Ramblings of an aging IT geek
networking

i gave up on port forwarding and i feel fine

After years of UPnP, manual port forwards and dynamic DNS to reach my homelab, I switched to Tailscale and deleted nearly all of it, with a few notes on what that actually changed.

[Image: Network cables and a small switch on a desk]

For the longest time, "reach my homelab from outside" meant a small pile of fragile things stacked on top of each other. A dynamic DNS client updating an A record whenever my ISP felt like rotating my address. A couple of port forwards on the router. A VPN endpoint listening on the internet that I had to keep patched because it was, by definition, exposed. It worked, in the sense that it usually worked, which is the most you can say about anything held together by UPnP and hope.

I had heard about Tailscale for a while and finally set it up properly over the holidays. The short version: I deleted almost all of the above and have not missed any of it.

what actually changed

The mental model is the part that took a moment to land. Tailscale builds a flat WireGuard mesh between your devices, identity-based rather than address-based. My laptop and my homelab boxes are on the same private network now regardless of which café or hotel wifi the laptop happens to be sitting behind. There is no port forward because there is no inbound connection to forward: both ends dial out to the coordination server, exchange keys and endpoints, and then talk directly to each other.

tailscale up
# laptop and homelab now reachable by name, anywhere
ssh nas    # resolves over the tailnet, no public DNS, no open port

The thing I underestimated was how much of my old setup existed purely to paper over not having this. The dynamic DNS was there because my address changed. The port forwards were there to let traffic in. The exposed VPN endpoint was there to be the one door I trusted. Tailscale removes the premise: there is no public address to track, no door to leave open, nothing inbound to expose. WireGuard does the encryption, and the coordination layer handles the NAT traversal that I used to do by hand and badly.

[Image: Patch panels and structured cabling in a small rack]

the honest caveats

It is not magic, and pretending otherwise does no one any favours. You are now trusting a coordination service to broker connections, so it becomes a dependency: the control plane has to be up for new connections to be set up (existing ones keep flowing, because the WireGuard tunnels themselves do not pass through it). For a homelab that I reach a few times a day, that trade is overwhelmingly worth it. For something with a strict no-third-parties requirement you would run plain WireGuard yourself and do the key management by hand, which is exactly the toil Tailscale exists to remove.

The other caveat is that it is so frictionless it makes you lazy about segmentation. Everything on one flat tailnet is convenient right up until it is not, so I have started using its ACLs to keep the laptop from reaching things it has no business reaching. Tailscale gives you that for free; the discipline to use it is on you.
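To make the segmentation point concrete, here is an added example of a Tailscale ACL policy of the kind described above. It is not from the original post and not a policy the author published; the tag name tag:nas, the user me@example.com and the port list are assumptions for illustration. The file is HuJSON (JSON with comments and trailing commas), which is what the admin console accepts. The commented-out line is Tailscale's default allow-everything rule, which is what a fresh tailnet ships with; the rules below it replace that with a deny-by-default policy that lets members reach the NAS only on SSH.

```jsonc
{
  // Who may apply tag:nas to a machine. The NAS itself joins with
  // `tailscale up --advertise-tags=tag:nas`. (tag name is an assumption)
  "tagOwners": {
    "tag:nas": ["autogroup:admin"],
  },

  "acls": [
    // The default policy on a new tailnet: every device reaches every
    // port on every other device. Convenient, and exactly the "one flat
    // network" problem the text describes.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Replacement: once any rule exists, anything not listed is denied.
    // Members of the tailnet may SSH to the NAS, and nothing else.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:nas:22"]},
  ],

  // Policy tests are evaluated when the policy is saved, so a later edit
  // that accidentally widens access fails to apply. (user is an assumption)
  "tests": [
    {
      "src": "me@example.com",
      "accept": ["tag:nas:22"],
      "deny": ["tag:nas:445", "tag:nas:3389"],
    },
  ],
}
```

The detail worth internalising is the switch in default: with the "*" rule present, adding a device means it can reach everything; with it removed, adding a device means it can reach nothing until a rule says otherwise. The tests block is the cheap way to keep it that way, since the console refuses to save a policy whose tests fail.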

But the core feeling, a fortnight in, is relief. A whole category of brittle network plumbing is just gone. My router config is shorter. Nothing of mine listens on the public internet anymore. And I reach my homelab by name from anywhere without thinking about it, which is all I ever actually wanted.