
03 — Tailscale (Remote Access VPN)

Tailscale provides encrypted private networking — your devices reach the Z2 over an encrypted tunnel without exposing it to the public internet.


Current configuration

  • Tailnet name: elk-kanyu.ts.net
  • Z2 hostname on tailnet: z2mini.elk-kanyu.ts.net (or just z2mini)
  • Plan: Free Personal
  • Tailscale SSH: enabled (uses tailnet identity, no password)
  • Operator: gabriel (sudo tailscale set --operator=gabriel) — so tailscale serve / tailscale set etc. work without sudo
  • DNS — global resolvers: 1.1.1.1 and 8.8.8.8, with "Override local DNS" ON in the admin panel. Tailnet devices forward all non-MagicDNS queries to these instead of to whatever network they happen to be on. This is needed so devices reliably resolve *.z2mini.gabrielgabrie.com: the student-housing router's DNS chokes on it (stale negative cache from before the Cloudflare migration, and/or it strips 100.64.0.0/10 CGNAT answers as "DNS rebinding").
  • HTTPS certificates (the Tailscale feature): enabled in the admin panel, but no longer used — the Z2's web services get their certs from Let's Encrypt via Caddy + the Cloudflare DNS-01 challenge (17-caddy.md), not from tailscale cert / tailscale serve. The two old tailscale serve listeners (:443 Radicale, :8443 Vaultwarden) were retired when Caddy took over.

Admin panel: https://login.tailscale.com/admin


Installing Tailscale on the Z2 (fresh install)

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh

A URL will print. Open it in any browser and sign in with your Tailscale account. The Z2 is now on your tailnet.

The --ssh flag enables Tailscale SSH (incoming connections authenticated via tailnet identity).

Verify it's running:

sudo systemctl status tailscaled
tailscale status

Installing Tailscale on a new device

Device    How
Windows   Download from https://tailscale.com/download → install → sign in
iPhone    App Store → "Tailscale" → install → sign in → approve VPN config
macOS     Mac App Store or https://tailscale.com/download

Sign in with the same Tailscale account on all devices.


Common commands

# Check Tailscale status (all peers, current state)
tailscale status

# Get this machine's Tailscale IP
tailscale ip -4

# Disconnect (not usually needed)
sudo tailscale down

# Reconnect
sudo tailscale up --ssh

# Reauthenticate (e.g., after long idle)
sudo tailscale up --ssh --force-reauth

How HTTPS works now

Web services on the Z2 are fronted by Caddy at https://<service>.z2mini.gabrielgabrie.com (custom domain, DNS via Cloudflare), with auto-renewing Let's Encrypt certs that Caddy obtains via the ACME DNS-01 challenge through the Cloudflare API. This works even though the box accepts no inbound connections from the public internet: HTTP-01 / TLS-ALPN-01 would need port 80/443 reachable from Let's Encrypt; DNS-01 only needs Caddy to publish a TXT record. Full details: 17-caddy.md.

We do not use Tailscale's own cert features (tailscale cert, tailscale serve) anymore. If you ever need a one-off cert for the tailnet hostname itself, sudo tailscale cert z2mini.elk-kanyu.ts.net still works (creates .crt/.key in the cwd) — but for normal service exposure, add a Caddyfile block instead (see 17-caddy.md → Adding a new service).


Troubleshooting

Tailscale not connecting after reboot:

sudo systemctl status tailscaled
sudo systemctl restart tailscaled

Devices can't see each other:

  • Check both devices are signed into the same account
  • Verify both are "Connected" in their Tailscale apps
  • Try tailscale status from each side — both should appear in the list
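A small check script for the two recurring questions above (is the Z2 peer online, and does a *.z2mini.gabrielgabrie.com name resolve to a tailnet address rather than being stripped by the LAN router, as described under DNS in the configuration list). This is an added example, not part of the original runbook; the JSON field names (BackendState, Self, Peer, TailscaleIPs, Online, DNSName) are assumed from the output of `tailscale status --json`, and SAMPLE_STATUS is constructed.

```python
import ipaddress
import json
import socket
import subprocess
import sys

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # Tailscale hands out IPv4 addresses from this range

# Constructed stand-in for `tailscale status --json` (field names assumed from that output).
SAMPLE_STATUS = {
    "BackendState": "Running",
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.1.2"], "Online": True},
    "Peer": {"nodekey:aaaa": {"HostName": "z2mini", "DNSName": "z2mini.elk-kanyu.ts.net.",
                              "TailscaleIPs": ["100.64.1.3"], "Online": True}},
}

def is_cgnat(addr: str) -> bool:
    """True if addr is a tailnet (CGNAT) address, the kind a rebinding filter strips."""
    try:
        return ipaddress.ip_address(addr) in CGNAT
    except ValueError:
        return False

def summarize_status(status: dict) -> dict:
    """Reduce the status JSON to the checklist questions: backend running? which peers online?"""
    peers = {(p.get("DNSName") or p.get("HostName", "")).rstrip("."): bool(p.get("Online"))
             for p in status.get("Peer", {}).values()}
    return {"running": status.get("BackendState") == "Running",
            "self_ips": status.get("Self", {}).get("TailscaleIPs", []),
            "peers_online": peers}

def check_service_dns(hostname: str, resolve=socket.gethostbyname) -> str:
    """Classify a lookup: NXDOMAIN (stale cache / LAN resolver), non-tailnet answer, or OK."""
    try:
        addr = resolve(hostname)
    except OSError:
        return "NXDOMAIN: stale negative cache, or the LAN resolver is still being used"
    if is_cgnat(addr):
        return f"ok: {hostname} -> {addr} (tailnet address)"
    return f"wrong-answer: {hostname} -> {addr} is not in 100.64.0.0/10"

if __name__ == "__main__":
    # Live run: python3 tailnet_check.py [hostname]; reads `tailscale status --json` if the CLI exists.
    try:
        status = json.loads(subprocess.run(["tailscale", "status", "--json"], capture_output=True,
                                           text=True, check=True).stdout)
    except (OSError, subprocess.CalledProcessError):
        status = SAMPLE_STATUS  # CLI absent: fall back to the constructed sample
    print(json.dumps(summarize_status(status), indent=2))
    print(check_service_dns(sys.argv[1] if len(sys.argv) > 1 else "z2mini.elk-kanyu.ts.net"))
```

Run it from the device that cannot see the Z2, passing one of the Caddy service names; a "wrong-answer" or NXDOMAIN verdict while tailscale status shows the peer online points at DNS, not at the tunnel.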

SSH suddenly stops working:

If you disabled --ssh accidentally, fall back to the regular sshd with password auth (it still listens on port 22 and is reachable over the Tailscale IP):

ssh gabriel@<tailscale-ip>

To re-enable Tailscale SSH:

sudo tailscale up --ssh

What NOT to do

  • ❌ Don't expose ports on your router for SSH/Samba — that defeats the security model. Tailscale is your access mechanism.
  • ❌ Don't share Tailscale credentials with family/others. To give others access, use Tailscale's device sharing feature — they create their own accounts and you share specific machines with them.
  • ❌ Don't rename the tailnet (elk-kanyu) — the rename is one-way per the Tailscale docs and breaks any HTTPS certs you've issued.

Future considerations

  • Headscale (self-hosted Tailscale alternative) was discussed and rejected for now. Free Tailscale is sufficient. If you ever want full independence, it's a viable migration path because the clients are the same.
  • Subnet routing: not currently configured. If you ever wanted devices on the Z2's local network to be reachable via Tailscale (without installing Tailscale on each), you could set up the Z2 as a subnet router. Not needed yet.