Between their FOSS nature, better privacy, and superior security, there are plenty of reasons to love self-hosted services. These days, it’s possible to find local apps for practically every task – be it online collaboration, smart home organization, office work, or media management. In fact, I’ve been using containerized applications for my everyday tasks ever since I built my home lab, and I have no intention of going back to privacy-intrusive cloud platforms – at least, for the most part.

Truth be told, there’s one utility that technically relies on external, third-party servers instead of private hardware. But it’s so deeply intertwined with my home lab that I refuse to get rid of it. The app I’m talking about is Tailscale, a mesh VPN service that’s my preferred method for remotely accessing my servers from external networks.

CGNAT makes port-forwarding a nightmare

So, I can't rely on self-hosted VPNs

Port-forwarding is something you’ll encounter when trying to expose services to anything outside a LAN, and using it in tandem with a locally-hosted VPN server provides a safe method for accessing sensitive devices like NAS and server rigs over remote connections.

Considering that I often tinker with weird services, running my own VPN should sound like a piece of cake, right? Unfortunately, my ISP locks my network behind CGNAT. For the lucky folks who never had to deal with this malady, CGNAT (Carrier-Grade NAT) is a technique ISPs use to share a single public IP address among many subscribers. Because of this, the ISP's NAT has no way of matching an unsolicited inbound connection to my LAN in particular, which leaves port-forwarding, and by extension locally-hosted VPNs, out of the picture.

Free VPS providers have their own drawbacks

A slightly more complex workaround to my port-forwarding conundrum involves using a Virtual Private Server. Essentially, I could lease a VPS from a cloud provider, arm it with WireGuard, and use it to create a private tunnel to my home network – one that I can access remotely from any device.

Unfortunately, I’ve got a couple of issues with this setup. Cloud providers do offer cheaper plans for their VPS platforms, but my broke self refuses to spend extra money on paid subscriptions. Technically, there are free platforms out there as well, which offer a lightweight VPS without charging any monetary fees. However, none of the platforms I’ve tried so far delivers the same no-strings-attached experience as Tailscale.

Some try to get my address and mobile number at the end of the registration process, while others go so far as requiring me to enter a credit card number just to get the free plan. Heck, some of the popular options aren’t even available in my region.

Tailscale is the antidote to my remote access woes

It works with every server platform in my arsenal

Although Tailscale (not to be confused with Headscale) leverages the company’s relay nodes to establish connections between my nodes, it’s different from any workaround I’ve tried so far. The registration process just requires an email account, and doesn’t constantly pester me to add my contact information or credit card details.

Speaking of pricing, Tailscale also has premium subscriptions like other third-party services. The difference is that the average home labber wouldn’t really need them. The free version supports up to 100 devices and 3 users, which is more than enough when you just want to use VMs, containers, and virtualization platforms remotely, and you get the essential access control options inside the Tailscale control plane without shelling out money to the company.

In fact, despite hooking my workstation nodes (including a high-availability cluster), NAS rigs (with a remote storage server), and daily driver PC, MacBook, and smartphone up to Tailscale, I’ve yet to meet even a fraction of the max device capacity for the free plan. Better yet, Tailscale is extremely easy to configure and works with every system in my home lab – regardless of how obscure its underlying distro may be.

Tailscale Lock makes my setup even more secure

If you’re as privacy and security-conscious as I am, you may have realized the biggest loophole of a typical Tailscale setup. A hacker could technically gain access to my login credentials, place their own node in my Tailnet, and use it to remotely access my home lab. Worse, since the platform relies on company servers to establish connections between my nodes, the malicious actor could easily bypass security on the server or siphon my account info from the company’s database.

Luckily, Tailscale has a couple of security provisions to avoid a problem of this caliber. Multi-factor authentication works as a solid deterrent, while hardened access rules ensure no hacker can use compromised server nodes in my home lab to tamper with the rest of the devices. But the real game changer is Tailscale Lock. Rather than allowing any system with my credentials to add itself to my Tailnet, Tailscale Lock allows only trusted nodes to approve new devices.
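To make the "hardened access rules" idea concrete, here is an added example of a Tailscale ACL policy (constructed for this post, not the author's own tailnet configuration); the tag names and the NAS ports are assumed. Tailscale denies everything not explicitly accepted, so the point is what is left out: no rule lets a server talk to another server or to personal devices.

```hujson
{
  // Constructed example policy; tag names are assumptions, not from the article.
  "tagOwners": {
    "tag:server": ["autogroup:admin"],
    "tag:nas": ["autogroup:admin"],
  },
  "acls": [
    // Users' own (untagged) devices may reach every server and NAS.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:*", "tag:nas:*"]},
    // Servers may reach the NAS only on SMB/NFS (assumed ports), nothing else.
    {"action": "accept", "src": ["tag:server"], "dst": ["tag:nas:445,2049"]},
    // No server-to-server or server-to-member rule exists, so a compromised
    // server node cannot pivot to the rest of the tailnet (default deny).
  ],
  "ssh": [
    // Tailscale SSH into servers only from members' devices, as a non-root user,
    // with "check" mode forcing a fresh identity-provider login per session.
    {"action": "check", "src": ["autogroup:member"], "dst": ["tag:server"], "users": ["autogroup:nonroot"]},
  ],
}
```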