How to Use a Tailscale VPN to Embrace Remote Work and Explore the World

Remote work has taken off since the COVID-19 pandemic and further spawned what some refer to as “digital nomads”. Many have begun to realize that for some positions, coming into the office is actually not necessary at all and perhaps even less productive than working from home. Moreover, it’s becoming apparent to some that they don’t necessarily need to stay at home every single day of the year. For some, that 12 days (or even 24 days) of PTO is not enough. So, why not switch it up and work from somewhere new, whether that be another state in the U.S. or a whole new country?

Why a self-hosted VPN?

Most companies have I.T. departments that monitor things like IP addresses and thus your location. One of the reasons for this monitoring is to ensure foreign intruders are detected and thwarted appropriately. Obviously it’s no one’s business where you’re working from, and all that really matters (and what your boss cares about) is that the work gets done. And so, the way we can appear somewhere that we truly aren’t is by using a VPN (virtual private network). But not just any VPN… you need to self-host your own VPN at your home. If your I.T. department is somewhat sophisticated, they probably have software which detects commercial VPN providers by referencing a large list of pre-known IP addresses from companies like NordVPN. This distrust in using other commercial servers, despite their popularity, is valid and one reason you should have your own VPN to avoid any malicious snooping on your internet traffic even though it might be unlikely. The other reason to host your own VPN is because you want to appear as if you are working at home as usual. It’s also perfectly fine to host the server at a nearby family member’s house, wherever you can achieve the fastest internet speeds.

How?

Basically, we will use our own travel router between your personal/work device and the local Airbnb/hotel’s internet router. On our travel router, we will use Tailscale as well as on the VPN server at home to host our own “exit node”. Technically, Tailscale is not a VPN, but rather an overlay network where we route the internet traffic through our own IP address at home. Wireguard is the VPN protocol, which Tailscale uses. Using plain Wireguard is the preferred VPN method (click here for a Wireguard guide), but given that it has the ability to be blocked or not work at all for some users, Tailscale is the option that will be described here (read more below).

Note that in some cases, the connection to your Tailscale server will not be direct, but will need to use one of Tailscale’s “DERP” relay servers, which will throttle your internet speeds and add some latency to your connection. Additionally, in the case of a DERP-relayed connection, if one were to run a “traceroute” on your connection, they would see the public DERP relay server IP address, since it is routing your traffic in the middle. This IP obviously belongs to a commercial/enterprise IP block, but it’s only visible by running a traceroute which is able to see every “hop” your traffic makes. Whether or not your employer’s telemetry would pick up on this is what would determine whether this method would still work for you or not. There are a few last ditch effort things you can do to try get peer-to-peer direct connection as opposed to relay servers. For more information on bare Wireguard vs. Tailscale use-cases, performance, and why I use Wireguard as my primary and Tailscale as my backup, see my other Medium article (5-min read):

Wireguard vs. Tailscale, key differences and which VPN to use

A brief technical description on Tailscale: Tailscale IS Wireguard, but with some add-ons. A few nice advantages of Tailscale is that we don’t have to port forward on our home router (more secure) nor use a dynamic DNS (DDNS) service to prevent a dynamic public IP at home from killing things. While using bare Wireguard is the recommended approach since it will have better internet speed performance (aka throughput) all the time, Tailscale provides a fool-proof method particularly if:

• Either the firewall you connect to while traveling happens to block your Wireguard port (default: 51820)
• Your home ISP uses CGNAT, which would NOT allow bare Wireguard to work. Cellular network providers also often use CGNAT. In cases where either end of the connection (client or server) uses CGNAT, Tailscale would still work but it would use the previously mentioned public DERP relay servers (reducing your throughput unfortunately due to throttling).
• You do not have admin access to the primary ISP router.

Now, there is a way to host your own DERP relay server which would ensure full tunneling at nearly full performance through your home IP and without the use of any public servers, but it is a bit complex for someone inexperienced with networking.

NOTE: If your work laptop uses Zscaler or Cisco Umbrella for example, you will be likely be forced through these DERP relay servers and thus have a severely reduced internet speed and increased latency. For more information regarding VPN compatibility with Tailscale go here. For an alternative VPN method (increased difficulty level) to ensure a direct connection and full tunnel to your home VPN and the fastest speeds, follow this guide to setup a normal Wireguard VPN instead.

Please know both methods still share the risk of being detected if DPI (deep packet inspection) is being used which can “sniff” out packet headers (such as Wireguard’s). This tech does not appear to be used very often except in large tech organizations (ex. FAANG) or financial institutions where security is of paramount importance. In these cases, it is not recommended you try to skirt these policies.

