For years my homelab was held together by port forwards. Want to reach Home Assistant from my phone? Forward a port. Want to SSH into the box in the cupboard from work? Forward a port, and pray the dynamic DNS had caught up with my ISP's latest whim about my IP address. Every new service meant another hole in the router and another line in a mental risk register I was not maintaining honestly. I've ripped the whole lot out and replaced it with Tailscale, and I should have done it ages ago.
What was actually wrong
The port-forwarding model has a fundamental shape problem: it exposes services to the entire internet so that one person, me, can reach them. The internet is a hostile place and the moment you forward a port, the scanners find it. My SSH logs were a steady drizzle of bots trying root with rubbish passwords, all day, every day. You can mitigate that with keys-only auth and fail2ban and a non-standard port, and I did, but you're still fundamentally publishing a door to four billion people to make a convenience for one.
The alternatives weren't much better. I'd tried running a traditional VPN server, first OpenVPN and later a hand-rolled WireGuard setup. WireGuard itself is brilliant, fast and simple, but the operational bit is the pain. You're managing a config file per device, copying public keys around by hand, picking IP addresses, and the moment you want device A to talk to device B as well as both talking to the server, you're hand-editing AllowedIPs on multiple machines and getting it subtly wrong.
What Tailscale actually is
Tailscale is WireGuard with the painful bits automated away. Underneath it's the same fast WireGuard tunnels. On top it adds a coordination server that handles all the key exchange and the bookkeeping, so you never touch a config file. You install it, you log in with an identity you already have, and the device joins your private network. Every device gets a stable IP in the 100.x range that never changes, regardless of what your ISP is doing to your public address that week.
The clever part is that it's a mesh, not a hub. Devices connect directly to each other where they can, peer to peer, rather than routing everything through a central server. And it does NAT traversal, the dark art of getting two machines behind home routers to talk directly, which is the thing that historically made this stuff so miserable. When a direct connection genuinely can't be made, it falls back to relaying through Tailscale's servers, encrypted end to end so they can't see your traffic, and you don't notice the difference except in latency.
What it looks like now
Every device I own is on the tailnet: the homelab boxes, my laptop, my phone, even a tiny ARM board doing sensor duty. They can all reach each other by name. SSH to the cupboard box is just ssh server01, from anywhere, with no forwarded port and no dynamic DNS in the path at all. Home Assistant is reachable from my phone on the train because my phone is on the same flat network as the server, not because I've published it to the world.
For the handful of things that genuinely need to be public, like the one web service I actually want strangers to reach, those stay on a proper reverse proxy with real certificates, exactly as before. The point isn't that Tailscale replaces public-facing infrastructure. The point is that everything that was only ever exposed for my own convenience no longer needs to be exposed at all.
The subnet router trick
The feature that sealed it: a subnet router. You don't have to install Tailscale on every single device. I've got smart plugs and a NAS and various things that will never run a Tailscale client. So I let one Linux box on that LAN advertise the whole subnet:
# on the gateway box, enable forwarding and advertise the LAN
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
sudo tailscale up --advertise-routes=192.168.1.0/24
Approve the route in the admin console and now every device on the tailnet can reach everything on my home LAN through that one box, including the dumb devices that have no idea any of this is happening. It's a clean way to bridge the old hardware into the new model.
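A pre-flight check I'd run on the gateway box before the advertise-routes step above. This is an added example, not from the original post or from Tailscale's tooling; it assumes an IPv4 route and that the gateway's own LAN address is 192.168.1.5 (a constructed value), and it knows that Tailscale hands out addresses from the 100.64.0.0/10 range.

```shell
#!/bin/sh
# Sanity checks before 'tailscale up --advertise-routes=...'. Example added to
# this post, not Tailscale's own tooling. Assumes an IPv4 CIDR route and that
# LAN_ADDR is the gateway box's address on the LAN being advertised.

# Dotted quad -> 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when ADDR falls inside CIDR, e.g. in_cidr 192.168.1.10 192.168.1.0/24
in_cidr() {
  net=${2%/*}; len=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# True when the route is a plausible LAN prefix, is the network this box
# actually sits on, and does not collide with the tailnet's 100.64.0.0/10.
route_is_sane() {
  route=$1; lan_addr=$2
  case $route in */*) ;; *) echo "no prefix length on $route"; return 1;; esac
  len=${route#*/}
  [ "$len" -ge 8 ] && [ "$len" -le 30 ] || { echo "odd prefix length /$len"; return 1; }
  in_cidr "$lan_addr" "$route" || { echo "$lan_addr is not inside $route"; return 1; }
  ! in_cidr "${route%/*}" 100.64.0.0/10 || { echo "$route overlaps the tailnet range"; return 1; }
  return 0
}

# Without kernel forwarding, traffic arriving for the LAN is silently dropped.
forwarding_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage with the route from the post and a constructed gateway address.
if route_is_sane 192.168.1.0/24 192.168.1.5; then
  forwarding_enabled || echo "ip_forward is off: apply the sysctl first"
  echo "ok to run: tailscale up --advertise-routes=192.168.1.0/24"
fi
```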
The honest caveats
It's not all free. The coordination server is run by Tailscale, a company, and your devices authenticate through it, so you are trusting a third party to sit at the centre of your network's control plane, even though they can't see your actual traffic. For a homelab I'm comfortable with that, and if I ever stop being comfortable there's Headscale, an open-source implementation of the coordination server you can self-host. The free tier limits are generous enough that I haven't bumped into them. And there's a small philosophical itch about depending on a SaaS for something as fundamental as reaching my own machines.
But weighed against the maintenance burden I just deleted, it's not close. I removed every port forward from the router. I deleted the dynamic DNS cron job. I stopped reading SSH brute-force logs because there's nothing left to brute force. The homelab does everything it did before and the attack surface facing the open internet went from "several services and a VPN endpoint" to "one reverse proxy I actually meant to expose". That's a strictly better network for an afternoon's work.