
Tip of a Hat to Tailscale

I have been experimenting with basic networking stuff - DNS filtering, network monitoring, exit node etc. on a Pi for some time now. I love my network ad free. And a single node was all I needed. Until coding agents and personal assistants like nanoclaw became too much for a single node.

The fix was simple in theory

Initially I thought I would just add a second DNS server somewhere in the cloud. Keep the Pi for what it does well at home. Place the failover so that it doesn't share the same power supply or ISP.

I also wanted to control costs, and realized that a small fleet of VMs across a couple of regions, together with the local Pi, was all I needed. That is perfect for infrastructure that sits around waiting for DNS queries or forwarding packets.

But the fleet started to grow a little bit from there. A VM running a personal AI assistant that wraps coding agents inside Docker containers. A monitoring instance running Uptime Kuma from a different region so it can tell me when other nodes go down. An exit node in a different geography for when I need traffic routed through another country. All stuff that I wanted always-on but didn't want to depend on my home internet for.

I was bracing for the networking pain. VPNs, port forwarding, firewall rules, access management across devices.

Then Tailscale happened

I had used Tailscale a bit before and knew the basics: WireGuard under the hood, mesh networking, etc. But I only realized its power after actually trying it out.

You install it on a node, run one command to join the network, and that node can now talk to every other node on the mesh. No ports to open, no firewall rules to write. The cloud VMs have zero public ports exposed now. If you're not on my Tailscale, the VMs do not exist. Plus I was able to just use Copilot to wire everything together.

I kept waiting for the catch. Some complicated config file, some edge case where the mesh breaks down. It just kept working.

MagicDNS is where it clicked

The DNS setup is where Tailscale went from "nice" to "how is this free."

In the Tailscale admin console, you set your DNS servers. I pointed it at the Pi running Pi-hole as primary, and the cloud VM running AdGuard Home as secondary. Enabled the override-local-DNS toggle. And that was it.

Every device on the mesh picks up that config automatically. My phone on mobile data in another city gets the same ad-blocked DNS as the laptop at home. No per-device configuration. And when the Pi is unreachable, the OS falls back to the cloud DNS automatically. Failover just happens now.

Pi-hole runs great on the Pi with plenty of RAM and its full stack. But the cloud VM has limited memory. AdGuard Home turned out to be the right tool there. Single binary, no dependencies, tiny memory footprint. Same upstream blocklists, same result, a fraction of the resources.

Tailscale SSH killed my key management

This is the one I never thought about until it started working. Traditional access management meant generating key pairs, copying public keys to different servers, managing authorized_keys files, and hoping you don't lose your private key. Rinse and repeat every time you add a new device.

Tailscale SSH works differently. It uses your Tailscale identity, checks access policies, and creates short-lived certificates. I don't fully understand all the internals but the experience is that from any device on the mesh, I just SSH in by hostname. No keys to distribute, no files to manage.

If you lose a device? Just sign it out from the Tailscale console.

What it costs

The VMs are small burstable instances. DNS and exit nodes need almost no compute, so the cheapest tiers work fine. The only VM that costs more is the one running Docker.

Total cloud spend is a really small number, something you typically forget about.

What I'd do differently

Start with Tailscale from day one. I set up the Pi first, configured everything with local IPs, then bolted Tailscale on later. Would have been cleaner the other way around.

Check how you want to handle key expiry on infrastructure nodes. Find the right-size VMs for single-purpose workloads. My first instinct was to pick something with headroom. Turns out DNS and packet forwarding need almost nothing. And finally wire everything through a coding agent, in my case Copilot. It just sets everything up for you.

The thing about Tailscale

Well, for free software, it is genuinely just wow. No VPN server to babysit, no certificates to rotate, no firewall rules per node, no port forwarding on the home router, no DNS config on each device. It removed the whole layer that I was dreading. There are ACLs for additional controls too.
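The Tailscale SSH section and the mention of ACLs above both come down to one policy file in the admin console. The following is an added example of what a least-privilege policy for a setup like this could look like; it is not from the original post, and the tag name tag:infra, the port numbers and the check periods are assumptions. It uses the documented HuJSON policy format: tagged infrastructure nodes, DNS on port 53 open to every member device, exit-node use allowed, and Tailscale SSH restricted to non-root logins with periodic re-authentication. Tagging the infrastructure nodes also covers the key-expiry point, since tagged nodes' keys do not expire by default.

```hujson
{
  // Who may apply tag:infra to a node (the tag name is a constructed assumption).
  "tagOwners": {
    "tag:infra": ["autogroup:admin"],
  },

  "acls": [
    // Every member device may query DNS on the infra nodes (Pi-hole / AdGuard Home).
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:infra:53"], "proto": "udp"},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:infra:53"], "proto": "tcp"},
    // Members may route traffic through any node advertised as an exit node.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"]},
    // Infra nodes may reach each other on any port (e.g. the Uptime Kuma node probing the others).
    {"action": "accept", "src": ["tag:infra"], "dst": ["tag:infra:*"]},
  ],

  "ssh": [
    // Tailscale SSH: members may log in to infra nodes as a non-root user,
    // and must re-authenticate every 12 hours ("check" mode).
    {"action": "check", "checkPeriod": "12h", "src": ["autogroup:member"], "dst": ["tag:infra"], "users": ["autogroup:nonroot"]},
    // Only admins get root, and they must re-authenticate for every session.
    {"action": "check", "checkPeriod": "always", "src": ["autogroup:admin"], "dst": ["tag:infra"], "users": ["root"]},
  ],
}
```

Nothing else is allowed: any port not listed here is unreachable over the tailnet even between member devices, which is the property the post relies on when it says the VMs "do not exist" to anyone outside the mesh. The "check" action is what replaces long-lived SSH keys with a short-lived, identity-bound session.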

I think it turned a project that could have been a month of networking headaches into a weekend of actually building the things I wanted to run. Copilot just nailed it outright for the setup.

TL;DR

I run a small fleet of cloud VMs and a Raspberry Pi at home, wired together with Tailscale. This is about how that setup came together and why Tailscale made it surprisingly simple.