Brian and I have both been using Tailscale for quite a while now. Maybe eight or nine months? We chatted about what we’ve been doing with Tailscale last month on The Butter, What?! Show. I figured that might be a good reason to write about how things have been going for us so far, and what Tailscale is doing for us.

I suppose I should tell you what Tailscale is. Tailscale is a zero-configuration mesh VPN.

Many people seem to think that a VPN is something that lets you access the Internet without your ISP or anyone in the coffee shop seeing what you’re up to. This is definitely one use for a particular Virtual Private Network configuration, but this isn’t what Tailscale is made for.

Tailscale lets you create your own personal private network. Once you install the Tailscale client on a device and log in, that device can securely connect to every other device you’ve installed Tailscale on. Since it is a mesh network, every device connects directly to every other device.

You can be sitting in a hotel in Japan streaming video directly off your NAS at home in Texas while editing config files on your nginx web server in Australia.

You can build your own cloud, but you can keep it private

Anyone want to bet on whether I can summarize eight years’ worth of changing infrastructure into one or two simple paragraphs? Maybe three paragraphs?

In 2013, I started hosting my own Seafile service in a VM on a colocated server. Seafile is open-source, Dropbox-style sync software and cloud storage. All my data is encrypted locally before being synchronized.

In 2018, my colocated server hardware started to fail. I was tired of having to immediately patch Seafile, Nginx, or the host operating system every time there was a security issue, so I wound up paying for managed Seafile hosting.

In 2020, I was getting really close to filling up my Seafile server, and my host doesn’t offer a bigger plan. Not only that, but I’ve been choosing not to sync my video footage, because it is just too voluminous–probably three or four terabytes and growing fast! To sync all my data to Dropbox or Google Drive would cost me something like $400 per year, and that doesn’t take into account how quickly my storage is filling up.

I have pretty much come full circle, and I am hosting my own Seafile server again. I bought a Raspberry Pi and a 14 TB USB drive. I loaded up Seafile and Tailscale, firewalled off everything except Tailscale, and I dropped the hardware off at Brian’s house.

The whole setup cost less than $300. I have about four terabytes synced up so far. We were able to cancel my Seafile hosting and my wife’s, so we’re saving about $90 per year. I also didn’t have to figure out how to pay Dropbox for 4 TB of storage, and I’m pretty sure that would have cost me more than $300 just for the first year.

I’m really excited that everything is hidden behind Tailscale. I don’t have to worry that Seafile and nginx are sitting out there exposed to the Internet. I don’t have to worry about dropping everything I’m doing to patch security holes. I can take my time and relax.

Brian runs Tailscale on his Trade Wars 2002 server

Brian has been hosting a Trade Wars 2002 server on a Windows VM in the cloud for the last three years. I don’t want to shame him here, but I’m pretty sure that for most of that time he had the RDP port wide open to the Internet for his administration purposes.

He knew that was a bad idea, but solving the problem the right way was too much of a hassle for his little game server. At least, I imagine it would have required some tedious work. I’m not a Windows guy, so what do I know?

One of the first machines Brian installed Tailscale on was his TW2002 server. That made it easy to stop exposing that scary port to the entire Internet while still being able to manage his server remotely with ease.

Tailscale lets you share machines with other Tailscale users

I have a virtual machine on my homelab server that keeps an eye on the Git repositories where the Butter, What?! and The Create/Invent Podcast blog posts live. When there’s new content ready to go, this machine pulls down the changes, then runs Jekyll to build and publish the updates.

The machine is also running a handful of Jekyll preview processes. Brian was worried about messing up his ancient Ruby stack that keeps his aging Octopress install running, so I just shared the machine with him via Tailscale and duplicated a few lines of code to run an extra preview process. Easy-peasy!

I’m sharing my Seafile server with my Create/Invent Podcast co-host so we can back up and share the various video files we generate in the production of each episode. We wind up chewing up about 25 gigabytes per podcast.

Sharing a machine is as easy as clicking a share button on Tailscale’s admin page. You’ll be given a link to share with the recipient. If they’re already a Tailscale user, they’ll be able to access the machine within seconds of clicking the link. If they’re new to Tailscale, I believe they’ll be directed to the download page.

Tailscale is easy to set up and use

You don’t have to know anything about networking. You don’t need to set up any firewall rules. You don’t need to install WireGuard or OpenVPN on your router. You just need to create a Tailscale account and install the Tailscale client on at least two devices.

Tailscale will automatically assign IP addresses to each machine’s VPN interface.

When I shared my Seafile server with Jeremy Cook, he was able to install Tailscale, install Seafile, connect to my Seafile server, and start syncing in less than 15 minutes. I thought that was quite impressive!

You can do more complicated things if you know what you’re doing

Brian has Tailscale installed on his home’s OpenWrt router, and he has Tailscale configured to relay his home subnet. That means every device in his home is accessible to his Tailscale network even if those devices don’t have the Tailscale client. Heck, he can even access devices that aren’t capable of running Tailscale!

I’ve done the same thing with my little GL.iNet Mango travel router that I carry in my laptop bag. When I boot him up, he automatically connects to Tailscale and routes his local subnet to my Tailscale network.

That means I can leave that WiFi router behind and access any devices that are connected to it, and I can potentially access any devices on the local network I plugged the router into.

I could leave that router behind at my father’s house if I needed to troubleshoot his printer. I could leave it behind at a customer’s site to monitor for network issues.

There’s a Tailscale add-on for Home Assistant!

The Home Assistant app for Android is awesome. It sends all sorts of useful data up to Home Assistant for tracking. My home automation knows how much battery is remaining on my phone, whether it is charging or not, where my phone thinks it is, and if my phone thinks that I am asleep.

The app lets you give it two different URLs for accessing your Home Assistant server. One URL is used when you are connected to your home WiFi, and the other is used in any other situation. I imagine the expectation is that you’d punch a hole in your firewall and forward a port to your Home Assistant server.

Tailscale simplified this quite a bit. I only had to put one URL into the app, and I don’t have to worry about anyone hacking into my home automation through a forwarded port on my firewall.

Brian tells me the iPhone app also works well.

Are you guys running Tailscale anywhere else?

Brian and I are both using Tailscale in a few other places. I’ve installed Tailscale on just about every device I can whether I really needed to or not. We are both able to monitor and control our 3D printers remotely using OctoPrint.

I’m running Tailscale on the CNC.js machine that controls my Shapeoko CNC, even though it would be a horrible idea to CNC anything remotely!

Conclusion

We might be going a little overboard. The idea here isn’t to run Tailscale on every single device. The ultimate goal would be to run Tailscale on all the important devices, and the services on those devices should only be accessible via Tailscale.
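One way to check that goal on a Linux box like the Seafile Pi described earlier is to audit its listening sockets. This is an added example, not code from the original post: it classifies each listener from `ss -H -tln` as bound to loopback, to a Tailscale address, or to something else. It assumes Tailscale's standard node ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48), and the `ss` output is a constructed sample.

```python
import ipaddress

# Address ranges Tailscale assigns to nodes: CGNAT 100.64.0.0/10 for IPv4
# and the fd7a:115c:a1e0::/48 ULA prefix for IPv6.
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 100.101.102.103:443 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 [fd7a:115c:a1e0::1]:8000 [::]:*
LISTEN 0 128 192.168.1.50:8082 0.0.0.0:*
LISTEN 0 128 *:5000 *:*
"""

def classify(local):
    """Return 'tailscale', 'loopback' or 'exposed' for an addr:port string."""
    host, _, _port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host == "*":                        # dual-stack wildcard
        return "exposed"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                  # 0.0.0.0 or :: binds every interface
        return "exposed"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET):
        return "tailscale"
    return "exposed"                       # LAN or public address

def audit(ss_output):
    """Return the local addresses of listeners not confined to Tailscale or loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        if classify(fields[3]) == "exposed":
            findings.append(fields[3])
    return findings

if __name__ == "__main__":
    for local in audit(SAMPLE):
        print("reachable outside the tailnet unless firewalled:", local)
```

A listener flagged here is not necessarily reachable, since a host firewall may still drop the traffic; it means the firewall is the only thing keeping that service off the LAN or the Internet.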

My smart bulbs and fancy doorbell are appliances that I probably shouldn’t trust. I don’t want them on my Tailscale network. I don’t need my PlayStation and Nintendo Switch connected to Tailscale. It would be best if these devices had no way to connect to my NAS, right?

At any rate, I’m happy with what Tailscale has done for us, and I’m happy with how things are progressing. What do you think? Are you using Tailscale, ZeroTier, or Innernet? Is your peer-to-peer mesh VPN helping you out? Or are you looking to get started with something like Tailscale? Let us know in the comments, or stop by the Butter, What?! Discord server to chat with us about it!