Tailscale For The Win

May 17, 2026

#tailscale, #wireguard, #homelab


This was a long time coming. After all, which homelab-ber does not run Tailscale? I have a very large (read: super large) collection of media that I have always missed accessing outside of my home network, but I do not want it to be publicly accessible like Navidrome. I believe a separate post for my home lab setup is warranted. But we’ll reserve that for another time.

What do I know about Tailscale? Just that it is a lean setup for WireGuard tunnels. I haven’t had time to venture into understanding what it is beyond that. Conceptually though, it makes sense and so I’m sticking with that definition for now.

For some reason, I have kept putting off setting up Tailscale for a while. Perhaps it was because trying to set up my own OIDC (short for OpenID Connect) provider took a very, very long time and ran into debating whether I should continue running my DO droplet or explore Hetzner like the other internet folks do. I got tired of that and, for the moment, I have gone ahead with using GitHub to prove my identity.

Right now, I have a single-point agenda: set up an LXC container for Tailscale and include a reverse proxy to Jellyfin and Immich.

I assume you run Proxmox as your hypervisor. But the setup should be very similar in any other home lab env.

Step 1 - Install Tailscale

To keep this post super brief, I’m going to refer you to the super nice tutorial that the Tailscale folks have already put together here. We’ll only differ in the way we provide access to the Tailnet.

Having individual LXC containers run Tailscale seems like a waste of resources and frankly a security nightmare. I like how the Cloudflare Tunnel setup works, where I can set up a single tunnel container and have it route all my requests to any of my subnetworks. Perhaps this is possible natively in Tailscale too, I wonder? Will need to check on that sometime.

Step 2 - Use a Reverse Proxy

For now though, I set up Caddy as a reverse proxy to forward requests internally.

# apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
# curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
# chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg
# chmod o+r /etc/apt/sources.list.d/caddy-stable.list
# apt update && apt install caddy

The latest on the above can be found here.

Caddyfile setup

$ cat /etc/caddy/Caddyfile
:80 {
    root * /usr/share/caddy
    file_server
}

# Used vanilla port for Jellyfin
:8096 {
    reverse_proxy 192.168.1.133:8096
}
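
A bare `:8096` site address makes Caddy listen on every interface of the container, the LAN side included. The shell helper below is an added example, not part of the original post: it prints a site block that uses Caddy's `bind` directive to listen on the tailnet address only, and refuses any address outside 100.64.0.0/10. The function names and the sample address 100.101.102.103 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): print a Caddy site block that
# listens only on the container's tailnet address instead of every interface.

# Succeeds only if $1 is an IPv4 address inside 100.64.0.0/10, the range
# Tailscale hands out tailnet addresses from.
is_tailnet_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # empty, stray chars, misplaced dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (input is digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    # 100.64.0.0/10 spans 100.64.0.0 through 100.127.255.255
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# render_site_block <tailnet-ip> <listen-port> <upstream host:port>
render_site_block() {
    ts_ip=$1; port=$2; upstream=$3
    if ! is_tailnet_ipv4 "$ts_ip"; then
        echo "refusing to bind: '$ts_ip' is not a tailnet address" >&2
        return 1
    fi
    # 'bind' restricts the listener to one address; a bare ':PORT' site
    # would otherwise accept connections on the LAN interface as well.
    printf ':%s {\n\tbind %s\n\treverse_proxy %s\n}\n' "$port" "$ts_ip" "$upstream"
}

# Demo with a constructed tailnet address and the Jellyfin upstream from the post.
# On the real container, pass "$(tailscale ip -4)" as the first argument.
render_site_block 100.101.102.103 8096 192.168.1.133:8096
```

Caddy can only bind an address that already exists on the host, so it has to start after tailscaled has brought the Tailscale interface up.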

And voila! I was able to stream my media over the Tailnet from my Proxmox server to an Android phone connected over the public internet without hiccups. (1080p works. 4K struggles. But that can also be due to transcoding issues. Haven’t checked that yet.)

What Next?

This has definitely piqued my curiosity to understand Tailscale and Tailnet more! Importantly, I want to understand WireGuard and how things work. Can this lead me to set up Pangolin eventually? We’ll see.