How Tailscale Turns WireGuard Into a Seamless Virtual LAN for Remote Work
This guide explains how Tailscale, built on WireGuard, creates a secure virtual LAN across devices, outlines its key features, installation methods on various platforms, command‑line usage, subnet routing, and advanced setups like custom relays for remote access and development.
Tool Overview
Tailscale is a virtual networking tool based on WireGuard that places machines running the Tailscale service into the same logical LAN, whether they are PCs at home, office, or cloud servers.
Key Features
No public IP required
No firewall configuration needed
No additional setup
High security and privacy
Automatic key rotation
Built on WireGuard® encryption
Peer‑to‑peer connections
Audit logs for end‑to‑end access
Fine‑grained access control
Low latency and unlimited speed, limited only by the uplink bandwidth
Typical Use Cases
File transfer via built‑in taildrop (cross‑platform)
Remote development by connecting a laptop to a powerful desktop or server
Service proxy using TLS connections between nodes
Getting Started
After clicking Get Started on the Tailscale website, you can log in with Google, Microsoft, or other supported accounts. Installation varies by platform:
Linux:
# linux
$ curl -fsSL https://tailscale.com/install.sh | sh
Docker:
# docker run -d --name=tailscaled \
-v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun \
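--network=host --privileged fastandfearless/tailscale tailscaled
Note that fastandfearless/tailscale is a third‑party image and this command runs it with --privileged and host networking; Tailscale also publishes an official image, tailscale/tailscale.
macOS: install via Homebrew after using a non‑China Apple ID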
Android: install from Google Play (requires VPN access)
Command‑Line Usage
# tailscale status
# tailscale ip
These commands show the assigned Tailscale IP and the status of all nodes.
Subnet Routing and Advanced Configuration
To expose an entire internal network, enable IP forwarding on a Linux gateway and advertise routes:
# echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
# echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
# sudo sysctl -p /etc/sysctl.conf
Then run:
# sudo tailscale up --advertise-routes=20.13.3.0/24
Enable the routing feature in the Tailscale admin console.
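A pre-flight check for the subnet-router steps above, as an added example that is not part of the original article: it reads the effective forwarding values from a sysctl.conf-style file (the last assignment wins, which matters after repeated `tee -a` runs) and validates the route before it is advertised. The function names and the /8 minimum prefix are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks for a subnet router (hypothetical helpers).

# Print the effective value of KEY in a sysctl.conf-style FILE. Repeated
# `tee -a` runs leave duplicate lines; the last assignment wins on load.
sysctl_effective() {  # usage: sysctl_effective FILE KEY
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }   # comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Succeed only for a well-formed IPv4 CIDR with zero host bits and a prefix
# of /8 or longer (assumed floor), so a typo cannot advertise a huge range.
cidr_ok() {  # usage: cidr_ok A.B.C.D/LEN
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*|0[0-9]*|???*) return 1 ;; esac
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    ip=0
    for octet in "$@"; do
        case "$octet" in ''|0[0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        ip=$(( ip * 256 + octet ))
    done
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq "$ip" ]
}

# Return 0 only when both forwarding keys are 1 and the route passes cidr_ok.
preflight() {  # usage: preflight SYSCTL_FILE CIDR
    [ "$(sysctl_effective "$1" net.ipv4.ip_forward)" = 1 ] || return 1
    [ "$(sysctl_effective "$1" net.ipv6.conf.all.forwarding)" = 1 ] || return 1
    cidr_ok "$2"
}

# Stand-alone use: sh preflight.sh /etc/sysctl.conf 20.13.3.0/24
if [ $# -eq 2 ]; then
    preflight "$1" "$2" && echo "ok to advertise $2" || echo "not ready: $2"
fi
```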
Custom Relay (Derper) Setup
For more relay nodes, you can deploy derper written in Go. Example configuration:
# go install tailscale.com/cmd/derper@main
# sudo derper -c=/root/derper.conf -hostname=example.com -a=:443 -stun
Create a systemd service for automatic start:
[Unit]
Description=derper service
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/home/escape/.go/bin/derper -c=/root/derper.conf -hostname=example.com -a=:443 -stun
[Install]
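WantedBy=multi-user.target
Note that Let’s Encrypt certificates require a publicly accessible domain and may fail on servers located in mainland China.
As configured, the relay serves any client that can reach it; derper's -verify-clients flag, which checks clients against a tailscaled running on the same host, restricts it to your own nodes. The unit also runs derper as root from /home/escape/.go/bin, so that directory and binary should be writable only by root.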
Additional Commands
List all nodes and their IPs:
tailscale status
Show only the local Tailscale IP:
tailscale ip