Before I continue with the technical implementation, a quick disclaimer: I am not liable for any troubles you cause yourself or your company including but not limited to: termination of employment due to policy violation, failure to obey tax compliance laws, protection of customer data, country data requirements in your respective country.

Equipment needed:

• Server: Raspberry Pi 4B or 5 (or any Linux “thin client” will do, $50–100). OR, you can now use Apple TV to host an exit node!
• Server (easier alternative): GL.iNet router (recommended model: Brume 2). Skip to Step 3.5
  Note: Tailscale on GL.iNet devices is still in beta release. This is why for the server side, Raspberry Pi is preferred. For a bare Wireguard VPN server w/ a GL.iNet router click here.
• Storage: 32GB (or larger) micro SD card for Raspberry Pi
• Travel router: GL.iNet Beryl AX
• Misc: Thunderbolt and/or USB-C Ethernet adapter for laptop (if required), 2–3 ethernet cables of varying sizes.
  One cable for Pi <-> Home Router LAN, one cable for Laptop <-> Travel router LAN, and an optional 10ft cable for Travel router WAN <-> Local network router (at your Airbnb, hotel, etc.)
• (Optional) Portable battery for powering your travel router on the go when a wall outlet is not accessible.

The following models are compatible with Tailscale: GL-AX1800 (Flint), GL-A1300 (Slate Plus), GL-AXT1800 (Slate AX), GL-MT3000 (Beryl AX), GL-MT2500/GL-MT2500A (Brume 2) and GL-X3000 (Spitz AX).

A travel router is needed because we are unable to install 3rd party software, let alone a VPN client, onto our work machine. So we will connect the work computer to the travel router like a normal Wi-Fi network, and the router will point everything to our VPN server. Think of the travel router as a repeater that takes your Airbnb/hotel Wi-Fi network and re-broadcasts it to your device. Of course, we will only use a wired ethernet connection from the laptop to the travel router, never Wi-Fi as this can expose our location.

GL.iNet Beryl AX (MT-3000)

Basic steps:

1. Flash your microSD card using the official Raspberry Pi imager on your laptop or desktop.

Raspberry Pi Documentation - Getting started

Insert the microSD card into your laptop using whatever adapter necessary. Install the official Raspberry Pi Imager and go follow the steps to flash the OS to your microSD. Don’t forget these things:

1. Choose Raspberry Pi OS (aka “Raspbian”) and select the 64 bit version (preferably non-desktop version)! (64 bit OS will give you ~44% faster throughput than 32 bit OS)
2. Set hostname to “raspberrypi.local” to make logging in easier than remember the IP which you set later.
3. Enable SSH in the Advanced Options!

Once you finish flashing the microSD, insert it into the Raspberry Pi and power the Pi. Then, attach an ethernet cable between the Pi and your computer (you may need a Thunderbolt or USB-C to Ethernet adapter). Turn off Wi-Fi on your Mac so we can only connect to the Pi.

Navigate to your command prompt or terminal (on Mac/Linux, or for Windows open start menu and type “command prompt”) and connect to the Pi by running ‘ssh username@hostname’. Below, we use the default ‘pi’ username and the ‘raspberrypi.local’ hostname. Alternatively, you can use the Pi’s IP for the hostname assuming your laptop has a built-in DHCP server (it should).

ssh pi@raspberrypi.local 

or if that doesn’t work (due to new the way the new Raspberry Pi OS works), use the Pi’s IP address:

ssh pi@your-Pi-IP-address

You can find the Pi IP address a number of ways. One way is to go into Network settings on Mac and view the IPv4 address on the Thunderbolt/Ethernet connection. Or type “ifconfig” in the terminal.

Note that as you type in the password you will not see the characters show on the screen. This is normal. If you are having problems with the SSH login, it’s possible you have a bad cable.

Once you’ve logged into the Pi via SSH, run the following:

systemctl enable ssh
systemctl start ssh

These two commands will permanently enable SSH on the Pi and start the service. This really shouldn’t be necessary since the imager should already run this for you, but it doesn’t hurt.

And lastly, disable Wi-Fi since we don’t need it and to reduce power draw.

rfkill block wifi

Simply re-run this command but with “unblock” if you wish to re-enable it ever.

