Setting Up Tailscale
Audiences: Replicator
This tutorial walks through establishing a Tailscale mesh network as the foundation for your homelab infrastructure.
Why Tailscale?
Tailscale solves several problems at once:
- Secure connectivity - WireGuard-encrypted traffic between all devices
- No port forwarding - Devices connect directly through NATs and firewalls
- MagicDNS - Human-readable names like
server.tailnet.ts.net - ACLs - Fine-grained access control between devices
For BlumeOps context, see Tailscale Reference.
Step 1: Create Your Tailnet
- Sign up at tailscale.com
- Choose your identity provider (Google, Microsoft, GitHub, etc.)
- Note your tailnet name (e.g.,
yourname.ts.net)
Step 2: Install on Your Devices
macOS
brew install tailscale
sudo tailscaled &
tailscale upLinux
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale upOther Platforms
See Tailscale Downloads for iOS, Android, Windows, etc.
Step 3: Verify Connectivity
After installing on two devices:
tailscale status
# Shows all connected devices
ping <other-device>.yourname.ts.net
# Should work immediatelyStep 4: Configure ACLs
Default Tailscale allows all-to-all connectivity. For a homelab, you’ll want restrictions.
Create policy.hujson (or use the web admin):
{
"groups": {
"group:admin": ["your-email@example.com"]
},
"tagOwners": {
"tag:homelab": ["group:admin"]
},
"acls": [
// Admins can access everything
{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
// Homelab servers can reach NAS
{"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]}
]
}BlumeOps manages ACLs via Pulumi - see Tailscale Reference for the actual configuration.
Step 5: Enable MagicDNS
In the Tailscale admin console:
- Go to DNS settings
- Enable MagicDNS
- Optionally add a search domain
Now ssh server works instead of ssh 100.x.y.z.
Step 6: Tag Your Devices
Tags enable role-based access control:
# On your server
sudo tailscale up --advertise-tags=tag:homelabTags must be defined in ACLs before use.
What You Now Have
- Encrypted mesh network between all your devices
- DNS names for each device
- Foundation for exposing services securely
Next Steps
With networking established:
- Set Up Core Services - Install Forgejo and optionally a container registry
- Bootstrap Kubernetes - Your cluster will join the tailnet
BlumeOps Specifics
BlumeOps’ Tailscale configuration includes:
- Multiple device tags (
homelab,nas,registry,k8s-api) - Group-based access for family members
- SSH access rules with authentication requirements
See Tailscale Reference for full details.
Troubleshooting
| Problem | Solution |
|---|---|
| Device won’t connect | Check firewall allows UDP 41641 |
| Can’t reach other devices | Verify ACLs don’t block traffic |
| DNS not resolving | Enable MagicDNS in admin console |
| Tags not applying | Ensure tags defined in ACL policy |