🚀 Ultimate Guide: Secure Remote Access to Your Home Server Using Tailscale

This guide will show you step-by-step how to install and configure Tailscale to securely access your Proxmox, Debian, or OpenMediaVault (OMV) server from anywhere without opening router ports. This method is fast, free for personal use, and extremely secure.


✅ What You’ll Achieve:

  • Remote access to web interfaces (Proxmox, OMV, CasaOS, Docker Apps)

  • Remote SSH access

  • No router port forwarding required

  • Secure connections using WireGuard-based VPN


🔧 Step 1: Create a Free Tailscale Account

  1. Go to https://tailscale.com

  2. Click “Get Started” and log in with your Google, Microsoft, or GitHub account

  3. You will now be able to manage your private Tailnet


🪥 Step 2: Install Tailscale on Your Server

🔐 Best Approaches for Remote Access Without Port Forwarding

  • What it does: Creates a secure mesh VPN over WireGuard.

  • Access: You can SSH into your server or access Proxmox Web UI from anywhere, as if you were on the same LAN.

  • No router config needed.

  • Web UI access: https://<your-server-tailscale-ip>:8006

🛠️ Setup:

  1. Install Tailscale on Proxmox Host:

    bash

    CopyEdit

    curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up

    Sign in with your Gmail or GitHub account and authorize the device.

  2. Install Tailscale in VM (optional):

    • For each Linux VM, install Tailscale to access it directly via Tailscale IP.

    • Alternatively, just SSH or access VMs through the Proxmox shell.

  3. Access Remotely:

    • Use tailscale ip to get your Proxmox IP and access from any other Tailscale-connected device (phone, laptop, etc.).

    • You can even use VS Code Remote SSH or mobile SSH apps.

For Debian, Proxmox, or OMV:

  1. Update packages:
sudo apt update && sudo apt upgrade -y
  1. Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh
  1. Start and enable the service:
sudo systemctl enable tailscaled
sudo systemctl start tailscaled
  1. Authenticate and connect the server to your Tailnet:
sudo tailscale up

Follow the URL provided and log in to approve the server.


🔒 Step 3: Optional Firewall Setup (UFW)

If UFW is enabled, allow traffic on the Tailscale interface:

sudo ufw allow in on tailscale0 to any port 22 proto tcp  # SSH
sudo ufw allow in on tailscale0 to any port 80 proto tcp  # HTTP
sudo ufw allow in on tailscale0 to any port 443 proto tcp # HTTPS
sudo ufw allow in on tailscale0 to any port 3000 proto tcp # CasaOS / Web Apps
sudo ufw reload

To check firewall rules:

sudo ufw status verbose

✅ NEXT STEPS AFTER PROXMOX + TAILSCALE SETUP

1️⃣ Create Storage for VMs and ISOs

Make sure your Proxmox sees your storage drives:

  • Go to Datacenter → Storage

  • Add your storage (e.g., SSD/HDD, ZFS pool, or directory).

  • Use one for VM Disks, and optionally one for ISO Images/Backups.

Want help setting up ZFS or mounting additional drives?


2️⃣ Upload ISO Files

To install VMs (Linux, Windows, etc):

  • Go to: Datacenter → local (your-node) → ISO Images

  • Upload ISO (Ubuntu, Debian, Fedora, etc.) via web UI.

  • Or place them via SSH:

     

    scp ubuntu.iso root@<tailscale-ip>:/var/lib/vz/template/iso/


3️⃣ Create a Virtual Machine

  • Go to Create VM

  • Choose:

    • Name

    • ISO image

    • Storage (for disk)

    • CPU/RAM

    • Network: use virtio for performance


4️⃣ Install Tailscale on the VM (Optional)

If you want direct access to VMs from any device via Tailscale:

curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up

  • This gives the VM its own Tailscale IP.

  • Great for SSH, Docker apps, or exposing web interfaces.


5️⃣ Install Docker or Cockpit in VMs (Optional)

If you’re planning to run apps inside VMs:

Example: Ubuntu VM – Docker & Cockpit

sudo apt update && sudo apt install docker.io cockpit -ysudo systemctl enable --now cockpit

Access Cockpit via:

https://<vm-tailscale-ip>:9090


6️⃣ Create Backups / Snapshots

Use the Backup tab to schedule VM backups:

  • Type: Snapshot or Stop

  • Storage: local or external (NAS, etc.)

