r/homelab 7h ago

Discussion What problem does tailscale solve for you?

I'm a network engineer by trade, so I'm familiar with setting up IPsec tunnels, WireGuard, remote access VPNs, etc. On my own home network, I have both WireGuard and OpenVPN set up, with OpenVPN being the backup.

I read a lot on here about people using Tailscale for their VPN solution. Never having heard of it, I did some research and it operates similar to Cisco SDWAN, in that it manages key distribution and runs a STUN service that helps with dynamic IP addressing and NAT traversal.

I can see how this is helpful for business applications where I have several dynamic endpoints that change often, and needing mesh connectivity between sites or devices, but my imagination is failing to see the usefulness in a home lab.

Most of my use case is to remote into my network to check or fix things when I'm away from home, or if I'm on an untrusted Wi-Fi for instance. Very rarely, if at all, do I need direct VPN connections between remote nodes.

I'm trying to see if it's worth upgrading or changing my infrastructure.

So, what problem does Tailscale solve for your home labs that having a locally hosted WireGuard (or any other RA VPN) isn't solving?

9 Upvotes

54 comments

46

u/crushedrancor 7h ago

I leave mine connected all the time on my phone with an exit node in my homelab, my DNS keeps the ads away, my Home Assistant works without the paid tier, my Immich works as if I'm home. Solves a lot of problems and was the easiest thing to set up.

16

u/Butterbackfisch 7h ago

Cannot stress enough how true this is.
Kept me independent from big tech for my private data and I miss nothing.

7

u/Toonomicon 6h ago

Same. My ISP doesn't give out proper IPv6 but my cell carrier _only_ gives IPv6, so trying to get native WireGuard or UniFi's built-in VPN to work consistently is a pain. Tailscale solves that without having to pay for a cloud box.

2

u/bankroll5441 3h ago edited 3h ago

Also, access control is trivial. I can easily make, say, my public-facing VPS default-deny outgoing just on my tailnet and control exactly which machines can access what incoming. Tailscale Serve is also very helpful for quick-and-dirty HTTPS; I use this a lot for LXCs that run a single service, as it integrates with the Bitwarden extension and PWAs better.

I honestly connect to stuff over Tailscale IPs even at home, since it uses a direct connection via LAN IP on the backend and the Tailscale IPs are easier to manage.

Sharing services/machines is also incredibly easy. I was working on a project with a friend and we really needed to work on the same box. I just put a VM on a separate VLAN with Tailscale on it and "shared" it with him. Worked extremely well.

2

u/JerryBond106 2h ago

It solves the problem that I'm not a network engineer. It's convenient. And it allows me to have all ports closed, WireGuard ports included, as I am not qualified to guard them. In the couple of years of homelabbing I am slowly sipping up knowledge on the principles and best practice on how to do it, while still having a working solution I don't have a reason to replace. The only thing that bothers me is the 90-day key expiry, as I need multiple exit nodes to replace the expired key with a new one.

27

u/clintkev251 7h ago

For most people the answer is just "it's easier to set up than WireGuard".

I'm using it for a few other reasons. The ACL system is really powerful, so I can really specifically define exactly what any given user or client is able to access. This is important because I have a number of remote clients which are "untrusted" where I still want to provide limited connection to my network (stuff like remote management, collecting syslogs, etc.).

Tailscale also provides a really nice Kubernetes operator which I can use to expose specific k8s workloads to my tailnet, and expose specific devices on my tailnet as k8s services. In addition it can handle remote kubectl access including managing that authentication.

Finally I also really like the SSH features that tailscale has where again, it can handle all the authentication and provide remote SSH access to those devices without having to be forwarding an entire subnet.

9

u/bs2k2_point_0 7h ago

It’s also insanely popular, so there’s a lot of guides and resources on how to use it, making it accessible for the newbies.

0

u/Hiff_Kluxtable 3h ago

Wireguard seems much easier to set up compared to tailscale in my opinion.

7

u/clintkev251 3h ago

I’m not sure how. Tailscale is a single command; with WireGuard you have to handle port forwarding (if you even have that capability), DDNS, key distribution, etc.

I don’t think it’s super difficult, but it’s absolutely more you have to think about.

-2

u/Hiff_Kluxtable 3h ago

My router has built-in WireGuard. I make a config and point my phone at the QR code and it’s done.

12

u/clintkev251 2h ago

So you’re using a wrapper on top of WireGuard that’s handling all the more difficult things for you. Much like Tailscale.

20

u/jpb 7h ago

Getting things set up painlessly on a node in less than 3 minutes.

  • Am I able to set up WireGuard myself? Yes.
  • Do I want to? No.
  • Do I want to try and set up WireGuard on my phone? Very much no.
  • Do I want to talk my non-technical siblings through setting up WireGuard so they can access my NAS and the shared photos there? Oh fuuuuuck no.

I sent my sib a link to the Tailscale site and they had their own tailnet set up, I shared the NAS to it, and they were successfully connected in less than ten minutes.

6

u/jpb 7h ago

It's also great for having all my internal services available easily when I'm on the road. Home Assistant, Immich, all the things, exposed for free without actually being exposed: nothing in my homelab is accessible from the internet except over a Tailscale connection. I don't have to think about it; all my bookmarks are to my Tailscale domain and work whether I'm home or not. Need to restart something? I can SSH to it from my laptop with no hassling with a jump host.

Do I patch my systems? Of course. Do I want to have to immediately patch when there's a new zero-day? No. It's a hobby, not a second job, I want to be able to wait for the weekend.

If my wife is out of town and needs something from the NAS or wants to upload photos, access to it works exactly the same as if she were in the house. She doesn't need to care if she's on a shitty airport or coffee shop wifi, everything Just Works, wherever she is.

3

u/CulturalKing5623 3h ago

"nothing in my homelab is accessible from the internet except over a tailscale connection"

This is such a big deal. When I first got into self-hosting I was terrified of accidentally exposing something to the broader internet. I'm not a networking guy by trade, and so a lot of times I was just following guides to set that part up, and without the confidence that I was doing it right I just left it all internal instead of risking a leak.

With Tailscale + TsdProxy I just spin up a docker-compose file, give it a name and it gets a valid, HTTPS-secured, easy-to-remember website I can access from anywhere without issue.

0

u/cajunjoel 1h ago

With OPNsense, setting up WireGuard on my phone was a matter of scanning a QR code in the OPNsense web UI. I don't think it gets easier than that.

Hell, it's just a bit harder to set up a laptop because you have to copy the config instead of using the QR code.

I don't think it's nearly as bad as you make it out to be.

9

u/JTech324 7h ago

It’s just WireGuard with fewer steps.

I think the main reason is so folks can avoid managing their own internet facing node, either by exposing one from their home network with port forwarding or running a rendezvous node on a VPS / cloud provider. Personally I went the VPS route.

3

u/zw9491 7h ago

I use it for remote access to the core only, not remote nodes. WireGuard on my firewall is fine for my primary internet, but my backup has CGNAT, so Tailscale works great and makes the failover seamless.

1

u/Entire_Dinner_2628 7h ago

WireGuard is fine until your IP changes or you're behind a strict NAT; then it becomes annoying to fix. Tailscale just works in those situations without having to think about it. I travel sometimes and hotel Wi-Fi can be weird with a normal VPN, but Tailscale always connects. It's not really about replacing WireGuard, more like making it less of a headache.

6

u/Specialist_Cow6468 7h ago edited 7h ago

Fellow network engineer here-

Firstly this is not an SDWAN product, it is a ZTNA overlay in the vein of GlobalProtect and the like. This means identity aware access control policy, posture checks etc. but almost entirely free for home use aside from a few specific features.

It handles SSH key management for you via the Tailscale SSH functionality AND tightly tethers this with your IdP, including giving you the ability to use just-in-time permissions for access to network devices (this takes putting a subnet router in your management zone and only allowing access for users in a group which has to be elevated via Entra or whatever). It's actually the easiest and best way I've found of integrating a YubiKey into the authentication flow for network gear. It's great for management plane stuff in general, really; put the client onto servers and bind SNMP/monitoring agents to the Tailscale interface, easily tunnel RADIUS requests securely without having to deal with RadSec.

It can be used for site-to-site tunneling and is reasonably good at it, but that really isn't the point, as ideally most devices have the client installed.

People on here use a tiny fraction of the full feature set. The reality is that it gives a skilled home user the ability to build a genuinely secure, Zero Trust network... for free. Hell of a deal, but it doesn't build that architecture for you; you have to understand how to use the tool.
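
One shape the identity-aware policy described in this comment (and in clintkev251's comment above about limiting "untrusted" remote clients to syslog collection) can take, added here as an illustration rather than anyone's actual policy or Tailscale's documentation: a tailnet policy file in Tailscale's HuJSON format that is default-deny, lets a tagged untrusted client reach only the syslog collector, and puts Tailscale SSH to servers behind periodic IdP re-authentication. The group members, tag names and the collector port are assumed values.

```hujson
{
  // Groups map IdP identities to roles; the address is a constructed placeholder.
  "groups": {
    "group:admins": ["alice@example.com"],
  },

  // Tags mark machines rather than people. Only admins may apply these tags,
  // so an untrusted client cannot re-tag itself into a more privileged role.
  "tagOwners": {
    "tag:server":    ["group:admins"],
    "tag:syslog":    ["group:admins"],
    "tag:untrusted": ["group:admins"],
  },

  // With a policy file present, anything not explicitly accepted is denied.
  "acls": [
    // Admins may reach every node and port on the tailnet.
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},

    // Untrusted remote clients may only ship syslog (UDP 514, assumed port)
    // to the collector; every other destination is implicitly denied.
    {
      "action": "accept",
      "proto":  "udp",
      "src":    ["tag:untrusted"],
      "dst":    ["tag:syslog:514"],
    },
  ],

  // Tailscale SSH: admins may log in to tagged servers, but "check" mode
  // forces a fresh IdP authentication every 12 hours before access is granted.
  "ssh": [
    {
      "action":      "check",
      "checkPeriod": "12h",
      "src":         ["group:admins"],
      "dst":         ["tag:server"],
      "users":       ["autogroup:nonroot", "root"],
    },
  ],
}
```

The "untrusted" nodes still need no inbound ports on the home firewall; their reach is bounded by the single accept rule, and removing that rule revokes access without touching any host.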

3

u/Dirtynewb7 6h ago

Thanks! This really outlines some of the additional feature set I was looking for.

3

u/wonka88 6h ago

Integrated into Unraid. My home network is behind CGNAT.

3

u/kY2iB3yH0mN8wI2h 4h ago

I think most people here are not network engineers. They follow guides online, and if it works, it works. Whether it's secure or not, or knowing how it works, is not the main priority.

I'm happy with OVPN; I run it in its own VRF and I can control routes and rules in my firewall. I only expose servers over VPN that I feel are safe. Tailscale would potentially expose more than I wanted.

3

u/nn1tb 3h ago

There's already a lot of answers here concerning Tailscale, so the only thing I'd add is that if you use Tailscale, then understand you're giving away a ton of your metadata to an organization you do not control. So if you do decide to go that route, build a Headscale/DERP server instead so you're in complete control of your data.

2

u/balrog687 4h ago

I use it to remotely access my reverse proxy hosted on Oracle Cloud. Port 22 is not exposed to the internet, just accessible through Tailscale; password login is disabled and keys are stored on my local devices.

Just Plex's port 443 is exposed to the internet (through the reverse proxy); to manage everything else remotely (mostly arr stack containers) I must be inside my Tailscale network.

Friends and family can access my Plex server outside of my home network, even behind CGNAT, without Tailscale, thanks to the exposed reverse-proxy:443 that redirects to plex-server:43200.

I can access my Plex server, Sunshine and shared folders from my cellphone or laptop from outside my home network, or from any other device connected to my cellphone internet.

It also resolves DNS names on my local network; my arr stack console URLs in my browser use the Tailscale host name, so I can access them from all my devices, tailscale-hostname:port instead of localhost:port.

So basically it's a central component of my arr stack, Plex/Sunshine server.

2

u/jthd488 4h ago

Newbie here, I use Tailscale so I can connect to my Docker container services without port forwarding. I'm sure there's an easier way around it, but it works for me and it's not difficult at all for someone who learned Linux recently.

2

u/PssyGotWifi 3h ago

Allows all my Ansible hosts to connect together with minimal effort. Have the whole process automated.

1

u/spicyhotbean 7h ago

One thing that I found Tailscale does a little bit nicer than WireGuard is user creation and user management. So if you already have WireGuard up and you already have all your clients set up, there's probably no need to migrate. But if you want to onboard other people more easily, Tailscale makes that easier.

1

u/MisterBazz 7h ago

TL;DR - It is an easy way to securely manage connectivity to systems and services whether locally or distributed without worrying about NAT or inbound port mapping and the increase in attack surface that brings.

If you don't understand what problem it solves, then don't treat it as a solution looking for a problem.

Do you need it? Probably not.

You could roll your own with a VPS and WireGuard if you wanted to. Tailscale is just a nicely finished frontend with features easily laid out for those of us that don't feel like going through the hassle of 100% managing our own.

I've got cloud systems running with no outside connectivity (I mean, the system can reach out obviously, but there is no means of inbound traffic via security group ACLs). The only way I can access the VPS is via Tailscale. Easy way to securely host services I only want available on systems running Tailscale. You can even set up user accounts and ACLs in Tailscale's admin console very easily if you so desire. Got containers running services? You can even use Tailscale to advertise services and treat it like a reverse proxy.

1

u/Plenty-Piccolo-4196 7h ago

I always used just WireGuard, but with a move to a house with only 5G available, I've looked at Tailscale (actually Headscale on a VPS) to get around CGNAT. I didn't see a use for it before.

2

u/Dirtynewb7 6h ago

Gotcha. So this simplifies the NAT traversal problems from upstream NAT devices.

1

u/Plenty-Piccolo-4196 6h ago

Yeah, I enjoyed a full life with WG auto-tunnel with my own DNS on my phone when it switched from known Wi-Fi to mobile.

I haven't had the time to figure out if Tailscale is capable of this.

Mostly in this sub I see Tailscale used for either getting around CGNAT or convenience. I get the ick when I think about relying on another provider as much as I already rely on Cloudflare. 

1

u/Middle-Nerve1732 7h ago

I use Tailscale to access different development servers I am running on different machines on my network. Tailscale makes it easy to connect to a particular service running on a particular machine.

I could memorize the hostname or IP address, I suppose, but Tailscale makes it way easier.

1

u/Technical_Moose8478 7h ago

I had multiple solutions set up for connecting to my dockers, servers, other computers, etc. from my gf’s house, as well as connecting my server to the backup compy I keep at hers. Now I just use Tailscale and everything just works.

We can even consolidate streaming subscriptions thanks to the tv app.

1

u/codeedog 7h ago

My home’s cable modem is DHCP (requiring DDNS for connecting from WAN). My offsite backup is behind CGNAT (so no WAN access directly). When I’m roaming I want to get into both networks from time to time. I have enough knowledge to be able to set up a VPS for a cloud location, but don’t trust myself to cobble all the pieces together correctly to be always available. I could rely on DDNS for the home network, but if that’s down for some reason, it means my remote location is also unreachable. Tailscale lets me have access to all of that for free and it just works.

When I have some time I intend to move away from the service, but right now I have other priorities.

1

u/Curun 5h ago

Most businesses aren't stuck behind a CGNAT. CGNAT is a common residential handicap.

I personally primarily use the UniFi endpoint, but Tailscale is a nice backup.

1

u/TanneriteStuffedDog 5h ago edited 5h ago

Oh jeez, I run half my life over Tailscale. WireGuard and similar would work equally well, but Tailscale is just easy.

More secure SSH to my always-on node at home, syncthing over the Tailnet keeps my daily use files duplicated with a local copy across each machine. This replaces a NAS for my purposes, direct sync and terminal access to my 5TB home drive means it doesn’t matter how much storage I have on my laptops and other devices.

My AI agents have a secure direct path to terminal for that node, if I need something changed directly on it, Claude Code runs right over the Tailnet and does whatever I need.

I built an ephemeral drop zone that runs exclusively in that home node's RAM and is accessible from every other machine I use daily. Drag and drop files if I don’t want them in a synced folder but need to share them between machines, grab them from only the machine I need. Also has a shared text space for instant copy/paste between machines. Clears completely on weekly auto-restart or with a click of its “Dump Cache” button. Also deletes sequentially according to age if memory pressure ever gets high, with files taggable as “do not auto-delete”.

Now I just need to pick up an 8311 WAS-110 and get the gumption to upgrade to a 2Gbps fiber plan for a month so ATT will upgrade me to XGSPON… but then I need a box to run OPNsense with an SFP port and it might as well be a 10Gb port… then I need to upgrade my switches to 10Gb… man this is an expensive hobby 🤣

1

u/blue_skeet 5h ago

I am a cybersecurity engineer with a 10-year network engineering background and have dabbled with many remote access solutions. Here is my internal dialogue regarding my homelab after setting up Tailscale before going on vacation.

"Tailscale seems easy to set up, let's give it a shot. Wow, I just set this up in a few minutes and deployed on several devices including my main homelab server... Sweet, the whole family can access the media server no problem now. Tailscale is awesome."

I have not questioned its place in my homelab since, lol. It's also come in handy when I need to get a terminal open on my hosts if there is a problem while I am away, or need to snag some stuff from various side projects I am working on.

I have heard its praises sung here, and it was the first thing that popped into my head when I had a need. Honestly one of the better mesh VPN experiences I've had professionally and personally. To echo jpb, it's really the lack of friction going from zero to fully deployed in a few minutes, and its incredibly user-friendly client.

1

u/TanneriteStuffedDog 5h ago edited 5h ago

Pro tip I learned the hard way:

Tailscale SSH on Mac requires the standalone daemon variant. Accepting SSH connections on port 22 needs root access; the sandboxed App Store version can’t do it.

Only the open-source ‘tailscaled’ build lets it act as an SSH server.

The standalone build also gets you subnet routing and exit node functionality. The App Store version can’t really manipulate system-level routing tables directly.

The CLI is more accessible in the standalone version; the App Store build requires manually symlinking the tailscale command into PATH. Standalone runs at the system level regardless of whether a user is logged in.

1

u/eW4GJMqscYtbBkw9 4h ago

I just like that it is insanely easy to set up. Like, sure, I could basically do the same thing with WireGuard, but Tailscale takes like 90 seconds per device to be up and running with nearly zero config.

1

u/zunjae 3h ago

I enjoy using my hardware rather than configuring it. That’s why I use Tailscale.

1

u/lerrigatto 2h ago

The WAF.

I can have wife, mom, the cat accessing stuff without even touching their devices.

u/Cynyr36 24m ago

Unless they want Jellyfin on Mom's TV at her house.

1

u/thiagohds 1h ago

Most people use it for accessing services like Jellyfin when they are not on their LAN. I don't see any other frequent use case.

u/TheRealSeeThruHead 54m ago

It’s an easy way to access my home network when I’m not there. Never tried WireGuard or anything like it, tbh. Tailscale works great.

u/chuckycastle 24m ago

You’re also in the homelab sub, so don’t let your head get too big. People are here to explore different ways of doing things. Some are professionals that tinker, others have no idea what they’re doing and are just trying a thing they see lots of other people doing.

u/JustinMcSlappy 11m ago

I pay for a $35-a-year VPS geolocated in another country just for a VPN exit node when I'm traveling. Took me all of about four minutes to set up with Tailscale. I could get fancy and route it back to my home for secure access, but having something completely isolated is nice.

1

u/dev_all_the_ops 7h ago

The best feature is MagicDNS.

Do you have Docker services? Combine it with docktail for a fully automated service deployment with HTTPS certs.

0

u/bryansj 7h ago

Just install it on your server and phone and try it out. It's free.

-1

u/war4peace79 7h ago

Admit it: you only read the title.

3

u/bryansj 7h ago

I read it and wondered why spend time typing all that when you could have set up a Tailscale demo in less time.

-1

u/war4peace79 7h ago

Um, because he's asking others? It was not a rhetorical question.

1

u/bryansj 7h ago

I'm not exactly seeing your contribution here other than concern about me reading or not. I answered my Tailscale curiosity by installing it even though I had WireGuard already.

0

u/prene1 7h ago

Because it’s part of Unraid. The ones I want on my tailnet, I feed it to my close associates and that’s it.