Connect Your Home Network from Anywhere in the World with Raspberry Pi

Easily connect to your home network from anywhere using a Raspberry Pi and Tailscale. This guide provides step-by-step instructions to set up a secure VPN, allowing seamless access to your network on Android, Windows, Mac, and Linux devices.

If you’ve ever wanted to reach your home network while traveling (whether it’s your NAS, a self-hosted service, or just a connection you can trust on public Wi-Fi), you’ve probably considered a VPN. The traditional approach involves dynamic DNS, port forwarding, and managing your own certificates. It works, but it’s a headache, and exposing SSH or other services directly to the internet is a genuine security risk. Automated scanners find open ports within minutes.

Tailscale offers a cleaner path. Built on top of WireGuard — one of the most well-audited and efficient VPN protocols available — Tailscale creates an encrypted peer-to-peer mesh network called a “tailnet” between your devices. No ports need to be opened on your router, no firewall rules to manage, and no public-facing attack surface to worry about.

In this guide, we’ll turn a Raspberry Pi into a secure gateway to your home network. Once it’s set up, you’ll be able to access local devices and route your internet traffic through your home connection from anywhere in the world.

Which Raspberry Pi Should You Use?

Almost any Raspberry Pi can run Tailscale, but your experience will vary depending on the hardware:

  • Raspberry Pi 5 / 4 (Recommended): Dedicated gigabit Ethernet, a fast CPU, and plenty of RAM make these the right choice if you’re routing high-bandwidth traffic or serving multiple clients simultaneously.
  • Raspberry Pi 3 Model B+ / B: Handles SSH and moderate web traffic just fine. A solid choice if you already have one.
  • Raspberry Pi Zero 2 W / Zero W: Can work, but the Wi-Fi-only connectivity introduces latency and limits throughput. Fine for light use; not ideal for an always-on gateway.

Why Tailscale Makes Sense from a Security Standpoint

Tailscale isn’t just convenient — it’s well-architected from a security perspective. A few things worth understanding before you set it up:

  1. Zero exposed ports. Tailscale uses STUN and ICE techniques to establish direct encrypted connections between devices. Your router’s firewall stays completely closed to the outside world.
  2. End-to-end encryption via WireGuard. All traffic is encrypted between endpoints. Tailscale’s own control servers handle coordination, but they can’t decrypt your data.
  3. Identity-based authentication. Devices join your tailnet by authenticating through your existing identity provider — Google, GitHub, or Microsoft. Multi-factor authentication comes along for free.
  4. Granular access control. Tailscale’s ACLs let you define exactly which devices can talk to which. If a device gets compromised, it can’t freely reach everything else on your network.

Step 1: Install Tailscale on the Raspberry Pi

Start by making sure your Raspberry Pi is fully up to date. Connect via a local SSH session or directly, then run:

sudo apt-get update && sudo apt-get upgrade -y

Next, download and run the official Tailscale install script. It automatically detects your OS (Raspberry Pi OS is Debian-based) and sets up the package repository:

curl -fsSL https://tailscale.com/install.sh | sh

Once the installation finishes, bring Tailscale up:

sudo tailscale up

The terminal will display a login URL. Open it in a browser, authenticate with your account, and authorize the Raspberry Pi to join your tailnet. That’s it — your Pi is now connected.

Step 2: Verify the Connection

With Tailscale running, your Raspberry Pi gets a stable private IP address in the 100.64.0.0/10 range — Tailscale’s default CGNAT subnet. This address is consistent across reboots and doesn’t change even if your home IP does.

To find your Pi’s Tailscale IP:

tailscale ip -4

From any other device on your tailnet (with Tailscale installed), you can now SSH in securely:

ssh pi@<your-tailscale-ip>

If you’re running a newer version of Raspberry Pi OS, the pi user no longer exists by default; substitute whatever username you configured during setup.

Make sure Tailscale starts automatically on boot:

sudo systemctl enable --now tailscaled

You can verify it comes back up correctly with a quick reboot:

sudo reboot

Step 3: Turn the Pi into a Subnet Router

By default, Tailscale connects you directly to your Raspberry Pi. A subnet router goes a step further — it advertises your entire home LAN to your tailnet, so you can reach any device on that network (your NAS, smart home hub, a network printer) without needing Tailscale installed on each one.

Enable IP Forwarding

The Linux kernel needs IP forwarding turned on to route traffic between interfaces. Create a dedicated sysctl configuration file for this:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Find Your Local Subnet

Check your active network interface to identify your home subnet:

ip -4 addr show

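The inet line for your eth0 or wlan0 interface shows the Pi’s own address with its prefix length, for example 192.168.1.50/24. The subnet you’re looking for is the network that address belongs to, a range like 192.168.1.0/24 or 10.0.0.0/24.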

Tell Tailscale to make your home subnet accessible across your tailnet. Replace the IP range below with your actual subnet:

sudo tailscale up --advertise-routes=192.168.1.0/24
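
As an added example (not part of the original guide), this POSIX shell snippet derives the route to advertise from the interface list instead of reading it off by eye. It assumes the one-line output format of ip -4 -o addr show and the interface name tailscale0; the sample input is constructed, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: turn `ip -4 -o addr show` output into routes to advertise.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Host address with prefix -> network: 192.168.1.50/24 becomes 192.168.1.0/24.
network_of() (
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
  net=$(( $(ip_to_int "${1%/*}") & $mask ))
  echo "$(int_to_ip "$net")/$prefix"
)

# True only for RFC 1918 space: 10/8, 172.16/12 (top 12 bits = 2753),
# 192.168/16 (top 16 bits = 49320).
is_rfc1918() (
  n=$(ip_to_int "${1%/*}")
  [ $(( $n >> 24 )) -eq 10 ] || [ $(( $n >> 20 )) -eq 2753 ] || [ $(( $n >> 16 )) -eq 49320 ]
)

# Reads `ip -4 -o addr show` on stdin, prints one route per LAN interface.
# Loopback, the Tailscale interface and non-private ranges are skipped.
lan_routes() {
  while read -r _idx ifname _family cidr _rest; do
    case "$ifname" in lo|tailscale0) continue ;; esac
    is_rfc1918 "$cidr" || continue
    network_of "$cidr"
  done | sort -u
}

# Constructed sample input (not captured from a real Pi).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global dynamic eth0
3: tailscale0    inet 100.101.102.103/32 scope global tailscale0'

printf '%s\n' "$SAMPLE" | lan_routes   # on the Pi: ip -4 -o addr show | lan_routes
```

Other private interfaces, such as container bridges, also pass the RFC 1918 check, so review the list before passing a range to --advertise-routes.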

Approve the Route in the Admin Console

Advertising a route doesn’t activate it automatically — Tailscale requires you to explicitly authorize it as a security measure.

  1. Log in to the Tailscale Admin Console.
  2. Find your Raspberry Pi in the machine list.
  3. Click the three-dot menu next to it and select Edit route settings.
  4. Under Subnet routes, check the box for your subnet and click Save.

Tailscale handles Source NAT (SNAT) automatically, so you don’t need to touch iptables or set up masquerading manually.


Step 4: Set Up an Exit Node

A subnet router gives you access to your home network. An exit node goes one step further — it routes all of your device’s internet traffic through the Raspberry Pi. This is particularly useful when you’re on untrusted public Wi-Fi, like at a coffee shop or hotel. Your traffic is encrypted back to your home connection, shielding it from local eavesdropping and man-in-the-middle attacks.

Run this on the Raspberry Pi:

sudo tailscale up --advertise-exit-node

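If you want the Pi to act as both a subnet router and an exit node at the same time, which is the case if you completed Step 3, combine the flags. tailscale up expects every non-default setting to be restated, so the exit-node flag on its own is rejected once a route is already being advertised: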

sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node

Approve It in the Admin Console

  1. Open the Tailscale Admin Console.
  2. Locate your Raspberry Pi, click the three-dot menu, and select Edit route settings.
  3. Under Exit node, check the authorization box and click Save.

Step 5: Harden the Setup

Your Raspberry Pi is now a gateway to your home network. That makes it worth a few minutes of hardening.

Use Tailscale SSH

Instead of managing SSH keys yourself or relying on traditional key-based auth, you can let Tailscale handle it. Tailscale SSH ties authentication to your Tailscale identity and ACLs, and it eliminates the need to expose port 22 anywhere.

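Enable it with the --ssh flag. Use tailscale set here rather than tailscale up: tailscale up expects the route and exit-node flags from the earlier steps to be repeated, while tailscale set changes only the setting you name:

sudo tailscale set --ssh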

Once enabled, you can SSH into your Pi from any authorized tailnet device without touching key configuration.

Configure UFW

If you’re running UFW (Uncomplicated Firewall) on the Pi, it will block traffic forwarding by default. You need to explicitly allow Tailscale’s traffic through.

Allow the WireGuard UDP port Tailscale uses:

sudo ufw allow 41641/udp

Allow traffic routing between the Tailscale interface and your local network interface (substitute wlan0 for eth0 if the Pi is connected over Wi-Fi):

sudo ufw route allow in on tailscale0 out on eth0
sudo ufw route allow in on eth0 out on tailscale0

Allow inbound SSH specifically from your tailnet:

sudo ufw allow in on tailscale0 to any port 22 proto tcp

Apply the changes:

sudo ufw reload

Lock Down Your Tailscale Account

A few account-level settings worth enabling:

  • MFA on your identity provider — hardware security keys (FIDO2/WebAuthn) provide the strongest protection, but any second factor is better than none.
  • Tailnet Lock — a feature that prevents unauthorized nodes from being added to your network even if Tailscale’s control plane were compromised. Nodes must be signed by one of your trusted signing keys.
  • Key expiry — set short expiry windows on high-risk devices so stale credentials don’t linger if a device is lost or compromised.

Troubleshooting

Check Connection Status

If something isn’t connecting, start here:

tailscale status

To verify direct peer connectivity to a specific device:

tailscale ping <client-tailscale-ip>

Check IP Forwarding

If subnet routing or exit node traffic isn’t passing through, confirm IP forwarding is actually active:

cat /proc/sys/net/ipv4/ip_forward

A return value of 1 means it’s on. If you see 0, revisit your sysctl configuration.
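
The check above covers IPv4 at runtime only. As an added example (not part of the original guide), this POSIX shell snippet checks both address families and also confirms the setting is persisted in the sysctl file created under Enable IP Forwarding, so it survives a reboot. The ROOT variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is forwarding on right now, and will it survive a reboot?
# ROOT is a hypothetical prefix so the check can be pointed at a test tree.
ROOT=${ROOT:-}

# forwarding_state KEY PROC_PATH
# Prints "KEY runtime=<0|1|?> persisted=<yes|no>"; succeeds only if both are on.
forwarding_state() (
  key=$1
  conf=$ROOT/etc/sysctl.d/99-tailscale.conf
  runtime=$(cat "$ROOT$2" 2>/dev/null || echo '?')
  # Strip whitespace and keep the last assignment: repeated `tee -a` runs
  # append duplicate lines, and the last one wins when sysctl loads the file.
  val=$(awk -F= -v k="$key" '{ gsub(/[ \t]/, "") } $1 == k { v = $2 } END { print v }' \
        "$conf" 2>/dev/null || true)
  persisted=no
  if [ "$val" = 1 ]; then persisted=yes; fi
  echo "$key runtime=$runtime persisted=$persisted"
  [ "$runtime" = 1 ] && [ "$persisted" = yes ]
)

# Checks both address families; the /proc test alone covers IPv4 only.
audit_forwarding() {
  rc=0
  forwarding_state net.ipv4.ip_forward /proc/sys/net/ipv4/ip_forward || rc=1
  forwarding_state net.ipv6.conf.all.forwarding /proc/sys/net/ipv6/conf/all/forwarding || rc=1
  return "$rc"
}

audit_forwarding || echo "forwarding is off or not persisted for one address family"
```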

Inspect the Logs

For unexpected Tailscale daemon behavior:

sudo journalctl -u tailscaled -n 50 --no-pager

Restart or Re-authenticate

When something’s in a weird state, a clean restart often sorts it out:

sudo systemctl restart tailscaled

To force a full re-authentication:

sudo tailscale down
sudo tailscale up --force-reauth

Connecting Your Other Devices

With your Raspberry Pi configured, all you need is the Tailscale client on your other devices.

  • Windows / macOS: Download the installer from tailscale.com/download, run it, and sign in with the same account.
  • Linux: Run curl -fsSL https://tailscale.com/install.sh | sh, then sudo tailscale up.
  • Android / iOS: Install Tailscale from the Google Play Store or Apple App Store, authenticate, and flip the toggle to connect.

Using the Exit Node

Once your device is connected to the tailnet, switching internet traffic through the Raspberry Pi takes just a few taps:

  • Mobile apps: Open Tailscale, tap the exit node selector, and choose your Raspberry Pi.
  • Desktop (Windows / macOS): Click the Tailscale icon in the system tray or menu bar, go to Exit Nodes, and select the Pi.
  • Linux CLI: Run sudo tailscale set --exit-node=<your-pi-tailscale-ip>.

From that point, all your internet traffic flows through your home connection, encrypted between your device and the Pi, no matter what network you’re sitting on.