  • Schedule via built-in cron


7️⃣ (Optional) Setup Templates for Fast VM Cloning

Once you set up a VM with Tailscale, Docker, Cockpit, etc., turn it into a Template for rapid deployment of more VMs.


🎯 Bonus Tips:

  • Monitor Proxmox via web UI or tools like Prometheus/Grafana.

  • VM Firewalling: Use Tailscale ACLs or Proxmox firewall rules.

  • Resource Isolation: Set CPU/Memory limits for VMs/containers.

🧱 Your Current VM Setup:

  • Debian (base OS)

  • OpenMediaVault (OMV) – NAS management

  • Docker – For containerized apps

  • CasaOS – App store & dashboard for managing Docker apps


✅ What to Do Next

1️⃣ Tailscale Access to VM

If you haven’t already:

curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up

This gives you direct access to OMV, Docker, CasaOS from any device using Tailscale IP.


2️⃣ Access OMV & CasaOS Web UI Remotely

Now you can:

  • OMV:
    http://<tailscale-ip>:80 (or custom port)

  • CasaOS:
    http://<tailscale-ip>:port (usually 80, 3000, or 8123 depending on how installed)

Use a Tailscale alias or MagicDNS for easier access.


3️⃣ Add Shared Storage (NAS) to OMV

  • Mount and format your HDD/SSD/RAID drives.

  • Use OMV to create:

    • SMB/NFS shares

    • Docker volumes from storage

This is perfect for:

  • Media sharing (e.g., Jellyfin, Plex)

  • Backups

  • Nextcloud or Photoprism


4️⃣ Use CasaOS to Deploy Apps Easily

CasaOS is great for 1-click Docker apps like:

  • Jellyfin / Plex (Media Server)

  • Nextcloud (Cloud Storage)

  • qBittorrent / Transmission (Torrent Client)

  • FileBrowser / Syncthing

  • Nginx Proxy Manager (Reverse proxy with SSL support)

Want a list of recommended apps based on your setup?


5️⃣ Backup & Snapshots

You can:

  • Use Proxmox to back up the full VM

  • Or, configure Duplicati / Restic / Rsnapshot inside Debian for file-level backup

  • Store backups on:

    • External drive

    • Another VM/NAS

    • Cloud (optional, via rclone)


6️⃣ Enhance Docker Management

Consider adding:

  • Portainer (optional): Web-based Docker manager

    docker run -d -p 9000:9000 \ -v /var/run/docker.sock:/var/run/docker.sock \ portainer/portainer-ce

  • Watchtower: Auto-update containers

    docker run -d \ --name watchtower \ -v /var/run/docker.sock:/var/run/docker.sock \ containrrr/watchtower


🛡️ Security Tips

  • Use Tailscale ACLs to limit access to your OMV/CasaOS only from certain devices.

  • Disable unused services in OMV.

  • Keep your containers updated.


💡 Bonus Ideas

  • Turn this VM into a home automation hub (add Home Assistant).

  • Run a private media cloud (Jellyfin + Nextcloud + Photoprism).

  • Setup self-hosted Git, Gitea or Forgejo.

  • Create public-access (zero ports) services using Cloudflare Tunnel if needed.

🚀 Step 4: Install Tailscale on Your Remote Device (Laptop/Desktop/Phone)

For Windows/macOS:

  1. Download from https://tailscale.com/download

  2. Install and log in using the same account as your server

For Android/iOS:

  1. Download the Tailscale app from Google Play or App Store

  2. Log in to connect your phone to the Tailnet


🔍 Step 5: Access Your Server Remotely

Once both devices are online:

  • Open browser and go to:

    • https://100.x.x.x:8006 (Proxmox Web UI)

    • http://100.x.x.x (OMV)

    • http://100.x.x.x:3000 (CasaOS or Docker app)

  • Or connect via SSH:

ssh root@100.x.x.x

You can also use device hostnames like:

ssh root@debian-nas1

🔧 Troubleshooting & Tips

  • Make sure tailscaled is enabled on all Linux devices:
sudo systemctl enable --now tailscaled
  • Use tailscale status to see connected devices

  • Ping devices to test connectivity

  • Enable Tailscale auto-start on Windows from Task Manager > Startup


📅 Use Case Example

You can now manage your home lab, Proxmox, Docker apps, file shares, and more from anywhere in the world — without touching your router!

