Tailscale

Last Updated: 2026-03-06 Status: Active

Purpose

Tailscale provides secure remote access to the homelab via a WireGuard-based mesh VPN. All Proxmox nodes are enrolled, enabling remote management and service access without port forwarding.

Current Location

Tailscale runs as a daemon on each enrolled node. No centralized server.

Admin: https://login.tailscale.com/admin

Access

• Access homelab from anywhere by connecting to Tailscale and using node Tailscale IPs
• All Proxmox web UIs, SSH, and internal services are accessible via Tailscale

Enrolled Nodes

Node	Proxmox IP	Tailscale IP	Notes
JC-PVE01	192.168.4.21
JC-PVE02	192.168.4.22
JC-PVE03	192.168.4.23
JC-PVE04	192.168.4.24
Synology NAS

Configuration

• Tailnet name:
• MagicDNS:
• Subnet routes:
• Exit node:

Security Rules

• No port forwarding on router — all remote access via Tailscale
• No public SSH — SSH only via Tailscale IPs
• Admin UIs (Proxmox, DSM) only accessible via LAN or Tailscale

Common Commands

# Check Tailscale status
tailscale status

# Show this node's Tailscale IP
tailscale ip

# Ping another node
tailscale ping jc-pve02

# Check connectivity
tailscale netcheck

Recovery Notes

• Tailscale auth key required to re-enroll a node after rebuild
• Generate a reusable auth key from the Tailscale admin panel before disaster recovery
• If MagicDNS is enabled, DNS entries auto-register on re-enrollment

Known Issues

Issue	Status	Notes
—	—	—

Related Documentation

• Network
• Caddy
• Quick Reference