How to Set Up Tailscale on Your Home Network: Zero-Config Remote Access, Exit Nodes, and Subnet Routing Without Port Forwarding

Tailscale turns your home network into a private mesh VPN you can reach from anywhere — without opening a single port on your router. This guide covers installing the free client, configuring a subnet router so remote devices can reach your NAS and printers, and setting up an exit node to tunnel travel traffic back through your home connection.

Tailscale gives you secure remote access to every device on your home network without port forwarding, dynamic DNS, or a traditional VPN server. Built on WireGuard, it creates a peer-to-peer encrypted mesh between all your devices. When NAT traversal succeeds — which it does on most home connections — traffic flows directly device-to-device with no relay in the middle. The free Personal plan covers up to six users with unlimited personal devices after Tailscale’s April 2026 pricing overhaul, making it practical for almost every home setup at zero cost. Once configured, you can reach your NAS, access a local printer, or route your travel laptop’s traffic through your home IP as if you never left. Run a speed test before and after enabling an exit node to see how much throughput your home upload connection actually passes through.

How Tailscale Works

Every device running Tailscale joins your “tailnet” — a private overlay network with its own 100.x.x.x address space. WireGuard handles encryption; Tailscale’s coordination server handles key distribution and device discovery. Devices communicate directly (peer-to-peer) when both have reachable IP addresses, or through Tailscale’s DERP relay servers when both are behind strict NAT. Home broadband connections almost always achieve direct peer paths. The result is that your phone abroad can reach your home server as if it were on the same LAN, with as little as 1–5 ms of added latency on a direct path. Tailscale also sidesteps CGNAT entirely — a major advantage over traditional VPNs that require port forwarding. See our CGNAT explainer for background on why port forwarding fails on shared ISP IPs.

Step 1: Create an Account and Install the Client

Sign up at tailscale.com using a Google, Microsoft, GitHub, or Apple account — Tailscale delegates authentication to your chosen identity provider, so no separate password is required. Then install the client on each device you want in the tailnet:

  • Windows and macOS: Download the installer from tailscale.com/download. The app installs a system tray icon and logs in with one click.
  • Linux: Run the official one-liner curl -fsSL https://tailscale.com/install.sh | sh, which auto-detects your package manager and installs the daemon. Then run sudo tailscale up and follow the authentication URL.
  • iOS and Android: Install the Tailscale app from the App Store or Play Store. Log in and the device joins the tailnet immediately.
  • Raspberry Pi: Use the same Linux one-liner. A Pi running 24/7 costs under $1/month in electricity and makes an ideal always-on subnet router or exit node.

After installing and logging in, each device appears in your Admin Console at login.tailscale.com with its assigned 100.x.x.x address. Devices can ping each other by Tailscale IP immediately, with no firewall rules needed.

Step 2: Enable MagicDNS

MagicDNS lets you reach tailnet devices by hostname (“homeserver” or “raspberrypi”) instead of memorizing 100.x.x.x addresses. Enable it in the Admin Console under DNS › Enable MagicDNS. Once active, every device resolves other tailnet members by their machine name. You can also set a global nameserver — Cloudflare (1.1.1.1) or NextDNS are popular choices for adding DNS-level filtering across all tailnet traffic.

Step 3: Set Up a Subnet Router

A subnet router is a single Tailscale device that advertises your entire home LAN (e.g., 192.168.1.0/24) to the rest of the tailnet. Devices without Tailscale installed — printers, smart TVs, NAS units, IP cameras — become reachable from anywhere once a subnet router is running.

Enable IP Forwarding on Linux

On the Linux device that will serve as subnet router, IP forwarding must be active:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Advertise Your Home Subnet

Tell Tailscale which subnets to expose to remote devices:

sudo tailscale up --advertise-routes=192.168.1.0/24

Replace 192.168.1.0/24 with your actual LAN subnet. To expose multiple subnets — for example, a main network and a separate IoT VLAN — list them comma-separated: 192.168.1.0/24,192.168.10.0/24.
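Whatever you advertise becomes reachable from every tailnet device that accepts the route, so check the list before running the command. The script below is an added example, not part of the original guide or of Tailscale's tooling; its function names are hypothetical. It rejects malformed prefixes, prefixes with host bits set, and anything outside the RFC 1918 private ranges.

```sh
# Added example: pre-flight check for a value given to --advertise-routes.
# Function names are hypothetical; nothing here calls tailscale itself.

# Dotted-quad IPv4 -> 32-bit integer; non-zero exit on malformed input.
ip_to_int() (
  case $1 in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || exit 1
  done
  echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Netmask for a prefix length, as an integer.
mask_of() { echo "$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))"; }

# Prints "ok" or the reason a CIDR should not be advertised as a LAN route.
check_route() (
  case $1 in */*) ;; *) echo no-prefix-length; exit 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case $len in ''|*[!0-9]*|0?*|???*) echo bad-prefix-length; exit 1 ;; esac
  [ "$len" -le 32 ] || { echo bad-prefix-length; exit 1; }
  n=$(ip_to_int "$ip") || { echo bad-address; exit 1; }
  [ "$(( $n & $(mask_of "$len") ))" -eq "$n" ] || { echo host-bits-set; exit 1; }
  # RFC 1918 blocks as integer/prefix: 10/8, 172.16/12, 192.168/16
  for blk in 167772160/8 2886729728/12 3232235520/16; do
    if [ "$len" -ge "${blk#*/}" ] &&
       [ "$(( $n & $(mask_of "${blk#*/}") ))" -eq "${blk%/*}" ]; then
      echo ok; exit 0
    fi
  done
  echo not-rfc1918; exit 1
)

# Validate the whole comma-separated list; status 0 only if every entry is ok.
check_routes() (
  rc=0; IFS=,; set -f
  for r in $1; do
    v=$(check_route "$r") || rc=1
    echo "$r: $v"
  done
  exit "$rc"
)

check_routes "192.168.1.0/24,192.168.10.0/24"   # the guide's two-subnet example
```

A non-zero exit status from check_routes means at least one entry needs a second look before it goes into tailscale up.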

Approve Routes in the Admin Console

Subnet route advertisements require explicit approval. In the Admin Console, go to Machines, click your subnet router device, then Edit route settings. Check each advertised subnet and save. On every remote client that should use the routes, run tailscale up --accept-routes, or toggle Accept routes in the desktop client UI.

Step 4: Set Up an Exit Node

An exit node routes all internet-bound traffic from a remote device through your home connection. This is the Tailscale equivalent of a home-based VPN: your traffic exits from your home IP rather than the local network at a hotel or airport. Exit node throughput is capped by your home upload speed, so check that number first with a speed test.

Advertise as an Exit Node

On the always-on home device, combine the exit node and subnet router flags into one command:

sudo tailscale up --advertise-exit-node --advertise-routes=192.168.1.0/24

In the Admin Console, approve the exit node capability the same way you approved subnet routes. On the remote device, open Tailscale settings, find Use exit node, and select your home machine. All internet traffic from that device now tunnels through your home connection.

Step 5: Install Tailscale Directly on Your Router (Optional)

If your router runs OpenWRT, Tailscale is available as a package: opkg install tailscale installs the daemon on supported hardware. ASUS routers running ASUS-Merlin firmware can use the community Tailscale Merlin add-on script. Installing directly on the router means every device on the LAN gains subnet routing benefits without needing a dedicated Pi. This approach also works through CGNAT without any port forwarding requirements.

Troubleshooting Common Issues

Devices Can’t Reach Each Other

Check that both devices show “Connected” in the Admin Console. Run tailscale ping <device-name> to test connectivity. If it times out, both devices may be behind symmetric NAT — Tailscale will route through a DERP relay automatically, but latency will be higher (typically 20–80 ms depending on relay location). Check tailscale status to see whether a direct or relay path is in use.

Subnet Devices Not Reachable

Confirm IP forwarding is active: cat /proc/sys/net/ipv4/ip_forward should return 1. Verify routes were approved in the Admin Console and that remote clients ran tailscale up --accept-routes. If a subnet device uses a different default gateway than the subnet router, add a static route on that device pointing the 100.x.x.x tailnet range back to the subnet router’s LAN IP.
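The forwarding check above can be extended to cover both keys set in Step 3 and to compare the persisted file against the live kernel value. This is an added example, not from the original guide; the function names are hypothetical, and the optional arguments exist only so the check can be run against fixture files.

```sh
# Added example: compare persisted and live forwarding state on the subnet router.
# Function names are hypothetical. Paths default to the ones used in this guide
# and can be overridden so the check runs against fixture files.

# Last value assigned to a key in a sysctl.d-style file (later lines win).
conf_value() {
  awk -F= -v k="$1" '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { val = $2; gsub(/[ \t]/, "", val); found = val }
    END { print found }' "$2" 2>/dev/null || true
}

# forwarding_state KEY [CONF] [PROC_ROOT]
# Prints: ok | not-applied | not-in-file | disabled
forwarding_state() {
  conf=${2:-/etc/sysctl.d/99-tailscale.conf}
  root=${3:-/proc/sys}
  # A sysctl key maps to a path under /proc/sys with dots turned into slashes.
  live=$(cat "$root/$(echo "$1" | tr . /)" 2>/dev/null) || live=
  want=$(conf_value "$1" "$conf")
  case "$want/$live" in
    1/1) echo ok ;;
    1/*) echo not-applied ;;   # written to the file, but the kernel value differs
    */1) echo not-in-file ;;   # active now, but this file will not restore it
    *)   echo disabled ;;
  esac
}

# Both keys the guide sets in Step 3.
for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
  echo "$key: $(forwarding_state "$key")"
done
```

A result of not-applied usually means the sysctl -p step was skipped; because the guide's tee -a appends, the file may contain repeated lines, and the last one is the value that counts.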

Exit Node Drops Speed

Exit node throughput is bounded by home upload speed — a 50 Mbps upload connection caps remote download at roughly 40–45 Mbps after WireGuard overhead. Run a speed test on your home network to establish the upload baseline, then run the same test on the remote device with the exit node active. If throughput is well below the baseline, a DERP relay may be in use instead of a direct path; tailscale netcheck on the remote device shows relay latencies and direct-path feasibility.
