Forem

The Software's Journey profile image Willem van Heemstra
Willem van Heemstra for The Software's Journey

Posted on

Satellite Tailscale โ€” Ep.1

#tailscale #networking #vpn #security

๐Ÿ›ฐ๏ธ Satellite Tailscale โ€” Episode 1: Your Personal Satellite Network

"Come with me if you want to connect."
โ€” Arnold Schwarzenegger, The Terminator (had he been a network engineer)

๐Ÿ“ก Houston, We Have a Problem

Picture this. You are sitting in your favourite coffeeshop. The flat white is perfect. The wi-fi is terrifying. You have your iPad Mini in hand, and somewhere back home, your Mac Mini M4 Pro is sitting quietly on your desk โ€” doing nothing, like a loyal dog waiting for its owner.

You want to access that Mac Mini. You want to open a terminal. You want to browse its files. You want to be there, without physically being there.

What do you do?

Option A: You set up port forwarding on your home router, expose ports to the public internet, publish your IP address to the world, and pray that no one is scanning for open ports. (Spoiler: they are. They always are. They never stop.)

Option B: You install Tailscale.

One of these options takes four minutes. The other takes four hours and leaves you with a mild sense of existential dread and a router config file that looks like it was written by the Terminator during a coffee withdrawal episode.

We are going with Option B.

๐ŸŒ The Satellite Metaphor

Throughout this series, we will think of Tailscale through the lens of satellites connecting hemispheres.

Your devices โ€” your iPad Mini, your Mac Mini, maybe a Raspberry Pi in the basement โ€” are like ground stations. They are scattered across different physical locations. Some are in coffeeshops. Some are in home offices. Some are in server racks in a data centre in Amsterdam.

Tailscale is the orbital relay system that connects them all. It does not require you to poke holes in firewalls, maintain a VPN server, or understand the dark arts of iptables. It creates an encrypted, private mesh network between your devices โ€” a tailnet โ€” that behaves as if all your machines are on the same local network, no matter where on Earth they physically are.

Your iPad Mini in the coffeeshop and your Mac Mini M4 at home are now in the same hemisphere. Digitally speaking.

Arnold would call this "a masterpiece of infiltration." We call it Tuesday.

๐Ÿ“‹ SIPOC โ€” The Mission at a Glance

Before we fire up the rockets, let us do what all serious engineers do: draw a SIPOC table. If you are not familiar, SIPOC stands for Suppliers, Inputs, Process, Outputs, Customers. It is the satellite view of the process โ€” before you zoom in on the details.

Suppliers Inputs Process Outputs Customers
Tailscale Inc. Your devices (iPad Mini, Mac Mini, etc.) Install Tailscale โ†’ Sign in โ†’ Done A secure private mesh network (tailnet) You, sitting in a coffeeshop with a flat white
WireGuardยฎ protocol Your Tailscale account Devices authenticate with the coordination server Encrypted point-to-point tunnels Your future self, who never has to expose port 22 again
Your identity provider (Google, GitHub, etc.) Network conditions (NAT, firewalls, etc.) Tailscale handles NAT traversal automatically MagicDNS names for every device Your colleagues, your family, your home server
Your ISP A spare 15 minutes Tailscale assigns each device a stable IP Access to all your devices, from anywhere Anyone you invite to your tailnet

๐Ÿ“Œ Note: The "spare 15 minutes" is the most expensive input in the table. Guard it well.

๐Ÿš€ What This Series Covers

Over the next several episodes, we will build your personal satellite network from the ground up:

  • Episode 1 (this one): The big picture โ€” what Tailscale is and why it feels like magic
  • Episode 2: Launching your first satellite โ€” installing Tailscale on your first device
  • Episode 3: The mobile ground station โ€” Tailscale on your iPad Mini
  • Episode 4: Home base โ€” Tailscale on your Mac Mini M4 Pro
  • Episode 5: Mission Control โ€” MagicDNS and ACLs
  • Episode 6: Beaming commands โ€” Tailscale SSH
  • Episode 7: Full remote desktop โ€” Tailscale + RustDesk across hemispheres โญ
  • Episode 8: Orbital maneuvers โ€” Exit Nodes and Subnet Routing

By the end, you will have a fully connected personal network that would make even the Terminator whistle appreciatively. (He does not whistle. But if he did, this is when.)

๐Ÿค– How Tailscale Actually Works (The Short Version)

Tailscale is built on WireGuardยฎ, a modern, blazing-fast VPN protocol that lives in the Linux kernel. WireGuard is the engine. Tailscale is the car, the GPS, the heated seats, and the person who pre-loads your favourite playlist before the journey.

The magic happens in three parts:

  1. The coordination server (run by Tailscale) โ€” handles authentication and key exchange. It never sees your traffic, only the metadata needed to connect devices.
  2. The WireGuard tunnel (runs on your device) โ€” encrypts all traffic between devices using industry-standard cryptography.
  3. DERP relay servers (Tailscale's Designated Encrypted Relay for Packets) โ€” used as fallback when direct peer-to-peer connection is not possible. Think of these as the geostationary satellites that relay your signal when two ground stations cannot see each other directly.

"It's not a tumor!" โ€” Arnold Schwarzenegger, Kindergarten Cop.
Also: "It's not a traditional VPN!" โ€” Any Tailscale engineer, in any conversation, ever.

And it really is not. There is no central gateway all your traffic passes through. Traffic goes directly between your devices, peer to peer, encrypted end-to-end. The coordination server is the matchmaker, not the chaperone.

โ˜• A Word About the Coffeeshop

You might be thinking: "But the coffeeshop wi-fi uses NAT. My Mac Mini is behind my home router, which also uses NAT. How does peer-to-peer work through two layers of NAT?"

Great question. This is where Tailscale earns its salary.

It uses a technique called NAT traversal โ€” specifically, a combination of STUN, ICE, and its own relay infrastructure โ€” to punch through NAT layers and establish direct connections. In most cases, your iPad Mini and your Mac Mini will connect directly to each other, with no relay in the middle, even when both are behind NAT.

In the rare case where direct connection is not possible (think: extremely restrictive corporate firewalls), Tailscale falls back to a DERP relay. Your data is still encrypted. Tailscale cannot read it. It just gets bounced via a relay satellite instead of going direct.

Either way: you get connected. The coffeeshop wi-fi does not win.

๐Ÿ›ธ What's Next

In Episode 2, we launch the first satellite: we install Tailscale on your first device, create an account, and watch in mild amazement as everything Just Worksโ„ข.

Grab another flat white. The mission begins.

"I'll be back."
โ€” Arnold Schwarzenegger, The Terminator.
Also: Tailscale, reconnecting after a brief network interruption.

๐Ÿ“ก Satellite Tailscale is a series about building your personal mesh network using Tailscale โ€” from a coffeeshop iPad Mini to a home Mac Mini M4 Pro, and everything in between.

Top comments (0)