Things I wish I knew about Tailscale, domains and homelab
2025-05-05
Simple things with rather tremendous quality-of-life impact.
Point domain to local IP
Simple and straightforward: point an FQDN (e.g. *.homelab.example.com) at a local IP (e.g. 192.168.1.123). It simplifies router config. The record is public, but it only reveals a private (RFC 1918) address that is unreachable from outside your network. One caveat: some routers and resolvers enable DNS rebinding protection, which drops public DNS answers that point at private addresses, so that filter may need an exception for your zone.
Get free wildcard https certificate for local use
I have to admit I struggled a lot with certificates. My ISP was very finicky with network setup and I had to constantly change my local config, which was very draining. Luckily, my current solution consists of 4 rather simple steps:
- Owning a domain
- Using Cloudflare as the DNS provider even though I bought the domain elsewhere. The important thing was that the DNS provider offers an API for editing zones
- Using certbot to get a free wildcard certificate via the DNS-01 challenge
- Locally, setting up an NGINX reverse proxy and acme.sh to renew the certificate automatically
The beauty of it is that it does not matter whether the homelab is reachable from the internet. In my opinion it should not be, because it is more secure that way. With the DNS challenge, certbot only needs to prove that you control the domain, which it does by creating a TXT record (_acme-challenge) at your DNS provider through its API.
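As an added example (not the post's own configuration), here is how the certificate and proxy steps above look when acme.sh handles both issuance and renewal through the Cloudflare DNS API and nginx terminates TLS on the LAN. The zone homelab.example.com, the paths under /etc/nginx/certs, the localhost upstream ports and the script name are placeholders; CF_Token is acme.sh's real dns_cf hook variable and should be a token scoped to DNS:Edit on this one zone.

```shell
#!/bin/sh
# Added example, not the post's own setup: wildcard certificate via DNS-01 (acme.sh + Cloudflare
# API) installed into an nginx reverse proxy that is reachable only from the LAN / tailnet.
# Assumptions (placeholders): the zone homelab.example.com, acme.sh at ~/.acme.sh,
# certificate files under /etc/nginx/certs, and services listening on localhost ports.
set -e

ZONE="homelab.example.com"      # placeholder zone
CERT_DIR="/etc/nginx/certs"     # assumed install location; keep the key readable by nginx only

# Issue the wildcard. DNS-01 is the only challenge type that can validate "*.", and it
# touches nothing but the DNS zone, so the homelab never has to be exposed on port 80/443.
issue_wildcard() {
  # CF_Token is acme.sh's dns_cf hook variable; use a token scoped to DNS:Edit on this zone
  # only (a narrowly scoped token may also need CF_Account_ID or CF_Zone_ID, see acme.sh docs).
  : "${CF_Token:?set CF_Token to a Cloudflare API token scoped to this zone}"
  ~/.acme.sh/acme.sh --issue --server letsencrypt --dns dns_cf -d "$ZONE" -d "*.$ZONE"
  # Copy the files where nginx expects them and reload on every renewal (acme.sh's cron job
  # re-runs this reloadcmd after each successful renew).
  ~/.acme.sh/acme.sh --install-cert -d "$ZONE" \
    --key-file "$CERT_DIR/$ZONE.key" \
    --fullchain-file "$CERT_DIR/$ZONE.fullchain.pem" \
    --reloadcmd "systemctl reload nginx"
}

# Print an nginx vhost for one service: $1 = hostname, $2 = upstream host:port.
render_nginx_site() {
  host="$1"; upstream="$2"
  cat <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     $CERT_DIR/$ZONE.fullchain.pem;
    ssl_certificate_key $CERT_DIR/$ZONE.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Catch-all: with a wildcard certificate every name under the zone reaches nginx, so give
# unknown names an explicit default that drops the connection instead of the first vhost.
render_nginx_default() {
  cat <<EOF
server {
    listen 443 ssl default_server;
    ssl_certificate     $CERT_DIR/$ZONE.fullchain.pem;
    ssl_certificate_key $CERT_DIR/$ZONE.key;
    return 444;
}
EOF
}

# Usage: ./homelab-tls.sh issue            -> obtain and install the certificate
#        ./homelab-tls.sh site NAME PORT   -> print vhosts for NAME.$ZONE -> 127.0.0.1:PORT
case "${1:-}" in
  issue) issue_wildcard ;;
  site)  render_nginx_default; render_nginx_site "$2.$ZONE" "127.0.0.1:$3" ;;
esac
```

Run `./homelab-tls.sh site myservice 8080 > /etc/nginx/sites-enabled/myservice.conf` once per service and `nginx -t` before reloading; acme.sh's own cron entry takes care of renewal and triggers the reloadcmd, so nothing else needs internet exposure.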
Utilize Tailscale to bypass CG-NAT and access your devices from anywhere
Tailscale is rather straightforward to set up and works well at bypassing things like NATs, firewalls and other restrictions. But there was one thing I struggled with: domain resolution. Tailscale assigns its own names and IP addresses to each device, which makes it awkward to reach them under your own domain. So I had to set up a DNS server on my homelab that resolves the existing domain names to the IPs assigned by Tailscale.
Create DNS records for local domain to be used inside Tailscale
I use Dnsmasq as the local DNS server (and only when connecting through Tailscale, using its DNS override). Point your domain (e.g. myservice.homelab.example.com) at the Tailscale IP of the machine and voila: you can use the same domain seamlessly whether on or off the Tailscale network.
I keep my services in Docker Compose, and run Tailscale and Dnsmasq directly on the host, so that updating the Docker containers won't affect DNS resolution.
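As an added example (not the post's own configuration), the following script generates the Dnsmasq drop-in for that split-DNS view: one address=/name/ip line per service, answered only on the Tailscale interface, and refusing any record whose address is outside Tailscale's 100.64.0.0/10 range so a LAN address never ends up in the tailnet view. The service names, the 100.x addresses and the script name are constructed placeholders; tailscale0 is the interface name Tailscale uses on Linux.

```shell
#!/bin/sh
# Added example, not the post's own config: build a Dnsmasq drop-in that answers
# <service>.homelab.example.com with the Tailscale IP of the host running it.
# Assumptions (placeholders): zone homelab.example.com, Tailscale interface tailscale0,
# Dnsmasq reading /etc/dnsmasq.d/, and the constructed records/addresses below.
set -e

ZONE="homelab.example.com"

# Constructed sample records: "service tailscale-ip", one per line.
# The last one is deliberately a LAN address and must be rejected.
RECORDS="myservice 100.101.102.103
git 100.101.102.104
nas 192.168.1.123"

# Tailscale assigns addresses from 100.64.0.0/10 (the CGNAT range).
# Returns 0 when $1 is a dotted quad inside that range, 1 otherwise.
is_tailscale_ip() {
  ip="$1"
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
    return 0
  fi
  return 1
}

# Write the drop-in: $1 = records text, $2 = output path.
write_dnsmasq_conf() {
  records="$1"; out="$2"
  {
    echo "# tailnet view of $ZONE (generated, do not edit)"
    echo "interface=tailscale0"   # listen on the Tailscale interface only ...
    echo "bind-interfaces"        # ... and really bind just that one, not 0.0.0.0
    echo "$records" | while read -r name ip; do
      [ -n "$name" ] || continue
      if is_tailscale_ip "$ip"; then
        echo "address=/$name.$ZONE/$ip"
      else
        echo "rejected: $name -> $ip is not a Tailscale (100.64.0.0/10) address" >&2
      fi
    done
  } > "$out"
}

# Usage: ./tailnet-dns.sh apply -> writes /etc/dnsmasq.d/tailnet-homelab.conf and restarts Dnsmasq
if [ "${1:-}" = "apply" ]; then
  write_dnsmasq_conf "$RECORDS" /etc/dnsmasq.d/tailnet-homelab.conf
  systemctl restart dnsmasq
fi
```

In the Tailscale admin console, add the Dnsmasq host's Tailscale IP as a nameserver restricted to homelab.example.com (split DNS), so only that zone is sent to it and everything else keeps using your normal resolver.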
Bonus: Use Tailscale exit nodes and treat your homelab as a personal VPN.