Tailscale Remote Access for the Homelab

By LK Wood IV · 2026-06-13 · ~12 min read · St. Louis County, MO

The traditional homelab remote access setup — port forwarding, DynDNS, OpenVPN with certificate management, firewall rules — takes an afternoon to set up correctly and another afternoon to debug when something breaks. Tailscale does the same thing in 20 minutes, handles NAT traversal automatically, and gives you a web UI to manage devices instead of config files scattered across three machines.

This guide sets up Tailscale on a Proxmox host with subnet routing — one node on your LAN that routes Tailscale traffic to every other device on your network, including things that can’t run Tailscale themselves.

What Tailscale is (and isn’t)

Tailscale is a mesh VPN built on WireGuard. Each device you install it on gets a stable IP address in the 100.x.x.x range (the Tailscale IP space, also called a tailnet). Devices in your tailnet can talk to each other directly, peer-to-peer, regardless of what NAT layers are between them.

What it is not: a traditional VPN that routes all your traffic through a central server. By default, only traffic to other tailnet devices goes through Tailscale. Your normal internet traffic goes direct. You can enable exit nodes if you want full traffic routing, but that’s optional.

For homelab use, the workflow is:

  1. Install Tailscale on your Proxmox host (or a dedicated LXC/VM)
  2. Enable subnet routing to advertise your home LAN
  3. Install Tailscale on your laptop/phone
  4. Access every device on your home network from anywhere

No port forwarding. No exposed ports. No certificate drama.

Step 1: Install Tailscale on your Proxmox host

SSH into your Proxmox host and run:

curl -fsSL https://tailscale.com/install.sh | sh

This installs the Tailscale daemon and CLI. After install:

tailscale up

You’ll get a URL — open it in a browser, log in with your Tailscale account (Google, GitHub, or Microsoft SSO, or email), and authorize the device. After authorization, run:

tailscale status

You should see your Proxmox host listed with a 100.x.x.x IP. At this point, the host is in your tailnet and you can reach it from any other Tailscale device. But only the Proxmox host itself — not your NAS, your router’s admin page, or any other device on your LAN.

Step 2: Enable subnet routing

Subnet routing lets this one Tailscale node advertise your entire home LAN to the tailnet. Every other device on your LAN becomes reachable without installing Tailscale on each one.

First, enable IP forwarding on the Proxmox host:

echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

Then re-run tailscale up with the subnet flag. Replace 192.168.1.0/24 with your actual home LAN range:

tailscale up --advertise-routes=192.168.1.0/24

Check your home LAN range if you’re unsure:

ip route show | grep -v tailscale

Look for a line like 192.168.1.0/24 dev vmbr0 — that’s your LAN range.

Approve the subnet in the Tailscale admin console. Subnet routes require explicit approval before they become active.

  1. Open login.tailscale.com/admin → Machines
  2. Click your Proxmox host → Edit route settings
  3. Enable the 192.168.1.0/24 subnet

After approval, any Tailscale device with subnet route acceptance enabled can reach devices on 192.168.1.0/24 through your Proxmox host.

On client devices. On macOS and iOS, subnet routes are accepted automatically. On Linux clients, run:

tailscale up --accept-routes

On Windows, route acceptance is in the Tailscale system tray menu.

Test it: from your phone (on cellular, not WiFi), try pinging a device on your home LAN by its local IP:

ping 192.168.1.1

If the router responds, subnet routing is working.
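For the "check your home LAN range" step above, this added example (not from the original guide) derives the `--advertise-routes` value from `ip route show` output instead of reading it by eye. The function names and the sample route table are constructed for illustration, and the RFC 1918 filter is an extra guard assumed here so that only private LAN prefixes are ever advertised.

```sh
#!/bin/sh
# Added example (function names are hypothetical, not Tailscale tooling).
# Constructed sample of `ip route show` output from a Proxmox host.
SAMPLE_ROUTES='default via 192.168.1.1 dev vmbr0 proto kernel onlink
192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.10
10.10.10.0/24 dev vmbr1 proto kernel scope link src 10.10.10.1
169.254.0.0/16 dev vmbr0 scope link metric 1000
100.64.0.0/10 dev tailscale0 scope link'

# lan_routes: read route text on stdin, print directly connected prefixes,
# skipping the default route, link-local, and anything on a tailscale interface.
lan_routes() {
    awk '$1 != "default" && $1 ~ /\// && /scope link/ &&
         !/dev tailscale/ && $1 !~ /^169\.254\./ { print $1 }'
}

# is_rfc1918 CIDR: succeed only for 10/8, 172.16/12 or 192.168/16 prefixes.
is_rfc1918() {
    case "$1" in
        10.*/*|192.168.*/*) return 0 ;;
        172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# advertise_arg: read route text on stdin, print the comma-separated value
# for --advertise-routes, keeping only private prefixes.
advertise_arg() {
    out=""
    for cidr in $(lan_routes); do
        is_rfc1918 "$cidr" || continue
        out="${out:+$out,}$cidr"
    done
    printf '%s\n' "$out"
}

# On the router itself: ip route show | advertise_arg
printf '%s\n' "$SAMPLE_ROUTES" | advertise_arg
```

Review the result before passing it to `tailscale up`: internal-only bridges (vmbr1 in the sample) show up too, and every prefix you advertise becomes reachable from the tailnet once approved.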

Step 3: Enable MagicDNS and resolve local names

MagicDNS lets you reach devices by hostname instead of IP. Enable it in the Tailscale admin console → DNS → Enable MagicDNS.

After enabling, devices in your tailnet are reachable by hostname.your-tailnet-name.ts.net. Your Proxmox host becomes something like proxmox.coral-raccoon.ts.net.

Add your local DNS to Tailscale. If you’re running Pi-hole or a local resolver (common with a homelab), you can push its IP to all Tailscale clients as a nameserver:

  1. Tailscale admin → DNS → Add nameserver
  2. Enter your Pi-hole’s Tailscale IP (100.x.x.x) or LAN IP
  3. Enable “Override local DNS” if you want all DNS going through Pi-hole even when away from home

Now you can SSH to proxmox or open the Proxmox web UI at https://proxmox:8006 from anywhere on your tailnet — without remembering IPs or fighting DNS.

Step 4: Running Tailscale in an LXC (optional)

If you’d rather not install Tailscale directly on the Proxmox host (to keep the host clean), run it in a dedicated LXC container configured as the subnet router.

Create a Debian 12 LXC in Proxmox. In the LXC options, enable:

  • Features → TUN device — required for Tailscale’s WireGuard tunnel

Then inside the LXC:

apt update && apt install -y curl
curl -fsSL https://tailscale.com/install.sh | sh

Enable IP forwarding inside the container:

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Then:

tailscale up --advertise-routes=192.168.1.0/24

Approve the subnet in the admin console as before. The LXC acts as the Tailscale gateway for the whole network while keeping the Proxmox host itself clean.
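The IP forwarding steps in Step 2 and Step 4 append to /etc/sysctl.conf unconditionally, so re-running them duplicates lines, and a later `= 0` line in the same file silently wins. This added example (not from the original guide; function names are hypothetical) reports the value a sysctl file actually ends up setting and appends the forwarding keys only when needed. It takes the file path as an argument and the demo runs against a constructed temporary file.

```sh
#!/bin/sh
# Added example, not from the original guide.
# sysctl_effective KEY FILE: print the value set by the last assignment of KEY
# in FILE (later lines win when the file is loaded); print nothing if unset.
sysctl_effective() {
    [ -f "$2" ] || return 0
    awk -v key="$1" -F= '
        /^[ \t]*[#;]/ { next }   # skip comment lines
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) last = v }
        END { if (last != "") print last }' "$2"
}

# ensure_forwarding FILE: append each forwarding key only when FILE does not
# already end up setting it to 1, so repeating the step adds no duplicates.
ensure_forwarding() {
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        if [ "$(sysctl_effective "$key" "$1")" = "1" ]; then
            continue
        fi
        printf '%s = 1\n' "$key" >> "$1"
    done
}

# Constructed sample: an older line enables forwarding, a later one disables it.
demo=$(mktemp)
printf '%s\n' '# constructed sample' \
    'net.ipv4.ip_forward = 1' 'net.ipv4.ip_forward=0' > "$demo"
ensure_forwarding "$demo"
sysctl_effective net.ipv4.ip_forward "$demo"   # prints 1
rm -f "$demo"

# On the router: ensure_forwarding /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
```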

Step 5: SSH key setup for seamless access

Once Tailscale is running, you can SSH into your Proxmox host via its Tailscale IP. To make this passwordless with key-based authentication:

# On your laptop — generate a key if you don't have one
ssh-keygen -t ed25519 -C "homelab-access"

# Copy to Proxmox host
ssh-copy-id root@100.x.x.x  # use Proxmox's Tailscale IP

Add an entry to ~/.ssh/config on your laptop:

Host proxmox
  HostName 100.x.x.x
  User root
  IdentityFile ~/.ssh/id_ed25519

Now ssh proxmox from anywhere connects through Tailscale. Works on cellular, works through hotel WiFi, works through CGNAT — no port forwarding, no exposed SSH port on the internet.

Tailscale ACLs: limiting access

By default, every device in your tailnet can reach every other device. For a personal homelab this is fine. If you’re sharing the tailnet (letting a family member access the Plex server but not the Proxmox UI), use ACLs.

In the Tailscale admin console → Access Controls:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:homelab"],
      "dst": ["*:*"]
    },
    {
      "action": "accept",
      "src": ["tag:family"],
      "dst": ["100.x.x.x:32400"]
    }
  ],
  "tagOwners": {
    "tag:homelab": ["autogroup:owner"],
    "tag:family":  ["autogroup:owner"]
  }
}

This allows your homelab-tagged devices full access, while family-tagged devices can only reach port 32400 (Plex). Tailscale ACLs use a JSON5 format documented at tailscale.com/kb/1018/acls.

Troubleshooting

Connection goes through a relay (DERP). Run tailscale status and look for relay in the connection type. This usually means direct peer connection failed due to both sides being behind strict NAT. Check if your home router has UPnP or if you can open UDP 41641 on the external interface — that helps Tailscale establish direct connections.

Subnet routes not working. Confirm you:

  1. Ran tailscale up --advertise-routes=... with the right CIDR
  2. Approved the route in the admin console
  3. On the client, ran tailscale up --accept-routes

Can’t reach a specific device on the subnet. Make sure the device’s default gateway is your home router, not a Proxmox bridge. Devices need to send return traffic back through the router, which routes it to the Proxmox subnet router.

Tailscale service down after Proxmox update. Proxmox updates occasionally reset package configurations. Check systemctl status tailscaled and journalctl -u tailscaled if Tailscale stops working after an update.

What about Headscale?

Headscale is a self-hosted, open-source implementation of the Tailscale control plane. You run your own coordination server instead of using Tailscale’s cloud service. This gives you full data sovereignty and no dependency on Tailscale’s infrastructure.

The tradeoff: setup is more involved, you manage the server yourself, and some Tailscale features (MagicDNS, the mobile app) have partial or no Headscale support. For a personal homelab where the free Tailscale tier covers you and you trust Tailscale’s service terms, the cloud version is simpler. For a privacy-critical deployment, Headscale is worth the effort.

Persistent setup with systemctl

Make sure Tailscale starts at boot:

systemctl enable --now tailscaled

This is set by default during install, but verify it if you’re on a minimal install. Without this, Tailscale stops on reboot and your remote access disappears.


Accessing your homelab remotely is step one. Protecting it with a UPS is step two — Tailscale can’t help you if the power cuts out while you’re away. The Power & Cost Calculator shows what running an always-on Tailscale gateway node costs per year. Prefer to run your own coordinator with no cloud dependency? The WireGuard self-hosted VPN guide covers setting up a WireGuard server in a Proxmox LXC as a direct Tailscale alternative.