 

🌍 1. External Access with Domain + SSL (No Port Forwarding) via Cloudflare Tunnel

✅ Requirements:

  • A domain (e.g. yourdomain.com)

  • Free Cloudflare account

  • Cloudflare Tunnel (via cloudflared)

⚙️ Steps:

1. Install cloudflared inside your VM:

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.debsudo dpkg -i cloudflared-linux-amd64.deb

2. Authenticate with Cloudflare:

cloudflared tunnel login

It will open a browser where you select your domain.

3. Create a tunnel:

cloudflared tunnel create my-tunnel

4. Create a config file:

sudo mkdir -p /etc/cloudflaredsudo nano /etc/cloudflared/config.yml

Example for CasaOS:

tunnel: my-tunnelcredentials-file: /root/.cloudflared/my-tunnel.jsoningress: - hostname: casa.yourdomain.com service: http://localhost:3000 - service: http_status:404

5. Route the domain to the tunnel:

cloudflared tunnel route dns my-tunnel casa.yourdomain.com

6. Run it as a service:

cloudflared service installsudo systemctl start cloudflared

✅ Now access CasaOS via https://casa.yourdomain.com with SSL — no router config needed!


🧱 2. Ready-Made Ubuntu Server Setup Script

Here’s a script for fast deployment of an Ubuntu VM with:

  • Tailscale

  • Docker + Docker Compose

  • Cockpit

#!/bin/bash# Quick Setup for Ubuntu Server VMsudo apt update && sudo apt upgrade -y# Install Tailscalecurl -fsSL https://tailscale.com/install.sh | shsudo tailscale up# Install Docker + Composesudo apt install -y docker.io docker-composesudo systemctl enable --now docker# Install Cockpitsudo apt install -y cockpitsudo systemctl enable --now cockpit.socketecho "Setup Done! Access Cockpit at: https://<tailscale-ip>:9090"

You can use this as your base VM and clone it as a template.


📊 3. Monitor Proxmox with Prometheus + Grafana

Option A: Use Proxmox VE Exporter

  1. Install exporter on a VM or separate container.

  2. Point Prometheus to https://<proxmox-ip>:9221

  3. Import Proxmox dashboards in Grafana.

Option B: Run a stack in Docker

docker-compose.yml

version: "3"services: prometheus: image: prom/prometheus volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml ports: - 9090:9090 grafana: image: grafana/grafana ports: - 3000:3000


🔥 4. VM Firewalling via Tailscale ACLs or Proxmox

Tailscale ACLs (simple):

Edit in: https://login.tailscale.com/admin/acls

Example:

{ "ACLs": [ { "Action": "accept", "Users": ["[email protected]"], "Ports": ["debian-vm:22", "debian-vm:80"] } ]}

Deny by default, then allow only what you use.


Proxmox Firewall (per-VM or node-wide)

Enable firewall in:

  • Datacenter → Firewall → Enable

  • Then add rules for:

    • SSH (22)

    • Docker ports

    • Web UIs

Proxmox firewall syntax is similar to iptables.


🔐 5. Security Tips for Your Setup

✅ General:

  • Keep everything updated: apt update && apt upgrade

  • Use strong passwords or SSH keys

  • Use Tailscale ACLs to block unused ports

  • Limit root login via SSH

  • Disable unused services in OMV/CasaOS

✅ Docker:

  • Avoid :latest tag, pin versions

  • Use Watchtower to auto-update with control

  • Keep containers isolated (no --privileged unless needed)


🎥 EngineerHow.com + YouTube Recommendation

If you found this guide useful, consider:

Coming soon: videos on Cloudflare Tunnel + Domain Access + SSL without port forwarding


Stay tuned for more step-by-step Linux, Proxmox, and networking tutorials from EngineerHow!