🚀 Ultimate Guide: Secure Remote Access to Your Home Server Using Tailscale
This guide will show you step-by-step how to install and configure Tailscale to securely access your Proxmox, Debian, or OpenMediaVault (OMV) server from anywhere without opening router ports. This method is fast, free for personal use, and extremely secure.
✅ What You’ll Achieve:
Remote access to web interfaces (Proxmox, OMV, CasaOS, Docker Apps)
Remote SSH access
No router port forwarding required
Secure connections using WireGuard-based VPN
🔧 Step 1: Create a Free Tailscale Account
Go to https://tailscale.com
Click “Get Started” and log in with your Google, Microsoft, or GitHub account
You will now be able to manage your private Tailnet
🪥 Step 2: Install Tailscale on Your Server
🔐 Best Approaches for Remote Access Without Port Forwarding
✅ 1. Tailscale (Recommended – Easy + Secure)
What it does: Creates a secure mesh VPN over WireGuard.
Access: You can SSH into your server or access Proxmox Web UI from anywhere, as if you were on the same LAN.
No router config needed.
Web UI access:
https://<your-server-tailscale-ip>:8006
🛠️ Setup:
Install Tailscale on Proxmox Host:
bash
CopyEdit
curl -fsSL https://tailscale.com/install.sh | shsudo tailscale upSign in with your Gmail or GitHub account and authorize the device.
Install Tailscale in VM (optional):
For each Linux VM, install Tailscale to access it directly via Tailscale IP.
Alternatively, just SSH or access VMs through the Proxmox shell.
Access Remotely:
Use
tailscale ipto get your Proxmox IP and access from any other Tailscale-connected device (phone, laptop, etc.).You can even use VS Code Remote SSH or mobile SSH apps.
For Debian, Proxmox, or OMV:
- Update packages:
sudo apt update && sudo apt upgrade -y- Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh- Start and enable the service:
sudo systemctl enable tailscaled
sudo systemctl start tailscaled- Authenticate and connect the server to your Tailnet:
sudo tailscale upFollow the URL provided and log in to approve the server.
🔒 Step 3: Optional Firewall Setup (UFW)
If UFW is enabled, allow traffic on the Tailscale interface:
sudo ufw allow in on tailscale0 to any port 22 proto tcp # SSH
sudo ufw allow in on tailscale0 to any port 80 proto tcp # HTTP
sudo ufw allow in on tailscale0 to any port 443 proto tcp # HTTPS
sudo ufw allow in on tailscale0 to any port 3000 proto tcp # CasaOS / Web Apps
sudo ufw reloadTo check firewall rules:
sudo ufw status verbose✅ NEXT STEPS AFTER PROXMOX + TAILSCALE SETUP
1️⃣ Create Storage for VMs and ISOs
Make sure your Proxmox sees your storage drives:
Go to Datacenter → Storage
Add your storage (e.g., SSD/HDD, ZFS pool, or directory).
Use one for VM Disks, and optionally one for ISO Images/Backups.
Want help setting up ZFS or mounting additional drives?
2️⃣ Upload ISO Files
To install VMs (Linux, Windows, etc):
Go to:
Datacenter → local (your-node) → ISO ImagesUpload ISO (Ubuntu, Debian, Fedora, etc.) via web UI.
Or place them via SSH:
scp ubuntu.iso root@<tailscale-ip>:/var/lib/vz/template/iso/
3️⃣ Create a Virtual Machine
Go to Create VM
Choose:
Name
ISO image
Storage (for disk)
CPU/RAM
Network: use virtio for performance
4️⃣ Install Tailscale on the VM (Optional)
If you want direct access to VMs from any device via Tailscale:
curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up
This gives the VM its own Tailscale IP.
Great for SSH, Docker apps, or exposing web interfaces.
5️⃣ Install Docker or Cockpit in VMs (Optional)
If you’re planning to run apps inside VMs:
Example: Ubuntu VM – Docker & Cockpit
sudo apt update && sudo apt install docker.io cockpit -ysudo systemctl enable --now cockpit
Access Cockpit via:
https://<vm-tailscale-ip>:9090
6️⃣ Create Backups / Snapshots
Use the Backup tab to schedule VM backups:
Type:
SnapshotorStopStorage: local or external (NAS, etc.)
