# Tailscale: Access Your Self-Hosted Services from Anywhere
If you run self-hosted services at home — dashboards, media servers, AI tools, whatever — you've probably hit the wall of "how do I get to this stuff when I'm not on my home network?" Tailscale is the cleanest answer I've found. It creates a private encrypted mesh network (they call it a tailnet) between all your devices, so your home server's services are reachable from your phone, laptop, or tablet anywhere in the world without opening a single port or touching your router. No dynamic DNS juggling, no exposing anything to the public internet. Just works.
## The Short Answer

```bash
# Install Tailscale (Linux)
curl -fsSL https://tailscale.com/install.sh | sh
# Authenticate
sudo tailscale up
# Check your tailnet status and find your device hostnames
tailscale status
```
On Windows, download the installer from tailscale.com. On macOS, install from the App Store or tailscale.com/download/mac. Sign in with the same account on every device and they'll all see each other automatically.
## Background
Tailscale is built on WireGuard, which is a modern, fast, and actually-auditable VPN protocol. What Tailscale adds on top is the coordination layer — key exchange, device authentication, NAT traversal, and MagicDNS — so you get WireGuard's performance without having to set up the key infrastructure yourself.
The way it handles NAT traversal is what makes it genuinely useful. Traffic goes peer-to-peer when possible (fastest), and falls back to Tailscale's DERP relay servers when your network conditions don't allow direct connections (like restrictive cellular networks). Either way the tunnel is encrypted end to end: a DERP relay only forwards WireGuard packets that are already encrypted, so your data doesn't live on Tailscale's servers.
MagicDNS is the part that makes it actually pleasant to use day-to-day. Instead of remembering that your home server is at 100.64.x.x, you just use servername or servername.tail-xxxxx.ts.net and it resolves automatically on every device connected to your tailnet.
## Steps

### 1. Install Tailscale on Every Device

Linux server:

```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
macOS (terminal):
Or install from the Mac App Store and launch it from the menu bar.

Windows: Download and run the installer from tailscale.com. It installs as a system service and a tray icon.
iOS / iPadOS / Android: Install from the respective app store, sign in, done.
### 2. Authenticate All Devices to the Same Account
Each device you add will open a browser window asking you to authenticate. Use the same Tailscale account (or the same Tailscale organization if you're using Teams/Business) on every device. Once authenticated, the device joins your tailnet and gets a 100.x.x.x Tailscale IP.
If a device doesn't prompt automatically:
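For a server with no browser, the non-interactive route is an auth key. The script below is an added example, not from the original page or from Tailscale: it reads a key that was generated in the admin console and saved to a file, refuses the file if anyone other than its owner can read it (the key is what grants tailnet membership), sanity-checks the `tskey-` prefix, then runs `tailscale up` with it. The file path, the optional `--hostname` argument (which sets the name MagicDNS will use) and the GNU-style `stat -c` call (Linux only) are assumptions.

```shell
#!/bin/sh
# Enroll a headless Linux server with a pre-generated auth key.
# Added example, not from the original page or from Tailscale. Assumes: the key was
# generated in the admin console (Settings > Keys) and saved to a root-owned file,
# and GNU/busybox `stat -c` (Linux). Usage:
#   sudo ./enroll.sh /etc/tailscale/authkey [hostname-to-show-in-magicdns]
set -eu

# Read the auth key from a file. The key grants tailnet membership, so refuse files
# that anyone but the owner can read, and sanity-check the content before using it.
load_auth_key() {
  path="$1"
  [ -f "$path" ] || { echo "auth key file not found: $path" >&2; return 1; }
  mode=$(stat -c '%a' "$path")
  case "$mode" in
    600|400) ;;
    *) echo "refusing $path: mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  key=$(tr -d '[:space:]' < "$path")
  case "$key" in
    tskey-*) ;;
    *) echo "refusing $path: content does not look like a Tailscale auth key" >&2; return 1 ;;
  esac
  printf '%s' "$key"
}

main() {
  key_file="$1"
  hostname="${2:-}"
  # Install only if missing; this is the same installer as in "The Short Answer".
  command -v tailscale >/dev/null 2>&1 || curl -fsSL https://tailscale.com/install.sh | sh
  key=$(load_auth_key "$key_file")
  # --auth-key replaces the interactive browser login; --hostname picks the MagicDNS name.
  if [ -n "$hostname" ]; then
    tailscale up --auth-key="$key" --hostname="$hostname"
  else
    tailscale up --auth-key="$key"
  fi
  # Nothing needs the key after enrollment; don't leave it lying around on disk.
  rm -f "$key_file"
  tailscale status
}

# Only act when given a key file; running without arguments does nothing.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

If the key was created with the admin console's pre-approved option, the device also skips the approval step described under Gotchas; otherwise approve it there once. Auth keys have an expiry set when they are generated, so generate one shortly before enrolling.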
Auth keys can be generated in the Tailscale admin console at login.tailscale.com > Settings > Keys. Useful for headless servers.

### 3. Enable MagicDNS
In the Tailscale admin console (login.tailscale.com), go to DNS and enable MagicDNS. This gives every device on your tailnet a stable hostname — usually machinename (short form) or machinename.tail-xxxxx.ts.net (full form).
Find your server's hostname:

```bash
tailscale status
```
The full MagicDNS name is more reliable across different network conditions. Use it in bookmarks and config files.
### 4. Verify Services Are Reachable Over the Tailnet

By default, Docker publishes container ports on all interfaces (0.0.0.0), which means they're already reachable over Tailscale once it's running. Verify this:

```bash
docker ps
```
You want to see 0.0.0.0:PORT->PORT/tcp. If you see 127.0.0.1:PORT instead, the service is bound to localhost only and won't be reachable over Tailscale. Fix it by removing the 127.0.0.1: prefix from the port mapping in your docker run command or compose file:
```yaml
# Bad — localhost only
ports:
  - "127.0.0.1:3000:8080"

# Good — reachable over tailnet
ports:
  - "3000:8080"
```
### 5. Fix Ollama (or Any Service That Binds to Localhost by Default)
Some services default to 127.0.0.1 and need an explicit override. Ollama on Windows is the main one I've hit:
Windows — set environment variable:
- Open System Properties > Advanced > Environment Variables
- Add System variable: OLLAMA_HOST = 0.0.0.0
- Restart the Ollama service (Task Manager > find Ollama > End Task, then relaunch)
Linux — override via systemd:
Add:

Verify it's listening correctly:
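Steps 4 and 5 (and the first gotcha below) come down to one question: which address is the service bound to? The script below is an added example, not from the original page, Docker or Ollama. It classifies listen addresses in the form `ss -tlnp` and `docker ps` print them, and writes the systemd drop-in for Ollama that the Linux step refers to. The unit name `ollama.service`, Ollama's port 11434 and the sample `ss` output are assumptions or constructed. One caveat the steps above gloss over: `0.0.0.0` means every interface, so a service bound that way is reachable from the home LAN (and any public interface the host has) as well as the tailnet; binding to the device's Tailscale IP keeps it tailnet-only, which is why the drop-in writer takes an address.

```shell
#!/bin/sh
# Audit which interfaces a service listens on, and write the systemd drop-in that moves
# Ollama off localhost. Added example, not from the original page, Docker or Ollama.
# Assumes the Ollama installer's unit name `ollama.service`, iproute2's `ss`, and
# that Ollama listens on its default port 11434.
set -eu

# Classify one listen address as printed by `ss -tlnp` (ADDR:PORT) or by
# `docker ps` (HOST_IP:HOST_PORT->CONTAINER_PORT/proto).
# Prints "<port> <scope> <host>", scope being loopback, all or specific.
bind_scope() {
  addr="${1%%->*}"          # drop docker's "->8080/tcp" suffix if present
  port="${addr##*:}"
  host="${addr%:*}"
  case "$host" in
    127.*|'[::1]'|::1|localhost) scope=loopback ;;   # unreachable over the tailnet
    0.0.0.0|'*'|'[::]'|::)       scope=all ;;        # every interface: tailnet, LAN, anything public
    *)                           scope=specific ;;   # one address, e.g. the Tailscale IP
  esac
  printf '%s %s %s\n' "$port" "$scope" "$host"
}

# Read `ss -tlnp` output on stdin and classify every listener on PORT.
audit_port() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }' |
  while IFS= read -r addr; do bind_scope "$addr"; done
}

# Write the drop-in that `systemctl edit ollama.service` would create. DIR defaults to
# the real drop-in directory; BIND defaults to 0.0.0.0 as in the steps above, but the
# device's Tailscale IP limits exposure to tailnet peers instead of the whole LAN.
write_ollama_dropin() {
  dir="${1:-/etc/systemd/system/ollama.service.d}"
  bind="${2:-0.0.0.0}"
  mkdir -p "$dir"
  printf '[Service]\nEnvironment="OLLAMA_HOST=%s"\n' "$bind" > "$dir/override.conf"
  printf '%s\n' "$dir/override.conf"
}

# Constructed `ss -tlnp` output standing in for a real server (not captured from one).
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:11434       0.0.0.0:*         users:(("ollama",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:3000          0.0.0.0:*         users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0      128    [::]:22               [::]:*            users:(("sshd",pid=601,fd=7))
LISTEN 0      4096   100.101.102.103:8096  0.0.0.0:*         users:(("jellyfin",pid=950,fd=12))'

if [ "${1:-}" = "--apply" ]; then
  # Real run: bind Ollama to the address given as $2 (or all interfaces), restart, re-check.
  conf=$(write_ollama_dropin "" "${2:-0.0.0.0}")
  echo "wrote $conf"
  systemctl daemon-reload && systemctl restart ollama
  ss -tlnp | audit_port 11434
else
  # Dry run on the constructed sample: 11434 is loopback-only, 3000 is on all interfaces.
  printf '%s\n' "$SS_SAMPLE" | audit_port 11434
  printf '%s\n' "$SS_SAMPLE" | audit_port 3000
fi
```

Run it without arguments to see the classification on the constructed sample, or `sudo ./bind-audit.sh --apply 100.101.102.103` (your own Tailscale IP from `tailscale status`) to write the drop-in, restart Ollama and re-check port 11434. The same idea applies to Docker: `ports: - "100.101.102.103:3000:8080"` (Docker's `HOST_IP:HOST_PORT:CONTAINER_PORT` form) publishes the port on the tailnet address only; the Tailscale interface must be up before the container starts or that bind fails.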
### 6. Check Windows Firewall (Windows Servers Only)
Tailscale marks its virtual adapter as a private network, so Windows Firewall usually allows it by default. If services are unreachable from client devices after setup, add inbound rules for the relevant ports on the Tailscale network adapter:
```powershell
# Example: allow Open WebUI through Windows Firewall, but only from tailnet addresses.
# 100.64.0.0/10 is the CGNAT block Tailscale assigns from, so the rule does not also
# open port 3000 to every other network the server is attached to.
New-NetFirewallRule -DisplayName "Open WebUI (Tailscale)" -Direction Inbound -Protocol TCP -LocalPort 3000 -RemoteAddress 100.64.0.0/10 -Action Allow
```
Check existing rules in: Windows Defender Firewall > Advanced Settings > Inbound Rules.
### 7. Set Up Browser Bookmarks on Client Devices
Create a bookmark folder for your self-hosted services using the full MagicDNS hostnames. Short names are convenient but less reliable across different network conditions.
| Service | URL |
|---|---|
| Open WebUI | http://yourserver.tail-xxxxx.ts.net:3000 |
| AnythingLLM | http://yourserver.tail-xxxxx.ts.net:3001 |
| SearXNG | http://yourserver.tail-xxxxx.ts.net:8080 |
| Jellyfin | http://yourserver.tail-xxxxx.ts.net:8096 |
Replace yourserver.tail-xxxxx.ts.net with your actual MagicDNS hostname from tailscale status.
### 8. Keep the Server Available
Remote access is only useful if the server is awake and Tailscale is running.
Disable sleep on the server (Windows):

- Settings > System > Power & Sleep > Sleep > Never (when plugged in)
- Screen can still turn off — only sleep matters
Verify Tailscale auto-starts (Windows PowerShell):
Verify Tailscale auto-starts (Linux):
## Gotchas & Notes

- Ollama and other non-Docker services often bind to localhost by default. Docker containers are usually fine since they bind to `0.0.0.0` out of the box. But native services need explicit configuration. Check with `ss -tlnp | grep PORT` on Linux or `netstat -an | findstr PORT` on Windows.
- Use the full `.ts.net` hostname in config files and bookmarks, not the short name. Short names work great on the same network but can fail in certain DNS resolution scenarios, especially on cellular or restrictive WiFi. The full hostname always resolves.
- iOS aggressively kills background apps including Tailscale. If you're losing connection on your iPhone or iPad on cellular, open Tailscale, tap Stay Connected, and in iOS Settings > Tailscale > enable Background App Refresh.
- New devices need approval in the admin console. When you add a device, check login.tailscale.com > Machines and approve it if it's sitting in a pending state. This only happens once per device.
- Tailscale IPs are in the `100.x.x.x` range — that's the Carrier-Grade NAT block (RFC 6598), not your home LAN. Don't confuse them. Your LAN is still `192.168.x.x` or `10.x.x.x`.
- If MagicDNS isn't resolving, confirm it's enabled in the admin console, then try the full `.ts.net` hostname. Last resort fallback: use the `100.x.x.x` Tailscale IP directly.
- For headless Linux servers, use an auth key for initial setup so you don't need a browser. Generate one in the admin console under Settings > Keys > Generate auth key.
## See Also
- [[searxng-self-hosted-setup]]
- [[docker-compose-patterns]]
- [[reverse-proxy-with-caddy]]
- [[ollama-local-inference-setup]]