
Physical tunnel found exploring the Ligurian coast! Now let’s implement the virtual one…

Info

Homelab Series Index

Digital freedom: creating a personal service ecosystem without depending on big tech.

  1. Homelab: Necessity or Whim?
  2. Homelab: Proxmox and LXC Containers
  3. Homelab: Immich Setup
  4. Homelab: Navidrome Setup
  5. Homelab: Secure Remote Access
  6. Homelab: Migrating from iCloud to Immich
  7. Homelab: Paperless-NGX and Document Management

Remote Access: Two Different Philosophies

Remote access transforms local homelab services (Immich, Navidrome, Proxmox) into globally accessible infrastructure. There are two fundamental philosophies with opposing trade-offs between ease of use and security control:

  1. Direct exposure: Services publicly accessible via domains (like traditional websites)
  2. Virtual private network: Remote devices “enter” the home network through encrypted tunnels

The choice depends on your personal threat model: whether you prioritize universal convenience or total access control.

Remote Access Solutions

1. Direct Exposure with Nginx Reverse Proxy

Homelab services are exposed directly to the Internet behind an Nginx reverse proxy that handles SSL, authentication, and routing.

How It Works

Internet → Router (Port 80/443) → Nginx Proxy Manager → Internal Services

Required setup:

  • Static public IP (necessary)
  • Registered domain (e.g., claudio-homelab.com)
  • Router port forwarding: 80→192.168.1.100:80, 443→192.168.1.100:443
  • Nginx Proxy Manager container for SSL certificate management

Advantages

  • Optimal performance: No VPN or tunneling overhead
  • Universal compatibility: Works with any browser/device
  • Complete control: Granular configuration of every aspect
  • Low costs: Only domain (~€10/year) + optional static IP (ISPs often charge separately)
  • Client simplicity: Direct browser access, no additional software

Disadvantages

  • Exposed attack surface: Services are directly reachable by anyone on the Internet, including malicious bots and automated scanners
  • Continuous bombardment: Logs fill with access attempts, brute-force attempts and vulnerability scans 24/7; blocking traffic from outside Italy/Europe reduces the noise, but you are never safe
  • Total security responsibility: Hardening, monitoring, security updates and patch management are entirely the user’s responsibility
  • Infrastructure requirements: Static public IP, advanced firewall configuration, DNS and SSL certificate management
  • Intensive maintenance: Continuous log monitoring, fail2ban configuration, certificate renewal, system updates
  • Required technical skills: Advanced system administration and cybersecurity competencies for a secure configuration

When to Choose Nginx Reverse Proxy

Ideal use case: Expert users with static IP who prioritize performance and have advanced security competencies.

Direct exposure is particularly useful when:

  • Personal website hosting: Making this blog or portfolio accessible without requiring special visitor configurations
  • Family sharing: Allowing access to Navidrome or photo galleries for relatives and friends without adding them to VPN
  • Public services: Exposing tools or applications that must be accessible from uncontrolled devices
  • Critical performance: Minimal latency for streaming or gaming
  • Limited budget: Only domain and static IP costs

Warning
Risk assessment: Direct exposure transforms the homelab into a public target. Only suitable for users with solid security competencies and availability for continuous maintenance. Even small configuration errors can compromise the entire infrastructure.

2. Tailscale - Managed Mesh VPN

Tailscale creates an encrypted mesh network that connects all devices as if they were on the same LAN, without manual configuration.

How It Works

Remote Device ←→ Tailscale Cloud ←→ Homelab
         |                    |                |
    (Client app)         (Coordination)   (Subnet router)

Architecture:

  • Dedicated LXC container in homelab functions as “subnet router”
  • Tailscale servers manage coordination and authentication
  • Devices connect directly peer-to-peer when possible
  • End-to-end encrypted traffic with WireGuard

Advantages

  • Zero configuration: Setup in minutes, works even behind CGNAT
  • Multi-platform: Native clients for Windows, macOS, Linux, iOS, Android
  • Automatic NAT traversal: Direct connections even behind complex firewalls
  • Magic DNS: Service access via friendly names instead of IPs (http://immich:2283)
  • Enterprise reliability: 99.9%+ uptime, globally distributed infrastructure
  • Zero maintenance: Automatic updates, transparent key management

Note
CGNAT (Carrier Grade NAT): Technology used by many ISPs (Fastweb, Iliad, mobile operators) to share a single public IP among hundreds of customers. With CGNAT, traditional port forwarding is impossible, making direct exposure of homelab services technically impossible without a VPN.

Disadvantages

  • Third-party dependency: Connection control and coordination managed by Tailscale Inc.
  • Privacy concerns: Connection metadata (times, IPs, devices) are logged on Tailscale servers
  • Free tier limitations: Maximum 3 users and 100 devices per free account
  • Information acquired: Tailscale knows when and where you connect, which devices you use, network structure
  • Vendor lock-in: Migration to alternatives requires complete reconfiguration

When to Choose Tailscale

Ideal scenario: Personal homelabs prioritizing simplicity and time-to-value, with acceptable commercial privacy requirements.

Tailscale is particularly suitable for:

  • Personal photo access: Immich remains completely private, accessible only from your authenticated devices
  • Server management: Proxmox accessible only from trusted devices without public exposure
  • Family services: Navidrome sharing limited to family members (≤3 people free)
  • Zero-touch deployment: Instant configuration on new devices without technical competencies
  • CGNAT connections: Works perfectly behind complex firewalls and limiting ISPs
  • Zero maintenance: Ideal for those preferring to focus on homelab services vs infrastructure

Info
Tailscale free tier: For personal homelabs up to 3 users and 100 devices, the free plan includes all main features without traffic limitations. Perfect for family use.

3. Headscale - Self-Hosted Tailscale

Headscale is an open-source implementation of the Tailscale control server, developed by Juan Font, former Tailscale employee. It replicates the main functionality and allows the official Tailscale clients to be used with a coordination server completely under your control.

How It Works

Remote Device ←→ Headscale Server (Self-hosted) ←→ Homelab
         |                         |                      |
   (Tailscale Client)        (Private Coordination)  (Subnet router)

Architecture:

  • Self-hosted Headscale server (VPS or dedicated container)
  • Official Tailscale clients used for connections
  • Completely private coordination and key management
  • Same Tailscale user experience with total control

Advantages

  • Complete privacy: No data on third-party servers, private coordination
  • Total control: Autonomous management of users, devices, policies
  • Contained costs: Only coordination server hosting (€36-60/year for entry-level VPS)
  • Client compatibility: Uses original Tailscale apps
  • Scalability: No artificial limits on users or devices
  • Audit trail: Complete activity logs under direct control

Disadvantages

  • Setup complexity: Requires public server and DNS configuration
  • Server maintenance: Updates, backups, monitoring at user’s expense
  • Limited documentation: Smaller community compared to Tailscale
  • Single point of failure: Headscale server down = no access
  • Learning curve: Requires server management competencies
  • Functional limitations: Missing Exit Nodes, Funnel sharing, web admin interface (CLI only)

Official Support and Compatibility

Client compatibility: Headscale officially supports the original Tailscale clients on all platforms (Windows, macOS, Linux, iOS, Android). No alternative apps or special configurations are required - it is completely transparent to end users.

Development: The project has indirect support from Tailscale Inc. which maintains protocol compatibility and has never hindered development. Juan Font worked on Headscale while being a Tailscale employee, ensuring deep architectural knowledge.

When to Choose Headscale

Ideal scenario: Privacy-conscious users with technical competencies who want total control without vendor lock-in.

Headscale is the best choice when:

  • Privacy and data control are priorities: No metadata shared with third parties
  • Teams >3 people: Avoids growing Tailscale costs ($216+/year vs €36-60/year VPS)
  • Server management competencies: Experience with Docker, VPS and CLI management
  • Complete audit trail: Need for detailed logs under direct control
  • Vendor independence: Total control over infrastructure and updates
  • Sustainable VPS budget: €36-60/year becomes acceptable vs alternatives

Tip
Headscale vs Tailscale: Headscale guarantees complete data sovereignty but requires active server management competencies. Ideal for advanced users who consider privacy and control priorities over convenience.

The Choice for Our Homelab: Tailscale

After evaluating all options, the choice falls on Tailscale for the homelab’s initial setup, based on a pragmatic analysis of competencies, needs, and learning objectives.

Why Tailscale Now

  • Focus on homelab services instead of infrastructure management
  • Personal access to Immich and Navidrome (1-2 users maximum)
  • Contained budget without recurring VPS costs (necessary for Headscale)
  • Immediate reliability without maintenance overhead

Privacy: Realism vs Paranoia

What we share with Tailscale:

  • Connection metadata (timestamp, duration, IP endpoints)
  • Device list and network configurations
  • Authentication logs and subnet routes

What remains private:

  • All traffic content (photos, music, passwords)
  • Internal communications between homelab services
  • End-to-end encrypted application data

Risk assessment: For personal homelab, privacy risk is minimal compared to operational benefits. Critical data (personal photos, configurations) remains completely private and encrypted.

Future Migration Strategy

Given the nature of homelab services (personal access to Immich, Navidrome, Proxmox), I’m unlikely to need more than 3 users in the future. The Tailscale free tier should remain sufficient long-term.

However, migration to Headscale remains possible if needs change: same clients, similar configuration, total data control. The initial choice is therefore zero-risk - we’ll see if and when an upgrade becomes necessary.

Tailscale Setup: Practical Configuration

Tailscale configuration is surprisingly simple and intuitive. The entire procedure takes less than 5 minutes and immediately provides secure access to all homelab services. The user experience was designed to be zero-friction, finally making remote access accessible even to non-technical users.

Tailscale Container Setup

Step 1: CT Container Creation

I create a dedicated LXC container called tailscale-router with minimal resources: 512MB RAM and 1 CPU core are sufficient for managing VPN routing of a family homelab. The container functions as a “subnet router” allowing all Tailscale devices to access the home network 192.168.1.x without additional configurations.

Step 2: TUN Device Configuration (from Proxmox host)

By default, LXC containers don’t have access to the virtual network devices a VPN needs. This configuration lets the container use the /dev/net/tun device to create Tailscale tunnels.

# Modify container configuration for VPN support
# (104 is the CT ID assigned to tailscale-router in Step 1)
nano /etc/pve/lxc/104.conf

# Add lines (allow the TUN char device 10:200 and bind-mount it into the container):
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

# Restart container to apply changes
pct reboot 104

Step 3: Tailscale Installation

# Enter container
pct enter 104

# Update system
apt update && apt upgrade -y

# Tailscale installation (official installer)
curl -fsSL https://tailscale.com/install.sh | sh

# Enable service
systemctl enable --now tailscaled

# Verify installation
tailscale version

Step 4: IP Forwarding Configuration

# From tailscale-router container
# Enable IP forwarding for subnet routing
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.d/99-tailscale.conf

# Apply configuration
sysctl -p /etc/sysctl.d/99-tailscale.conf

# Verify configuration
cat /proc/sys/net/ipv4/ip_forward
# Expected output: 1

Step 5: Tailscale Account Registration

  1. Register on tailscale.com with identity provider (Google, Microsoft, GitHub)
  2. The “tailnet” name will be automatically assigned (e.g., tail12345.ts.net)

Step 6: Container Connection

# From tailscale-router container
# Connect device to Tailscale network with subnet routing
tailscale up --advertise-routes=192.168.1.0/24 --accept-routes

# Output will show authentication URL:
# To authenticate, visit: https://login.tailscale.com/a/xxxxx

Step 7: Browser Authentication

  1. Copy URL from previous command output
  2. Paste in browser and complete authentication
  3. Device will appear as tailscale-router in Admin Console

Enabling Subnet Routes

Via Tailscale Admin Console:

  1. Open login.tailscale.com/admin/machines
  2. Find tailscale-router device in list
  3. Three dots menu → Edit route settings
  4. Subnet routes → 192.168.1.0/24 → Approve
  5. Save

Info
Subnet routing: Once approved, all Tailscale devices will be able to access the homelab network 192.168.1.x as if physically connected to the LAN.

Configuration Verification

# From tailscale-router container
# Verify status and connectivity
tailscale status

# Expected output (this node's line; peers follow):
# 100.x.x.x   tailscale-router    claudio@     linux   -
# (the approved 192.168.1.0/24 route is shown in the Admin Console, not here)

# Connectivity test
# tailscale ping only targets tailnet nodes (100.x.x.x or MagicDNS names), not public hosts
tailscale ping <another-tailnet-device>
# Should show latency through Tailscale (ideally "direct", otherwise "via DERP" relay)

Access Testing and Monitoring

# From any Tailscale device - Test service connectivity (prints the HTTP status code per service)
curl -s -o /dev/null -w '%{http_code}\n' http://192.168.1.204:2283   # Immich
curl -s -o /dev/null -w '%{http_code}\n' http://192.168.1.206:4533   # Navidrome
curl -sk -o /dev/null -w '%{http_code}\n' https://192.168.1.111:8006 # Proxmox (-k: self-signed certificate)
# A 200 or 3xx code means the service answered through the tunnel; a timeout usually means the route is not approved or IP forwarding is off
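A preflight script for the tailscale-router container, added here as an example (it is not from the original post nor from Tailscale): it re-checks the TUN device from Step 2, the forwarding setting from Step 4, and whether the route advertised in Step 6 was actually approved, by reading `tailscale status --json`. The assumption that an approved route appears quoted in the Self block of that JSON is labelled in a comment; each check accepts a path or a captured JSON string so it can be exercised without a live tailnet.

```shell
# Preflight for the tailscale-router LXC: re-checks Steps 2, 4 and 6 in one place.
# Every check prints ok/FAIL and returns 0/1; optional arguments point a check at a
# file or a captured JSON string instead of the live system.

check_tun() {            # Step 2: /dev/net/tun must be a character device inside the container
  tun="${1:-/dev/net/tun}"
  [ -c "$tun" ] && echo "ok   TUN device $tun present" && return 0
  echo "FAIL $tun missing: check lxc.mount.entry in the CT config on the Proxmox host"
  return 1
}

check_forwarding() {     # Step 4: the kernel must forward packets between tailnet and LAN
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ] && echo "ok   IPv4 forwarding enabled" && return 0
  echo "FAIL IPv4 forwarding off: sysctl -p /etc/sysctl.d/99-tailscale.conf"
  return 1
}

check_route_approved() { # Step 6 + Admin Console: is the advertised subnet actually approved?
  cidr="$1"
  json="${2:-$(tailscale status --json 2>/dev/null || true)}"
  # Assumption: an approved route appears quoted in the Self block of the status JSON
  # (AllowedIPs/PrimaryRoutes); a route that is only advertised, not approved, does not.
  printf '%s' "$json" | grep -qF "\"$cidr\"" && echo "ok   route $cidr approved" && return 0
  echo "FAIL route $cidr not approved: Admin Console > Edit route settings > Approve"
  return 1
}

preflight() {            # run all checks; non-zero exit if any failed (cron-friendly)
  rc=0
  check_tun || rc=1
  check_forwarding || rc=1
  check_route_approved "${1:-192.168.1.0/24}" || rc=1
  return "$rc"
}
# Usage on the router:  . ./preflight.sh && preflight 192.168.1.0/24
```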

Conclusions: Remote Access Conquered

With Tailscale configured, the homelab transforms from local experiment to daily-usable infrastructure. Secure remote access represents the final piece making self-hosted services truly practical and competitive with cloud alternatives.

Result achieved: Immich, Navidrome, and Proxmox are now accessible from any device, anywhere, with the same security and privacy as a local connection. Configuration requires zero maintenance and automatic scaling.

Future path: The Tailscale choice doesn’t preclude future evolution toward Headscale or hybrid solutions. The important thing is having built the foundation for an independent and controlled personal services ecosystem.

Resources and Further Reading