    No Open Ports — Reaching My Server from Anywhere with Tailscale
    Self-hosting build guide part 16. If part 9 was the road for visitors to enter the blog (Cloudflare Tunnel), this is the road for me alone to get inside my server.

    The companion part: Part 9 — Invisible Bridge (Cloudflare Tunnel)


    TL;DR

    • Problem: I want to reach my home server by remote desktop or SSH — from outside, or from a laptop in another room. But opening a port is dangerous.
    • Old method: Open a remote-desktop port on the router → bots brute-force the login 24/7.
    • New method: Tailscale — bundle my devices (server, laptop, phone) into one encrypted private network. Zero holes in the router.
    • Why it’s safe: Nothing is exposed to the internet + end-to-end encryption between devices + only my logged-in devices may enter.
    • Tool: Install the Tailscale app on each device and sign in with the same account. 5 minutes.
    • Cost: $0 (free for up to 100 devices on a personal plan).

    1. The Problem — How Do I Get Into My Server?

    Once you run a small server at home, this need shows up fast: you want to reach it by remote desktop (see the screen as-is) or SSH (a terminal) — from outside, or from another room in the same house.

    The classic old way is to open a port on the router (port forwarding). And that’s where the trouble starts.

    Trouble                 Why
    Brute-force attacks     Open a remote-desktop port to the internet and bots start guessing passwords the moment it is up
    One thin password       If a guess lands, the attacker has the whole server; the login prompt is the only barrier
    Location exposure       IP geolocation turns your public IP into a rough area (city or region)
    Address churn           When the ISP rotates your public IP, the address you connect to changes with it

    Exposing remote desktop directly to the internet is close to security suicide. (Part 9 handled visitor traffic; this is a channel only I, the admin, use, so it’s even more sensitive.)


    2. A Different Idea — Don’t Open Ports, Network the Devices

    Here’s the shift in thinking: Don’t open a door for the outside to come in. Instead, build a separate encrypted private network that only my own devices share.

    Tailscale does exactly this. Its engine is WireGuard (a modern, fast encrypted-tunnel protocol), and Tailscale creates those WireGuard tunnels for you: key distribution, NAT traversal and peer discovery happen automatically, with no manual WireGuard configuration.

    Once installed, my devices join one private network (a “tailnet”), and each device gets a private address of the form 100.x.y.z (from the 100.64.0.0/10 range). That address is not routable on the public internet and is reachable only by other devices on the same tailnet. Even far apart, they connect as if on the same LAN cable.


    3. Why It’s Safe — A Matchmaker and a Phone Call

    Tailscale’s cleverest design is separating coordination (control) from data. A matchmaker analogy makes it click.

    • Coordination server = the matchmaker: Tailscale’s servers authenticate devices and introduce them to each other. “These two belong to the same owner, so they may connect” — and they exchange the devices’ public keys. But they never carry the actual conversation.
    • Data = the actual call: Real traffic, like your remote-desktop screen, flows directly between devices (peer-to-peer), end-to-end encrypted by WireGuard. It does not pass through the company’s servers. (When a direct path cannot be punched through a NAT, it falls back to one of Tailscale’s encrypted relays; that relay forwards ciphertext it cannot read.)

    That yields three layers of security:

    Safeguard                What it means
    Zero exposed ports       The server’s remote-desktop port never appears to the internet, so there is no target for scanners
    End-to-end encryption    WireGuard encrypts every link between devices. Intercept it and you still cannot read it
    Identity-based entry     Not a shared password: only devices signed into my account join the network. A lost device can be removed from the admin console immediately

    Each device’s private key never leaves that device. Only public keys go to the coordination server, so a breach there does not let anyone decrypt your traffic. What a compromised control plane could do, in principle, is introduce an attacker’s device as a new peer; Tailscale’s tailnet lock feature closes that gap by requiring new nodes to be signed by devices you already trust. Note, too, that Tailscale removes the internet-facing attack surface; it does not replace strong authentication on the service behind it, so keep SSH on keys and the remote-desktop password strong.


    4. Traffic Flow — Old vs New

    

    The old way punches a hole in the router that anyone can knock on. The new way wires an encrypted tunnel directly between my own devices and opens no door at all to outsiders.


    5. How Is This Different from Cloudflare Tunnel?

    It’s easy to confuse this with Cloudflare Tunnel from part 9. They aren’t competitors — they’re complementary tools with different jobs.

                Cloudflare Tunnel (part 9)          Tailscale (this part)
    Goal        Publish the blog to visitors        Private access for me
    Audience    Anyone, worldwide (https)           Only my signed-in devices
    Used for    Exposing a blog/website             Remote desktop, SSH, admin
    Analogy     Hotel front desk (guides guests)    A staff-only back hallway

    Publish the blog to the world with Cloudflare Tunnel, and get into that same server to manage it with Tailscale. Running both on one server doesn’t conflict at all.


    6. How to Use It — 5 Minutes

    The idea is simple: install the app on every device you want to reach, sign in with the same account, done.

    1. Install Tailscale on the server (e.g., a Linux mini-PC) → sign in
    2. Install the Tailscale app on your laptop and phone → sign in with the same account
    3. Now every device joins one private network and gets a 100.x.x.x address
    4. For remote desktop or SSH, connect to the server’s Tailscale address

    Turn on MagicDNS and you can connect by device name instead of the address (e.g., myserver → that device). The private address, once assigned, doesn’t change, so you can keep it like a bookmark.
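    The server-side half of that procedure as a runnable script, added here as an example; it is not from the original post and not Tailscale’s own tooling. It wraps the official install script and the tailscale up / tailscale ip / tailscale status commands, and adds a small awk summary of tailscale status that sorts peers into direct, relayed, offline and self. The names myserver and admin are illustrative. The status sample embedded in the script is constructed: it follows the column layout tailscale status prints (address, name, owner, OS, state), which is an assumption you should check against your own output.

```shell
#!/bin/sh
# Added example for the "5 minutes" procedure: the Linux server side.
# Not from the original post and not Tailscale's own tooling.
# Assumes a Debian/Ubuntu-style host where the official install script works;
# "myserver" and "admin" are illustrative names.

# Step 1: install (if needed) and join the tailnet. The first `tailscale up`
# prints a login URL; sign in there with the SAME account the laptop and
# phone use, otherwise the devices land in different tailnets.
join_tailnet() {
    if ! command -v tailscale >/dev/null 2>&1; then
        curl -fsSL https://tailscale.com/install.sh | sh
    fi
    sudo tailscale up
}

# Step 2: print what the laptop side needs: the stable 100.x.y.z address
# (bookmark it) and the MagicDNS name, which is the machine's hostname.
report_identity() {
    echo "tailnet IPv4 : $(tailscale ip -4)"
    echo "MagicDNS name: $(hostname)   (e.g. ssh admin@$(hostname) from the laptop)"
    tailscale status
}

# Summarise `tailscale status` read from stdin. ASSUMPTION: each peer line is
# "<ip> <name> <owner> <os> <state...>" where state is "-" for this machine,
# "active; direct ..." or "active; relay ..." for live peers, "offline" for
# peers not running Tailscale, and "idle..." otherwise. Lines starting with
# "#" (health-check notes) are skipped. Output: "<kind> <ip> <name>".
summarize_status() {
    awk '
        /^#/ || NF < 5 { next }
        {
            state = $5
            for (i = 6; i <= NF; i++) state = state " " $i
            if (state == "-")                   kind = "self"
            else if (state ~ /^offline/)        kind = "offline"
            else if (state ~ /^active; direct/) kind = "direct"
            else if (state ~ /^active; relay/)  kind = "relay"
            else                                kind = "idle"
            printf "%s %s %s\n", kind, $1, $2
        }'
}

# Constructed sample (not real output) in that layout, so the summary can be
# tried without a tailnet. "direct" is the peer-to-peer case from section 3;
# "relay" is the fallback described in the FAQ; "offline" is pitfall 3.
SAMPLE_STATUS='# Health check:
#     - example health note
100.101.102.103 myserver             admin@       linux   -
100.104.105.106 laptop               admin@       windows active; direct 203.0.113.5:41641, tx 9144 rx 20548
100.107.108.109 phone                admin@       android offline
100.110.111.112 old-laptop           admin@       macOS   active; relay "fra", tx 120 rx 80'

# How many peers of a given kind (self|direct|relay|offline|idle) are in the sample.
count_kind() {
    printf '%s\n' "$SAMPLE_STATUS" | summarize_status | grep -c "^$1 " || true
}

case "${1-}" in
    join)   join_tailnet; report_identity ;;         # run on the server, once
    status) tailscale status | summarize_status ;;   # afterwards, on any device
    *)      printf '%s\n' "$SAMPLE_STATUS" | summarize_status ;;
esac
```

    Run it once as sh join.sh join on the server; later, sh join.sh status on any device shows at a glance which peers are talking directly, which are going through a relay (a hint that NAT traversal failed), and which are simply switched off. Without arguments it summarises the constructed sample.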


    7. Pitfalls — What We Actually Hit

    Pitfall 1. Connecting via the LAN IP gets blocked

    A device on the same home network has two addresses: the LAN IP the router gave it (192.168.x.x) and the private address Tailscale gave it (100.x.y.z). If you “safely” lock the server’s firewall so that a port is only allowed in on the Tailscale interface, then connecting to that port over the LAN IP is dropped by the firewall, even from the next room.

    The symptom is nasty: ping works and SSH (22) works, but remote desktop alone fails, because only the remote-desktop port had been restricted to the Tailscale path. Even inside the same house, you must connect via the Tailscale address. Not knowing this, we burned a while wondering “why doesn’t it work even at home?” (The saved connection address was set to the LAN IP; that was the culprit.)
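    One consistent firewall policy for the situation above, added here as an example (not from the original post): SSH and RDP are admitted only on the Tailscale interface, so both behave the same way over the LAN, and a small classifier tells you whether the address saved in a remote-desktop or SSH bookmark is a tailnet address (100.64.0.0/10), a LAN address (RFC 1918), or a public one. It assumes ufw on a Debian/Ubuntu server, a Tailscale interface named tailscale0, and port 3389 as the remote-desktop port (the Windows default); the commented LAN break-glass line is optional and the 192.168.1.0/24 subnet in it is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): admit SSH and RDP only through
# the tailnet, and explain why a bookmark that still points at the LAN IP
# stops working. Assumes ufw, a Tailscale interface called tailscale0, and
# RDP on 3389 (illustrative; use your real port).

# Dotted-quad IPv4 -> integer, with plain shell arithmetic (no external tools).
ip_to_int() {
    ip_saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ip_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <addr> <network/bits>: true when addr lies inside the block.
in_cidr() {
    cidr_addr=$(ip_to_int "$1")
    cidr_net=$(ip_to_int "${2%/*}")
    cidr_bits=${2#*/}
    cidr_mask=$(( (1 << 32) - (1 << (32 - cidr_bits)) ))
    [ $(( cidr_addr & cidr_mask )) -eq $(( cidr_net & cidr_mask )) ]
}

# classify_addr <addr>: "tailnet" (100.64.0.0/10, what Tailscale hands out),
# "lan" (RFC 1918, what the home router hands out) or "public".
classify_addr() {
    if in_cidr "$1" 100.64.0.0/10; then
        echo tailnet
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo lan
    else
        echo public
    fi
}

# Tell the user what the policy below will do with the address they saved.
explain_bookmark() {
    case $(classify_addr "$1") in
        tailnet) echo "$1: tailnet address, admitted by the tailscale0 rules" ;;
        lan)     echo "$1: LAN address, SSH and RDP are not allowed on this path; use the 100.x address" ;;
        *)       echo "$1: public address, the router forwards nothing, so expect no answer" ;;
    esac
}

# The policy. No inbound rule is needed for Tailscale's own UDP traffic:
# it dials out, and ufw accepts the replies as an established flow.
apply_policy() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow in on tailscale0 to any port 22 proto tcp
    ufw allow in on tailscale0 to any port 3389 proto tcp
    # Optional break-glass if you have no console: SSH from the LAN only
    # (192.168.1.0/24 is an illustrative home subnet).
    # ufw allow from 192.168.1.0/24 to any port 22 proto tcp
    ufw --force enable
    ufw status verbose
}

case "${1-}" in
    apply) apply_policy ;;                   # sudo sh lockdown.sh apply
    "")    explain_bookmark 192.168.1.20 ;;  # constructed example of the failing bookmark
    *)     explain_bookmark "$1" ;;          # sh lockdown.sh 100.101.102.103
esac
```

    Apply it from a console or from a session that already runs over Tailscale: once the default becomes deny incoming, an SSH session that came in over the LAN IP will be the next thing to drop. Afterwards, sh lockdown.sh followed by the address in a bookmark says immediately which side of the rule it falls on.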

    Pitfall 2. Both ends must be running

    Tailscale must be up on both devices to connect. If Tailscale is logged out on the laptop, it isn’t on the network, so of course it can’t connect. It usually auto-starts at boot, but when something’s off, suspect this first.

    Pitfall 3. Long-idle devices drop offline

    A device you haven’t powered on for a while (a phone, say) shows as “offline” in the console. Turn it on and sign in to bring it back. Separately, each device’s node key expires after a while (180 days by default) and the device then has to re-authenticate; for a server that should never need a hands-on sign-in, disable key expiry for that machine in the admin console. Tidying the device list now and then helps.


    8. Verification

    The fastest way to confirm the connection (with Tailscale on at both ends):

    ① Is the server’s private address alive? Run ping <server's Tailscale address> and watch for replies.

    ② Does the target port actually reach? On Windows, in PowerShell:

    Test-NetConnection -ComputerName <server Tailscale address> -Port <port>

    If TcpTestSucceeded : True shows up, the private tunnel is healthy. Now point remote desktop or SSH at that address. If ping answers but the port test fails, the tunnel is fine and the server’s firewall or the service itself is the problem (see pitfall 1). On Linux or macOS a TCP port probe with nc plays the same role as Test-NetConnection.


    FAQ

    Q. Can I use it together with Cloudflare Tunnel?
    Yes. Different jobs. Publish the blog via Cloudflare Tunnel, and manage the server (remote desktop, SSH) via Tailscale. No conflict.

    Q. What’s the free limit?
    The personal plan is free for up to 100 devices and 3 users. For bundling a few home servers, that’s effectively free forever.

    Q. Does Tailscale’s company see my traffic?
    No. The company’s servers only introduce; the actual data flows directly between devices, encrypted. (On tricky networks where a direct link fails, it goes through one of Tailscale’s encrypted relays, the DERP servers; even then it is decrypted only at the two ends, so the relay sees nothing but ciphertext.)

    Q. What if power or internet drops?
    If the server goes down, it leaves the network. When it comes back, it rejoins automatically. The network itself is tied to your account and stays intact.

    Q. Is this used at companies too?
    Yes. It’s widely used in companies as a “zero trust” (trust nothing by default) way to reach internal networks. A home lab just applies the same principle for free.


    One-Line Summary

    To reach a home server from anywhere, instead of the old way of opening a router port and inviting bot attacks, build an encrypted private network of just your own devices with Tailscale. WireGuard encrypts end to end, and no inbound port is opened on the router. Setup is installing the app on each device and signing in with the same account: 5 minutes.


    References