, more control. Worth keeping in a corner if total sovereignty is a criterion.