What can you do with Tailscale?

I have been using Tailscale for nearly a year now. It handles my Time Machine backups, streams content from my media server, lets me SSH from my iPhone to my MacBook and connects my new gaming PC to my Minecraft server.

Using Tailscale as virtual Network and Transport Layers

I first configured a Minecraft server for some friends. It ran on an old Lenovo laptop with an Intel Core 2 Duo. I used a Dynamic DNS (DDNS) service supported by my TP-Link router so my friends could connect despite my shifting public IP, gave the laptop a static internal IP and port-forwarded to it from my family's budget TP-Link router. It was pretty janky, but it worked well enough and we had lots of good times on that setup.

Now, what are some of the problems here?

  1. I was exposing my home public IP to the internet via the DDNS service
  2. I had no way to implement access control to the server itself (the host, not the game; I could still whitelist or blacklist players)
  3. Network configuration on the TP-Link was click-ops, unintuitive, and my configuration was wholly undocumented

And now with Tailscale

I am now hosting my Minecraft server as a container on my Network Attached Storage device which is connected via Tailscale.

{
  "action": "accept",
  "src":    ["tag:clients-nas-minecraft"],
  "dst":    ["nas:2560"]
}

My ACL for the Minecraft service. Every client device carrying that tag can connect to the Minecraft port, and nothing else can: Tailscale's policy is default-deny, so the only traffic permitted is what an accept rule names. Note that nas is not the MagicDNS name here; ACLs match on addresses, tags, groups and users, so nas is an alias for the NAS's Tailscale IP defined in the policy's hosts section.

And that is it. It is THAT simple: my clients can just access it via nas.my-ts-namespace.ts.net:2560. I placed my Minecraft server and all client devices onto the same Tailscale network, created a tag for devices that should reach it and wrote a destination rule that allows that tag to connect to the server. No port forwarding, static IP or DDNS needed.

Why does this work?

Tailscale uses WireGuard, which operates at Layer 3 of the OSI model (the network layer). Translation: WireGuard encrypts and authenticates whole IP packets between peers identified by their public keys, so within the virtual network you work with ordinary IP addresses and ports. Tailscale builds the mesh on top of that: its coordination server hands every node a 100.x.y.z address and its peers' keys, handles NAT traversal so nodes can find each other, and distributes the ACL policy, which each node enforces in its own packet filter. The result is a software-defined mesh network in which you control which devices may talk to which at layers 3 and 4 (IP addresses and ports).

This means that to let devices connect to my Minecraft server, I just need to define a tag (tag:clients-nas-minecraft), assign that tag to the appropriate client devices and explicitly write a rule that allows that tag to reach my Minecraft server on the correct port.

This means I no longer expose any device publicly, I get access control at the device level, I can swap the server onto another machine by updating the host alias rather than touching any router, and I can cut off all access by removing the rule when I want to pause or terminate the service.
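The steps above, put together as a complete Tailscale policy file (HuJSON, which allows comments and trailing commas). This is an added example, not the author's actual policy: the admin e-mail and the 100.x.y.z address are constructed placeholders, and the extra ports in the tests section are only there to show what the policy denies.

```jsonc
{
  // Who may apply each tag. A tagged device is identified by its tag
  // rather than by the user who enrolled it.
  "tagOwners": {
    "tag:nas":                   ["admin@example.com"],  // assumed admin user
    "tag:clients-nas-minecraft": ["admin@example.com"],
  },

  // ACLs cannot reference MagicDNS names, so "nas" is an alias for the
  // NAS's Tailscale address (a constructed placeholder here).
  "hosts": {
    "nas": "100.101.102.103",
  },

  // Default-deny: anything not accepted below is dropped by the receiving
  // node's packet filter. This is the rule from the post.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:clients-nas-minecraft"],
      "dst":    ["nas:2560"],
    },
  ],

  // Assertions the admin console evaluates before the policy is saved;
  // the save is rejected if any of them fails.
  "tests": [
    {
      // Tagged clients reach the Minecraft port and nothing else on the NAS.
      "src":    "tag:clients-nas-minecraft",
      "accept": ["nas:2560"],
      "deny":   ["nas:22", "nas:445"],
    },
    {
      // Even the admin's own untagged devices are shut out until tagged.
      "src":  "admin@example.com",
      "deny": ["nas:2560"],
    },
  ],
}
```

The tests section is the part worth keeping: it turns "only tagged clients can reach the server" from an intention into something the console checks on every edit, so a later rule that accidentally opens nas:22 to the clients is caught before it is saved.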

Replacing static IPs with Domain names

You might have noticed earlier that the address for my Minecraft server is not an IP address but a domain name. Yes, every single device on your Tailscale network has its own unique fourth-level domain name. Rather than memorizing a bunch of IP addresses, you just need to remember the Tailscale hostname of the machine you want to connect to and type that in.

This feature is called MagicDNS and here is a quick overview of how it works (or just RTFM). Each tailnet is given a randomly generated third-level domain ending in ts.net, and each device becomes a fourth-level name under it. So if your randomly generated tailnet name is envious-wallaby, everything within your tailnet would end with envious-wallaby.ts.net and a sample machine would be named prawn-server.envious-wallaby.ts.net.

And you can use that name in place of the IP for all sorts of services. Here are just some that I use:

  • SSH from my iPhone into my Mac? - just use
    admin-thor@air-book.envious-wallaby.ts.net
  • Time Machine macOS backups? - just point to SMB at
    smb://prawn-server.envious-wallaby.ts.net
  • Stream content via Jellyfin to Infuse? - Just drop this as the URL
    prawn-server.envious-wallaby.ts.net:4200

Rapid fire round of other Tailscale Features

Subnet routers help you reach devices that cannot run Tailscale (think printers, coffee makers etc.) by having one Tailscale node advertise a LAN range on their behalf. I got it working but I did not have a use case for it.

Update in March 2025: Found a use case for subnet routers. Some iOS applications are affected by the App Transport Security feature and only work over HTTPS and local network IP ranges (I do not know why only my manga and music clients are affected, but not the others). I am using the subnet router feature to work around it. By pointing to my NAS's local IP, I am accessing my home network from my phone over Tailscale via my NAS and routing into my NAS, thus using a "local" 192.168.x.x IP to access my manga server over OPDS and whatever protocol Navidrome uses.
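The policy side of that workaround, as an added example rather than the author's own configuration. It assumes the LAN is 192.168.1.0/24, the NAS sits at 192.168.1.10, the phones carry an assumed tag:phones, and the two services listen on 443 and 4533 (Navidrome's default); all of those are assumptions.

```jsonc
{
  "tagOwners": {
    "tag:nas":    ["admin@example.com"],  // assumed admin user
    "tag:phones": ["admin@example.com"],
  },

  // A node tagged tag:nas may advertise this route without an admin
  // approving it in the console. The NAS still has to advertise it, e.g.
  // with `tailscale up --advertise-routes=192.168.1.0/24` after enabling
  // IP forwarding on the host.
  "autoApprovers": {
    "routes": {
      "192.168.1.0/24": ["tag:nas"],  // assumed LAN range
    },
  },

  // Subnet traffic is filtered like any other: open only the LAN addresses
  // and ports the phones actually need, not the whole /24.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:phones"],
      "dst":    ["192.168.1.10:443", "192.168.1.10:4533"],  // assumed ports
    },
  ],

  "tests": [
    {
      "src":    "tag:phones",
      "accept": ["192.168.1.10:443", "192.168.1.10:4533"],
      // The router's admin page and SSH on the NAS stay unreachable.
      "deny":   ["192.168.1.1:80", "192.168.1.10:22"],
    },
  ],
}
```

The point of scoping dst to two host:port pairs instead of 192.168.1.0/24:* is that the phone is now a path into the home LAN; an accept rule over the whole range would let a compromised phone reach everything the NAS can, including the router's admin interface.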

Exit nodes let me route all of my traffic through another node. It works well when I use a node with good upload speeds and high bandwidth, and is a little slow over a home connection.

Node sharing allows me to share just one machine to another tailnet. It works as advertised.

Other features I want to try soon

Tailscale SSH lets you authenticate SSH sessions with your existing Tailscale identity (the identity provider you log in to Tailscale with) instead of managing SSH keys, with access governed by the same policy file. It also supports session recording. Might try it someday.

Tailscale Funnel allows you to expose a single service to the public internet.

Tailscale TUI from Neuralink is an interactive CLI made with charmbracelet. It is not an official Tailscale client and yes, it is from that Neuralink.

Fin

Whether you are starting a small homelab or just want connectivity between your devices but are too into Linux for Apple's magic, Tailscale is a good place to start. Define your entire connectivity in software, and then slowly try out the other features.