Secure Remote Access to Raspberry Pi using Tailscale (No Port Forwarding)
Access your Raspberry Pi from anywhere in the world without exposing ports on your home router! This step-by-step guide explains how to install and configure Tailscale to create a secure, encrypted mesh VPN network for easy remote access.
Introduction
Traditionally, accessing your Raspberry Pi from outside your home network required configuring Dynamic DNS (DDNS) and setting up Port Forwarding on your home router. This process is not only complicated but also exposes your home network to malicious scans and attacks.
Tailscale solves this problem by using the modern WireGuard protocol to establish secure, peer-to-peer connections (a "mesh VPN"). It traverses firewalls and NATs automatically, meaning you do not need to open any ports on your router.
Step 1: Install Tailscale on the Raspberry Pi
Tailscale provides an automated installation script that detects your Raspberry Pi OS version and configures the repository.
- Connect to your Raspberry Pi locally (via terminal or local SSH).
- Run the official Tailscale installation script:
- Once the installation completes, the Tailscale daemon will start automatically.
Step 2: Connect the Raspberry Pi to Your Tailnet
Now, authenticate your Raspberry Pi to associate it with your Tailscale account (your "Tailnet").
- Run the login command:
- The terminal will print a unique authentication URL:
- Copy this URL, paste it into a web browser on your PC or phone, and sign in (using Google, Microsoft, GitHub, or email).
- Click Authorize to connect the Raspberry Pi to your network.
- Back in the terminal, you should see:
To find your Raspberry Pi's new private Tailscale IP address, run:
100.x.y.z) is static and belongs only to your private network.
Step 3: Remote Connect from Your Client Devices
To access your Raspberry Pi remotely, you must install Tailscale on the device you want to connect from (such as your laptop, desktop, or smartphone).
- Download and install Tailscale on your client device from tailscale.com/download.
- Launch the Tailscale app and sign in with the same account you used for the Raspberry Pi.
- Once connected, your client device and Raspberry Pi are part of the same secure virtual network.
Test SSH Access
From your laptop (connected to any network, e.g., cellular data or public Wi-Fi), run:
Test VNC Desktop Access
If you use VNC for graphical desktop access, open your VNC Viewer client and enter your Raspberry Pi's Tailscale IP address (e.g., 100.80.90.100) to log in.
Advanced: Configure the Pi as an Exit Node
You can configure your Raspberry Pi to act as an Exit Node. This routes all of your client device's internet traffic through your home network—useful for securing your connection when using untrusted public Wi-Fi.
1. Enable IP Forwarding on the Pi:
Edit the sysctl file:
2. Advertise the Exit Node:
Restart Tailscale on the Pi with the exit-node flag:
3. Approve the Exit Node:
- Open the Tailscale Admin Console.
- Locate your Raspberry Pi in the machine list.
- Click the three dots menu (...) next to it, select Edit route settings, and toggle on Use as exit node.
Now, from the Tailscale app on your phone or laptop, you can select your Raspberry Pi as the "Exit Node" to secure your web browsing.
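Steps 1 and 2 of the exit-node setup as one idempotent script, added here as an example and not taken from the original guide: it sets both forwarding keys, checks the effective values, then advertises the exit node (approval in step 3 is still required). The drop-in path `/etc/sysctl.d/99-tailscale.conf`, the function names and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide: steps 1 and 2 of the exit-node setup.
# Assumption: a sysctl drop-in file holds the settings (path as used in Tailscale's
# documentation); override CONF to try the functions on a scratch file.
CONF="${CONF:-/etc/sysctl.d/99-tailscale.conf}"

# Set "key = value" in a sysctl-style file: collapse all active lines for the key
# into one, or append it if absent. Commented lines are left untouched.
set_sysctl_key() (
  file=$1 key=$2 value=$3
  touch "$file" && tmp=$(mktemp) || exit 1
  awk -v k="$key" -v v="$value" '
    !/^[ \t]*[#;]/ {
      n = split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1])
      if (n >= 2 && kv[1] == k) { if (!done) print k " = " v; done = 1; next }
    }
    { print }
    END { if (!done) print k " = " v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?; rm -f "$tmp"; exit "$rc"
)

# Succeed only if the last active (uncommented) line for the key sets it to 1,
# i.e. the value that wins when sysctl loads this file top to bottom.
forwarding_enabled() {
  awk -v k="$2" '
    !/^[ \t]*[#;]/ && split($0, kv, "=") >= 2 {
      gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
      if (kv[1] == k) val = kv[2]
    }
    END { exit !(val == "1") }
  ' "$1"
}

apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root, e.g. with sudo" >&2; return 1; }
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    set_sysctl_key "$CONF" "$key" 1 || return 1
    forwarding_enabled "$CONF" "$key" || return 1
  done
  sysctl -p "$CONF" || return 1        # load now; the file keeps it across reboots
  tailscale up --advertise-exit-node   # advertise only; approval happens in the admin console
}

# Nothing on the system is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it on the Pi with root privileges and the `--apply` argument; without that argument it only defines the functions.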
Troubleshooting
- Tailscale cannot connect:
  - Run `sudo systemctl status tailscaled` to verify that the daemon is running.
  - If it is stopped, run `sudo systemctl enable --now tailscaled`.
- Latency is high:
  - By default, Tailscale attempts to make a direct peer-to-peer connection. If it fails due to strict NAT firewalls, it relays traffic through encrypted DERP servers, which increases latency. You can check connection status by running `tailscale status`.