By Casey Liss
Tailscale

Has anyone told you the good word about Tailscale? If not, I’m here to do it right now. This isn’t “sponcon”[1], but in retrospect, I probably should have given Tailscale a call. 😆


If you have multiple computers in your life — including computer-adjacent things like network attached storage — it’s likely you’d like to have access to each of those devices, always. If I need to inspect a file on my Synology in my house while I’m a passenger in the car, I want to be able to do so.

The easiest way to do this is to expose the port(s) your device needs for remote access through your router/firewall. This way, when someone on the Internet says “I’d like to access information using port 80, please”, your router knows what device should respond.

Unfortunately, this exposes your device to the entire Internet and that’s… undesirable.

Traditional VPNs

The easy solution to this problem is a Virtual Private Network; broadly, this means you run some sort of server inside your network that will allow devices outside the network to tunnel into the network. Once a device is on the VPN — that is to say, tunnelled into your network — it can access anything within that network. Said differently, if your phone is on a VPN that is hosted in your house, then your phone can access all the devices in your house. Most corporate VPNs work this same way.

If you’ll permit some hand-waving and over-simplification, traditional VPNs tend to be a sort of funnel — there is one server running inside the network you wish to tunnel into, and all clients connect to that server. That makes setup easy, but generally, it’s sort of an all-or-none scenario: you’re either on the VPN or you’re not.

What if there was a better way?

Tailscale

Coming back to my initial conundrum — getting files from Synology → phone, what is the actual thing standing in the way of that happening? I need the two devices to be able to talk to each other, no matter what network each device is on. If the phone is on cellular in London and my Synology is on FiOS at home, I need them to be able to communicate. I don’t particularly care how, just that they can.

Tailscale is the how.

Tailscale is a mesh network of all your devices. Each device that is running Tailscale is on your “Tailnet”; every device in your Tailnet can talk to any other device on your Tailnet. This all works by way of fairly common VPN software, extremely clever tricks for poking holes in firewalls, and relay fallbacks when no other approach works.

The net effect is that I’m always able to connect to my Synology. Or my Mac mini. Or my ridiculous assortment of Raspberry Pis. And so on. I can also always connect to my Linode nanode that runs this website. Or a Digital Ocean droplet. I can access any of these devices no matter what network I’m on, and no matter what network the device I’m targeting is on.

It’s ✨ magic ✨.

In Practice

So how does this look, in brass tacks, in my everyday life? Tailscale works by giving every node on your Tailnet additional ways to access it:

  • An IPv4 address in the 100.x.y.z address range
  • An IPv6 address
  • A bare hostname
  • Optionally, a fully qualified domain name

For example, my MacBook Pro that I’m using to write this can be referred to as the following within my Tailnet:

  • 100.12.34.56
  • fd7a:115c:x::y:z
  • blackbook-pro
  • blackbook-pro.smiley-tiger.ts.net

Naturally, I’ve lightly changed the addresses, because I’m paranoid, but that shouldn’t be necessary: if you’re not on my Tailnet, it should be impossible to access my devices.

So, anywhere that you may have used an address such as 192.168.1.143, you can instead use 100.12.34.56. Or, even better, you can be IP-agnostic and use blackbook-pro.smiley-tiger.ts.net. Regardless of what network I’m on, if I need to access my MacBook Pro, I will find it at blackbook-pro.smiley-tiger.ts.net.

The smiley-tiger.ts.net is my “Tailnet name”, and is a randomly-assigned pairing of two hyphenated words, with the ts.net suffix.

Who cares?

Perhaps the best way I can sell you on Tailscale is to enumerate why it’s useful to me.

Always-Available Pi-Hole & Swiftbar Widget

I really love Swiftbar, a small utility that lets you add things to your Mac’s menu bar. I use it for a couple of status widgets:

  • Is my garage door at home open or closed?
  • What is the current count of ATP members

I know neither of these is necessary, but they make me happy.

In the case of the garage door widget, it works by querying a Raspberry Pi in the house that reads a sensor on the door. The Pi will respond with whether or not the door is open. This works great in the house, but when I travel, I can’t access my Raspberry Pi. Well, I couldn’t, anyway. With Tailscale I can. Always. No matter what network my MacBook Pro is on.

Instead of having Swiftbar query 196.168.1.254, I have it query garagepi.smiley-tiger.ts.net. So no matter how my laptop is connected to the Internet, as long as I can get on my Tailnet, it will always show the status of my garage door.


All of the above is also applicable to my Pi-hole, which I can now access always, from anywhere. Browsing the web with ads being suppressed via my Pi-hole makes for a far more pleasurable browsing experience. Thanks to Tailscale, I can do so even when I’m out and about on my iPhone using cellular. Further, what’s great about using Tailscale to access my Pi-hole is that all the web traffic is downloaded over my local connection to the Internet — it’s only the ad blocking (read: DNS queries) that happens via my Tailnet.

Synology ↔ Synology Backup

I actually have two Synology devices — one that lives in my office and, frankly, is arguably the most important device I own. The other lives at my parents’ house, and serves almost exclusively as a backup destination for the main Synology.

In order to back up from one to the other, I needed to expose a port on my parents’ router/firewall, so my Synology could send data to the remote Synology. This is… fine… but certainly not what I’d prefer. There is no particular need for that device to be exposed to the Internet directly.

Enter Tailscale.

Now that I have both Synologies on my Tailnet, they can simply talk to each other through Tailscale. I’ve removed the port forward on my parents’ router, and the only way to get to my remote Synology is to either be in their house, or be on my Tailnet.
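Once the port forward is gone, the tailnet addressing described earlier (an IPv4 address in Tailscale's range plus an IPv6 address) becomes a useful yardstick: a successful login on the remote NAS should come either from a tailnet address or from the house LAN, and anything else deserves a look. The following is an added example, not the author's code or anything shipped by Tailscale or Synology. It assumes Tailscale's documented address blocks (IPv4 from the CGNAT block 100.64.0.0/10, IPv6 from fd7a:115c:a1e0::/48; the post's own sample addresses are deliberately altered, so they will not match) and runs over constructed sshd-style log lines.

```python
import ipaddress
import re

# Address blocks Tailscale assigns to tailnet nodes (documented by Tailscale):
# IPv4 out of the CGNAT block 100.64.0.0/10 (RFC 6598), IPv6 out of fd7a:115c:a1e0::/48.
# The post's sample addresses are deliberately altered, so they will not fall in these ranges.
TAILNET_NETS = [
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
]

# Ordinary home-LAN space, listed explicitly rather than via ip.is_private so that
# documentation ranges such as 203.0.113.0/24 are not mistaken for a LAN.
LAN_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")
]


def classify(addr: str) -> str:
    """Place an address in one of: 'tailscale', 'lan', 'public', 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixing is safe here.
    if any(ip in net for net in TAILNET_NETS):
        return "tailscale"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "public"


# Successful OpenSSH logins: "Accepted <method> for <user> from <addr> port <n>"
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")


def unexpected_logins(lines, allowed=("tailscale", "lan")):
    """Return (user, source, zone) for every successful login whose source is outside
    the allowed zones. With the port forward gone, only the tailnet and the local LAN
    should ever produce a login; anything else is worth investigating."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m is None:
            continue  # failed attempts and unrelated lines are ignored here
        zone = classify(m["src"])
        if zone not in allowed:
            findings.append((m["user"], m["src"], zone))
    return findings


# Constructed sshd-style lines for a NAS, not real logs. 100.101.102.103 stands in for a
# tailnet peer, 192.168.2.20 for a machine in the same house, 203.0.113.77 (a documentation
# address) for an arbitrary Internet host.
SAMPLE_LOG = [
    "Jan 10 09:12:01 remote-nas sshd[4021]: Accepted publickey for backupuser from 100.101.102.103 port 51234 ssh2",
    "Jan 10 09:15:44 remote-nas sshd[4055]: Accepted password for admin from 192.168.2.20 port 49722 ssh2",
    "Jan 10 11:03:09 remote-nas sshd[4102]: Accepted password for admin from 203.0.113.77 port 40011 ssh2",
    "Jan 10 11:03:10 remote-nas sshd[4102]: Failed password for root from 203.0.113.77 port 40012 ssh2",
]

if __name__ == "__main__":
    for user, src, zone in unexpected_logins(SAMPLE_LOG):
        print(f"login by {user} from {src} ({zone}) is not from the tailnet or LAN")
```

Pass `allowed=("tailscale",)` to treat even LAN logins as noteworthy, which is the stricter reading of "the only way to get to my remote Synology is to be on my Tailnet"; the LAN list is deliberate rather than `ip.is_private` so the classification does not shift between Python versions.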

Remote Diagnostics

My dad is a very competent technologist… but he’s also getting older. As the world continues to run at warp speed, it’s understandably harder and harder for him to keep up. Occasionally, he runs into issues he needs my help with.

Though my parents only live about 45 minutes away, that’s not a trek I enjoy making under duress, in order to fix a computing-related issue my dad may be having. Oftentimes, all I need to do is be able to see what he sees, or at worst, briefly control his computer.

At first, it seems obvious that the answer is to add my Dad’s MacBook Air to my Tailnet. While that would work, that’s not what I’d prefer — I shouldn’t need him to run software on the off-chance I need to help him.

Thanks to a combination of Tailscale and “subnet routers”, I can help him without any additional software installations on his part.

One of Tailscale’s advantages is that it is really good at incremental deployment — you can add a node here and there as you see fit. In order to assist in that process, Tailscale has a concept called “subnet routers”, which are bridges between your Tailnet and a network that is not in Tailscale.

I have my remote Synology — the one at my parents’ house — set up as a subnet router. This allows me to jump onto my parents’ network, and connect to any of their devices as though I was in their house.

Thus, I can use screen sharing to log into my Dad’s laptop and help him, when he needs it — with permission of course. No driving nor software installation required.

Selective Internet Egress

What with everything going SSL these days, you could make a strong argument that using public WiFi isn’t as dangerous as it once was. However, I’m paranoid, and I like to protect myself.

When I’m using public WiFi, I vastly prefer to actually enter the broader Internet from a known point — typically my house. This way, the venue where I’m sitting doesn’t get to know what I’m up to. Leaving aside data theft, just the possibility of someone following my footsteps across the Internet makes me very uncomfy indeed.

In addition to subnet routers, Tailscale also has the concept of “exit nodes”. In short, when one of your devices uses an exit node, it routes all of its Internet traffic through that node, which becomes its point of egress onto the Internet.

Whenever I’m out and about, I choose to use one of the devices in my house as my exit node. Generally speaking, that device is actually my Apple TV — yes, really — which is almost certainly sitting otherwise idle. I’ve installed the Tailscale app on my Apple TV to allow for precisely this.

Thanks to using my Apple TV as an exit node, I appear to be inside my house to anything on the broader Internet.

Interestingly, if I ever wanted to appear to be in a different geographic region, I could stand up a tiny/cheap server in another region at Linode, and add that server to my Tailnet as an additional exit node. 👀

Tailscale SSH

Now available broadly, Tailscale SSH allows for quick-and-easy login to servers on your Tailnet, without having to futz about with passing keys around. Like all things Tailscale, it appears to work by way of magic.

For any Linux-based device on your Tailnet, you can opt that device into Tailscale SSH, which means you can instantly log into that device. And thanks to Tailscale favoring direct connections whenever possible, the experience should also be as fast and low-latency as possible.
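Subnet routers, exit nodes and Tailscale SSH all get their limits from the tailnet's policy file, which is default-deny: anything no rule accepts is dropped. The policy below is an added example for a tailnet shaped like the one in this post (two NAS units, a few Pis, an exit node, a subnet router at the parents' house); it is not the author's policy and not something Tailscale ships. The tag names, the 192.168.2.0/24 subnet standing in for the parents' LAN, and the port numbers are assumptions.

```hujson
// Tailscale policy file (HuJSON, so comments are allowed). Everything not matched below is denied.
{
  // Who may apply each tag. Tags are attached to devices in the admin console; these names are assumed.
  "tagOwners": {
    "tag:nas": ["autogroup:admin"],
    "tag:pi":  ["autogroup:admin"],
  },

  "acls": [
    // A user's own devices may talk to each other freely (laptop -> Mac mini, phone -> laptop).
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},

    // The NAS units are tagged, so they are not "self" and need an explicit grant.
    // Backup traffic runs NAS -> NAS, hence tag:nas appears as a source too.
    {"action": "accept", "src": ["autogroup:member", "tag:nas"], "dst": ["tag:nas:*"]},

    // Pi-hole and the garage-door Pi: DNS plus the status endpoint only (ports assumed).
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:pi:53", "tag:pi:80"]},

    // Through the subnet router at the parents' house, allow only macOS screen sharing (VNC, 5900)
    // rather than the whole subnet. The router advertises 192.168.2.0/24 (assumed subnet).
    {"action": "accept", "src": ["autogroup:member"], "dst": ["192.168.2.0/24:5900"]},

    // Required before any device can send its Internet traffic through an exit node.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"]},
  ],

  // Approve the parents' subnet advertisement automatically only when it comes from a tagged NAS.
  // Exit-node advertisements are not auto-approved here, so they still need manual approval.
  "autoApprovers": {
    "routes": {"192.168.2.0/24": ["tag:nas"]},
  },

  // Tailscale SSH: members may log in to the Pis as a non-root user; "check" forces periodic
  // re-authentication instead of a silent, permanent grant.
  "ssh": [
    {"action": "check", "src": ["autogroup:member"], "dst": ["tag:pi"], "users": ["autogroup:nonroot"]},
  ],
}
```

The node-side half of this is the usual `tailscale up` flags: `--advertise-routes=192.168.2.0/24` on the subnet router (a Linux router also needs IP forwarding enabled), `--accept-routes` on the clients that should see that subnet, `--advertise-exit-node` on the device offering egress and `--exit-node=<name>` on the device using it (the Apple TV and iPhone apps expose the same choices in their UI), and `--ssh` on each Linux device that should accept Tailscale SSH. Keeping the policy narrow is what turns "I can reach my parents' network" into "I can reach screen sharing on my parents' network", which is the least-privilege version of the same convenience.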

But Wait, There’s More

I haven’t even spoken about funnels nor Taildrops, both of which have saved my bacon at least once. Seriously; there’s so much here.

Perhaps the coolest thing about Tailscale is that for individual users, in most contexts, it’s absolutely free. I’ve used everything described above, and I haven’t paid Tailscale a cent. Tailscale also has a ton of other features that I’m not using yet — such as sharing devices between Tailnets. There’s so much to unpack here; I’ve only glanced off the outer atmosphere.

Tailscale gets my highest recommendation.


  1. Tailscale did sponsor one episode of ATP, but that was quite a while ago, and they have no idea whatsoever I’ve written this blog post.