For about a decade my homelab was reachable from outside via a small museum of port forwards on the router, plus an OpenVPN server I'd set up once, configured carefully, and then refused to touch in case it broke. It worked. It also gave me a low-grade anxiety every time I thought about it, which is its own kind of cost. Last weekend I deleted all of it and replaced it with Tailscale, and the thing I keep wanting to tell people is how little I miss any of it.
what i was actually doing before
The setup had grown the way these always do, one forward at a time. Port 443 to the reverse proxy. A high port to the NAS web UI because I was too lazy to put it behind the proxy. A forward to an SSH box so I could get a foot in the door from anywhere. And the OpenVPN server for everything else, on a config I genuinely did not remember the details of.
Each of those forwards was a small hole in the firewall that I had to remember existed. Every one was a thing on the public internet getting scanned and probed every minute of every day. The SSH forward in particular meant my logs were a continuous wall of failed login attempts from the whole world, which fail2ban kept a lid on but which I never loved. And the dynamic DNS that pointed a name at my changing home IP was one more moving part that would occasionally lag and leave me locked out for an hour.
None of it was wrong, exactly. It was just a lot of small exposed surfaces, each one a thing I'd configured once and was now afraid to look at too closely.
what tailscale actually is
Tailscale is a mesh VPN built on WireGuard. That sentence undersells it, so let me unpack the part that made me sit up. WireGuard is the modern VPN protocol: small, fast, in the Linux kernel since 5.6, and a genuine pleasure compared to the OpenVPN config I was scared of. But WireGuard on its own is deliberately minimal and makes you do all the tedious bits yourself: generating a key pair per machine and copying every public key to every peer, allocating the addresses, telling each peer where the others can be reached, and keeping all of that in sync as machines come and go.
Tailscale's trick is to do exactly that tedious part and nothing more. It handles authentication through an identity provider you already have, distributes the public keys (each device generates its own private key, which never leaves it), gives every machine a stable address on a private network, and crucially negotiates direct connections between your devices through NAT without you forwarding a single port. The data plane is still just WireGuard going device to device. Tailscale is the coordination layer, the thing that knows where everything is and introduces your machines to each other.
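To make "the tedious part" concrete, here is what the hand-maintained version looks like: a two-peer WireGuard setup written out as an added illustration (it is not the config from the post, which was OpenVPN). Every key, address and hostname below is a placeholder; the interesting thing is how many of them you have to choose, copy across by hand, and keep correct forever.

```ini
# --- wg0.conf on the home server, the hub every other peer dials into ---
# Added illustration, not from the post: keys, addresses and endpoints are placeholders.

[Interface]
# Generated locally with: wg genkey | tee server.key | wg pubkey > server.pub
PrivateKey = <contents of server.key>
# You pick every address yourself and keep a list somewhere; nothing allocates them.
Address = 10.8.0.1/24
# The hub needs a reachable UDP port, i.e. exactly the router port forward
# (and the dynamic DNS name pointing at it) that the post is glad to be rid of.
ListenPort = 51820

[Peer]
# Laptop. Its public key has to be copied here out of band (ssh, chat, USB stick),
# and this stanza is repeated, by hand, for every additional device.
PublicKey = <contents of laptop.pub>
AllowedIPs = 10.8.0.2/32

# --- wg0.conf on the laptop ---

[Interface]
PrivateKey = <contents of laptop.key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <contents of server.pub>
# The laptop must know a stable, publicly reachable endpoint for the hub.
Endpoint = home.example.net:51820
# Route the whole VPN subnet via the hub.
AllowedIPs = 10.8.0.0/24
# Keep the laptop's own NAT mapping alive so the hub can send packets back.
PersistentKeepalive = 25
```

Bring either side up with `wg-quick up wg0` and check the handshake with `wg show`. Note that nothing here authenticates a device beyond possession of a private key: the moment a laptop is lost or retired, you have to remember to delete its `[Peer]` block from the hub, which is the kind of housekeeping the coordination layer exists to do for you.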
The bit that genuinely surprised me is the NAT traversal. Two machines, both behind home routers, both with no port forwards at all, establish a direct encrypted connection. It does this with the same hole-punching techniques video calls use (STUN-style discovery of how each router maps ports), and falls back to a relay for the awkward cases, where the relay only ever forwards WireGuard ciphertext it cannot read. From my point of view I installed it on a machine, logged in, and that machine simply appeared on the network with its own address, reachable from my laptop wherever my laptop happened to be.
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
That's the entire setup per machine. Two commands and an SSO login in the browser. The first time I did it I assumed I'd missed a step.
what changed, concretely
Every port forward on the router is gone. The firewall is closed. There is nothing of mine being scanned on the public internet any more, and the SSH brute-force wall in my logs has simply stopped, because nothing forwards to the SSH box any more: it is reachable over the tailnet (and the LAN), not from the public internet at all.
The NAS, the reverse proxy, the various services: they're all reachable by their tailnet address from any device I've enrolled, and from nowhere else. My laptop, my phone, a couple of servers, all on one flat private network regardless of which café or which country they're physically sitting in. The OpenVPN server is decommissioned. The dynamic DNS entry is deleted, because I no longer care what my home IP is; nothing points at it.
A couple of features earned their place quickly. MagicDNS means I refer to machines by name rather than memorising addresses, so ssh nas just works from anywhere. ACLs let me say, in a small HuJSON policy (JSON that allows comments), that my phone can reach the media server but not the management interfaces, which is a level of control I never bothered with when the answer was "edit iptables and hope". Two things worth knowing before relying on that: a fresh tailnet's default policy lets every device reach every other, so the restriction only exists once you write it, and the policy has no deny rules, so anything not explicitly accepted is simply dropped. And tagging machines rather than naming individuals means I can write a rule once and have it apply to a whole class of box.
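Here is the shape of such a policy, as an added example rather than the post's own file. The tag names, the user `alice@example.com` and the media server's port 8096 are assumptions; the rule structure (`tagOwners`, `acls` with `action`/`src`/`dst`) is Tailscale's.

```jsonc
// Tailnet policy file (HuJSON: JSON that allows comments and trailing commas).
// Added illustration, not the post's own policy. Tag names, the user
// alice@example.com and the media port 8096 are assumptions.
{
  // Who may attach each tag to a device at enrolment time
  // (sudo tailscale up --advertise-tags=tag:server). A tagged device is owned
  // by the tag rather than by a person, so one rule covers every box carrying it.
  "tagOwners": {
    "tag:server": ["alice@example.com"],
    "tag:media":  ["alice@example.com"],
    "tag:phone":  ["alice@example.com"],
  },

  // There are no deny rules: any packet not matched by an accept rule is dropped.
  "acls": [
    // Alice's own untagged devices (the laptop) may reach everything.
    {"action": "accept", "src": ["alice@example.com"], "dst": ["*:*"]},

    // The phone may reach the media server's web UI and nothing else:
    // not SSH on tag:server, not the NAS management port, not the router.
    {"action": "accept", "src": ["tag:phone"], "dst": ["tag:media:8096"]},
  ],
}
```

The check I would do after saving it: from the phone, the media UI loads, and `ssh nas` or a browse to the NAS management port times out rather than prompting for a password. The policy is distributed by the coordination server and enforced by each node on the packets it receives, so a device that is not permitted to reach another is blocked on the receiving end even if it tries.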
the honest caveats
It is not entirely without trade-offs, and I'd be lying to pretend otherwise. The coordination server is Tailscale's, not mine, which means there's a company in the trust path that knows the shape of my network even though it can't see the traffic. For most people that's a perfectly reasonable trade. If it bothers you, Headscale is an open-source re-implementation of the coordination server you can self-host, and I'll probably get round to it eventually, in the same way I get round to most things, which is to say slowly and only once it irritates me enough.
There's also the quiet dependency: if Tailscale's control plane is down when a device needs something from it (enrolling a new machine, renewing an expired node key, picking up a changed ACL), you feel it. Peers that already know each other keep talking, since each node holds the keys and addresses it was last given, but it's one more thing that can have a bad day. I've decided I can live with that, given what it replaced.
The summary is the same one I keep arriving at with good tools: it removed a category of problem rather than improving my handling of it. I'm not better at managing port forwards now. I just don't have any. The firewall is shut, the logs are quiet, and the OpenVPN config I was frightened of is in the bin. That's a good weekend's work.