2. Configure a static IP for the Raspberry Pi for an ethernet connection to your local network.

First, we need the subnet to match the local internet’s. So, verify whether your router at home uses 192.168.1.x or 10.0.0.x addresses (remember x is only 1–254). To do this, open a terminal window on your laptop connected to the Wi-Fi and type ifconfig and then look for the IPv4 addresses to the right of en0:. Alternatively, go to your network settings and view the IPv4 address. Also take note of the router IP, you will need that in a second.

macOS Network Settings

Next, we will modify /etc/network/interfaces and add some code. Use your preferred editor by typing “sudo nano /etc/network/interfaces” or “sudo vi /etc/network/interfaces”.

Add the below block of code, where “??”, is any number (0–254) that is not a currently used IP on your network. Next, 10.0.0.1 is the IP of the Xfinity home router in my case. Replace this with whatever your router IP. This is set to both the gateway and dns-nameservers entries as shown below. 8.8.8.8 is an additional DNS entry and happens to be Google’s server.

#static IP address for eth0
auto eth0
iface eth0 inet static
    post-up /sbin/ethtool --set-eee eth0 eee off
address 10.0.0.??
netmask 255.255.255.0
gateway 10.0.0.1
dns-nameservers 10.0.0.1 8.8.8.8

eth0 at the top specifies that we are using an ethernet connection to our router’s LAN port. Using an ethernet/wired connection to your home’s internet service ensures the fastest possible speeds.

Lastly, disable the DHCP client daemon and switch to standard Debian networking:

sudo systemctl disable dhcpcd
sudo systemctl enable networking

Reboot for the changes to take effect.

sudo reboot

Now, plug the Pi into one of your home router’s LAN port and ensure the green light is blinking.

3. SSH into your Raspberry Pi, install Tailscale, and enable exit node

Now that we’ve set a static IP for the Raspberry Pi and connected the Pi to the router, we should be able to access it by using SSH on the local network. Using your laptop (connected to the home Wi-Fi) open a terminal window and type:

ssh pi@raspberrypi.local

OR

ssh pi@static-IP-you-set (ex. 10.0.0.?? or 192.168.1.??)

If you are successfully able to access your Pi, then congrats for making it this far! If not, there could be a problem with the IP you set. Go verify your /etc/network/interfaces again.

We’re ready to install Tailscale on the server to create the VPN, or what Tailscale calls an “exit node”. To install on your Rasp Pi running Linux, simply run the following command:

curl -fsSL https://tailscale.com/install.sh | sh

If this doesn’t work, then determine the particular OS you are running on the Pi. If you don’t remember, simply run the command below and read the first line of hte output:

cat /etc/os-release

You’ll see the Linux distro name on your Pi. Using this info, try a manual install by following instructions here.

Once installed, follow the Tailscale documentation in order to set up your exit node. Be sure to select the “Linux” instructions in order to properly configure your Raspberry Pi’s operating system. Do Step 2 and Step 3: https://tailscale.com/kb/1103/exit-nodes/

NOTE: In Step 2, run the command instead as:

sudo tailscale up --advertise-exit-node --accept-routes

This way we can allow the GL-iNet’s subnets which we will advertise in Step 5. If you missed this, don’t worry, you can always run this command again on your Pi later.

Once finished, give your Tailscale web admin panel a look-over to confirm everything is configured correctly as the documentation instructs. For example, click the 3 dots button all the to the right of the “raspberrypi” exit node and click on “Edit route settings…” and make sure exit node is switched ON.

Raspberry Pi “Edit route settings..”

Your Tailscale machines page should now show your Raspberry Pi and your Travel Router as such:

Admin panel example

Don’t forget to click the 3 dots on the right side for both the Pi and the GL router and “disable key expiry” for both the Pi and your GL.iNet router. This is extremely important to ensure we maintain authenticated. For example, if the key expires on the exit node and you are out of the country, you will be unable to regenerate a key without manually being present at the Raspberry Pi.

In general, Tailscale documentation is very good so it’s good to refer to it often throughout the process.

3.5. (ONLY if using GL.iNet router as server/exit node)

Plug an ethernet cable between your personal laptop and the GL.iNet router’s LAN port (keep Wi-Fi turned on so you have an internet connection). Then, open a browser tab and navigate to the gateway IP addresses that is written on the provided card.

Next, navigate to the Applications page and at the bottom enable Tailscale. If you don’t see Tailscale and/or the installation of the Tailscale plugin fails, try upgrading the firmware on your GL.iNet first.

Follow the binding instructions here:

Tailscale - GL.iNet Router Docs 4

Don’t forget to disable key expiry!

