Tailscale Gives You Remote Access to Your LAN from Anywhere
Since Apple sunsetted macOS’s remote network connector, Back to My Mac, I have looked for a system that would provide full access to devices on my home LAN when I was outside the network (see “Apple Abandoning Back to My Mac in Mojave,” 25 August 2018). I found it in Tailscale, a corporate-grade virtual networking system with a free tier that is as easy to use as clicking a button.
Tailscale’s apps link each device on which they are installed into a virtual LAN (VLAN) built from encrypted virtual private network (VPN) tunnels between your machines. (Tailscale calls this network a “tailnet”; it is an overlay carried across the Internet, not an 802.1Q VLAN configured on a switch.) That VLAN lets each of your devices reach all the others but, by default, blocks all inbound traffic from other parties. In my testing, Tailscale’s technology, built on top of the open-source WireGuard project, is seamless and solid.
You connect to your Tailscale VLAN much as you would any other VPN, such as one you might use to keep your unencrypted traffic and the domains you’re visiting hidden from other café users or ad-targeting snoops. But instead of having the other end of the connection exit at a data center somewhere on the Internet or inside a corporate intranet, the connection drops you into a private network made up of your own devices, wherever they happen to be. One difference worth knowing: by default only traffic to your own devices travels through the tunnel, so your ordinary Web browsing still leaves the café network directly unless you route it through one of your devices configured as an “exit node.”
Although Tailscale is a corporate-oriented product, I’m covering it here in TidBITS because it solves a problem for regular home and small business users, has understandable technology, and offers affordable pricing, including a free plan. Tailscale hits all three notes:
- It circumvents the problems of accessing private networks with non-routable IP addresses set up by home gateways.
- Installation and operation are more or less a single click, with the bonus of superbly well-written documentation.
- Tailscale offers a remarkably generous free plan for personal use: up to 3 users and up to 100 devices across the network.
Let me dig into why and how you, as a roaming user with resources at home or the office, can use Tailscale to your advantage.
Why You Need Tailscale
Network Address Translation, or NAT, is one of the greatest and worst inventions in the history of the Internet. Available on a gateway, like a home router, NAT allows a set of addresses in one network segment to pass through and be transformed (translated) into one or more addresses in another network.
That’s pretty vague, but most of us deal with a specific use case for NAT every day. On a home or small office network, the ISP typically assigns one publicly routable IP address on the Internet side of the connection. The ISP provides that single address either to a broadband modem with gateway features or a device under our control, like a Wi-Fi gateway.
In order to share that single public IP address among all the devices on the LAN, the gateway uses DHCP (the automatic address-assignment protocol) to hand out private addresses drawn from ranges reserved by RFC 1918 that are never assigned to machines on the public Internet: 10.0.0.0–10.255.255.255, 172.16.0.0–172.31.255.255, and 192.168.0.0–192.168.255.255 (addresses like 192.168.0.100 and 10.0.1.1).

When a device within the LAN wants to request a Web page, for instance, its browser sends the query to the LAN’s router, built into the gateway. The request first passes through the NAT software, which creates an entry in an internal table that maps the device’s private address and port to the gateway’s public address and a port the gateway picks. When the response comes back to that public address and port, the NAT looks up the entry and routes the data to the correct privately addressed device. NAT is a traffic cop.
This network address translation happens millions of times each day on your network—and maybe far more. It’s transparent, and it just works.
But what if you want to reach your LAN when you’re outside your home or office? Typically, that means you must “punch through the NAT” by mapping a particular service, like screen sharing, from a fixed private address on the LAN to the service’s port on your network’s public address. You do this by using an administrative interface on your gateway to set up DHCP reservation and port forwarding. DHCP reservation ensures that a device on the LAN always retains the same private address instead of receiving one dynamically from a pool; port forwarding creates a static path so a request to a particular service on the publicly routable IP address on the router is sent to that private address.
This whole setup is often fragile. It also typically means you can only reach a single instance of each type of service. For example, if you want remote screen access to two or more computers on your LAN, you have to do extra work to make sure each connection has a distinct port on the public address, requiring more configuration and reducing resiliency.

Opening up access from the router also lets every device on the Internet attempt to connect to, probe, or attack your device, unless you know precisely which remote networks you will connect from and restrict connections to those. (That’s seldom the case.) For many years, it has been simple for attackers to scan every public IP address for commonly exposed services. Even if the service itself has no exploitable flaw, you might accidentally leave a file server without a password, share files that require only guest access, or use a password weak enough to fall to automated login attempts. It’s unwise to let everyone know which of your network doors have handles they can rattle.
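To make the mapping table, port forwarding, and exposure described above concrete, here is a toy NAPT gateway in Python. It is an added example written for this article, not Tailscale’s code, and every address and port in it is constructed: 203.0.113.7 stands in for the public address, 192.168.1.20 and 192.168.1.21 for two Macs with Screen Sharing on port 5900, 198.51.100.0/24 for an office network, and 192.0.2.99 for an Internet scanner. The reply-filtering rule (a reply must come from the remote the device talked to) is one NAT behavior among several that real gateways implement; it is an assumption here.

```python
# Added example for this article (not Tailscale's code): a toy network address and port
# translation (NAPT) gateway showing the dynamic mapping table, static port forwards and
# why an unrestricted forward is reachable by anyone on the Internet. Every address and
# port below is constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000  # ephemeral public ports handed out to outbound flows
    # dynamic table: public port -> (LAN address, remote address), one row per flow
    table: Dict[int, Tuple[Addr, Addr]] = field(default_factory=dict)
    # static forwards: public port -> (LAN address, source networks allowed in)
    forwards: Dict[int, Tuple[Addr, List[object]]] = field(default_factory=dict)

    def add_forward(self, public_port: int, lan_addr: Addr,
                    allowed: Tuple[str, ...] = ("0.0.0.0/0",)) -> None:
        """Port forwarding. The default admits every source address on the Internet."""
        self.forwards[public_port] = (lan_addr, [ip_network(n) for n in allowed])

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public address, remember the flow."""
        for pub_port, (lan, remote) in self.table.items():
            if lan == pkt.src and remote == pkt.dst:  # existing flow keeps its mapping
                return Packet((self.public_ip, pub_port), pkt.dst)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, pub_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: the translated packet, or None when the gateway drops it."""
        if pkt.dst[0] != self.public_ip:
            return None
        port = pkt.dst[1]
        # 1. Reply to a flow a LAN device opened. This toy NAT also insists the reply come
        #    from the remote that device talked to (assumption: address-and-port-restricted
        #    filtering; real gateways vary).
        if port in self.table:
            lan, remote = self.table[port]
            return Packet(pkt.src, lan) if pkt.src == remote else None
        # 2. Static forward: the only way unsolicited traffic gets in, and only from the
        #    allowed source networks.
        if port in self.forwards:
            lan, allowed = self.forwards[port]
            if any(ip_address(pkt.src[0]) in net for net in allowed):
                return Packet(pkt.src, lan)
        # 3. No table entry means no LAN destination: dropped.
        return None


def demo() -> Dict[str, object]:
    gw = NatGateway(public_ip="203.0.113.7")
    mac_a, mac_b = ("192.168.1.20", 5900), ("192.168.1.21", 5900)  # two Screen Sharing hosts
    gw.add_forward(5900, mac_a)                                   # reachable from anywhere
    gw.add_forward(5901, mac_b, allowed=("198.51.100.0/24",))     # only from the office
    out = gw.outbound(Packet(("192.168.1.20", 51000), ("93.184.216.34", 443)))
    scanner, office = ("192.0.2.99", 44444), ("198.51.100.9", 44444)
    return {
        "outbound_src": out.src,
        "reply": gw.inbound(Packet(("93.184.216.34", 443), out.src)),
        "spoofed_reply": gw.inbound(Packet(("192.0.2.99", 443), out.src)),
        "scan_5900": gw.inbound(Packet(scanner, ("203.0.113.7", 5900))),
        "scan_5901": gw.inbound(Packet(scanner, ("203.0.113.7", 5901))),
        "office_5901": gw.inbound(Packet(office, ("203.0.113.7", 5901))),
        "scan_5902": gw.inbound(Packet(scanner, ("203.0.113.7", 5902))),
    }
```

Running `demo()` shows the three points of the text: the outbound flow gets its own public port and only the real remote can answer on it; the two Macs need two different public ports (5900 and 5901) because both listen on 5900 internally; and the unrestricted forward on 5900 accepts the scanner while the forward restricted to the office network drops it.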
Opening access through the router also doesn’t account for the dreaded “double NAT.” I have this particular problem with my network. It occurs when your ISP gives you a broadband modem that doesn’t meet your needs or lacks configuration options you require. So, you install your own gateway that connects to the ISP’s device. The ISP’s device uses DHCP and NAT to assign your gateway device a private address, which your gateway then uses DHCP and NAT to assign different private addresses within its double-nested network.

What if you could bypass all that by ensuring your devices can be reached as desired across the public Internet without reconfiguring your gateway or making them available to anyone?
Back to My Mac offered that feature, though it was stymied by double NATs and supported only a limited subset of Apple-provided services. Tailscale provides a more robust and generalized solution that addresses many use cases.
How Tailscale Works
Tailscale works by creating a VLAN using VPN connections. A VPN typically involves client software on your device connecting to a VPN server elsewhere on the Internet. After performing a series of handshakes to prove you have the right secrets, an encrypted session opens over which, at a low level, all the Internet traffic from and to your computer passes. For commercially available subscription-based VPNs, it’s good enough that the traffic exits from a data center somewhere that’s not local to you; for corporate VPNs, the VPN server sits inside the corporate intranet, making your device an extension of that protected network.
Tailscale works more like the latter but doesn’t require a corporate intranet. The company’s servers coordinate the connections but cannot read the data passing over your virtual network, hold minimal information about you, and never receive the private encryption keys, which stay on your devices. Tailscale explains that instead of creating a hub-and-spoke system, where there’s a centralized hub through which all data passes, it makes a mesh in which each device opens its own encrypted WireGuard connection directly with every other device it talks to.
To keep that mesh manageable, Tailscale has one centralized component: a coordination server that your devices contact to publish their public keys and to learn the public keys and current network addresses of their peers. Each device generates its own key pair and keeps the private half locally, so Tailscale holds only public keys and cannot derive the session keys that two devices agree on. Your data doesn’t pass through this control channel at all. One caveat: when two devices can’t reach each other directly (for example, behind particularly restrictive NATs), their traffic is relayed through Tailscale’s DERP servers, but it stays encrypted end to end, so the relay can’t read it either.
What that amounts to is that, after installing Tailscale apps on your devices and connecting them to your account, each device is visible to all the others and no one else.
I tried Tailscale on a recent trip and enjoyed excellent performance with screen sharing (via the macOS Screen Sharing app) and Finder-based SMB file sharing. Across many sessions, it was just as easy as being on the same network and only slightly slower—I was on a roughly 300 Mbps symmetrical Internet connection, and my home network has gigabit Internet.
Tailscale doesn’t support Apple’s Bonjour network discovery protocol, which relies on multicast DNS (mDNS) messages sent to every device on the local network segment. Multicast and broadcast traffic isn’t forwarded across a point-to-point tunnel like WireGuard’s, so those discovery messages never reach your remote devices. That means you can’t browse for your LAN-based resources the way you can at home.
However, Tailscale provides an alternative. First, every device on your Tailscale network has an IP address that is set and fixed for the duration of its registration in your account. These addresses come from 100.64.0.0/10, a range reserved by RFC 6598 for carrier-grade NAT, so they never collide with public Internet addresses or with the 192.168.x.x and 10.x.x.x addresses on your home LAN. They aren’t reachable from the public Internet; only you and other users in your account can connect to them, but they remain static and unique over time. Second, Tailscale also assigns each device a hostname, which you can customize and combine with a subdomain on Tailscale’s ts.net domain (a feature it calls MagicDNS). You can connect from any of your devices using the static IP address or the fully qualified hostname; I’ll explain how to find that information below.
Tailscale also supports another kind of device setup. Third-party software can embed Tailscale as a component to share just a single service. I use the Channels DVR Server to record over-the-air TV programming from an Ethernet-connected TV tuner. Within the DVR Server’s advanced settings is an option to enable Tailscale, which creates a DVR Server-specific “device” on your Tailscale network. I was able to use Channels client software while away to connect to my home network’s server and grant access to my older kid in college so he could watch programs we record at home. (Notably, Jeopardy!; we have a family interest in the show.)
How to Set Up Tailscale
To get into the nitty-gritty, here’s how you set up Tailscale for yourself:
- Register an account. Tailscale doesn’t maintain its own login accounts, so you sign in with SSO (single sign-on) through a third-party identity provider, including “Sign up with Apple.” That identity is what admits devices to your network, so protect it with two-factor authentication and treat it as you would any administrative login.
- Install apps. Tailscale has apps for every major mobile and desktop platform, plus some streaming operating systems, including tvOS!

- Configure host names. Tailscale uses the Bonjour/sharing name on your Apple devices and similar network names from other hardware to uniquely name equipment on what it calls your “Tailnet.” You can change a name on the Machines tab on your Web dashboard. I recommend making them descriptive but short to help with recognition.
- Change the subdomain. Tailscale automatically creates a random name for your Tailnet ending in .ts.net. You can go to the DNS tab in your account, click Rename Tailnet, and have it generate hilarious combinations of words that are more memorable and easier to type.

- Find your device names for use for remote connections or to share. You can find the fully qualified hostnames and IP addresses for all devices in your Tailnet in several places: the Machines tab in your Web dashboard, the Tailscale menu in macOS, and the Tailscale app in iOS/iPadOS. In all of these locations, you can tap, choose, or hover to get a menu that shows you all the various forms of a device’s names, then tap or click to copy one.

- Invite others. If you’re creating shared resources, you can have three people, including yourself, in the free Personal plan or six in the $5-per-month Personal Plus plan.
Tailscale has a clear explanation of what it considers personal use by citing examples: “These use cases include playing games with friends, or securely connecting to anything from a DigitalOcean droplet to a Raspberry Pi, home security camera, or even a Steam Deck.” Business plans start at $6 per user per month, billed for “monthly active users”: you’re charged only if a given account interacts on the Tailnet during that month.
There’s beauty in simplicity that hides complexity—the opposite of the ugly interfaces and complex configurations we often find for tools we need for ourselves or our work. Tailscale has a remarkable knack for making the difficult proposition it’s attempting seem straightforward across its websites, products, and writing. For us, as users, it is.
Glenn Fleishman is the author of the upcoming Take Control of Apple Screen and File Sharing, a guide to help Apple users share and mirror screens for their own and other people’s devices and share and access files from file servers and cloud-based storage. The book is due out in late February from Take Control Books.

Excellent post.
One suggestion: if you have installed Tailscale on a computer that is remote to you, and that you do not often go to, open the admin console, which will open a browser window showing you all of the machines in your tailnet. Click/tap the three-dot menu to the right of that machine and then click/tap “disable key expiry” so you won’t be surprised one day with a remote machine that’s gone off-line because the default five-month expiration date has passed. (As I learned from experience.)
This sounds an awful lot like LogMeIn Hamachi. Is it?
It’s sort-of the same, but quite different.
Tailscale has a very good post explaining some of the differences: Tailscale vs. Hamachi: A Modern VPN Replacement for Gaming and Collaboration
Anything that is free has me asking “What is their business model?”. Is it the business accounts and the free personal accounts are teasers? Or do they have some other long term plan?
They’re mostly a business service. They went from 5,000 paying business customers in March 2024 to 10,000 in January of this year. They’re a rare Canadian tech startup!
Because the company doesn’t transit data, only run a control plane, it’s a pretty thin layer of resources required for these free, personal accounts. They’re using open-source software, which also reduces some aspects of development costs.
Is this cross-platform? Is it better than Splashtop (which is a bit cheaper but I know it works well)
I’ve been using Tailscale for several months and find it very useful. I previously used my Ubiquiti Alien’s Teleport software that worked similarly to Tailscale, but the former is more cumbersome to set up. Tailscale works on my iMac, iPhone and iPad and allows me to watch shows only available in the U.S. on DirecTV while I’m in Australia. Like Teleport, it’s free for personal use.
Many platforms and architectures. You can even run it on a robot vacuum.
Indeed! Every platform! From the article:
It’s not a screen-sharing system like Splashtop. It’s a VLAN so you can use something like Screen Sharing via the VLAN. Imagine that all your devices are connected to each other no matter where they are, so anything you can do on your local network, you can do wherever you are.
I know the MacOS/iOS app called Screens that referenced Tailscale. It is a screen sharing app that can work in concert with Tailscale I would assume.
Thank you! I started to read the webpage and got pulled away. I think I’ll check it out, remote access can sure come in handy some days. No robot vacs for me though ;)
Yes, using it with Screens is how I use Tailscale for almost everything. I also use it to monitor uptime of remote devices, and to back up and sync files between locations.
@glennf
What an excellent writeup! I’ve been using Tailscale for several months, but your article taught me a couple of things I didn’t know. Thanks!!
I’ve found that one of the best ‘features’ is the tvOS application. The Tailscale client can be downloaded from the App Store and installed on an Apple TV, where it just sits in the background happily running 7x24. Even when the ATV is ‘sleeping’, it will still respond to incoming connections from one’s Tailnet, and provide access to the local LAN environment. The tvOS client really reduces the barrier to deployment.
Thank you!
I honestly am not sure how the Apple TV fits into the picture! I just installed the client—you can’t access your Apple TV remotely, can you? But the Apple TV can access remote stuff? How are you using it?
Does Screens rely on Tailscale behind the scenes?
Screens has a special way to aggregate all of your local/remote devices in the tailnet with support for Tailscale built in. Edovia has a good write-up:
This is relatively recent - before this I had to manually add my hosts by their tailnet IP address to the Screens client. Now as long as your device is connected to Tailscale, Screens finds all of the configured hosts, plus it also shows an icon showing whether you can connect or not.
Glenn - no you can’t access the Apple TV remotely. But you can access anything that’s on the LAN the ATV is connected to. One of my use cases is to access my security cameras when I’m out and about. The cams all live on an isolated IoT subnet, separate from my main LAN. Further, the cams are blocked (using a firewall rule) from connecting to the internet. I don’t want them ‘phoning home’ and potentially sharing personal private information (or videos) with nosy developers in far-away places… If/when I want to check in on things at home, I activate the TS client on my iPhone, and then view the cameras through my Tailnet.
Second use case: accessing my home automation server when I’m away. I use Indigodomo, a very nice HA application running on an old Mac mini in my basement.
Third use case: accessing my Synology NAS (and its video surveillance app) remotely.
Prior to Tailscale, I used to use OpenVPN, terminating on a vpn server running in an ASUS router. But I found OpenVPN to be pretty brittle, with ongoing challenges configuring the two ends of the VPN (iPhone, iPad, and macOS clients in combination with the Asus server), keeping them up to date, etc. I often found the vpn tunnel wouldn’t come up, for reasons I could never figure out. I spent a fair bit of time with one such issue a year or so ago, and finally diagnosed the reason for the vpn blockage was a misconfiguration of an interworking server deep in the bowels of Rogers data network.
A final use case, which is why I find the ATV TS client is so appealing, is deployment of an ATV at a family member’s home for remote support. Family member is not terribly technical, and would have a tough time configuring the VPN server in their router. The tvOS Tailscale app is quite easy to configure and make part of my Tailnet. I can then remotely connect to his LAN from wherever I may be, log in to his router for troubleshooting network issues, do screen sharing, etc. The TS client on the distant ATV can also be used as an exit node - handy for when one might want to appear to be located in another country.
Doug,
Thank you so much for posting this. I’m also a Screens user, but I’m still on V4. Although a bit old, it’s been working OK for me, and I’ve not been motivated to upgrade to V5 (which now requires a pricey subscription, or a steep $150 one-time purchase). I didn’t know they had rolled Tailscale support into V5. I’ll now go check it out, and perhaps revisit my decision to stick with V4.
Holy cow, I didn’t understand that at all! I thought it was all device specific. You need to have the IP addresses of each of your resources?
Glenn,
It helps to know the local IPs of all the devices on the LAN, but I’ve found that’s really not an issue.
I have a security cam app on my iPhone which is configured with the name and LAN IP of all my cameras (192.168.20.x). They appear in a list on the app. So after using the TS client on my iPhone to connect to my tailnet (the TS client is a widget right on the lock screen), I just launch the cam app and tap the camera(s) I want to look at. There’s no need for me to remember any of the camera IP addresses.
Ditto for the Synology surveillance app on my phone. It’s already configured with the LAN IP, port number, and login credentials for the Synology. A single tap connects to the NAS, logs in, and lets me browse any security footage the cams have captured. Similarly, I can connect to Synology as a file server and access any/all of the files on it.
Ditto for my Indigo home automation server. When I’m away from home, a single tap on the Indigo app on iPhone (or on iPad) connects through the ATV and lets me do home automation things. No need for me to remember the IP of the Mac mini that is running the Indigo server.
This is all possible due to Tailscale’s nifty subnet routing feature. The Tailscale client in my ATV is configured to know about all my subnets (192.168.1.0, 192.168.2.0, 192.168.20.0). Thus any of my devices with the TS client (iPhone, iPad, MacBook) can access any of the many devices on my various subnets.
Just to be clear - this isn’t limited to the tvOS client on the Apple TV. Any TS client running on any device can be configured as a subnet router. I’ve also deployed the Linux variant of TS on a Raspberry Pi and it can provide the same access to any device on the LAN to which it’s connected.
David
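The subnet-router behaviour David describes, and the exit-node use that comes up elsewhere in this thread, boil down to a routing decision on each client. The following is an added example written for this page, a simplified model rather than Tailscale’s code: peer names and tailnet addresses are constructed, the /24 masks are assumed (the post gives the subnets without a mask), and the rule that an advertised route is not used until an admin approves it reflects how Tailscale actually behaves and is a frequent stumbling block.

```python
# Added example modelled on the subnet-router and exit-node behaviour described in this
# thread; a simplified model, not Tailscale's code. Peer names, tailnet addresses and the
# /24 prefixes are constructed (the thread gives the subnets without a mask).
from __future__ import annotations
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class TailnetRouteTable:
    """Where a client sends a packet: straight to a peer, via a subnet router, or out."""

    def __init__(self) -> None:
        self._routes: List[Tuple[object, str]] = []   # (network, peer that handles it)
        self.exit_node: Optional[str] = None

    def add_peer(self, name: str, tailnet_ip: str,
                 advertised: Tuple[str, ...] = (), approved: Tuple[str, ...] = ()) -> None:
        """A peer's own tailnet address is always reachable directly. A subnet route it
        advertises is only installed once an admin has approved it in the admin console
        (a common gotcha: --advertise-routes on the router alone is not enough)."""
        self._routes.append((ip_network(tailnet_ip + "/32"), name))
        for prefix in advertised:
            if prefix in approved:
                self._routes.append((ip_network(prefix), name))

    def next_hop(self, dst: str) -> str:
        """Longest-prefix match over installed routes; otherwise the exit node if one is
        selected, else the device's ordinary local Internet connection."""
        addr = ip_address(dst)
        best: Optional[Tuple[object, str]] = None
        for net, peer in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        if best is not None:
            return best[1]
        return self.exit_node or "local-internet"


def demo_table(exit_node: Optional[str] = None) -> TailnetRouteTable:
    """Constructed tailnet: an Apple TV routing three LAN subnets, a Pi whose advertised
    route nobody approved, and a Mac mini reachable both by tailnet IP and by its LAN IP."""
    t = TailnetRouteTable()
    lan = ("192.168.1.0/24", "192.168.2.0/24", "192.168.20.0/24")
    t.add_peer("atv-home", "100.101.102.103", advertised=lan, approved=lan)
    t.add_peer("pi-office", "100.64.0.7", advertised=("10.0.5.0/24",))   # never approved
    t.add_peer("indigo-mini", "100.64.0.9")          # its LAN address is 192.168.1.50
    t.exit_node = exit_node
    return t
```

With this table, a camera at 192.168.20.15 and the Mac mini’s LAN address 192.168.1.50 both go through the Apple TV, the Mac mini’s own tailnet address goes to it directly, the Pi’s unapproved 10.0.5.0/24 is simply not routed over the tailnet, and 8.8.8.8 leaves via the local connection unless an exit node is selected.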
Could Tailnet enable me to view videos stored by my eufy video doorbell’s base station when my iPhone isn’t at home? The eufy doesn’t use cloud storage.
I think the challenge would be getting the “Homebase” base station on the Tailnet network. One way, maybe, would be to share a local WiFi network from my iMac and connect the eufy to it. But then the iPhone would only be able to access the eufy if the Tailnet VPN was on.
Michael,
That’s exactly how I use Tailscale. I have a half-dozen security cams, and I don’t let them record to the cloud. They have internal SDcards to capture video. When I’m out and about, I activate the TS client on my iPhone, and then launch the camera viewing apps to access the cams, just as I would if I were at home.
I’m not familiar with Eufy, but I presume that their HomeBase hub is connected to your LAN with wired ethernet. If so, it’s pretty easy to arrange to get access to the hub over Tailscale. What you need is a Tailscale client on your LAN to be part of your Tailnet. I use an AppleTV, with the TS app installed. The ATV just sits on my LAN, happily running the TS app 7x24. Even when it’s sleeping, it will respond to remote requests from your iPhone when you’re away from home, activate the VPN, and let you connect through the VPN to any device on your LAN (such as the HomeBase). In order to let the ATV serve as a TS ‘gateway’, you enable the Subnet Router feature so that TS clients (such as your iPhone) can access any LAN devices.
I’ve also had success configuring a Raspberry Pi as a Tailscale endpoint. Ditto with an old Mac mini that’s running High Sierra. So if you have an old Mac sitting around gathering dust, you could deploy it as part of your tailnet. Stick it in a corner somewhere, connect it to your LAN, and it can be the TS gateway to your Eufy HomeBase.
WAG, does this enable syncing all my devices without needing iCloud?
My new book, mentioned in the article, is now out from Take Control! You can get Take Control of Apple Screen and File Sharing from your friendly epublisher.
Hi Glenn.
Great article as always. There is at least one more use case for the AppleTV app. If you set it up as an Exit node and use another device outside the AppleTV network to access the AppleTV as an exit node, you then have essentially made the AppleTV’s network a VPN endpoint to access the internet.
As you probably know, this has some great benefits. Here’s one. I was out of my local area on vacation recently and wanted to watch a basketball game on Xfinity’s streaming app. The place we were staying had an internet plan not tied to a cable provider. Their TV access was internet based and was pretty limited. The game was not available through their Internet TV access. We could not use our Xfinity streaming app to watch the game since we weren’t on an Xfinity network due to some licensing restrictions for the broadcast. If I had had Tailscale hooked up through my AppleTV as an exit node, I could have streamed the game without any trouble. I tried streaming today using the Xfinity Stream app from my phone over cellular internet (5G) connected to my exit-node at home and it streamed well without any stuttering. I have been blown away with how performant the exit-node connection is - as good or better than my current VPN provider, probably due to my fast connection at home and the peer to peer nature of the connection.
Tailscale is pretty darn amazing. Thanks for the article.
Norm
I use ZeroTier. I forget why, several years ago, I chose ZT over Tailscale?
Many thanks for this interesting article. I started to explore and downloaded Tailscale from the App Store to my Mac. I was put off, however, when starting it, that it requested my setting up an account. After entering my email address, a window opens asking me to select my Microsoft account:
How come Microsoft is in the picture? I certainly don’t want this company to be sniffing my VLAN - what am I doing wrong?
MS is not able to sniff your VLAN.
Tailscale doesn’t require that you set up an account, at least not in the normal sense. They use well-known SSO providers to provide authentication (Google, Apple, GitHub, and even Microsoft). So there’s no need to create yet another userid and password for Tailscale; you just use an existing userid. If you already have an Apple Account (formerly known as an Apple ID), just click the Sign up with Apple button on their set-up page. TS will then use Apple’s auth server to verify you’re you, and then sign you in. Or if you have a Gmail account, hit the Sign up with Google button. If you have a Microsoft account, you could use that. Whichever you choose, whenever you log in to TS, you’ll then be prompted to enter those credentials. I use my Apple account for Tailscale. When I log in, my Mac asks me to use the Touch ID feature to confirm I’m me. That makes access to my Tailscale account quite easy (and secure).
Thanks @david0! I was confused by the sign-in window, which seems to indicate login either with an individual account or with an existing account, e.g. Apple:
After entering my email, the Microsoft window appeared (why?)
Following your recommendation, I have now signed up with my Apple account, and that worked smoothly. I am now looking forward to exploring its usage.
Cheers and thanks again
Thanks so much for posting this. I did not know about the tvOS client, but, as you describe, it adds a lot of great features and possibilities. As I have an Apple TV 4K in my two distinct networks, and setting up subnet routing is easy, I’m looking forward to what I can do with this.
Doug,
Since you have ATVs at two locations, here’s a tip on what you can do with them. Let’s say you’re at location 1, using ATV-Home to watch streaming content. But you’d like to appear to be at location 2 where the other ATV is located. You first configure ATV-Remote to act as a possible exit node for your tailnet. Then when desired, you choose ATV-Remote to be the exit node for ATV-Home (you do that with the TS app on ATV-Home). ATV-Home will then use the distant ATV as the gateway out to the internet. Presto, ATV-Home thinks it’s in the other location.
Once you’re finished doing whatever you were doing, you change the exit node setting on ATV-Home back to ‘none’. It will then revert to using your home internet connection. This sleight of hand can be useful, especially if the two ATVs are located in different geographies.
Markus,
I can’t explain the presence of the Microsoft Window that you encountered. When I signed up for TS several months ago, I registered with the Sign up with Apple button. Since then, I’ve only ever logged in using Sign in with Apple button. I’ve noticed the Enter your email field, but have ignored it. I find the Sign in with Apple option is simple and elegant - it works with all my Apple devices (Mac, iPad, iPhone) and only requires a single operation to authenticate with either TouchID or FaceID. Out of curiosity today, I entered my email address into the Enter email field to see what would happen. Like magic, the Apple authentication screen appeared, and I then used TouchID on my MacBook to log in. It’s all very slick, with no need to create and maintain yet another userid and password combo to use with Tailscale.
If you have a Mac that is always on, you can use the Tailscale Open Source Variant which will run at boot without requiring a user login. Note there’s no GUI for this, but the CLI is very easy to use and as well designed as the rest of Tailscale. For me, the easiest way to install and keep it updated is to use Homebrew. I guess this provides a similar experience to how @david0 uses the Tailscale tvOS app but can be used if you don’t have an Apple TV. (I’ve used it with a small organisation with a Mac mini running in a server room.)
I do this on my two Mac minis after realizing that changing user accounts while screen sharing meant losing the Tailscale connection.
Oh, I didn’t even think of using Homebrew. I just followed the directions Tailscale provide. Homebrew will be a better way, though. So I’m going to look into that now.
Thanks for this post. Like the recent post about Cyberduck, this is the post that got me to try something I’d heard about for a while.
I had been using Wireguard directly, but its configuration is a little daunting.
Tailscale is a lot more impressive than I initially thought.
Bought. ;-)
Thank you for this article.
On setting up AppleTV I’m wondering if I set it up in my name does the AppleTV have to stay signed into my account to keep working? The AppleTV is usually set to our joint account (see below), but sometimes it gets changed to another account.
This comes up because between my wife and I we have three accounts, mine, hers and a joint account. I set up the joint account at least a decade ago to share music and some apps. The joint account is probably not needed now, but I’m reluctant to change it for fear of losing music or who knows what issue will pop up.
PS. Amazing discussion software. Can see finished post and search puts in markers in the scroll bar which show up even while writing this.
Greg,
That is a really good question. I don’t know the answer, but it got me curious. My wife and I both have AppleIDs - I’ll do a little experiment with my ATV to see what happens if I switch the AppleID used by tvOS.
You may have already found the answer on your own. If TS is sensitive to which AppleID is used for the ATV to sign in with, one workaround might be to create another account specifically to use with Tailscale. Perhaps a Google account — TS can use Google for authentication. If you happen to have a Gmail account (or a MS/Outlook/Live account), you could use one of them for TS.
Wow. Mind blown. I didn’t even know such products existed. To be fair, I’m not exactly a networking savant.
I have installed Tailscale on my MBP and my ATV, and set up the ATV as an exit node and a subnet router. I have proved everything working by connecting my MBP to my iPhone hotspot; web browsing and even screen sharing to another Mac on my LAN (once I got its IP address) worked flawlessly.
So my remaining question is: Do I still need my third-party VPN subscription (I use NordVPN)? I’ve only ever used it to secure a WiFi connection outside my local network. I never found the “pretend you’re in country x” feature to do anything worthwhile. The resource I was attempting to access seemed to always say “It appears you’re using a VPN…”. If I can use Tailscale to join my LAN from anywhere, and effectively do my browsing from there, it doesn’t seem subscribing to a third-party VPN service does anything for me.
Thanks for looking. I haven’t found an answer, but I’m mainly thinking about a VPN and know next to nothing about networking and VPNs.
So before breaking things, I’m waiting for an answer and watching discussion here before proceeding with ATV. I do have Tailscale installed on my Mini and MBA.
That may depend on the upload speed of your home network. For example, at home I have 700 Mbps download but I used to have only 20 Mbps upload (I’m up to 30 now, and I was just told that the cable company is about to offer equal upload and download speeds, as they’ve been improving the local network.)
So with a VPN all traffic coming to my remote device would be no faster than that.
For remote access while you are traveling with a phone - that may be good enough.
@david0 Thank you for the wealth of information and advice you’ve offered! The company should hire you for outreach!
@tidbits22
Greg, I did a little experiment. On my ATV, the Tailscale client is normally active (connected to my tailnet), serving as an exit node and subnet router on my tailnet. There’s a single AppleID account (mine) registered and in use on the ATV. So I added my wife’s AppleID, under Settings/Users and Accounts, then switched to it. The Tailscale connection was unaffected - it remained connected, still available as an exit node on my tailnet.
A second experiment: with the ATV still set to use my wife’s AppleID, I opened the Tailscale app on the ATV, disconnected it, then reconnected it. No problem. Even though the ATV was set to her AppleID, the TS client logged into my tailnet using my AppleID for authentication.
It appears that the tvOS Tailscale client retains its own authentication settings and uses them to connect regardless of which Apple account is being used by the ATV.
Thank you for doing that. That will make it much more usable. I’ll pursue that.
@fischej
Jeff, if that’s all you use NordVPN for, there’s probably no need for it. As long as your home internet service is reliable (and fast enough for browsing/banking/emailing when you’re on the road), the ATV-as-exit-node should suffice to maintain your privacy when using hotspots and Internet cafes. That’s been my experience with my tailnet. However, my home internet service is a speedy 500/500 Mbps over fibre. YMMV.
I’ve also encountered the “it appears you’re using a VPN….” error when attempting to use commercial VPNs to transport myself into another country. Some people have success with that use case; others not so much. I’ve never really pursued it.
Thanks, David. I have the same Internet connection as you, so that shouldn’t be a problem.
Slightly off topic, but in an earlier post you mentioned using Tailscale to view footage from your security cameras which were not exposed to the public Internet. May I ask what brand and model of camera you use? I’m thinking about switching from Blink for the added security of only local LAN storage.
Jeff,
I have a variety of cameras. Indoors, I have a couple of Amcrest IPM-721s.
Outdoors, I use both Hikvision and Reolink. The Hikvisions are more of a commercial product - I’ve seen them deployed in various business settings. The Reolink (an RLC-810) is a consumer product. All are hard-wired to my network, and are powered over the ethernet cable. In my early dabbling with security cameras, I used WiFi, but found wireless connections somewhat problematic, so I migrated to PoE (power over ethernet). The wired LAN connections are much more reliable, especially since the cams are continuously streaming video to my DVR.
All but one of the cams are equipped with internal microSD cards for storage. But my primary recording setup is a Synology NAS, using its Surveillance Station application as a DVR. As I mentioned above, I’ve firewalled all the cameras so they can’t ‘phone home’ (which they all attempt to do). The only way I can access them remotely to view the live video streams from the cams (or the recordings from the DVR) is through a VPN connection to my LAN. Hence my use of Tailscale.
This is now way off topic (and apologies to @glennf for hijacking his thread): I encountered one unexpected issue with the firewall rule that blocks the cameras from accessing the internet. They all try to keep their internal clocks accurate by contacting an NTP server out on the internet somewhere, generally every few hours. The firewall rule prevents them from connecting, so the cameras’ timestamps would drift and become pretty useless. My ‘fix’ was to enable a local NTP server on the Synology and point the cameras there to get their time.
Note that it’s not essential to block the cameras from accessing the internet, but I prefer not to let them contact their overseas masters and send them who knows what kind of personal/private information.
I have TS installed on my MBP. If that computer is physically on my LAN (i.e., I’m at home), and TS is in the “Connected” state, does TS detect that I’m actually on the LAN that has the exit point, and not route traffic out and back in again (i.e., effectively disable itself)? Or do I need to remember to disconnect at home, and reconnect when traveling?
Based on some simple tests I did with traceroute, it appears if you’re accessing another device on your LAN, the connection is direct, whether it’s through your tailnet or the local IP address. If you’re trying to reach a site on the public internet, however, it will still go through the exit node. But when you’re at home, that’s only one extra hop, so it’s probably a negligible performance hit.
Jeff,
It won’t route traffic ‘out and back in again’. In this use case, there’s actually no ‘out’ for it to send traffic to. The TS architecture is (in general) a point-to-point topology**. When you’re away from home, the TS client in your MBP magically discovers the TS node in your AppleTV and establishes a point-to-point VPN between the two. The ATV then routes any traffic from the MBP destined for the internet out through the exit node, and any LAN traffic (as defined by the subnet router routes you specified) onto your LAN.
When your MBP returns home, its still-active TS client re-discovers the exit node on the ATV (both of which are now on your LAN). It’s my understanding that the TS client in the MBP still sets up a VPN to the TS app in the ATV, but it’s point-to-point across your LAN. It doesn’t ‘go out’ anywhere. Full disclosure: I’m not 100% sure about this. But based on some quick Speedtests using my WiFi-connected iPhone, I think that’s what it’s doing:
Based on this (admittedly limited) test, I don’t think it’s necessary to disconnect TS when you’re at home, but you will incur a performance penalty. I surmise that the reduction in throughput is due to the VPN encrypt/decrypt and other processing being done by the TS clients in my iPhone and ATV.
** This is not completely accurate. There are some scenarios where TS has to use an intermediate relay server to deal with obscure challenges posed by NAT traversal. Tailscale calls these DERP servers.
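A practical way to see whether a given peer is talking point-to-point or through a DERP relay is the `tailscale status` command (and `tailscale ping <peer>`, which reports the path it found). The script below is an added example, not code from this thread or from Tailscale: it parses status-style output and lists which peers are currently relayed. The sample text is constructed to follow the layout of the CLI's peer lines (IP, hostname, owner, OS, connection summary) and is not real output; hostnames and the "sfo" region are placeholders.

```python
"""Classify tailnet peers as direct or DERP-relayed from `tailscale status`-style output."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the peer lines printed by `tailscale status`.
# "-" marks this machine; "direct host:port" is a point-to-point WireGuard path;
# 'relay "region"' means traffic is currently going through a DERP server.
SAMPLE_STATUS = """\
100.101.1.1     my-mbp        me@          macOS   -
100.101.1.2     apple-tv      me@          tvOS    active; exit node; direct 203.0.113.10:41641, tx 48212 rx 901221
100.101.1.3     mac-mini      me@          macOS   active; relay "sfo", tx 1200 rx 3400
100.101.1.4     mba           me@          macOS   idle, tx 0 rx 0
100.101.1.5     dads-imac     dad@         macOS   offline
"""


@dataclass
class Peer:
    ip: str
    host: str
    state: str                 # "self", "direct", "relay", "idle" or "offline"
    via: Optional[str] = None  # endpoint for direct paths, DERP region for relays


def parse_status(text: str) -> List[Peer]:
    """Turn status lines into Peer records; unknown summaries count as idle."""
    peers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 4)           # keep the summary column intact
        ip, host = parts[0], parts[1]
        summary = parts[4] if len(parts) > 4 else ""
        if summary == "-":
            state, via = "self", None
        elif "direct " in summary:
            state = "direct"
            via = summary.split("direct ", 1)[1].split(",")[0]
        elif "relay " in summary:
            state = "relay"
            via = summary.split("relay ", 1)[1].split(",")[0].strip('"')
        elif summary.startswith("offline"):
            state, via = "offline", None
        else:
            state, via = "idle", None
        peers.append(Peer(ip, host, state, via))
    return peers


def relayed_peers(text: str) -> List[str]:
    """Hostnames whose traffic is currently going through a DERP relay."""
    return [p.host for p in parse_status(text) if p.state == "relay"]


if __name__ == "__main__":
    for p in parse_status(SAMPLE_STATUS):
        print(f"{p.host:<12} {p.state:<8} {p.via or ''}")
    print("relayed:", relayed_peers(SAMPLE_STATUS))
```

On a real machine you would feed it `tailscale status` output instead of the sample; a peer that stays in the relay state after a minute or so of traffic is one where NAT traversal did not succeed, which is the DERP fallback the footnote describes.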
Thanks @david0 and @chirano. So I think I’m getting a clearer picture of how this works:
Conrad’s testing seems to indicate there is some question about #3, though. Perhaps the TS client does special-case traffic between it and another device on the same LAN, based on the subnet routing rules?
Either way, it seems that I should keep the TS client turned off on my MBP when I’m home. Keeping it active doesn’t appear to add any value (other than I don’t have to remember to turn it on when I travel), and, however negligible, it does add overhead to all connections.
Thanks again guys!
FWIW there is an option in the Tailscale menu. Click the menubar icon, click Exit Nodes - here you can turn off the advertised exit node, plus there is an option “Allow local network access.”
Jeff,
Should you not remember to turn it on when you travel, you’ll find out pretty quickly, as you won’t be able to access any devices back at home.
Personally, I leave the TS client on my iPhone off except when I consciously want to access something on my home network. However, there are occasions when I’ve forgotten to turn it off, and then continued to use the iPhone in other locations (over cellular data, back at home, etc). I’ve never noticed any negative impact. Then a few days later, I’d notice the little VPN icon up in the iOS menu bar and realize it was still active. I think that’s an indication of how stable/reliable TS is!
Just to clarify, when I wrote “direct,” I meant the two devices on the LAN talk to each other with no intermediary, like David described in more detail. Traffic would only go through the exit node if your computer was trying to access something on the public internet (that’s not part of your tailnet).
So when you did your tests, did both of the nodes on the LAN have TS in the “connected” state? Maybe that’s the difference. In that case, they can both find each other, and therefore have point-to-point VPNs between them. But maybe traffic within the LAN between a TS-active node and a non-TS node is routed via the node set up to be the subnet router (which I’ve been imprecisely referring to as the “exit node,” just because in my case they are the same node). Or to put more simply, traffic destined for a LAN node outside your Tailnet is routed via the designated TS subnet router node.
I don’t think that’s an issue. If the remote computer on your LAN isn’t running Tailscale, you can’t access it using its Tailscale device name (e.g., xxx.tailnetname or just xxx if you’re using Tailscale to resolve names), so you’d have to access it using its name on the LAN (i.e., xxx.local), which would bypass Tailscale completely.
So I tried Tailscale out recently when I was on holiday to connect in to my desktop and read my email that way and it worked really well, let me do everything I normally do.
My Dad is heading off on a holiday and so I set up his own Tailscale for him so he could do the same with his laptop/desktop.
Then I figured it would be handy if I could connect to his Macs then I could screenshare to his desktop to help with any issues he has. My attempt did not go well. I thought that he could invite me to join his network, which he could, but then after doing that I lost all access to my own network! Thankfully, after leaving his network, my network all reappeared. So that was very confusing.
So - if I have a network and he has a network, is there any way I can have one of my Macs join his network? Is that something that can be done, or not?
By default Tailscale only allows connections to one Tailnet at a time. I did some searching; there seem to be ways to do this, though I have not tried myself.
See How to Connect to Two Tailscale Networks (Home and Work) on One Linux Machine | by Peter M | Medium (which discusses Linux, so may not work on macOS) and Multi-Tailnet: Unlocking Access to Multiple Tailscale Networks (which does discuss using Macs.)
Peter,
You might consider combining the two tailnets into one, i.e., add all of your Dad’s devices onto your tailnet, thus creating a single ‘FamilyNet’. Then add him as a User. With this configuration, you’d have access to all of your devices, as well as to all of his devices (whether you’re at home or travelling).
As a User, he’d also have access to everything. But if that’s not desirable, you can use Tailscale’s ACLs (Access Control List) to restrict what he’d be able to access. Defining an ACL rule is a bit arcane, but Tailscale has a bunch of articles on how to do it, and their support team would certainly help if you get stuck.
Tailscale’s free plan supports up to 100 devices (should be more than enough for the two of you), and up to 3 users.
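One way to express the restriction David describes (he can help on Dad's Macs, but Dad cannot reach his), as an added example that is not part of this thread or of Tailscale's own material. The policy keys used here (`acls`, `action`, `src`, `dst`, `autogroup:member`, `autogroup:self`, a login name as a destination) are Tailscale's documented ACL syntax; the `allowed()` function is a simplified model of how such a policy is applied (default deny, any matching accept rule permits the connection) so the rules can be checked offline before pasting the JSON into the tailnet's access-controls editor. The login names are placeholders.

```python
"""Model of a Tailscale ACL policy for a shared 'FamilyNet' tailnet (added example)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    owner: str  # login name of the user who enrolled the device


# The policy as it would be pasted into the tailnet's access-controls editor.
# Placeholder login names; replace with the real accounts on your tailnet.
FAMILY_POLICY = {
    "acls": [
        # Every member may reach any device they enrolled themselves.
        {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
        # Only me@ may reach Dad's devices (screen sharing, SSH, ...).
        # No rule lets dad@ reach me@'s devices, so that is denied by default.
        {"action": "accept", "src": ["me@example.com"], "dst": ["dad@example.com:*"]},
    ],
}


def _port_matches(spec: str, port: int) -> bool:
    """spec is '*' or a comma-separated list of ports and ranges, e.g. '22,5900-5901'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _src_matches(src: str, user: str) -> bool:
    # autogroup:member covers every user on the tailnet; a login name is one user.
    return src in ("*", "autogroup:member") or src == user


def _dst_matches(dst: str, user: str, device: Device, port: int) -> bool:
    host, _, ports = dst.rpartition(":")   # split off the trailing port spec
    if not _port_matches(ports, port):
        return False
    if host == "*":
        return True
    if host == "autogroup:self":           # devices owned by the connecting user
        return device.owner == user
    return host == device.owner            # a login name means that user's devices


def allowed(policy: dict, user: str, device: Device, port: int) -> bool:
    """True if some accept rule lets `user` open `port` on `device`."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if any(_src_matches(s, user) for s in rule["src"]) and \
           any(_dst_matches(d, user, device, port) for d in rule["dst"]):
            return True
    return False  # nothing matched: Tailscale ACLs are default-deny


if __name__ == "__main__":
    print(json.dumps(FAMILY_POLICY, indent=2))
    dads_imac = Device("dads-imac", "dad@example.com")
    my_mbp = Device("my-mbp", "me@example.com")
    print("me  -> dads-imac:5900", allowed(FAMILY_POLICY, "me@example.com", dads_imac, 5900))
    print("dad -> my-mbp:5900   ", allowed(FAMILY_POLICY, "dad@example.com", my_mbp, 5900))
    print("dad -> dads-imac:22  ", allowed(FAMILY_POLICY, "dad@example.com", dads_imac, 22))
```

The first rule is what keeps Dad's own laptop-to-desktop access working after the merge; without it, adding an `acls` section at all would cut him off from his own machines, since the presence of any rule switches the tailnet from allow-all to default-deny.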
It turns out that Tailscale was not necessary at all. The eufy video doorbell doesn’t have cloud storage, but it does have Internet access. In fact, it only has Internet access – what I didn’t realize is that even when I’m at home, using the iPhone app to access the doorbell is actually going iPhone > Internet > back to my network > eufy base station > doorbell.
Which means, there is no difference in accessing the doorbell while at home or away. And it also supports access from an Internet web portal; but you need to generate a temporary PIN and enable the access for a defined time period, such as an hour.
I just moved the eufy base station to a guest Wi-Fi network, that only has Internet access.
Michael,
A wise move to put it on the guest network!
You’re probably aware of the security and privacy issues with an internet-accessible camera. Internet scanners such as Shodan will eventually find your Eufy (perhaps already have…) and register it in their database. Hackers may then stop by your public IP and try to compromise the camera. I’ve recently been looking through the logs on one of my routers and am amazed by the number of port scanners trying to break in - hour after hour, day after day.
The irony is I only put it on the guest network because the eufy app won’t permit me to switch it to a Wi-Fi network that has a space in the password! So I set up the guest network – which wasn’t enabled before – to have a passwordwithnospacesinit.
Isolating the IoT device to the guest network doesn’t prevent it from being hacked. It only prevents a hacked camera from being leveraged to attack the local network, because the guest network does have Internet access, which is required for the eufy device to be accessed and controlled.
We don’t know how the eufy device is doing its security. I don’t think it is actually open to the public Internet unless I turn on the web portal access*. I think it is probably making an outgoing connection to some eufy server, and then using that connection for the control traffic. There’s also some degree of protection by the effect of the NAT in my router – the eufy device doesn’t use IPv6.
* and even then the web portal could still be using an outgoing connection from the eufy base station to the eufy server. My point is, I doubt the eufy is listening on a fixed port.
I don’t know if it is doing any security at all.
Two years ago, Anker/Eufy claimed they fixed their complete lack of security, but after all their lying and then (after having been caught) pretending it’s no big deal, I don’t believe anything they say today.
Anker finally comes clean about its Eufy security cameras
Anker lied, ignored, deflected — but now, we have answers.
I have now-discontinued EufyCam 2 Pro with the Homebase 2, because they supported (and are only configured for) HomeKit Secure Video. At one point they sent me an upgrade offer, and after I bought it I figured out that they’d dropped support for HSV, so I canceled the order. I have a certain level of trust (possibly misplaced) in the Apple ecosystem, and virtually none for the other ecosystems.
I’m using a Firewalla router, and I’ve blocked the Homebase from accessing the internet. I can still watch video via the Home app, and the Eufy app if I’m on my network (and I’ve got the Firewalla configured to offer a wireguard VPN, with “always on” VPN on my devices when I’m not on one of my home SSIDs). Given that these devices are discontinued, they’re not providing firmware updates. And so blocking it from the internet doesn’t seem to be causing any problems. At some point I’ll probably lock it down further so that the Homebase can only talk to the Apple home hubs.
It was one of the earliest in this space. To this day, it’s unique in being a Layer 2 VPN, which matters if you want to use protocols that rely on multicast or broadcast traffic.
I love the fact that these tools are taking up traction. Zerotier, Tailscale, Nebula, even Cloudflare Tunnel all make the case for end-to-end connectivity across the Internet for your devices. But I hate the fact that it is these tools, instead of IPv6, which is providing connectivity to private little islands, instead of the glorious Internet as a whole. Really, in a sense, they make the case for what the Internet should be, but isn’t, because of the short-termism and inertia that kept IPv4 and NAT and the crappy, corporatised, legacy VPN protocols alive for so long. But this isn’t the space for that rant, and anyway I’m tired.
I use Cloudflare, personally. It’s not for love of Cloudflare, really, but Teams is free, and even though it’s not strictly peer-to-peer, it’s very low-latency and works basically anywhere. Also, I can easily host protected web applications that can be accessed with a web browser on any device, and they host my DNS. But Tailscale is absolutely the right choice if you don’t need any of that stuff, and really, it’s a power-play more than anything for Cloudflare to bundle services. Teams is free for up to 50 users, FWIW. If you have a domain, you can then set up Cloudflare Tunnel to route either hostnames or subnets, and run the agent on a single computer inside your network, and the Cloudflare One client on your devices to VPN in. You can do split-tunnel routing, only routing your private network(s), and you can arrange it so that the client can detect when it’s on-net or not, therefore disabling itself to optimise routing. I anticipate that my ISP will soon have cause to push me into a CGN/LSN arrangement, so I’m preparing for the worst.
With my Firewalla router, I have configured the WireGuard VPN, and then added a client VPN connection to each of my mobile devices (iPhone, iPad, MacBook Pro, as well as my family devices). I have each of those set up (using the WireGuard app) to have the VPN set for on-demand for all networks except my SSIDs.
The end result is that any time our devices are not on my home network, the VPN activates and all of the traffic is routed through my home network.
Because of this, I haven’t yet found a compelling use case to look at Tailscale. So far I haven’t really had a need for the mesh (device-to-device communication). If I didn’t have the firewalla, though, Tailscale would be extremely compelling.
I am soon going to need a VPS in the US to route certain traffic, including some georestricted traffic, so I might take the opportunity of setting up Nebula rather than Tailscale. It’s self-hostable and peer-to-peer, so you can use your VPS as a “lighthouse” (rendezvous point). That is another option for the so-inclined, and it means depending on one less centralised service, if that’s important to you.
The part about WireGuard that I find objectionable is getting site-to-site working, without source NAT, and without having to completely map out your topology of IP addresses. I know, first-world problems, but it offends my network-nerd brain. That is, of course, a big part of why Tailscale exists. But I note that even Tailscale uses source NAT for their “subnet routers”, because yes, there’s really no other way to make it work on most consumer networks (my crappy Netgear router, ironically, does let me set up custom routes, but that’s surely exceptional IME).
Connecting to my Mac from my iPhone via Tailscale
I set up Tailscale on my Mac, Apple TV and iPhone with no problem but couldn’t figure out how to connect to my Mac from my iPhone. Reddit and other sources said I needed an SSH app on my iPhone which I installed to no avail. After much wasted time, I checked with Google AI which said to open the Files app on my phone and choose “Connect to Server” which I found is accessed via the small circle with three dots at the top right. Bingo!
Here are Tailscale’s instructions for installation on an Apple TV as well as configuring Tailscale as a VPN for other devices:
Install Tailscale on an Apple TV · Tailscale Docs
Install the Tailscale client on an Apple TV.
Secure your internet traffic on public Wi-Fi using an Apple TV · Tailscale Docs
Route Tailscale traffic through your Apple TV for secure, private browsing and access to region-locked content.