Mesh VPN setup and access policies for homelab.
Tailscale is a secure mesh VPN built on WireGuard that lets devices connect directly without port forwarding. I use a Raspberry Pi as an always-on Tailscale gateway so I can securely access my homelab server from outside the network.
The Pi advertises my LAN subnet, so when I’m remote I reach services like Jellyfin using their LAN IP (e.g., 192.168.1.50:8096) through the tailnet—no public exposure needed.
Raspberry Pi OS Lite (Debian-based) is recommended. Give the Pi a static LAN IP and make sure you have access to the Tailscale admin console.
sudo apt update && sudo apt install -y curl
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo systemctl status tailscaled --no-pager
# Prints a login URL (open it on another device to sign in); the tag must already be defined under tagOwners in the tailnet policy file
sudo tailscale up --ssh --advertise-tags=tag:infra
echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Forwarding lets the Pi route traffic from the tailnet into your LAN.
# Replace the subnet to match your network
sudo tailscale up --accept-routes --ssh --advertise-routes=192.168.1.0/24 --advertise-tags=tag:infra
# In the Tailscale admin console → Machines → (Pi): Enable advertised routes
Approving routes allows your remote devices to reach LAN-only servers securely.
# On the Pi
tailscale status
tailscale ip -4
# From a remote client on the tailnet
tailscale status
ping 192.168.1.50 # replace with your server's LAN IP
curl http://192.168.1.50:8096 # Jellyfin example
If pings or curls fail, confirm that the route was approved in the admin console, that IP forwarding is enabled on the Pi, and that the server's local firewall accepts traffic from the Pi.
# tailscale up replaces all non-default settings, so repeat the earlier flags or the command is refused
sudo tailscale up --accept-routes --ssh --advertise-routes=192.168.1.0/24 --advertise-tags=tag:infra --advertise-exit-node
# In the Tailscale admin console → Machines → (Pi): approve the exit node as well
Select the Pi as an exit node on your client if you want your Internet traffic to egress from home.
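The tag and route steps above only work once the tailnet policy file defines tag:infra and says which remote devices may reach what. As an added example (not from the original page), this HuJSON policy assumes the identities alice@example.com and bob@example.com and uses the Jellyfin host 192.168.1.50 from the text: admins own tag:infra and may SSH to the Pi, family members reach only Jellyfin and the exit node, and the Pi's advertised routes are approved automatically.

```jsonc
// Tailnet policy file (HuJSON): added example, not from the original page.
// Identities and group names below are assumed; replace them with your own.
{
  "groups": {
    "group:admins": ["alice@example.com"],
    "group:family": ["bob@example.com"]
  },
  // Who may apply tag:infra; `--advertise-tags=tag:infra` fails without this.
  "tagOwners": {
    "tag:infra": ["group:admins"]
  },
  // Approve the Pi's subnet route and exit node without clicking in the console.
  "autoApprovers": {
    "routes": { "192.168.1.0/24": ["tag:infra"] },
    "exitNode": ["tag:infra"]
  },
  // With an acls section present, anything not listed here is denied.
  "acls": [
    // Admins may reach the Pi and everything behind it.
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:infra:*", "192.168.1.0/24:*"] },
    // Family members get Jellyfin only, not the rest of the LAN.
    { "action": "accept", "src": ["group:family"], "dst": ["192.168.1.50:8096"] },
    // Family members may also send Internet traffic through the exit node.
    { "action": "accept", "src": ["group:family"], "dst": ["autogroup:internet:*"] }
  ],
  // Tailscale SSH to the Pi: admins only, re-authenticating before each session.
  "ssh": [
    { "action": "check", "src": ["group:admins"], "dst": ["tag:infra"], "users": ["autogroup:nonroot", "root"] }
  ]
}
```

Paste it under Access Controls in the admin console; the editor rejects the file if a referenced group or tag is undefined.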