Unlock Secure Remote LANs with Tailscale and WireGuard
This article introduces Tailscale, a WireGuard‑based virtual networking tool, explains its key security features, shows how to install and configure it on various platforms, and outlines practical use cases such as file transfer, remote development, and network proxying.
Tailscale is a virtual networking tool built on WireGuard that lets machines running the Tailscale service appear on the same LAN, whether they are PCs at home, office, or cloud servers.
Tailscale official website
Tailscale documentation
1. Tool Overview
Tailscale provides a solution for scenarios without public IPs or where exposing public IPs would invite scanning and attacks. Its advantages include:
No registration or login required; ready to use out of the box
No firewall configuration needed
No additional setup
High security and privacy
Automatic key rotation
WireGuard®‑based encryption
Peer‑to‑peer connections
End‑to‑end access logs
Fine‑grained access control
Device sharing for specific Tailscale users
ACLs to restrict device access
Low latency and unlimited speed
Bandwidth limited only by the uplink of each device
2. Installation and Usage
After clicking "Get Started" on the official site, you can sign in with Google, Microsoft, or other supported accounts; personal email accounts require a paid plan.
# linux
curl -fsSL https://tailscale.com/install.sh | sh
# docker installation example
docker run -d --name=tailscaled \
-v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun \
--network=host --privileged fastandfearless/tailscale tailscaled
# show login URL and authorize
docker exec tailscaled tailscale up
# get Tailscale IP address
ip addr show tailscale0
# check device status
docker exec tailscaled tailscale status
# local compilation on macOS
brew install go
go install tailscale.com/cmd/tailscale{,d}@main
sudo $HOME/go/bin/tailscaled install-system-daemon
# to remove the daemon again later: sudo tailscaled uninstall-system-daemon
# "up" is a subcommand of the tailscale client, not of the tailscaled daemon
sudo $HOME/go/bin/tailscale up
tailscale status
After logging in, each device receives a Tailscale IP for intra‑LAN access.
3. Use Cases
Typical scenarios include:
Accessing internal services (e.g., mounting a NAS via WebDAV)
Remote desktop access to PCs or servers (using RDP instead of TeamViewer for better stability)
Setting up a Linux gateway with Subnet Routes to expose devices that cannot run Tailscale directly (e.g., printers)
Creating an HTTP/SOCKS proxy by running a Tailscale node abroad together with a cow proxy server
# install cow proxy
curl -L git.io/cow | bash
# configure
cat /home/escape/.cow/rc
listen = http://100.100.100.100:17777
# systemd service for cow
[Unit]
Description=cow service
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
User=escape
ExecStart=/usr/local/bin/cow -c /home/escape/.cow/rc
[Install]
WantedBy=multi-user.target
For self‑hosted relays, the derper service (written in Go) can be deployed; it obtains Let's Encrypt TLS certificates automatically. Note that domestic servers may need ICP filing (备案) for the domain and cannot use Let's Encrypt directly.
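An added example (not from the original article or from the Tailscale or cow projects): the cow `listen =` line shown earlier binds the proxy to a Tailscale address, and this POSIX shell check flags any listen address outside 100.64.0.0/10, the IPv4 block Tailscale assigns node addresses from. The function names and the sample rc are constructed for illustration; IPv6 addresses are not handled.

```sh
#!/bin/sh
# Added example: check that every proxy "listen" address is a Tailscale address.
# Assumption: Tailscale node IPv4 addresses come from the CGNAT block 100.64.0.0/10.

# Return 0 if $1 is a dotted-quad IPv4 address in 100.64.0.0 - 100.127.255.255.
in_tailscale_range() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Audit rc text ($1) that uses the "listen = scheme://host:port" form.
# Prints one verdict per listen line; returns 1 if any address is out of range.
audit_rc() {
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                        # drop comments
        case $line in
            *listen*=*://*) ;;
            *) continue ;;
        esac
        host=${line#*://}                       # drop "listen = scheme://"
        host=${host%%[: ]*}                     # drop ":port" and anything after
        if in_tailscale_range "$host"; then
            echo "OK    tailnet address: $host"
        else
            echo "FLAG  not a Tailscale address: ${host:-<empty>}"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Constructed sample; only the first listen line is taken from the article.
SAMPLE_RC='# sample rc
listen = http://100.100.100.100:17777
listen = http://0.0.0.0:7777
listen = http://192.0.2.10:8080'

audit_rc "$SAMPLE_RC" || echo "at least one listen address is outside 100.64.0.0/10"
```

The non-zero return status lets the check gate a deployment step before the proxy service is enabled.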
# install derper
go install tailscale.com/cmd/derper@main
# start derper
sudo derper -c=/root/derper.conf -hostname=example.com -a=:443 -stun
# systemd service for derper
[Unit]
Description=derper service
After=network.target
[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/home/escape/.go/bin/derper -c=/root/derper.conf -hostname=example.com -a=:443 -stun
[Install]
WantedBy=multi-user.target
4. Tailscale Commands
Common commands:
# list nodes and IPs
tailscale status
# show assigned IP
tailscale ip
