Shubham Ranpise


Setting Up VPN

Configure a zero‑trust VPN using Tailscale to securely access your homelab without exposing services to the internet.

To access the home lab securely from anywhere without exposing services to the public internet, I am using Tailscale, a zero‑trust VPN built on WireGuard.

In the previous phase, the server was hardened and locked down (including a default‑deny with UFW). This means remote access must now be explicitly allowed and strongly authenticated. Tailscale provides a secure way to do that without weakening the security posture.

Traditional VPN setups often require port forwarding or exposing services publicly. Tailscale avoids this entirely by creating a private, encrypted network between trusted devices, which is ideal for a security‑focused homelab.


Why I Chose Tailscale

  • No port forwarding required
  • Works behind NAT / ISP restrictions
  • End‑to‑end encrypted connections (WireGuard)
  • Device‑level authentication
  • Very low maintenance overhead
  • Suitable for real‑world security operations

Install Tailscale on Your Devices

Install Tailscale on:

  • Raspberry Pi (lab server)
  • Laptop / Desktop
  • Mobile device (optional but recommended)

Download from the official website:

https://tailscale.com/download/linux

Use the same account on all devices so they join the same private network (called a tailnet).


Install Tailscale on Raspberry Pi

Run the official installation script:

curl -fsSL https://tailscale.com/install.sh | sh

This installs the Tailscale service and CLI tools.


Start Tailscale and Authenticate

Bring the VPN interface up:

sudo tailscale up

The command will output a login URL.

  1. Open the URL in your browser
  2. Sign in or create a Tailscale account
  3. Authorize the device

Once approved, your Raspberry Pi becomes part of your private VPN network.


Manage Devices (Admin Console)

All connected machines can be managed from the web dashboard:

https://login.tailscale.com/admin/machines

From here you can:

  • View connected devices
  • Rename machines
  • Remove access
  • Approve routing changes
  • Monitor connection status
  • And many more

Optional: Share Your Entire Local Network

Tailscale can expose your home LAN to other VPN devices by advertising routes.

sudo tailscale set --advertise-routes=192.168.1.0/24

Approve the route in the admin dashboard.


Important: Firewall Integration

In the previous setup, UFW was configured with a default‑deny policy, blocking all incoming connections except from a few trusted LAN IPs.

Tailscale traffic enters via a virtual interface, so we must explicitly allow only the required access.

First, identify your device’s Tailscale IPs from your Tailscale admin dashboard.

Then whitelist SSH access only from trusted tailnet devices:

sudo ufw allow from <tailscale-ip> to any port 22 proto tcp

Example:

sudo ufw allow from 100.101.X.X to any port 22 proto tcp

Repeat for each trusted device as needed.
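As an added check that is not part of the original post, the following Python script parses `ufw status` output and flags any rule that permits SSH from outside Tailscale's own address ranges (100.64.0.0/10 for IPv4, fd7a:115c:a1e0::/48 for IPv6), and builds the `ufw allow` commands shown above only for genuine tailnet addresses. The sample status output is constructed; the function names and the assumption that `ufw status` uses its standard "To / Action / From" layout are mine.

```python
import ipaddress
import re

# Tailscale node addresses come from 100.64.0.0/10 (IPv4) and fd7a:115c:a1e0::/48 (IPv6).
TAILNETS = [ipaddress.ip_network("100.64.0.0/10"), ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `sudo ufw status` output, used by the audit below.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       100.101.102.103
22/tcp                     ALLOW       192.168.1.10
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Rule rows of `ufw status` ("To  Action  From"); also accepts "ALLOW IN" from `ufw status verbose`.
RULE_RE = re.compile(r"^(?P<to>\S+(?: \(v6\))?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)"
                     r"(?: (?:IN|OUT))?\s+(?P<src>.+?)\s*$")

def parse_ufw_status(text):
    """Return (to, action, from) tuples for every rule row in the output."""
    return [m.group("to", "action", "src")
            for line in text.splitlines() if (m := RULE_RE.match(line))]

def is_tailnet(src):
    """True if `src` is a host or subnet inside Tailscale's address ranges."""
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:  # "Anywhere", "Anywhere (v6)" and other non-address sources
        return False
    return any(net.version == t.version and net.subnet_of(t) for t in TAILNETS)

def audit_ssh(text, port="22/tcp"):
    """Split rules permitting `port` into tailnet-only sources and over-broad ones."""
    report = {"tailnet": [], "violations": []}
    for to, action, src in parse_ufw_status(text):
        if action in ("ALLOW", "LIMIT") and to.split(" ")[0] == port:
            report["tailnet" if is_tailnet(src) else "violations"].append(src)
    return report

def ufw_rules_for(tailscale_ips, port=22):
    """Build the post's `ufw allow` commands, refusing any address outside the tailnet."""
    for ip in tailscale_ips:
        if not is_tailnet(ip):
            raise ValueError(f"{ip} is not a Tailscale address; refusing to whitelist it")
    return [f"sudo ufw allow from {ip} to any port {port} proto tcp" for ip in tailscale_ips]
```

To audit a live host, pass it the output of `sudo ufw status` instead of `SAMPLE_STATUS`; any entry under `violations` means SSH is reachable from somewhere other than the tailnet.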


Access Your Pi Remotely

After authentication, your Pi will receive a private Tailscale IP address (typically 100.x.x.x).

Check it with:

tailscale ip -4

You can now SSH from any authorized device:



With this setup, the homelab remains private, remotely accessible, strongly authenticated, and aligned with the hardened baseline configuration.