Build Your Own HomeLab Gateway: Tailscale + Raspberry Pi
Your home network is a goldmine of services—Pi-hole blocking ads, Home Assistant controlling your lights, Jellyfin streaming your media library. But the moment you step outside your front door, it all vanishes behind your router's firewall.
What if you could access everything securely from anywhere, without exposing a single port to the internet?
Enter Tailscale on a Raspberry Pi—your personal gateway to a self-hosted, privacy-first HomeLab that follows you everywhere.
Why This Combo Works So Well
The Raspberry Pi Advantage
The Raspberry Pi 5 is the perfect HomeLab foundation:
| Spec | Why It Matters |
|---|---|
| Quad-core Cortex-A76 @ 2.4GHz | Handles multiple containers without breaking a sweat |
| Up to 16GB RAM | Room for Ollama, databases, and more |
| PCIe 2.0 support | Attach NVMe SSDs for real storage performance |
| Gigabit Ethernet | Full-speed network throughput |
| 4-5W idle power | Runs 24/7 for pennies per month |
The Tailscale Magic
Tailscale is a mesh VPN built on WireGuard that eliminates the nightmare of traditional VPN setup:
- Zero port forwarding — Works behind NAT, firewalls, even carrier-grade NAT
- Zero configuration — No IP addresses to memorize, no certificates to manage
- Device-to-device encryption — Traffic never touches Tailscale's servers
- Free tier — Connect up to 100 devices (more than enough for most HomeLabs)
Together, they create a secure tunnel to your entire home infrastructure from any device, anywhere in the world.
The HomeLab Stack
Here's what we're building—a complete self-hosted ecosystem accessible from anywhere:
```text
┌─────────────────────────────────────────────────────┐
│                  Your Phone/Laptop                  │
│                 (Tailscale Client)                  │
└──────────────────────────┬──────────────────────────┘
                           │ Encrypted Tunnel
                           ▼
┌─────────────────────────────────────────────────────┐
│              Raspberry Pi 5 (Gateway)               │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │
│  │   Pi-hole   │  │  Portainer  │  │  Tailscale  │  │
│  │ (Ad Block)  │  │ (Container) │  │   (Subnet   │  │
│  │             │  │             │  │   Router)   │  │
│  └─────────────┘  └─────────────┘  └─────────────┘  │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  │
│  │    Home     │  │   Ollama    │  │   Uptime    │  │
│  │  Assistant  │  │ (Local AI)  │  │    Kuma     │  │
│  └─────────────┘  └─────────────┘  └─────────────┘  │
└─────────────────────────────────────────────────────┘
```
Setting Up Tailscale on Your Pi
Prerequisites
- Raspberry Pi (3, 4, or 5) running Raspberry Pi OS
- Stable internet connection (Ethernet recommended)
- A free Tailscale account
Installation
SSH into your Pi and run:
```bash
# Update your system
sudo apt update && sudo apt upgrade -y

# Install Tailscale with one command
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale
sudo tailscale up
```
You'll get a URL to authenticate in your browser. Log in with Google, GitHub, or Microsoft, and your Pi joins your private network instantly.
Verify it's working:
```bash
tailscale status
```
You should see your Pi listed with a 100.x.x.x Tailscale IP address.
Configuring the Gateway Features
1. Enable Subnet Router (Access Your Whole Network)
This lets you reach every device on your home network through Tailscale—not just the Pi:
```bash
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Advertise your local subnet (adjust for your network)
sudo tailscale up --advertise-routes=192.168.1.0/24
```
Then approve the route in the Tailscale admin console:
- Find your Pi in the Machines list
- Click the ... menu → Edit route settings
- Enable your advertised subnet
Now any Tailscale device can reach 192.168.1.x addresses directly.
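To take the guesswork out of "adjust for your network", the route can be derived from the Pi's own interface address. This is an added example, not part of the original article; the function name `lan_route`, the sample interface line, and the policy of refusing public or wider-than-/16 ranges are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): derive the value for
# --advertise-routes from the Pi's interface address instead of typing it.

# stdin:  output of `ip -o -4 addr show dev <iface>`
# stdout: the network in CIDR form, e.g. 192.168.1.0/24
# status: 1 = no IPv4 address found, 2 = refused (assumed policy: only
#         RFC 1918 ranges, and nothing wider than a /16)
lan_route() {
  awk '
    { for (i = 1; i < NF; i++) if ($i == "inet") addr = $(i + 1) }
    END {
      if (split(addr, p, "[./]") != 5) exit 1
      len = p[5]
      private = (p[1] == 10) ||
                (p[1] == 172 && p[2] >= 16 && p[2] <= 31) ||
                (p[1] == 192 && p[2] == 168)
      if (!private || len < 16 || len > 32) exit 2
      ip   = ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
      size = 2 ^ (32 - len)            # addresses in the subnet
      net  = ip - (ip % size)          # clear the host bits
      printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256,
             int(net / 65536) % 256, int(net / 256) % 256, net % 256, len
    }'
}

# Constructed sample line; on the Pi use: ip -o -4 addr show dev eth0
sample='2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0'

if route=$(printf '%s\n' "$sample" | lan_route); then
  echo "sudo tailscale up --advertise-routes=$route"
else
  echo "refusing to advertise: not a private LAN range" >&2
fi
```

The script only prints the command, so the computed route can be reviewed before it is advertised and approved in the admin console.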
2. Enable Exit Node (Route All Traffic Through Home)
Want to browse the web from a coffee shop as if you're at home? Make your Pi an exit node:
```bash
sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node
```
Approve the exit node in the admin console the same way you approved routes.
On your phone or laptop, select your Pi as the exit node in Tailscale settings. All your traffic now flows through your home connection.
3. Disable Key Expiry (Set It and Forget It)
By default, Tailscale keys expire after 180 days. For a headless HomeLab server, disable this:
- Go to Tailscale admin console
- Find your Pi → click ... → Disable key expiry
Your Pi stays connected permanently without re-authentication.
Building the HomeLab Services
With Tailscale running, let's add the services that make a HomeLab useful.
Pi-hole: Network-Wide Ad Blocking
```bash
curl -sSL https://install.pi-hole.net | bash
```
Configure your router to use the Pi's IP as its DNS server, or set Tailscale's DNS settings to use your Pi-hole. Ads disappear across all your devices—even remotely.
Portainer: Container Management Made Visual
```bash
# Install Docker
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER

# Install Portainer
docker volume create portainer_data
docker run -d -p 9443:9443 --name portainer \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:latest
```
Access Portainer at https://[your-pi-tailscale-ip]:9443 from anywhere.
Home Assistant: Smart Home Control
```bash
docker run -d --name homeassistant \
  --restart=unless-stopped \
  -v /home/pi/homeassistant:/config \
  -v /etc/localtime:/etc/localtime:ro \
  --network=host \
  ghcr.io/home-assistant/home-assistant:stable
```
Control your lights, thermostat, and automations from anywhere in the world.
Uptime Kuma: Service Monitoring
```bash
docker run -d --name uptime-kuma \
  --restart=always \
  -p 3001:3001 \
  -v uptime-kuma:/app/data \
  louislam/uptime-kuma:1
```
Get alerts when any of your self-hosted services go down.
Real-World Use Cases
Working From Anywhere
- SSH into your home development server
- Access your NAS files as if you're on the couch
- Print to your home printer from a hotel room
Travel Security
- Use your home connection as an exit node on sketchy hotel WiFi
- Pi-hole blocks ads even when you're abroad
- Access geo-restricted content from "home"
Family Tech Support
- Mail a Pi to your parents' house
- Join their network remotely to fix issues
- Set up Pi-hole to protect them from malicious ads
Self-Hosted Everything
- Jellyfin for media streaming without Plex's cloud dependency
- Vaultwarden for self-hosted password management
- Nextcloud for your own private cloud storage
Security Considerations
This setup exposes no ports to the internet, but a few additional hardening steps are still worth taking:
- Keep everything updated: `sudo apt update && sudo apt upgrade -y`
- Use Tailscale ACLs: Restrict which devices can access which services
- Enable MFA on your Tailscale account
- Monitor access via Uptime Kuma and Tailscale's audit logs
- Disable password SSH: Use Tailscale SSH or key-based auth only
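Two items on this list can be checked mechanically. The following is an added example, not code from the original article: it flags Docker ports published on every interface (as the Portainer and Uptime Kuma commands above do) and sshd settings that still allow password logins. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.

# stdin:  `docker ps --format '{{.Names}}\t{{.Ports}}'`
# stdout: one "WIDE <container> <port>" line per port published on every
#         interface (0.0.0.0, :: or [::]) rather than on one chosen address.
audit_docker_ports() {
  awk -F '\t' '{
    n = split($2, maps, ", ")
    for (i = 1; i <= n; i++) {
      if (maps[i] !~ /^(0\.0\.0\.0|\[::\]|::):[0-9]/) continue
      split(maps[i], side, "->")
      port = side[1]; sub(/.*:/, "", port)
      if (!seen[$1 " " port]++) print "WIDE", $1, port
    }
  }'
}

# stdin:  effective sshd settings as printed by `sshd -T` (lowercase keys)
# stdout: one "WEAK <key> <value>" line per setting that still allows
#         password-style or direct root login.
audit_sshd() {
  awk '
    ($1 == "passwordauthentication" || $1 == "kbdinteractiveauthentication" ||
     $1 == "permitrootlogin") && $2 == "yes" { print "WEAK", $1, $2 }'
}

# Constructed samples: Portainer and Uptime Kuma published as in the article,
# plus a container bound to a made-up Tailscale address for contrast.
sample_ports() {
  printf 'portainer\t0.0.0.0:9443->9443/tcp, :::9443->9443/tcp, 8000/tcp\n'
  printf 'uptime-kuma\t0.0.0.0:3001->3001/tcp, [::]:3001->3001/tcp\n'
  printf 'jellyfin\t100.101.102.103:8096->8096/tcp\n'
}
sample_sshd() {
  printf 'permitrootlogin without-password\npasswordauthentication yes\n'
  printf 'kbdinteractiveauthentication no\npubkeyauthentication yes\n'
}

if [ "${1:-}" = "--live" ]; then   # run against the Pi itself
  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_docker_ports
  sudo sshd -T | audit_sshd
else                               # default: run over the constructed samples
  sample_ports | audit_docker_ports
  sample_sshd | audit_sshd
fi
```

Containers started with `--network=host`, such as the Home Assistant container above, have an empty Ports column, so the first check does not see them. A flagged port can be narrowed by publishing it on a single address, for example `-p <tailscale-ip>:9443:9443`.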
The Bottom Line
For under $100 in hardware and $0/month in software costs, you get:
- A secure VPN that works everywhere
- Network-wide ad blocking
- Complete smart home control
- Your own private AI server
- Service monitoring and alerts
- Access to every device on your home network
All running on a device that sips 5 watts of power.
The best part? Once it's set up, it just works. No subscriptions. No cloud dependencies. No data leaving your control.
Your home network, everywhere you go.