For the most part I try to keep my tech solutions in the open source realm. It’s not that I don’t want to spend money on any of it (I do contribute financially to certain projects), but the fear of vendor lock-in, coupled with companies pivoting away from my needs, keeps me… on edge. Over the years, I’ve tried to make VPN solutions like the built-in services on OPNsense work. But no matter how many times I tried guides like the Road Warrior setups for WireGuard or SSL VPN, they never worked.

Technically my laptop would connect, but… no traffic came back. And I really prefer to have two-way communication with my network…

So I finally caved and gave Tailscale a try. The fact that it’s WireGuard underneath made the idea of just signing up for a third-party orchestrator seem silly. Why couldn’t I get this to work on my own?!?! But I had been failing for years, and the trick with Tailscale is… it… just… works! And not only does it just work, but it opened my eyes to even more possibilities for how to handle remote access:

  • All systems can be part of a secure network. Rather than focusing on just connecting to my house from my laptop, the client now sits on multiple systems at home and all of my cloud servers. I have greater confidence when working on any of these devices.
  • The mobile client works great! Yes, I can reboot a server from my phone or play around with some docker setup while on a tablet. Much handier than expected.
  • There’s no need to expose secure services! I spent a lot of time trying to figure out how to beef up security for home server tools so that I could access them over the Internet - trying to add OAuth & MFA to Traefik, etc. That’s not necessary when I can pull up the admin page over Tailscale directly from my phone.
  • My Pi-hole can now be used while on the road. I can take advantage of exit nodes to send traffic through a home (or cloud) server, instead of using a separate VPN and also block ads in the process.
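The exit-node and Pi-hole items above, written out as a small script. This is an added example, not code from the original post or from Tailscale's own documentation. It assumes a Linux server whose tailnet machine name is `homeserver` acting as the exit node, a Pi-hole reachable at the hypothetical tailnet address `100.64.0.10` (substitute your own), and the `tailscale` CLI installed on both ends; the Pi-hole must also be set as the tailnet's global nameserver in the admin console for the DNS part to take effect.

```shell
#!/bin/sh
# Added example (not from the original post): turn a Linux host into a
# Tailscale exit node, then point a roaming client at it and at the
# tailnet Pi-hole. EXIT_NODE and PIHOLE_IP below are hypothetical names.
set -eu

EXIT_NODE="${EXIT_NODE:-homeserver}"   # hypothetical tailnet machine name
PIHOLE_IP="${PIHOLE_IP:-100.64.0.10}"  # hypothetical Pi-hole tailnet IP

# sysctl settings an exit node needs: without forwarding, traffic that
# arrives over WireGuard is dropped instead of routed out to the Internet.
sysctl_fragment() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
}

# Run once on the server that should become the exit node. Advertising is
# not enough on its own: the node must also be approved as an exit node in
# the Tailscale admin console before any client is allowed to select it.
server_setup() {
  sysctl_fragment | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  sudo tailscale set --advertise-exit-node=true
}

# Run on the laptop/phone-equivalent while on the road. --accept-dns makes
# the client use the nameserver configured for the tailnet (the Pi-hole, if
# it is set as the global nameserver with "Override local DNS" in the admin
# console), so ad blocking follows the device even before the exit node is on.
# --exit-node-allow-lan-access keeps the local LAN (hotel printer, etc.)
# reachable while everything else goes through the exit node.
client_setup() {
  sudo tailscale set --accept-dns=true
  sudo tailscale set --exit-node="$EXIT_NODE" --exit-node-allow-lan-access=true
}

# Quick check from the client: does the Pi-hole answer queries over the
# tailnet, and is the public egress address the exit node's rather than the
# local ISP's? (icanhazip.com is just one public what's-my-IP service.)
verify() {
  tailscale status
  dig +short example.com "@$PIHOLE_IP"
  curl -s https://icanhazip.com
}

# Drop the exit node (traffic returns to the local default route) but keep
# using tailnet DNS.
client_teardown() {
  sudo tailscale set --exit-node=
}

case "${1:-}" in
  server) server_setup ;;
  client) client_setup ;;
  verify) verify ;;
  off)    client_teardown ;;
esac
```

Usage: `sh exitnode.sh server` on the home server, approve it as an exit node in the admin console, then `sh exitnode.sh client` on the laptop and `sh exitnode.sh verify` to confirm DNS and egress. One caveat worth keeping in mind: an exit node sees all of the client's Internet traffic, so only advertise hosts you control, and treat the admin-console approval step as the gate, not the `--advertise-exit-node` flag.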

There are still some kinks to work out. Figuring out the best way to handle DNS so that sites can be properly accessed both on and off the tailnet is still a work in progress. Switching to my own authn provider and maybe letting family use it as well is a future topic. And until I feel confident that an alternative such as headscale is worth the switch, I’m happy to have a working solution.