Ramblings of an aging IT geek
← Ramblings of an aging IT geek
networking

i finally gave up on port forwarding

Replacing a fragile pile of port forwards and dynamic DNS with Tailscale, and why the mesh approach is simply less to worry about.

John Mylchreest
John Mylchreest
2022-12-30 · 3 min read

Network cables plugged into a switch

For years, getting to my home services from outside the house meant the same fragile arrangement: a port forward on the router, dynamic DNS pointing at a residential IP that changed whenever it felt like it, and a quiet hope that nobody was scanning that port too hard. It mostly worked. "Mostly" is doing a lot of work in that sentence.

I have moved the lot to Tailscale and I am annoyed it took me this long.

What I was actually defending against

The problem with port forwarding is not that it is hard to set up. It is that every forward is a door you have opened to the entire internet, and you are now responsible for whatever is listening behind it forever. Patch it, watch it, and pray the next CVE in that service does not land while you are on holiday.

The dynamic DNS half was its own small misery. The IP changes, the updater misses it, and suddenly you cannot reach anything until you notice and poke it back to life. Usually you notice at the least convenient possible moment.

Rows of equipment in a datacentre aisle

The mesh just works

Tailscale builds a WireGuard mesh between your devices. Each machine gets a stable address on your private network, and they find each other regardless of which café wifi or hotel network you happen to be on. There is no public port to forward, nothing exposed to the open internet, and nothing that cares what my home IP did overnight.

Installation was genuinely a few minutes per device:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Authenticate in the browser, the device appears in the list, done. The laptop, the homelab box, my phone, all on one flat private network. I reach the services by their stable name from anywhere, and the connection is direct WireGuard between the two devices wherever it can manage it.

The part I keep coming back to is what I no longer have to think about. No forwarded ports to audit. No dynamic DNS to babysit. No public attack surface that I half-remember opening in 2019. The honest pitch for Tailscale is not that it is clever, though the NAT traversal genuinely is. It is that it is less to worry about, and at home, less to worry about is the whole point.