Setting Up Tailscale
Audiences: Replicator
This tutorial walks through establishing a Tailscale mesh network as the foundation for your homelab infrastructure.
Why Tailscale?
Tailscale solves several problems at once:
- Secure connectivity - WireGuard-encrypted traffic between all devices
- No port forwarding - Devices connect directly through NATs and firewalls
- MagicDNS - Human-readable names like
server.tailnet.ts.net - ACLs - Fine-grained access control between devices
For BlumeOps context, see Tailscale Reference.
Step 1: Create Your Tailnet
- Sign up at tailscale.com
- Choose your identity provider (Google, Microsoft, GitHub, etc.)
- Note your tailnet name (e.g.,
yourname.ts.net)
Step 2: Install on Your Devices
macOS
# Option A: GUI app (recommended for desktop Macs)
brew install --cask tailscale
# Then launch Tailscale from Applications and follow the UI
# Option B: Headless CLI (servers/VMs)
brew install tailscale
brew services start tailscale
tailscale upLinux
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale upOther Platforms
See Tailscale Downloads for iOS, Android, Windows, etc.
Step 3: Verify Connectivity
After installing on two devices:
tailscale status
# Shows all connected devices
ping <other-device>.yourname.ts.net
# Should work immediatelyStep 4: Configure ACLs
Default Tailscale allows all-to-all connectivity. For a homelab, you’ll want restrictions.
You can edit ACLs directly in the Tailscale admin console, or manage them as code with tailscale policy (see tailscale policy --help). Here’s an example policy to start from:
{
"groups": {
"group:admin": ["your-email@example.com"]
},
"tagOwners": {
"tag:homelab": ["group:admin"]
},
"acls": [
// Admins can access everything
{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
// Homelab servers can reach NAS
{"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]}
]
}If editing as code, save this as policy.hujson and apply it with tailscale policy set policy.hujson.
BlumeOps manages ACLs via Pulumi — see Tailscale Reference for the actual configuration.
Step 5: Enable MagicDNS
In the Tailscale admin console:
- Go to DNS settings
- Enable MagicDNS
- Optionally add a search domain
Now ssh server works instead of ssh 100.x.y.z.
Step 6: Tag Your Devices
Tags enable role-based access control:
# On your server
sudo tailscale up --advertise-tags=tag:homelabTags must be defined in ACLs before use.
Tip: If you plan to use subnet routing or Tailscale ProxyGroup Ingress, clients must also run
tailscale up --accept-routes(or enable “Accept Routes” in the GUI). Without this, advertised routes are invisible to the client.
What You Now Have
- Encrypted mesh network between all your devices
- DNS names for each device
- Foundation for exposing services securely
Next Steps
With networking established:
- Set Up Core Services - Install Forgejo and optionally a container registry
- Bootstrap Kubernetes - Your cluster will join the tailnet via the Tailscale Operator
BlumeOps Specifics
BlumeOps’ Tailscale configuration includes:
- Multiple device tags (
homelab,nas,registry,k8s-operator) - Group-based access for family members
- SSH access rules with authentication requirements
See Tailscale Reference for full details.
Troubleshooting
| Problem | Solution |
|---|---|
| Device won’t connect | Check firewall allows UDP 41641 |
| Can’t reach other devices | Verify ACLs don’t block traffic |
| DNS not resolving | Enable MagicDNS in admin console |
| Tags not applying | Ensure tags defined in ACL policy |