Tailscale Setup
Tailscale is a mesh VPN built on WireGuard. Instead of running your own VPN server, you install the Tailscale client on each device and they connect directly to each other in a peer-to-peer mesh. Tailscale handles NAT traversal, key rotation, and device authentication through their coordination server — you don’t manage any of that yourself.
The result is that connecting two devices on different networks takes about two minutes and requires no server setup, no open ports, and no static IP. The free tier supports up to 100 devices across 3 users, which covers most personal and home lab use cases.
Each device on your Tailscale network gets a stable IP in the 100.x.x.x range (called a tailnet IP) that stays the same regardless of where the device is or what network it’s on.
Install Tailscale
On Ubuntu/Debian:
curl -fsSL https://tailscale.com/install.sh | sh
This adds the Tailscale apt repository and installs the package. To add it manually instead (the URLs below are for Ubuntu 20.04 "focal"; substitute your release's codename):
sudo apt update
sudo apt install -y apt-transport-https
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt update
sudo apt install -y tailscale
On Arch Linux:
sudo pacman -S tailscale
Start and authenticate
Enable and start the Tailscale daemon:
sudo systemctl enable --now tailscaled
Authenticate the device. This prints a URL — open it in a browser and log in with your Tailscale account (Google, Microsoft, GitHub, or email):
sudo tailscale up
Once authenticated, the device appears in your Tailscale admin console at login.tailscale.com/admin/machines and is assigned a tailnet IP.
Check status
tailscale status
This lists all devices in your tailnet, their IP addresses, and whether they’re online.
tailscale ip -4
Shows the tailnet IP of the current machine.
Connect to another device
Once two devices are on the same tailnet, they can communicate directly using their tailnet IPs or Tailscale hostnames:
ping 100.x.x.x # by tailnet IP
ping hostname.tailnet # by MagicDNS hostname (if enabled)
ssh user@100.x.x.x # SSH works immediately
No firewall rules, port forwarding, or VPN configuration needed.
Subnet routing
Subnet routing lets other devices on your tailnet reach a local network they’re not physically on — useful for accessing home lab devices that don’t have Tailscale installed.
On the machine that’s physically on the subnet you want to expose (e.g. your home server on 192.168.1.0/24), advertise the subnet:
sudo tailscale up --advertise-routes=192.168.1.0/24
The machine can only route for the subnet if IP forwarding is enabled, so enable it before advertising the route if it isn't already:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Then go to the Tailscale admin console, find the machine, and approve the advertised route. After approval, other tailnet devices can reach 192.168.1.x addresses through that machine.
Exit nodes
An exit node routes all internet traffic from other tailnet devices through itself — similar to a traditional VPN’s full-tunnel mode.
On the machine you want to use as an exit node:
sudo tailscale up --advertise-exit-node
Approve it in the admin console, then on the client device:
sudo tailscale up --exit-node=100.x.x.x
Replace 100.x.x.x with the tailnet IP of the exit node. To stop using an exit node:
sudo tailscale up --exit-node=
Key expiry
By default, Tailscale devices need to re-authenticate every 180 days. For servers and always-on devices where you don’t want this, disable key expiry in the admin console (Machines → select device → Disable key expiry).
For headless Linux servers that can’t open a browser for re-auth, generate an auth key in the admin console (Settings → Keys → Generate auth key) and use it:
sudo tailscale up --authkey=tskey-auth-XXXXXXXX
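Passing the key as an argument, as above, leaves it in shell history and in the process list while the command runs. The script below is an added example, not part of the original page: it checks a key file's type, permissions and prefix, then hands it to tailscale up with the file: prefix that the flag accepts. The path /etc/tailscale/authkey, the script name enroll.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Enrolls a headless server from a
# key file so the key never appears in shell history or the process list.

# check_keyfile FILE
# Succeeds only if FILE is a regular file (not a symlink), has no group/other
# permission bits, and its first line looks like the page's tskey-auth-... key.
check_keyfile() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $f: accessible beyond its owner (chmod 600)" >&2
        return 1
    fi
    # Inspect the prefix only; the key itself is never printed.
    case $(head -n 1 -- "$f") in
        tskey-auth-?*) return 0 ;;
        *) echo "refusing $f: no tskey-auth- key on line 1" >&2; return 1 ;;
    esac
}

# enroll FILE
# Validates FILE, lets tailscale read the key via the "file:" prefix
# (--auth-key is the current spelling of the page's --authkey), then deletes
# the file because the key is not needed once the node is registered.
enroll() {
    check_keyfile "$1" || return 1
    tailscale up --auth-key="file:$1" || return 1
    rm -f -- "$1"
}

# Runs only when a path is given, e.g. (hypothetical path):
#   sudo sh enroll.sh /etc/tailscale/authkey
if [ "$#" -gt 0 ]; then
    enroll "$1"
fi
```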
Useful commands
tailscale status # list all tailnet devices
tailscale ip -4 # show this device's tailnet IP
tailscale ping 100.x.x.x # test connectivity to a peer
tailscale netcheck # diagnose NAT and relay usage
sudo tailscale up --reset # reset unspecified settings to their defaults
sudo tailscale down # disconnect from tailnet
sudo systemctl restart tailscaled # restart the daemon
sudo journalctl -u tailscaled -f # live logs
Removing a device
Devices can be removed from the admin console at login.tailscale.com/admin/machines. To also unregister locally:
sudo tailscale logout