Tailscale might be known for remote access with TLS baked in, but it can be so much more. The software-defined networking system the developers have built enables easy management and hardware-agnostic networking that's secure, scalable, and superb.

I've been using it more and more in my home lab to keep experiments off my home network, enabling me to concentrate on what's in my containers rather than on the connectivity between them. But adding a few community-created extensions and tools to the mix made managing my container stacks so much easier.

Tailscale's biggest strength is the community

There are a ton of cool projects built around this amazing tool

While the main app is incredible on its own, the Tailscale Community Projects pages make Tailscale even better. You could replace MagicDNS with your own DNS stack built on CoreDNS if you have specific needs, visualize your traffic flows across your tailnets, view ACL rules in a visual map, and more.

But these aren't the extensions and tools that I'm most excited about, because I've found a way to manage my home lab container stack that requires little intervention and brings big rewards.

Tailscale, with a couple of extensions, was just what my home lab needed

Secure remote access for my container stack with minimal setup

The first community project I want to focus on is ScaleTail. This repository has dozens of examples of setting up Tailscale as a sidecar with Docker containers, so that they're instantly ingested into your tailnet. That makes those services secure by design, as they can only be accessed by devices on your tailnet. It also means networking is handled without needing firewall rules, port forwards, a domain name with associated DNS records, or other annoyances.

I've got AdGuard Home running on my tailnet for DNS-level blocking, but I have two instances synced with AdGuardHome Sync, and all three tools are connected via Tailscale. Jellyfin is connected, so anyone on my tailnet can access it wherever they are, as is Immich for image storage.

I also have some containers that are accessed via Traefik, with Tailscale being used in network_mode: service:tailscale mode, which secures the dashboard and routing of the Traefik instance via my tailnet. Note that, unlike the sidecars, this doesn't put individual services onto the tailnet, which lets me learn about how Traefik works while keeping those services behind Tailscale ACLs. Some of these have additional identity management baked in, and I like that I can secure them all from one point, so nobody else on the tailnet can see them.
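The sidecar pattern described above, sketched as a Compose file. This is an added example, not taken from ScaleTail or from my own stack; the node name, the tag:container tag, the local paths and the choice of Jellyfin as the attached service are assumptions for illustration.

```yaml
# Added example (constructed): one Tailscale sidecar plus one service that
# shares its network namespace, so the service is reachable only via the tailnet.
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: jellyfin                  # assumed node name shown in the tailnet
    environment:
      # Auth key comes from the shell or an untracked .env file, never from this file.
      - TS_AUTHKEY=${TS_AUTHKEY}
      # Persist node state so a restart does not register a new device.
      - TS_STATE_DIR=/var/lib/tailscale
      # Use the kernel TUN device mapped in below instead of userspace networking.
      - TS_USERSPACE=false
      # Assumed tag; it must be defined in the tailnet policy so ACLs can target it.
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
    volumes:
      - ./ts-state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    # Deliberately no "ports:" section: nothing is published on the host or LAN.

  jellyfin:
    image: jellyfin/jellyfin:latest
    # Join the sidecar's network namespace; the service has no network of its own
    # and cannot declare ports or a hostname while this mode is set.
    network_mode: service:tailscale
    depends_on:
      - tailscale
    volumes:
      - ./jellyfin-config:/config
    restart: unless-stopped
```

Who can reach the node is then decided by the tailnet ACLs for that tag rather than by host firewall rules or port forwards.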

Utilizing existing services for notifications

One of the things I like to do, wherever possible, is reuse existing tools for monitoring purposes. After all, I'm already running Home Assistant 24/7 on my home server and on my cellphones, so why not use that for notifications if my tailnet devices have issues? The Tailscale integration for Home Assistant doesn't provide connectivity to my tailnet, but what it does bring to the table is more useful.

It adds sensors for monitoring my tailnet, and every node, device, and service attached to it. If you can see where I'm going with this, you know how powerful that functionality is. Once my containers are attached to my tailnet with sidecars, they're all available to use for HA automations or notifications if those containers go down.

And because the Tailscale API is polled every minute, HA notifications often reach me before I realize something has gone wrong with a container. Then I can check LoggiFly's notifications stack, which will tell me exactly what's wrong with the container, aside from it being dropped off the tailnet.

 
But I can go further than that, and use these new sensors to automate backup schedules based on whether those containers are running, or turn off my host device when I'm not likely to be using it. Home Assistant is a powerful platform for automation, and I've got plans to expand things to include actionable notifications, so I could tap a button on the notification to restart the misbehaving container, or open Portainer in my browser to take care of it manually.

Tailscale is more than a remote access tool

I started out using Tailscale as a remote overlay network because that's its main selling point. But it's so much more than that, and having a software-defined network that works wherever the hardware I've approved is plugged in is nothing short of magical, after a lifetime of struggling with manually-defined networks and subpar VPNs.

Now I use it to set up separate networks for my home lab experiments so that they can talk to each other but not to the rest of my network, without having to mess with firewall and VLAN rules. I also like that it doesn't require constant upkeep once the machines or services are added, and I can limit their access to the network and the wider internet with a few clicks in the admin panel. It gets even better when you add some of the excellent add-ons, extensions, and tools that the community has designed to work with Tailscale, and you should check whether any of them work for your setup.