Why I Regret Not Using Tailscale From the Start ("Click Here, Get Started in 5 Minutes!" Isn't Necessarily BS.)
Right, let’s be honest. We’ve all been there: staring glassy-eyed at the home router admin page at 2 a.m., trying to coax sense from a port forwarding rule while the hotel Wi-Fi wheezes like a pensioner with bronchitis. All I wanted was to stream Shrek 2 from my homelab in Georgia (listen, it’s a great movie, I won’t accept anyone’s judgment). What I got was a three-act tragedy in NAT traversal.
Then I found Tailscale. The regret was palpable. It was like realizing you’ve been paying for cable in 2025. This is going to read like an insane sponsored post, or some of that ridiculous guerrilla content marketing I’ve helped clients pay pennies for in the name of brand awareness, but I swear I’ve accidentally become one of those converts.
The False Confidence of Port Forwards
My homelab is a lovingly unstable cathedral of open-source chaos. Proxmox hums along, VMs and LXCs are stacked like Tupperware, Docker containers are buzzing, and Traefik heroically reverse-proxies everything from Jellyfin to Open WebUI. It’s all held together with YAML, hope, and the occasional sacrificial reboot. A lot of reboots. Before implementing my Traefik proxy and Tailscale on backhaul, I was… let’s say “committed” to pretty generous port forwarding. Jellyfin? Open up 8096. FileBrowser? Sure, port 80. What could possibly go wrong? Every new service was another firewall exception, another login page facing the entire internet with nothing but its own auth in front of it, and another way to ruin my weekend. I had diagrams. I had spreadsheets. I had anxiety. I still have at least one of those things.
The low point was trying to give a mate a peek at my local LLM setup. I wanted to impress him with Ollama and Open WebUI running on an LXC with GPU passthrough. Instead, I built a WireGuard tunnel in the LXC, forwarded the necessary port, routed traffic manually, and still ended up with a network stack that collapsed like a flan in a cupboard because I’m terrible at managing WireGuard. The demo worked fine, but it was one of those things that was entirely too much work to get to a half-decent solution for what is essentially an everyday problem. As a PM I see issues like that in the day-to-day and think “here’s where we apply a solutions-oriented fix to save us cost at scale”. At home? I think “eh… I’ve got free time! I’ll spend 3 hours messing with this, because why not?”
But you keep stacking those band-aids on the gaping wounds and it starts looking less like a functional systems stack and more like a patchwork quilt made from the refuse bin. I’d spent more time architecting the workaround than it would have taken to just fix the problem properly, and the WAF (Wife Approval Factor) was sharply tanking. That’s our main customer success metric around the house. Getting client buy-in is how we keep the lights on around here and afford fancy new monitors and cool hardware.
Enter Tailscale: The Mesh That Works Like Witchcraft
I finally gave in. I’d seen Tailscale mentioned on Reddit and Hacker News but had ignored it. “Real homelabbers write their own network overlays,” I told myself, like a fool.
The installation was frankly offensive in its simplicity:
curl -fsSL https://tailscale.com/install.sh | sh
Then tailscale up. Done. (Yes, that’s curl piped into sh. If that bothers you, and it should at least a little, download the script and read it first, or use the per-distro package repositories Tailscale publishes instead.)
Within minutes, everything—Proxmox, my LXCs, Docker containers—was on a magical mesh network that just worked. No NAT wrangling. No port forwards. Just devices talking to each other like reasonable adults. The moment of clarity came when I needed to SSH into an LXC not even directly reachable from its Proxmox host. I just used the Tailscale IP. No fiddling with virtual bridges. No tears. No shouting at iptables.
You have to then take it to the second order. Traefik is an incredible reverse proxy, but the way I was using it, it was kind of an afterthought, since my systems moved around so much (virtually, that is) and committing to a deployment pattern was a pain in the ass. Now? Every system has its own Tailscale hostname, distributed throughout the tailnet by Tailscale’s DNS, and the cdm2-proxy LXC can forward traffic along to cdm2-jellyfin, or to cdm2-authentication, which lives in an Oracle Cloud Infrastructure VM somewhere in Virginia and runs my Pocket-ID instance. Everything on the tailnet uses cdm2-adguard as its DNS, which lives in an AWS EC2 VM in Ohio, and if the “location” of a service or VM changes it doesn’t matter. Spin up the same docker-compose it had before, make sure it’s got the same Tailscale hostname, and it’ll be back online in seconds wherever it ‘comes online’. It’s kinda genius.
Don’t even get me started on exit nodes. They completely obviate my need for hacky custom VPN solutions to ensure my traffic isn’t snooped on when using sketchy public WiFi. It’s just ridiculous how easy this all became overnight.
The Immich Incident (Not a Tom Clancy Novel)
No tech rollout is complete without a reality check from my wife’s iPhone. Immich’s client (and server, frankly) have always been temperamental on iOS. Sometimes it worked; sometimes I got the dreaded “Honey, it’s broken again” message.
Post-Tailscale? I installed the app, logged her in via SSO, and sent her on her way. Silence. Then a text: “It’s working now. Did you do something?” “Yes. Magic.”
That was it. No more WireGuard client hackery, no more DNS fiddling, no more pretending I knew how to make Apple’s networking stack behave. Just peace.
Lessons from the Mesh
What did I learn? That cleverness is no substitute for sanity. Just because you can do something manually doesn’t mean you should. And maybe, just maybe, the free tool with the “get started in 5 minutes” banner isn’t lying. The marketer in me is stunned. The PM in me is amazed. The skeptic in me is really, really upset because he’s running out of excuses to believe the world is broken.
Tailscale isn’t just a VPN. It’s an overlay network that makes your devices behave like they’re in the same room, even if one is in a rack, another is a Raspberry Pi taped behind a couch, and the third is your wife’s phone on LTE in a Target parking lot.
My only regret is not starting sooner. That, and thinking I could outwit decades of networking protocols with nothing but bravado, iptables, lots of futzing with ip addr show and netmanager, and a ton of Google searches. Next up is using ACLs to tighten things down and experimenting with subnet routers. And, if I’m honest, finding new ways to justify this whole homelab endeavor to myself… more than I already have, of course.
But hey, at least now my phone can ping my fridge over Tailscale from the cruise ship. God help us all.
So I went out of my way to NOT link to Tailscale in this article, even though it’s clearly what the whole post is about, specifically BECAUSE I don’t want to be this mushy and also be a traffic vector for them. If you want to check them out you can Google it, and everyone who is anyone in the tech world these days knows exactly what Tailscale is about. But I thought this would be a nice way to set a level. What we’re doing here isn’t necessarily anything groundbreaking: it’s taking stuff that needed cleaner, simpler, “it just works” solutions and applying it as needed. No more forcing the square peg in the round hole and saying “it’s working, back away slowly and don’t touch it”.
At least that’s my new mantra. Let’s see how it goes.