Schedule via built-in cron
7️⃣ (Optional) Setup Templates for Fast VM Cloning
Once you set up a VM with Tailscale, Docker, Cockpit, etc., turn it into a Template for rapid deployment of more VMs.
🎯 Bonus Tips:
Monitor Proxmox via web UI or tools like Prometheus/Grafana.
VM Firewalling: Use Tailscale ACLs or Proxmox firewall rules.
Resource Isolation: Set CPU/Memory limits for VMs/containers.
🧱 Your Current VM Setup:
Debian (base OS)
OpenMediaVault (OMV) – NAS management
Docker – For containerized apps
CasaOS – App store & dashboard for managing Docker apps
✅ What to Do Next
1️⃣ Tailscale Access to VM
If you haven’t already:
curl -fsSL https://tailscale.com/install.sh | shsudo tailscale up
This gives you direct access to OMV, Docker, CasaOS from any device using Tailscale IP.
2️⃣ Access OMV & CasaOS Web UI Remotely
Now you can:
OMV:
http://<tailscale-ip>:80(or custom port)CasaOS:
http://<tailscale-ip>:port(usually 80, 3000, or 8123 depending on how installed)
Use a Tailscale alias or MagicDNS for easier access.
3️⃣ Add Shared Storage (NAS) to OMV
Mount and format your HDD/SSD/RAID drives.
Use OMV to create:
SMB/NFS shares
Docker volumes from storage
This is perfect for:
Media sharing (e.g., Jellyfin, Plex)
Backups
Nextcloud or Photoprism
4️⃣ Use CasaOS to Deploy Apps Easily
CasaOS is great for 1-click Docker apps like:
Jellyfin / Plex (Media Server)
Nextcloud (Cloud Storage)
qBittorrent / Transmission (Torrent Client)
FileBrowser / Syncthing
Nginx Proxy Manager (Reverse proxy with SSL support)
Want a list of recommended apps based on your setup?
5️⃣ Backup & Snapshots
You can:
Use Proxmox to back up the full VM
Or, configure Duplicati / Restic / Rsnapshot inside Debian for file-level backup
Store backups on:
External drive
Another VM/NAS
Cloud (optional, via rclone)
6️⃣ Enhance Docker Management
Consider adding:
Portainer (optional): Web-based Docker manager
docker run -d -p 9000:9000 \ -v /var/run/docker.sock:/var/run/docker.sock \ portainer/portainer-ceWatchtower: Auto-update containers
docker run -d \ --name watchtower \ -v /var/run/docker.sock:/var/run/docker.sock \ containrrr/watchtower
🛡️ Security Tips
Use Tailscale ACLs to limit access to your OMV/CasaOS only from certain devices.
Disable unused services in OMV.
Keep your containers updated.
💡 Bonus Ideas
Turn this VM into a home automation hub (add Home Assistant).
Run a private media cloud (Jellyfin + Nextcloud + Photoprism).
Setup self-hosted Git, Gitea or Forgejo.
Create public-access (zero ports) services using Cloudflare Tunnel if needed.
🚀 Step 4: Install Tailscale on Your Remote Device (Laptop/Desktop/Phone)
For Windows/macOS:
Download from https://tailscale.com/download
Install and log in using the same account as your server
For Android/iOS:
Download the Tailscale app from Google Play or App Store
Log in to connect your phone to the Tailnet
🔍 Step 5: Access Your Server Remotely
Once both devices are online:
Open browser and go to:
https://100.x.x.x:8006(Proxmox Web UI)http://100.x.x.x(OMV)http://100.x.x.x:3000(CasaOS or Docker app)
Or connect via SSH:
ssh root@100.x.x.xYou can also use device hostnames like:
ssh root@debian-nas1🔧 Troubleshooting & Tips
- Make sure
tailscaledis enabled on all Linux devices:
sudo systemctl enable --now tailscaledUse
tailscale statusto see connected devicesPing devices to test connectivity
Enable Tailscale auto-start on Windows from Task Manager > Startup
📅 Use Case Example
You can now manage your home lab, Proxmox, Docker apps, file shares, and more from anywhere in the world — without touching your router!
