Tailscale Gives You Remote Access to Your LAN from Anywhere

Originally published at: https://tidbits.com/2025/02/24/tailscale-gives-you-remote-access-to-your-lan-from-anywhere/

Since Apple sunsetted macOS’s remote network connector, Back to My Mac, I have looked for a system that would provide full access to devices on my home LAN when I was outside the network (see “Apple Abandoning Back to My Mac in Mojave,” 25 August 2018). I found it in Tailscale, a corporate-grade virtual networking system with a free tier that is as easy to use as clicking a button.

Tailscale’s apps link each device on which they are installed into a virtual LAN (VLAN) that uses secure virtual private network (VPN) connections to bring your machines together. That VLAN lets each of your devices reach all the others but, by default, blocks all inbound traffic from other parties. In my testing, Tailscale’s technology, built on top of the open-source WireGuard project, is seamless and solid.

You access your Tailscale VLAN like just another VPN connection, such as you might use to keep your unencrypted traffic and the domains you’re surfing secret from other café users or ad-targeting snoops. But instead of having the other end of the connection exit at a data center somewhere on the Internet or within a corporate intranet, the other end drops you into a private, cloud-based VLAN.

Although Tailscale is a corporate-oriented product, I’m covering it here in TidBITS because it solves a problem for regular home and small business users, has understandable technology, and offers affordable pricing, including a free plan. Tailscale hits all three notes:

  • It circumvents the problems of accessing private networks with non-routable IP addresses set up by home gateways.
  • Installation and operation are more or less a single click, with the bonus of superbly well-written documentation.
  • Tailscale offers a remarkably generous free plan for personal use: up to 3 users who can connect up to 100 devices each.

Let me dig into why and how you, as a roaming user with resources at home or the office, can use Tailscale to your advantage.

Why You Need Tailscale

Network Address Translation, or NAT, is one of the greatest and worst inventions in the history of the Internet. Available on a gateway, like a home router, NAT allows a set of addresses in one network segment to pass through and be transformed (translated) into one or more addresses in another network.

That’s pretty vague, but most of us deal with a specific use case for NAT every day. On a home or small office network, the ISP typically assigns one publicly routable IP address on the Internet side of the connection. The ISP provides that single address either to a broadband modem with gateway features or a device under our control, like a Wi-Fi gateway.

In order to share that single public IP address among all the devices on the LAN, the gateway uses DHCP, the automatic address-assignment protocol, to hand out private network addresses drawn from one of several reserved sets of IP addresses that are never assigned to public machines. These include addresses that start with 192.168 and 10.0 (like 192.168.0.100 and 10.0.1.1).

[NAT diagram: Milesjpool via Wikimedia Commons, CC-BY-SA-4.0]

When a device within the LAN wants to request a Web page, for instance, its browser sends the query to the LAN’s router, built into the gateway. The request first passes through the NAT software, which creates an entry in an internal table that maps the request from the private address on that device to a public address. When the response comes in, the NAT routes the data back to the correct privately addressed device. NAT is a traffic cop.

This network address translation happens millions of times each day on your network—and maybe far more. It’s transparent, and it just works.

But what if you want to reach your LAN when you’re outside your home or office? Typically, that means you must “punch through the NAT” by mapping a particular service, like screen sharing, from a fixed private address on the LAN to the service’s port on your network’s public address. You do this by using an administrative interface on your gateway to set up DHCP reservation and port forwarding. DHCP reservation ensures that a device on the LAN always retains the same private address instead of receiving one dynamically from a pool; port forwarding creates a static path so a request to a particular service on the publicly routable IP address on the router is sent to that private address.

This whole setup is often fragile. It also typically means you can only reach a single instance of each type of service. For example, if you want remote screen access to two or more computers on your LAN, you have to do extra work to make sure each connection has a distinct port on the public address, requiring more configuration and reducing resiliency.

[Port forwarding interface on a NetGear router] An example of port forwarding, shown here on a NetGear router: you open a service port to the outside world and map it to a fixed private address.

Opening up access from the router also allows every device on the Internet to attempt to connect to, block access to, or attack your device unless you know precisely what remote networks you might connect from and restrict connections to those. (That’s seldom the case.) For many years, it has been simple for attackers to scan for commonly available services across all public IP addresses. Even if no malicious attack can compromise your Mac or other device, you might accidentally leave a file server unprotected by a password or have files that only require guest access. It’s unwise to let everyone know which of your network doors have handles they can rattle.
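To make the NAT table and the port-forwarding trade-off concrete, here is a small Python model added for this edit (it is not code from the article, from a router vendor, or from Tailscale). It keeps the two kinds of entry the text describes side by side: a dynamic mapping that a LAN host creates by sending traffic out, which admits only the remote endpoint that host contacted, and a static port forward that admits any source on the Internet. The gateway, all IP addresses (drawn from the RFC 5737 documentation ranges), port numbers and the probe source in `exposed_ports` are constructed for illustration.

```python
"""Toy model of a NAT gateway: dynamic outbound mappings versus static port forwards.

All addresses are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000
    # Dynamic table: public port -> (private ip, private port, remote ip, remote port).
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    # Static port forwards set by the administrator: public port -> (private ip, private port).
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address and remember the mapping."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:          # reuse an existing mapping for the same flow
                break
        else:
            pub_port = self.next_port  # allocate a fresh public port
            self.next_port += 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver a reply to a known mapping or traffic to a forwarded port; drop everything else."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            priv_ip, priv_port, remote_ip, remote_port = entry
            # A dynamic mapping admits only the endpoint the LAN host itself contacted.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
            return None
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            # A port forward admits any source on the Internet: this is the exposure the text warns about.
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None

    def add_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        self.forwards[public_port] = (private_ip, private_port)


def exposed_ports(gw: NatGateway, ports: Iterable[int], probe_ip: str = "198.51.100.99") -> List[int]:
    """Defender's exposure check: which public ports accept an unsolicited packet from an arbitrary address?"""
    return [p for p in ports if gw.inbound(Packet(probe_ip, 4444, gw.public_ip, p)) is not None]


def demo() -> dict:
    gw = NatGateway(public_ip="203.0.113.7")  # constructed public address
    # A LAN host fetches a web page; the gateway allocates a public port for the flow.
    out = gw.outbound(Packet("192.168.0.100", 51234, "198.51.100.20", 443))
    reply = gw.inbound(Packet("198.51.100.20", 443, gw.public_ip, out.src_port))
    stray = gw.inbound(Packet("198.51.100.99", 443, gw.public_ip, out.src_port))
    before = exposed_ports(gw, range(5895, 5905))
    # Now forward the screen-sharing port (5900) to that host: anyone on the Internet can reach it.
    gw.add_forward(5900, "192.168.0.100", 5900)
    after = exposed_ports(gw, range(5895, 5905))
    return {
        "translated_src": (out.src_ip, out.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port),
        "stray_dropped": stray is None,
        "exposed_before_forward": before,
        "exposed_after_forward": after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately ignores timeouts and protocol details; the point is the asymmetry between the two table types, which is exactly what a Tailscale-style overlay avoids by never needing the static kind.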

Opening access through the router also doesn’t account for the dreaded “double NAT.” I have this particular problem with my network. It occurs when your ISP gives you a broadband modem that doesn’t meet your needs or lacks configuration options you require, so you install your own gateway behind the ISP’s device. The ISP’s device uses DHCP and NAT to assign your gateway a private address, and your gateway in turn uses DHCP and NAT to assign different private addresses within its own, double-nested network.

[Double NAT diagram. Source: Tailscale]

What if you could bypass all that by ensuring your devices can be reached as desired across the public Internet without reconfiguring your gateway or making them available to anyone?

Back to My Mac offered that feature, though it was stymied by double NATs and supported only a limited subset of Apple-provided services. Tailscale provides a more robust and generalized solution that addresses many use cases.

How Tailscale Works

Tailscale works by creating a VLAN using VPN connections. A VPN typically involves client software on your device connecting to a VPN server elsewhere on the Internet. After performing a series of handshakes to prove you have the right secrets, an encrypted session opens over which, at a low level, all the Internet traffic from and to your computer passes. For commercially available subscription-based VPNs, it’s good enough that the traffic exits from a data center somewhere that’s not local to you; for corporate VPNs, the VPN server sits inside the corporate intranet, making your device an extension of that protected network.

Tailscale works more like the latter but doesn’t require a corporate intranet. The company facilitates routing but has no access to the data passing over your virtual network, hosts minimal amounts of information, and ensures the secret (private) encryption keys remain on your device endpoints. Tailscale explains that instead of creating a hub-and-spoke system, where there’s a centralized hub through which all data passes, it makes a mesh system in which each device can create a secure connection with every other device.

To avoid too much overhead with this approach, Tailscale has only one centralized component: a zero-knowledge key repository that lets your devices contact a single point to exchange the encryption keys necessary to communicate with each other. The keys are generated on your devices and stored securely, so Tailscale doesn’t know what the keys are. Your data—however encrypted—doesn’t pass through this specialized control channel.

What that amounts to is that, after installing Tailscale apps on your devices and connecting them to your account, each device is visible to all the others and no one else.
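To show what the mesh-plus-control-plane arrangement described above means in cryptographic terms, here is an added Python illustration (not Tailscale’s or WireGuard’s code): each simulated device generates an X25519 key pair locally, registers only the public half with a stand-in coordination server, and derives a pairwise shared secret with every other device. The X25519 routine follows RFC 7748 and is checked against that RFC’s published test vectors; the device names and the `ControlPlane` and `Device` classes are invented for the example, and the ladder is not constant-time, so it illustrates the protocol rather than serving as a production implementation.

```python
"""Why a coordination server that only relays public keys cannot read tailnet traffic.

Each device keeps its private key, publishes its public key, and every pair of
devices derives its own shared secret with X25519 (the key agreement WireGuard uses).
Pure-Python X25519 per RFC 7748, for illustration only (not constant-time).
"""
import secrets
from typing import Dict, List, Tuple

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248          # clamp as RFC 7748 section 5 requires
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127         # mask the unused high bit
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte u-coordinate of k*U."""
    kk, x1 = _decode_scalar(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:                       # conditional swap (not constant-time here)
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


class ControlPlane:
    """Stand-in for the coordination server (hypothetical class): it stores public keys only."""

    def __init__(self) -> None:
        self.pubkeys: Dict[str, bytes] = {}

    def register(self, name: str, pub: bytes) -> None:
        self.pubkeys[name] = pub

    def peers_of(self, name: str) -> Dict[str, bytes]:
        return {n: k for n, k in self.pubkeys.items() if n != name}


class Device:
    """A tailnet node (hypothetical class): the private key is generated here and never leaves."""

    def __init__(self, name: str, cp: ControlPlane) -> None:
        self.name, self.cp = name, cp
        self.priv, self.pub = keypair()
        cp.register(name, self.pub)

    def shared_secret_with(self, peer: str) -> bytes:
        return x25519(self.priv, self.cp.peers_of(self.name)[peer])


def build_tailnet(names: List[str]) -> Tuple[Dict[str, "Device"], ControlPlane]:
    cp = ControlPlane()
    return {n: Device(n, cp) for n in names}, cp


def all_pairs_agree(devices: Dict[str, "Device"]) -> bool:
    """Every pair of devices derives the same secret from opposite sides, without the control plane."""
    names = sorted(devices)
    return all(devices[a].shared_secret_with(b) == devices[b].shared_secret_with(a)
               for a in names for b in names if a < b)


if __name__ == "__main__":
    devs, cp = build_tailnet(["mac-mini", "iphone", "ipad"])   # constructed device names
    print("pairwise agreement:", all_pairs_agree(devs))
    print("control plane holds private keys:", any(hasattr(v, "priv") for v in cp.pubkeys.values()))
```

The control plane object ends up holding three 32-byte public keys and nothing else; deriving any of the pairwise secrets would require solving the discrete-log problem on Curve25519, which is what the author’s “Tailscale doesn’t know what the keys are” rests on.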

I tried Tailscale on a recent trip and enjoyed excellent performance with screen sharing (via the macOS Screen Sharing app) and Finder-based SMB file sharing. Across many sessions, it was just as easy as being on the same network and only slightly slower—I was on a roughly 300 Mbps symmetrical Internet connection, and my home network has gigabit Internet.

Tailscale doesn’t support Apple’s Bonjour network discovery protocol, which relies on a broadcast form of DNS sent over a local network. Such link-local broadcasts are not forwarded across routers or VPN tunnels, so they never reach the far end of a Tailscale connection. That means you can’t do simple network discovery to connect to your LAN-based resources.

However, Tailscale provides an alternative. First, every device on your Tailscale LAN has a publicly routable IP address that’s set and fixed for the duration of its registration in your account. Even though nobody but you or other users in your account can reach those IP addresses, they remain static and unique over time. Second, Tailscale also assigns each device a hostname, which you can customize and combine with a subdomain on Tailscale’s ts.net domain. You can connect from any of your devices using the static IP address or the fully qualified hostname; I’ll explain how to find that information below.

Tailscale also supports another kind of device setup. Third-party software can embed Tailscale as a component to share just a single service. I use the Channels DVR Server to record over-the-air TV programming from an Ethernet-connected TV tuner. Within the DVR Server’s advanced settings is an option to enable Tailscale, which creates a DVR Server-specific “device” on your Tailscale network. I was able to use Channels client software while away to connect to my home network’s server and grant access to my older kid in college so he could watch programs we record at home. (Notably, Jeopardy!; we have a family interest in the show.)

[Screenshot: Tailscale’s Remote Streaming controls]

How to Set Up Tailscale

To get into the nitty-gritty, here’s how you set up Tailscale for yourself:

  1. Register an account. Tailscale doesn’t maintain its own login accounts, so you’ll need to use single sign-on (SSO) through a third party, including “Sign up with Apple.”
  2. Install apps. Tailscale has apps for every major mobile and desktop platform, plus some streaming operating systems, including tvOS!
    [Screenshot: Tailscale supported environments]
  3. Configure hostnames. Tailscale uses the Bonjour/sharing name on your Apple devices and similar network names from other hardware to uniquely name equipment on what it calls your “Tailnet.” You can change a name on the Machines tab on your Web dashboard. I recommend making them descriptive but short to help with recognition.
  4. Change the subdomain. Tailscale automatically creates a random name for your Tailnet ending in .ts.net. You can go to the DNS tab in your account, click Rename Tailnet, and have it generate hilarious combinations of words that are more memorable and easier to type.
    [Screenshot: Renaming a Tailnet subdomain]
  5. Find your device names for use in remote connections or to share. You can find the fully qualified hostnames and IP addresses for all devices in your Tailnet in several places: the Machines tab in your Web dashboard, the Tailscale menu in macOS, and the Tailscale app in iOS/iPadOS. In all of these locations, you can tap, choose, or hover to get a menu that shows you all the various forms of a device’s names, then tap or click to copy one.
    [Screenshot: Tailscale IPs and hostnames]
  6. Invite others. If you’re creating shared resources, you can have three people, including yourself, in the free Personal plan or six in the $5-per-month Personal Plus plan.

Tailscale has a clear explanation of what it considers personal use by citing examples: “These use cases include playing games with friends, or securely connecting to anything from a DigitalOcean droplet to a Raspberry Pi, home security camera, or even a Steam Deck.” Business plans start at $6 per month for “monthly active users”: you’re charged only if a given account interacts on the Tailnet during that month.

There’s beauty in simplicity that hides complexity—the opposite of the ugly interfaces and complex configurations we often find for tools we need for ourselves or our work. Tailscale has a remarkable knack for making the difficult proposition it’s attempting seem straightforward across its websites, products, and writing. For us, as users, it is.

Glenn Fleishman is the author of the upcoming Take Control of Apple Screen and File Sharing, a guide to help Apple users share and mirror screens for their own and other people’s devices and share and access files from file servers and cloud-based storage. The book is due out in late February from Take Control Books.

5 Likes

Excellent post.

One suggestion: if you have installed TailScale on a computer that is remote to you, and that you do not often go to, open the admin console, which will open a browser window showing you all of the machines in your TailNet. Click/tap the three-dot menu to the right of that machine and then click/tap “disable key expiry” so you won’t be surprised one day with a remote machine that’s gone off-line because the default five-month expiration date has passed. (As I learned from experience.)

2 Likes
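Step 5 of the article (finding each device’s hostname and Tailscale IP) and the key-expiry surprise described in the reply above are both answerable from the command line, and here is an added Python script that does so; it is not code from TidBITS, the poster, or Tailscale. It parses the output of `tailscale status --json` (a real subcommand of the Tailscale CLI), prints every node’s hostname, fully qualified `ts.net` name, addresses and online state, and flags nodes whose node key is already expired or expires within a chosen window. The JSON field names it reads (`Self`, `Peer`, `HostName`, `DNSName`, `TailscaleIPs`, `Online`, `KeyExpiry`, `Expired`) are assumed from the CLI’s output and should be checked against your installed version; the embedded sample status, its device names, tailnet name, addresses and dates are all constructed.

```python
"""List tailnet devices and flag expiring node keys from `tailscale status --json`.

Field names are assumed from the Tailscale CLI's JSON output; the sample below is constructed.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample of what `tailscale status --json` returns (abridged to the fields used here).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "glenn-mbp", "DNSName": "glenn-mbp.tail1234.ts.net.",
             "TailscaleIPs": ["100.101.102.103"], "Online": True,
             "KeyExpiry": "2025-07-01T00:00:00Z"},
    "Peer": {
        "nodekey:aaaa": {"HostName": "mac-mini", "DNSName": "mac-mini.tail1234.ts.net.",
                         "TailscaleIPs": ["100.101.102.104"], "Online": True,
                         "KeyExpiry": "2025-03-10T00:00:00Z"},
        "nodekey:bbbb": {"HostName": "apple-tv", "DNSName": "apple-tv.tail1234.ts.net.",
                         "TailscaleIPs": ["100.101.102.105"], "Online": False,
                         "KeyExpiry": None},          # key expiry disabled, as the reply recommends
        "nodekey:cccc": {"HostName": "old-nas", "DNSName": "old-nas.tail1234.ts.net.",
                         "TailscaleIPs": ["100.101.102.106"], "Online": False,
                         "KeyExpiry": "2025-01-15T00:00:00Z", "Expired": True},
    },
})


def _parse_ts(ts: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 3339 UTC timestamp like 2025-03-10T00:00:00Z (fraction ignored; assumes a trailing Z)."""
    if not ts:
        return None
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_status(text: str) -> List[Dict]:
    """Flatten Self plus every Peer into one list of device records."""
    data = json.loads(text)
    nodes = [data["Self"]] + list(data.get("Peer", {}).values())
    devices = []
    for n in nodes:
        devices.append({
            "host": n.get("HostName"),
            "fqdn": (n.get("DNSName") or "").rstrip("."),   # MagicDNS name without the trailing dot
            "ips": list(n.get("TailscaleIPs") or []),
            "online": bool(n.get("Online")),
            "expiry": _parse_ts(n.get("KeyExpiry")),
            "expired": bool(n.get("Expired")),
        })
    return devices


def report(text: str, now_iso: str = "2025-02-24T00:00:00Z", within_days: int = 30) -> Dict:
    """Devices plus the subset whose node key is expired or expires within `within_days` of `now_iso`."""
    devices = parse_status(text)
    horizon = _parse_ts(now_iso) + timedelta(days=within_days)
    expiring = [d["host"] for d in devices
                if d["expired"] or (d["expiry"] is not None and d["expiry"] <= horizon)]
    return {"devices": devices, "expiring": expiring}


def live_report(within_days: int = 30) -> Dict:
    """Run the real CLI on this machine and report against the current time."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         capture_output=True, text=True, check=True).stdout
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return report(out, now_iso=now, within_days=within_days)


if __name__ == "__main__":
    r = report(SAMPLE_STATUS)      # swap in live_report() on a machine with Tailscale installed
    for d in r["devices"]:
        state = "online" if d["online"] else "offline"
        exp = d["expiry"].date().isoformat() if d["expiry"] else "never"
        print(f"{d['host']:<10} {d['fqdn']:<28} {', '.join(d['ips']):<16} {state:<8} key expires: {exp}")
    print("needs attention:", ", ".join(r["expiring"]) or "none")
```

Run it from cron or a launchd job on a machine that is always on (the Apple TV discussed later in this thread is a natural candidate) and you get a reminder before a remote node silently drops off the tailnet.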

This sounds an awful lot like LogMeIn Hamachi. Is it?

It’s sort-of the same, but quite different.

TailScale has a very good post explaining some of the differences: Tailscale vs. Hamachi: A Modern VPN Replacement for Gaming and Collaboration

1 Like

Anything that is free has me asking “What is their business model?”. Is it the business accounts and the free personal accounts are teasers? Or do they have some other long term plan?

2 Likes

They’re mostly a business service. They went from 5,000 paying business customers in March 2024 to 10,000 in January of this year. They’re a rare Canadian tech startup!

Because the company doesn’t transit data, only runs a control plane, it’s a pretty thin layer of resources required for these free, personal accounts. They’re using open-source software, which also reduces some aspects of development costs.

2 Likes

Is this cross-platform? Is it better than Splashtop (which is a bit cheaper, but I know it works well)?

I’ve been using TailScale for several months and find it very useful. I previously used my Ubiquiti Alien’s Teleport software that worked similarly to TailScale, but the former is more cumbersome to set up. Tailscale works on my iMac, iPhone and iPad and allows me to watch shows only available in the U.S. on DirectTV while I’m in Australia. Like Teleport, it’s free for personal use.

2 Likes

Many platforms and architectures. You can even run it on a robot vacuum.

Indeed! Every platform! From the article:

Install apps. Tailscale has apps for every major mobile and desktop platform, plus some streaming operating systems, including tvOS!

It’s not a screen-sharing system like Splashtop. It’s a VLAN so you can use something like Screen Sharing via the VLAN. Imagine that all your devices are connected to each other no matter where they are, so anything you can do on your local network, you can do wherever you are.

I know the MacOS/iOS app called Screens that referenced Tailscale. It is a screen sharing app that can work in concert with Tailscale I would assume.

Thank you! I started to read the webpage and got pulled away. I think I’ll check it out, remote access can sure come in handy some days. No robot vacs for me though ;)

Yes, using it with Screens is how I use TailScale for almost everything. I also use it to monitor uptime of remote devices, and to back up and sync files between locations.

@glennf
What an excellent writeup! I’ve been using Tailscale for several months, but your article taught me a couple of things I didn’t know. Thanks!!

I’ve found that one of the best ‘features’ is the tvOS application. The TailScale client can be downloaded from the App Store and installed on an Apple TV, where it just sits in the background happily running 7x24. Even when the ATV is ‘sleeping’, it will still respond to incoming connections from one’s Tailnet, and provide access to the local LAN environment. The tvOS client really reduces the barrier to deployment.

2 Likes

Thank you!

I honestly am not sure how the Apple TV fits into the picture! I just installed the client—you can’t access your Apple TV remotely, can you? But the Apple TV can access remote stuff? How are you using it?

Does Screens rely on Tailscale behind the scenes?

Screens has a special way to aggregate all of your local/remote devices in the TailNet with support for TailScale built in. Edovia has a good write-up:

This is relatively recent - before this I had to manually add my host by their TailNet IP address to the Screens client. Now as long as your device is connected to TailScale, Screens finds all of the configured hosts, plus it also shows an icon showing whether you can connect or not.

1 Like

Glenn - no, you can’t access the Apple TV remotely. But you can access anything that’s on the LAN the ATV is connected to. One of my use cases is to access my security cameras when I’m out and about. The cams all live on an isolated IoT subnet, separate from my main LAN. Further, the cams are blocked (using a firewall rule) from connecting to the internet. I don’t want them ‘phoning home’ and potentially sharing personal private information (or videos) with nosy developers in far-away places… If/when I want to check in on things at home, I activate the TS client on my iPhone, and then view the cameras through my Tailnet.

Second use case: accessing my home automation server when I’m away. I use Indigodomo, a very nice HA application running on an old Mac mini in my basement.

Third use case: accessing my Synology NAS (and its video surveillance app) remotely.

Prior to Tailscale, I used to use OpenVPN, terminating on a vpn server running in an ASUS router. But I found OpenVPN to be pretty brittle, with ongoing challenges configuring the two ends of the VPN (iPhone, iPad, and macOS clients in combination with the Asus server), keeping them up to date, etc. I often found the vpn tunnel wouldn’t come up, for reasons I could never figure out. I spent a fair bit of time with one such issue a year or so ago, and finally diagnosed the reason for the vpn blockage was a misconfiguration of an interworking server deep in the bowels of Rogers data network.

A final use case, which is why I find the ATV TS client is so appealing, is deployment of an ATV at a family member’s home for remote support. Family member is not terribly technical, and would have a tough time configuring the VPN server in their router. The tvOS Tailscale app is quite easy to configure and make part of my Tailnet. I can then remotely connect to his LAN from wherever I may be, log in to his router for troubleshooting network issues, do screen sharing, etc. The TS client on the distant ATV can also be used as an exit node - handy for when one might want to appear to be located in another country.

3 Likes

Doug,
Thank you so much for posting this. I’m also a Screens user, but I’m still on V4. Although a bit old, it’s been working OK for me, and I’ve not been motivated to upgrade to V5 (which now requires a pricey subscription, or a steep $150 one-time purchase). I didn’t know they had rolled TailScale support into V5. I’ll now go check it out, and perhaps revisit my decision to stick with V4.

1 Like

Holy cow, I didn’t understand that at all! I thought it was all device specific. You need to have the IP addresses of each of your resources?