How I Use Tailscale for Everything
May 2026
I didn't plan to become a Tailscale person. I was trying to access my VPS without exposing SSH to the internet, and someone mentioned it in a forum. I installed it, got it working in about ten minutes, and then spent the next few weeks finding new things to run through it.
Here's the actual setup I use and why each piece is there.
The core idea
Tailscale builds a WireGuard mesh between your devices. Every device on your tailnet gets a stable IP (in the 100.x.x.x range) that works regardless of where it is — home network, mobile data, different country. Once two devices are on the tailnet, they can talk to each other as if they're on the same LAN. No port forwarding, no dynamic DNS, no open ports on your VPS.
That last part is the thing that made me keep using it. My VPS has no inbound ports open except 80 and 443 for web traffic. SSH runs on the tailnet only.
SSH without the paranoia
Before Tailscale, I had SSH on a non-standard port, fail2ban running, key-only auth, the works. It was fine but I always had that low-level awareness that the port was there, getting scanned.
Now SSH only listens on the Tailscale interface. If you're not on my tailnet, the port doesn't exist as far as you're concerned. I still use key auth, but the exposure is basically zero.
# /etc/ssh/sshd_config
# bind only to this host's Tailscale IP (sshd does not accept trailing comments on a directive)
ListenAddress 100.x.x.x
Simple. Probably the highest security-to-effort ratio of anything I've done.
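A quick post-change audit, added here as an example and not part of the original post: parse the sshd_config and the output of `ss -ltnp` and flag any SSH listener that is not inside Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48). The config text and socket listing below are constructed samples; the second ListenAddress is the leftover wildcard bind this check is meant to catch.

```python
import ipaddress
import re

# Tailscale hands out tailnet addresses from 100.64.0.0/10 (IPv4) and fd7a:115c:a1e0::/48 (IPv6).
TAILNET = [ipaddress.ip_network("100.64.0.0/10"), ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sshd_config: a commented-out default, a tailnet-only bind and a leftover wildcard bind.
SSHD_CONFIG = """
#ListenAddress ::
ListenAddress 100.101.102.103
ListenAddress 0.0.0.0
"""

# Constructed `ss -ltnp` output as it might look right after restarting sshd.
SS_OUTPUT = """
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    100.101.102.103:22   0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=812,fd=4))
LISTEN 0      511    0.0.0.0:443          0.0.0.0:*         users:(("caddy",pid=901,fd=7))
"""

def host_part(addr):
    """Strip an optional :port from 'a.b.c.d:22' or '[v6]:22'; bare addresses and '*' pass through."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr

def config_listen_addresses(config):
    """ListenAddress values declared in an sshd_config; '#'-prefixed lines never match."""
    pat = re.compile(r"^\s*ListenAddress\s+(\S+)", re.IGNORECASE)
    return [host_part(m.group(1)) for m in map(pat.match, config.splitlines()) if m]

def sshd_listeners(ss_output):
    """Local addresses of LISTEN sockets that `ss -ltnp` attributes to sshd."""
    rows = [ln.split() for ln in ss_output.splitlines()]
    return [host_part(f[3]) for f in rows if len(f) >= 6 and f[0] == "LISTEN" and '"sshd"' in f[-1]]

def off_tailnet(addrs):
    """Addresses outside every tailnet range; wildcards and hostnames are flagged as well."""
    bad = []
    for a in addrs:
        try:
            ok = any(ipaddress.ip_address(a) in net for net in TAILNET)
        except ValueError:  # '*' or a hostname: cannot confirm it is tailnet-only, so flag it
            ok = False
        if not ok:
            bad.append(a)
    return bad
```

Running `off_tailnet` over both sources catches the case where the config looks right but sshd was never restarted, or the reverse.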
AdGuard Home on the tailnet
I run AdGuard Home on the same VPS. DNS traffic from all my devices goes through it — ad blocking, tracker blocking, and scheduled domain blocks for social media during exam prep.
The setup: AdGuard Home listens on the VPS's Tailscale IP. Each device sets that IP as its DNS server. That's it. No complicated split-DNS, no public DNS resolver exposed to the world. It only serves devices that are on the tailnet.
The scheduled blocking is what made this worth building. I have rules that block Twitter, YouTube, and Instagram from 9am to 6pm on weekdays. Cold Turkey handles the browser side on desktop, but DNS blocking catches everything else — apps, background refresh, whatever tries to slip through.
# AdGuard Home — custom filtering schedule
# Block social media 09:00-18:00 weekdays
||twitter.com^
||x.com^
||youtube.com^
||instagram.com^
Does it work? Mostly. The gap is when I'm off the tailnet — mobile data without VPN bypasses it entirely. I'm still figuring out a clean solution for that.
Dev tunnels for client demos
When I'm building something locally and need to share it with a client, I used to reach for ngrok. Now I use tailscale serve or just SSH port-forwarding from my dev machine to the VPS, then proxy through Caddy.
It's more setup than ngrok but I control the URL, there's no rate limiting, and the traffic stays on the tailnet until it exits through my VPS. For a quick demo it's overkill. For something running for a few days while a client reviews it, it's better.
Subnet routing for local resources
On my home network I have a few things that don't run Tailscale themselves — a NAS, an old Raspberry Pi, a printer that I occasionally need to reach remotely. I have one machine on the network set up as a subnet router. It advertises the local subnet to the tailnet, so anything on that machine's network is reachable from anywhere.
tailscale up --advertise-routes=192.168.1.0/24
Then approve the route in the admin console and you're done. Tailscale handles the routing.
What I don't use
Exit nodes — I've tried routing all traffic through my VPS but the latency is noticeable and it's not what Tailscale is optimized for. For actual VPN-style traffic shaping I'd use something else.
MagicDNS is useful but I've had a few weird resolution issues on certain Android builds so I keep it off and use IPs directly.
The honest summary
Tailscale is one of those tools that quietly removes an entire category of network problems. I don't think about port forwarding anymore. I don't think about whether my home IP changed. I don't think about whether my SSH port is being brute-forced.
The free tier handles everything I described. I've never hit a limit.