🌍 1. External Access with Domain + SSL (No Port Forwarding) via Cloudflare Tunnel
✅ Requirements:
A domain (e.g.
yourdomain.com)Free Cloudflare account
Cloudflare Tunnel (via
cloudflared)
⚙️ Steps:
1. Install cloudflared inside your VM:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.debsudo dpkg -i cloudflared-linux-amd64.deb
2. Authenticate with Cloudflare:
cloudflared tunnel login
It will open a browser where you select your domain.
3. Create a tunnel:
cloudflared tunnel create my-tunnel
4. Create a config file:
sudo mkdir -p /etc/cloudflaredsudo nano /etc/cloudflared/config.yml
Example for CasaOS:
tunnel: my-tunnelcredentials-file: /root/.cloudflared/my-tunnel.jsoningress: - hostname: casa.yourdomain.com service: http://localhost:3000 - service: http_status:404
5. Route the domain to the tunnel:
cloudflared tunnel route dns my-tunnel casa.yourdomain.com
6. Run it as a service:
cloudflared service installsudo systemctl start cloudflared
✅ Now access CasaOS via https://casa.yourdomain.com with SSL — no router config needed!
🧱 2. Ready-Made Ubuntu Server Setup Script
Here’s a script for fast deployment of an Ubuntu VM with:
Tailscale
Docker + Docker Compose
Cockpit
#!/bin/bash# Quick Setup for Ubuntu Server VMsudo apt update && sudo apt upgrade -y# Install Tailscalecurl -fsSL https://tailscale.com/install.sh | shsudo tailscale up# Install Docker + Composesudo apt install -y docker.io docker-composesudo systemctl enable --now docker# Install Cockpitsudo apt install -y cockpitsudo systemctl enable --now cockpit.socketecho "Setup Done! Access Cockpit at: https://<tailscale-ip>:9090"
You can use this as your base VM and clone it as a template.
📊 3. Monitor Proxmox with Prometheus + Grafana
Option A: Use Proxmox VE Exporter
Install exporter on a VM or separate container.
Point Prometheus to
https://<proxmox-ip>:9221Import Proxmox dashboards in Grafana.
Option B: Run a stack in Docker
docker-compose.yml
version: "3"services: prometheus: image: prom/prometheus volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml ports: - 9090:9090 grafana: image: grafana/grafana ports: - 3000:3000
🔥 4. VM Firewalling via Tailscale ACLs or Proxmox
Tailscale ACLs (simple):
Edit in: https://login.tailscale.com/admin/acls
Example:
{ "ACLs": [ { "Action": "accept", "Users": ["[email protected]"], "Ports": ["debian-vm:22", "debian-vm:80"] } ]}
Deny by default, then allow only what you use.
Proxmox Firewall (per-VM or node-wide)
Enable firewall in:
Datacenter → Firewall → EnableThen add rules for:
SSH (22)
Docker ports
Web UIs
Proxmox firewall syntax is similar to iptables.
🔐 5. Security Tips for Your Setup
✅ General:
Keep everything updated:
apt update && apt upgradeUse strong passwords or SSH keys
Use Tailscale ACLs to block unused ports
Limit root login via SSH
Disable unused services in OMV/CasaOS
✅ Docker:
Avoid
:latesttag, pin versionsUse
Watchtowerto auto-update with controlKeep containers isolated (no
--privilegedunless needed)
🎥 EngineerHow.com + YouTube Recommendation
If you found this guide useful, consider:
✉️ Bookmarking EngineerHow.com
🎥 Subscribing to the YouTube Channel: Engineer How YouTube
🌐 Sharing this post with your friends, students, or team
Coming soon: videos on Cloudflare Tunnel + Domain Access + SSL without port forwarding
Stay tuned for more step-by-step Linux, Proxmox, and networking tutorials from EngineerHow!
