I consider my dashboards, monitoring agents, and notification services an essential part of my home lab management stack, but if I had to pick one app I’d never ditch, it has to be Tailscale. Leaving the irony of using a service that relies on external servers aside, Tailscale is by far the easiest way to access my home lab from remote networks, and it’s the reason I was able to get a 3-2-1 backup workflow up and running for my NAS and PBS rigs.
So, when I heard Tailscale was changing its pricing policy, alarm bells started echoing through my head. After all, I’ve seen useful apps devolve into an enshittified mess of paywalled features more times than I can count, and most of these changes were brought forth by changes in the pricing tiers. Fortunately, my worries soon turned into joy when I read through the official documentation, as the talented folks at Tailscale have added even more features to the free tier with the new pricing update.
Tailscale now supports up to six users on the free plan
That’s fantastic for sharing your self-hosted arsenal with folks on external networks
If you’re out of the loop, Tailscale used to support a maximum of three users per tailnet on the free license. That’s not really a problem when you’ve got half your family living in the same house as I do. But when it comes to allowing friends and users on remote networks to access your self-hosted stack, the three-member limit was a bit of an issue, as you could only expose your tailnet to two other users besides your own admin account. Technically, shared accounts could serve as a workaround, but you’ll have to contend with the privacy issue of such a setup, especially when you want a bunch of people accessing the same set of services.
However, the pricing update upped the max user limit to a total of six accounts per tailnet. That way, you can have five other accounts accessing your tailnet, which is a decent number if you need to let multiple households access your FOSS application stack. It’s not a lot by any means, but five additional users are more than enough when you're looking to share your home lab stack with close friends and family.
Just remember to modify your ACL rules
After all, other people are the biggest security vulnerability in a home lab
Although my home lab experiments tend to be the biggest culprit behind broken services, there’s a huge difference between the controlled chaos caused by botched projects and the random errors other people can cause if they were to gain access to my server nodes. Not only that, letting external users get close to my management tools is a terrible idea from a security standpoint, as they may unknowingly expose my network stack to malicious entities prancing around on the Internet.
On Tailscale, it’s possible to grant member roles to other users, so they don’t modify the tailnet settings. But I recommend fine-tuning the ACL rules as well. I’ve set up different tags for the virtual guests and machines I want to share with other users, but kept a deny-by-default scheme for ACL rules. Then, I manually added the systems I want these users to access in the ACLs, which admittedly took a while to configure properly. I’ve also disabled SSH access for all accounts besides my own to further secure my systems.
The device limit has also been upped a whole notch
So, you don’t need to stick to subnet routers (but they’re still pretty useful)
Besides the new max user limit, Tailscale’s free plan has removed the 100 device cap, meaning you can add unlimited systems, virtual machines, containers, and everything in between to your tailnet. That’s a huge development, as you can add individual server nodes and even VMs that you want to share with other users to your tailnet, and tweak the ACL rules to let them access only those systems.
Although I never managed to hit close to the max device limit, the 100 system cap was one of the reasons I’d set up a subnet router on my home network. But even with the limit removed, I’d still keep it on my server, partly because a single subnet router makes my device list more organized, and also because I don’t want to configure Tailscale on every virtual guest on my LAN. However, I’ve modified my subnet router to only accept connections from my account, so the other members of my tailnet don’t go around poking their heads into my virtualization platforms or admin platforms.
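The tag-based, deny-by-default sharing scheme and the owner-only subnet router described above can be checked mechanically. The following is an added example, not my actual policy or anything from Tailscale: the account names, the tag:shared tag and the ports are constructed placeholders, and the check is simplified in that it does not expand groups or host aliases.

```python
# Constructed sample policy in the shape of a Tailscale policy file.
# Account names, the tag and the ports are placeholders (assumptions).
OWNER = "owner@example.com"
POLICY = {
    "tagOwners": {"tag:shared": [OWNER]},
    "acls": [
        # Owner keeps full access, including routes behind the subnet router.
        {"action": "accept", "src": [OWNER], "dst": ["*:*"]},
        # Invited users reach only the tagged machines, on web ports.
        {"action": "accept",
         "src": ["friend1@example.com", "friend2@example.com"],
         "dst": ["tag:shared:80,443"]},
    ],
    # Tailscale SSH stays limited to the owner's account.
    "ssh": [{"action": "accept", "src": [OWNER], "dst": ["tag:shared"],
             "users": ["autogroup:nonroot"]}],
}

# Same policy with an allow-all rule appended, which undoes deny-by-default.
BAD_POLICY = dict(POLICY, acls=POLICY["acls"] + [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]}])


def audit(policy, owner):
    """Return findings where anyone but the owner gets more than shared tags."""
    shared = set(policy.get("tagOwners", {}))
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        others = [s for s in rule["src"] if s != owner]
        if not others:
            continue  # owner-only rule, nothing to check
        for dst in rule["dst"]:
            host = dst.rsplit(":", 1)[0]  # strip the trailing port list
            if host not in shared:
                findings.append(
                    f"acls[{i}]: {others} can reach {dst}, not a shared tag")
    for i, rule in enumerate(policy.get("ssh", [])):
        others = [s for s in rule["src"] if s != owner]
        if others:
            findings.append(f"ssh[{i}]: SSH allowed for {others}")
    return findings


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, audit(pol, OWNER) or "ok")
```

Because access that no rule accepts is denied, an empty findings list here means invited accounts can only reach the tagged machines, and LAN addresses behind the subnet router stay reachable from the owner's account alone.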