Once you’ve confirmed added the device to your Tailscale account, open up Terminal (on Mac/Linux), or if you’re on Windows open start menu and type “command prompt”:

1. SSH into the router by running ssh root@[ip or hostname of router] (e.g. ssh root@192.168.8.1). You can also use its tailnet IP or hostname assuming you’ve already connected it to your Tailscale account as shown later.
2. Enter your GL.iNet’s router password and hit enter/return
3. Run this command to install “nano” editor. opkg update && opkg install nano
4. Edit the gl_tailscale config file by running sudo nano /usr/bin/gl_tailscale
5. Scroll down line 73 (as of 4.2.1), which currently reads: /usr/sbin/tailscale up --reset $param --timeout 3s
6. Add in --advertise-exit-node after tailscale up. It should now read: /usr/sbin/tailscale up --advertise-exit-node --reset $param --timeout 3s
7. Save and exit by hitting your esc key, and typing Control+X and hitting “y” and your enter/return key
8. Now run these three commands to enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Restart your GL.iNet router (server) and verify that it’s available as an exit node by connecting back to your local Wi-Fi network checking in the Tailscale devices internet webpage.

4. Connect to your GL.iNet travel router and configure it to point to your exit node

Once your exit node is live and all settings are correct based on Tailscale documentation, we can configure the travel router.

Simply connect an ethernet cable between the powered GL.iNet router’s LAN port and your personal laptop. Then, open a browser and type 192.168.8.1 to see the login screen.

Once you’ve logged in, enable the Repeater function on the “Internet” page, and connect the router to your cellphone hotspot or some Wi-Fi network other than the one you’re hosting the Raspberry Pi exit node off of.

Next, navigate to the Applications page and at the bottom enable Tailscale. If you don’t see Tailscale and/or the installation of the Tailscale plugin fails, try upgrading the firmware on your GL.iNet first.

Follow the binding instructions here:

Tailscale - GL.iNet Router Docs 4

Enabling Tailscale will allow us to force all Internet traffic coming into the router (i.e., from your work laptop) to pass through your VPN server (aka “exit node”) back at home.

Once you’re finished with this step, you can confirm the router has Tailscale installed and connected to your account by viewing the Tailscale web admin page to see “Connected” with the green dot as shown below:

Tailscale device status (web admin page)

Lastly, enable “Custom Exit Nodes” and select your exit node IP and apply.

5. Enabling IP-forwarding and adding subnets on the GL-iNet router

OK, so you’ve enabled Tailscale on the GL-iNet router in the Applications section. Now, in order to allow our work laptop (or any device) connected to the router’s LAN to access Tailscale, we must enable IP forwarding and add subnets. It might sound a little tricky at first, but it’s very easy.

First, SSH into your router. Remember to use the password to your router this time, not your laptop or Raspberry Pi password. Open a Terminal window on your Mac/Linux laptop (or use PuTTY for Windows) and type:

ssh root@gl-mt3000

where “gl-mt3000” is the hostname of the GL-iNet router YOU are using.

Alternatively, you can use the router’s Tailscale IP address instead. It should look like 100.x.y.z

ssh root@your-ROUTER-Tailscale-IP

Once logged into the router via SSH, we will use this Tailscale documentation to enable IP forwarding and add subnets. I’ve included the relevant commands for your convenience below.

1. Enter the following four lines to enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

2. Advertise the IPv4 subnet routes for this GL-iNet router:

sudo tailscale up --advertise-routes=192.168.8.0/24

It will likely spit back a longer command. Copy and paste the one it gives you and run that command.

NOTE: There is a small chance you may have a subnet conflict, and you will need to use something other than “192.168.8.0/24” above such as “192.168.10.0/24”, etc.

3. Enable the subnet routes from the Tailscale web admin console.

Open the Machines page of the admin console, and locate the GL-iNet router. Click the 3 dots button on the right side and “Edit route settings…”

Click Approve all, so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network. Alternatively, you can approve the route individually by clicking the toggle to the left of the route.

Once you’ve enabled IP forwarding and enabled subnets, you should verify that the “edit route settings” for your GL-iNet router in the Tailscale web admin look like this:

Example GL-iNet router “Edit route settings” page

If you are using the Slate AX (GL-A1300): Set your Firewall settings as described here: https://forum.openwrt.org/t/help-to-configure-tailscale-as-a-proxy-service/142428/2 in | System | Advanced Settings | Network | Firewall.

6. Confirm your client device (ex. work computer) is showing your home IP

Now that you’ve turned on the Tailscale exit node on your travel router, connect your client laptop to the travel router using the Repeater function. