@brennanMKE
Created March 26, 2025 16:51
Getting Started with Tailscale

🛠 Getting Started with Tailscale: A Practical Guide

(via ChatGPT)

✨ Overview

This guide will help you set up Tailscale to:

  • Connect multiple Macs at home
  • Remotely manage Raspberry Pis in other networks
  • Enable SSH access from outside your Tailnet
  • Bridge two separate Tailnets
  • Allow ESP32 devices to talk to remote servers through local Pi proxies

🔐 Step 1: Create Your Tailnets

Tailscale uses Tailnets (private networks bound to a domain or account).

You’ll likely want:

  • Tailnet A: Your primary Tailnet (e.g., home + Pi devices)
  • Tailnet B: A second network, for isolated Macs or collaborators

Create accounts for each Tailnet using different logins (e.g., personal email vs. organization email).


🖥️ Step 2: Add Your Macs to Tailscale

On each Mac:

  1. Install Tailscale:
    https://tailscale.com/download

  2. Sign into your primary Tailnet account.

  3. After sign-in, open Terminal:

    tailscale up --ssh

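This enables Tailscale SSH: connections are authenticated by Tailscale identity and authorized by the tailnet ACL policy, so there is no need to distribute public SSH keys. On macOS, the Tailscale SSH server is available only with the open-source tailscaled build; the App Store and standalone GUI apps can still act as SSH clients.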

Repeat for each Mac you want in the Tailnet.


πŸ“ Step 3: Set Up Raspberry Pis (Remote Networks)

On each Raspberry Pi:

  1. Install Tailscale:

    curl -fsSL https://tailscale.com/install.sh | sh

  2. Start the service:

    sudo tailscale up --ssh --advertise-tags=tag:pi

  3. Approve the Pi via the Admin Console:
    https://login.tailscale.com/admin/machines

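Tagging the device lets you control access with ACLs (e.g., who can SSH). The tag must already be listed under tagOwners in the policy file, with you as one of its owners, or tailscale up rejects the --advertise-tags request.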

  4. Optional: If these Pis are proxies for ESP32s, ensure they:
    • Expose a local HTTP/MQTT server or TCP socket.
    • Are accessible by IP/port via the Tailnet.

🌍 Step 4: Access from Outside the Tailnet (SSH)

To SSH from a Mac not in your Tailnet, you have two options:

✅ Option A: Use Tailscale SSH from another Tailnet

If the Mac is in a different Tailnet (B), create a Tailnet-to-Tailnet connection using Tailscale Tailnet Peering.

  • Set up peering between the two Tailnets via the Admin Console.
  • Use ACLs to allow access from Tailnet B → Tailnet A.
  • Then SSH works like this:

✅ Option B: Use a Bastion (Proxy) Host + Tailscale SSH

  1. Set up one Mac as a public SSH entry point using Tailscale Funnel or exit node techniques.

  2. You can use a personal machine or a VPS with Tailscale as a trusted jump host to route into your private Tailnet.

  3. Or, temporarily install Tailscale on the external Mac and sign in as needed.


🔁 Step 5: Bridge Between Two Macs on Different Tailnets

Let’s say you have:

  • MacA on Tailnet A
  • MacB on Tailnet B

And you want to pass data or proxy commands between them.

Option 1: Tailnet Peering

  • Set up peering between Tailnets A and B.
  • Use ACLs to allow MacA to talk to MacB and vice versa.

Peering is cleaner and more secure than setting up ad hoc relays.

Option 2: Use One Mac as a Proxy

  • Set up MacA with:
    sudo tailscale up --ssh --accept-routes
  • Use MacA as an SSH or TCP forwarder to MacB.

Or set up a small TCP proxy using socat or ngrok-style tools, with Tailscale as the secure channel.


📡 Step 6: Enable Pi Proxies for ESP32 Data Feeds

ESP32s (not running Tailscale) can use their local network to talk to their Raspberry Pi “gateway” (which is in Tailscale).

Your Setup Looks Like:

    ESP32 ---LAN---> RPi ---Tailscale---> Mac or Server

  1. On the Pi:

    • Run a proxy service, e.g., HTTP, MQTT, or TCP passthrough.
    • Configure the ESP32 to send data to the Pi’s LAN IP.
  2. On the Pi, forward or store the data:

    • Forward it to a backend service over the Tailnet
    • Log it locally or serve it via a web dashboard
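
A minimal TCP passthrough for the Pi gateway described in this step, added here as an example (it is not part of the original gist). The subnet, listen address, port and backend tailnet IP are assumptions; the relay binds only to the Pi's LAN address and refuses sources outside the ESP32 subnet, because the ESP32s themselves carry no Tailscale identity.

```python
import asyncio
import ipaddress

# Assumed values for illustration (none come from the page):
ESP32_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN subnet of the ESP32s
LISTEN = ("192.168.1.10", 9000)   # the Pi's LAN address, not 0.0.0.0
BACKEND = ("100.64.0.5", 9000)    # placeholder tailnet IP of the backend

def source_allowed(peer_ip, network=ESP32_NET):
    """Only devices on the ESP32 subnet may use the relay into the tailnet."""
    return ipaddress.ip_address(peer_ip) in network

async def pipe(reader, writer):
    """Copy bytes one way until EOF or error, then close the far side."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, backend, network):
    peer_ip = client_w.get_extra_info("peername")[0]
    if not source_allowed(peer_ip, network):
        client_w.close()          # drop anything that is not an expected ESP32
        return
    try:
        up_r, up_w = await asyncio.wait_for(asyncio.open_connection(*backend), 5)
    except (OSError, asyncio.TimeoutError):
        client_w.close()          # backend unreachable over the tailnet
        return
    await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w),
                         return_exceptions=True)

async def start_relay(listen=LISTEN, backend=BACKEND, network=ESP32_NET):
    """Start listening and return the asyncio server object."""
    async def on_connect(reader, writer):
        await handle(reader, writer, backend, network)
    return await asyncio.start_server(on_connect, *listen)

async def main():
    server = await start_relay()
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

On the tailnet side, the backend port still has to be allowed for the Pi's tag in the ACL policy.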

Bonus: If your ESP32s can run Tailscale (some Linux-based ones can), you can skip the Pi entirely!


🎯 Optional: Funnel for Public Web Access

If you want to expose a web dashboard or API to the public from a Pi or Mac:

  1. Run the web server on a known port (e.g., 3000).
  2. Enable Funnel:
    sudo tailscale funnel 3000
  3. Access it from:
    https://machinename.username.ts.net
    

✅ ACL Example (Allow SSH + ESP32 Routing)

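{
  "groups": {
    // Members are listed by login email; admin@example.com is a placeholder.
    "group:admins": ["admin@example.com"]
  },
  // Network rule: Tailscale SSH also needs port 22 on the Pis to be reachable.
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:pi:22"]
    }
  ],
  // SSH rule: who may log in to tagged Pis, and as which local users.
  "ssh": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:pi"],
      "users": ["pi", "root"]
    }
  ],
  // Only admins may apply tag:pi to a device.
  "tagOwners": {
    "tag:pi": ["group:admins"]
  }
}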
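
An added lint for policies of this shape (example code, not from the original gist or from Tailscale): it flags an `ssh` rule whose destination has no network rule for port 22, a tag without an owner, and root logins accepted without `check`. The sample policy is constructed, selectors are compared literally with no expansion of groups or autogroups, and the finding codes are this example's own.

```python
import json

# Constructed policy: an SSH rule for tag:pi with no "acls" section.
POLICY = json.loads("""{
  "groups": {"group:admins": ["admin@example.com"]},
  "tagOwners": {"tag:pi": ["group:admins"]},
  "ssh": [{"action": "accept", "src": ["group:admins"],
           "dst": ["tag:pi"], "users": ["pi", "root"]}]
}""")

def port_allows(spec, port):
    """True if a port spec such as '*', '22', '22,443' or '20-25' covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if part == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def reachable_on_22(acls, src, dst):
    """True if an accept rule lets src (or '*') reach dst (or '*') on port 22."""
    for rule in acls:
        if rule.get("action") != "accept" or not {src, "*"} & set(rule.get("src", [])):
            continue
        for target in rule.get("dst", []):
            host, _, ports = target.rpartition(":")
            if host in (dst, "*") and port_allows(ports, 22):
                return True
    return False

def lint(policy):
    """Return (code, detail) findings for the policy's "ssh" rules."""
    findings = []
    for rule in policy.get("ssh", []):
        for src in rule.get("src", []):
            for dst in rule.get("dst", []):
                if not reachable_on_22(policy.get("acls", []), src, dst):
                    findings.append(("SSH_NO_PORT22", f"{src} -> {dst}"))
        for dst in rule.get("dst", []):
            if dst.startswith("tag:") and dst not in policy.get("tagOwners", {}):
                findings.append(("TAG_NO_OWNER", dst))
        if rule.get("action") == "accept" and "root" in rule.get("users", []):
            findings.append(("ROOT_WITHOUT_CHECK", ",".join(rule["dst"])))
    return findings

# Corrected variant: add the port-22 rule and switch the SSH rule to "check".
FIXED = {**POLICY, "ssh": [{**POLICY["ssh"][0], "action": "check"}],
         "acls": [{"action": "accept", "src": ["group:admins"], "dst": ["tag:pi:22"]}]}

if __name__ == "__main__":
    print(lint(POLICY), lint(FIXED))
```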

🧩 Summary

| Use Case | Solution |
|---|---|
| Connect Macs at home | Add them to the same Tailnet with Tailscale |
| Remotely manage Raspberry Pis | Install Tailscale with --ssh, connect them |
| SSH from outside Tailnet | Use Tailscale SSH + Funnel or Tailnet peering |
| Bridge separate Tailnets | Enable Tailnet Peering |
| Feed ESP32 data through Pis | Have ESP32s talk to Pis locally, route through Tailnet |