What You Need to Know Before You Start
Tailscale turns the messy problem of secure remote access into something you can solve in under 30 minutes. Built on WireGuard, it creates a private mesh network across all your devices – no port forwarding, no static IPs, no manual certificate management. Every device you add gets a stable private IP address on what Tailscale calls your “tailnet,” and traffic between devices is encrypted end-to-end without routing through a central server.
The free tier covers up to 100 devices and 3 users, which is more than enough for personal use and small teams. Tailscale runs on Windows, macOS, Linux, iOS, Android, and even Raspberry Pi. For this guide, you will configure a basic tailnet connecting two machines – a home server and a remote laptop – and test authenticated access between them. Once that core setup works, everything else (exit nodes, subnet routing, access control lists) follows the same pattern.
Before starting, confirm you have admin access on both machines. On Linux, you will need sudo privileges. On Windows and macOS, you need an account with administrator rights. You also need an identity provider to log in – Tailscale supports Google, Microsoft, GitHub, and Apple accounts, plus custom OIDC providers on paid plans.

Step 1: Create Your Tailscale Account
Go to tailscale.com and click “Get started.” Choose your identity provider – Google and GitHub are the fastest options since most people already have those sessions active in their browser. Tailscale does not store your password; it delegates authentication entirely to the provider you select.
Once logged in, you land in the admin console at login.tailscale.com/admin. This is where you manage devices, users, and access control rules. Bookmark it now. You will be back here repeatedly as you expand your network.
Step 2: Install Tailscale on Your First Device
On Windows or macOS, download the installer from tailscale.com/download. Run it, sign in with the same identity provider you used during account creation, and Tailscale will handle the rest. A tray icon appears in the system menu, showing your device’s Tailscale IP address (always in the 100.x.x.x range).
On Ubuntu or Debian Linux, run the following in your terminal:
- Add the Tailscale package repository: curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
- Add the repo to your sources list: curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
- Install the package: sudo apt-get update && sudo apt-get install tailscale
- Authenticate the device: sudo tailscale up
The tailscale up command outputs a URL. Open it in a browser, log in, and approve the device. After approval, run tailscale ip -4 to confirm your assigned 100.x.x.x address. That address is now permanent for this device as long as it remains in your tailnet.
On Raspberry Pi running Raspberry Pi OS, the process is identical to Debian above. Tailscale works cleanly on ARM hardware with no extra configuration needed.
Step 3: Install Tailscale on Your Second Device
Repeat Step 2 on every other machine you want on the network. Each device you authenticate shows up automatically in your admin console under “Machines.” Two devices connected to the same tailnet can reach each other directly using their 100.x.x.x addresses – no configuration on your router, no firewall rules, no VPN server to maintain.
Test basic connectivity immediately after the second device connects. From either machine, run ping [other-device-tailscale-ip]. If packets return, your encrypted tunnel is working. If they do not, check that Tailscale is running on both devices (the tray icon on Windows/macOS should show “Connected,” and on Linux tailscale status should show both machines as “active”).

Step 4: Enable MagicDNS for Hostname Access
Typing 100.x.x.x addresses is workable but inconvenient. Tailscale’s MagicDNS feature lets you reach devices by name instead. In the admin console, go to DNS in the left sidebar and toggle on “MagicDNS.” Once enabled, every device on your tailnet is reachable by its machine name – so instead of ssh user@100.101.102.103, you can run ssh user@my-home-server.
MagicDNS names follow the pattern machinename.tailnet-name.ts.net, but you can also use just the short hostname within your tailnet. The DNS resolution happens through Tailscale’s own resolver and does not touch your ISP’s DNS or leak query data externally.
Step 5: Set Up an Exit Node (Optional but Recommended)
An exit node routes all your internet traffic through a specific device on your tailnet – useful when you are on an untrusted network like a hotel Wi-Fi and want all traffic encrypted and exiting from your home connection.
To configure a device as an exit node, run this on the machine that will serve as the exit point:
- sudo tailscale up --advertise-exit-node
Then go to the admin console, find that device under Machines, click the three-dot menu, and select “Edit route settings.” Enable the exit node option there. On the client device that will use the exit node, open Tailscale settings, select “Use exit node,” and pick the machine you just configured. All traffic from that client now routes through your home server before hitting the internet.
Step 6: Configure Access Control Lists
By default, every device on your tailnet can reach every other device. For personal use, that is fine. For small teams or shared setups, you want tighter rules. Tailscale uses a JSON-based ACL system managed in the admin console under “Access controls.”
A basic policy that lets tailnet members reach devices carrying a specific tag on the SSH port only looks like this (both fragments live in the same policy file; the tag definition is a top-level key and the rule is an entry in the "acls" array):
- Define a tag: "tagOwners": { "tag:server": ["autogroup:admin"] }
- Write an ACL rule: { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:22"] }
Tags are applied to devices in the Machines list. The ACL editor in the admin console validates your JSON before saving, so syntax errors get caught before they affect live traffic. Start simple – get basic device-to-device access working before layering in tag-based restrictions.
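To see how that rule is interpreted, here is an added example (not Tailscale's own code): a simplified Python model of policy evaluation, default deny, covering only the selector forms used on this page. The device names and the user login are constructed.

```python
import json

# Policy from this guide: tagOwners at the top level, the rule inside "acls".
POLICY = json.loads("""
{
  "tagOwners": { "tag:server": ["autogroup:admin"] },
  "acls": [
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:22"] }
  ]
}
""")

# Constructed sample tailnet (hypothetical names): user-owned devices carry a
# login, tagged devices carry tags and no user identity.
DEVICES = {
    "laptop": {"user": "alice@example.com", "tags": set()},
    "my-home-server": {"user": None, "tags": {"tag:server"}},
}

def _matches(selector, device):
    """Does a src/dst selector (without port) cover this device?"""
    if selector == "*":
        return True
    if selector == "autogroup:member":
        return device["user"] is not None       # any user-owned device
    if selector.startswith("tag:"):
        return selector in device["tags"]
    return device["user"] == selector           # explicit user login

def is_allowed(policy, src_name, dst_name, port):
    """True if some accept rule covers src -> dst:port; otherwise default deny."""
    src, dst = DEVICES[src_name], DEVICES[dst_name]
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_matches(s, src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, dport = entry.rpartition(":")   # "tag:server:22" -> host, "22"
            if _matches(host, dst) and dport in ("*", str(port)):
                return True
    return False

def can_apply_tag(policy, tag, user_is_admin):
    """tagOwners: only listed owners may apply a tag (autogroup:admin = admins)."""
    return "autogroup:admin" in policy.get("tagOwners", {}).get(tag, []) and user_is_admin

if __name__ == "__main__":
    print(is_allowed(POLICY, "laptop", "my-home-server", 22))   # True: SSH allowed
    print(is_allowed(POLICY, "laptop", "my-home-server", 80))   # False: no rule covers it
```

Note that the rule is one-directional: the tagged server has no user identity, so it is not an autogroup:member and cannot initiate a connection back to the laptop under this policy.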
Step 7: Test and Verify Your Setup
Run tailscale status on any device to see all connected machines, their IPs, and whether they are currently reachable. To check the path your traffic is taking, run tailscale ping [device-name] – this shows whether the connection is direct (peer-to-peer) or relayed through a DERP server. Direct connections are faster; DERP relay means NAT traversal did not fully succeed, which can happen on very restrictive networks but still works correctly.
For SSH access specifically, connect with ssh user@machinename using the MagicDNS hostname. If you want an extra layer of security beyond your SSH keys, Tailscale supports SSH session recording and user-level SSH authorization through its Tailscale SSH feature, which you enable with sudo tailscale up --ssh and manage through ACLs.

Key Takeaways
Tailscale’s real advantage over traditional VPN setups is that the hard parts – key exchange, certificate rotation, NAT traversal – happen automatically. You are not maintaining an OpenVPN config file or renewing certificates on a schedule.
- Your tailnet IP (100.x.x.x) is permanent for each device and does not change even if your home IP does.
- MagicDNS eliminates the need to track IP addresses – use hostnames instead.
- Exit nodes protect you on untrusted Wi-Fi by routing all traffic through a trusted machine.
- ACLs are optional for personal use but essential if you are sharing tailnet access with others.
- tailscale status and tailscale ping are your primary debugging tools when something does not connect.
One thing to watch: Tailscale’s coordination server (the part that handles authentication and key distribution) is managed by Tailscale the company. Your traffic itself never passes through their servers, but if their coordination server goes down, new authentications fail. For fully self-hosted control, Headscale is an open-source alternative that replicates the coordination layer – worth considering if your setup involves sensitive infrastructure that cannot depend on a third-party service.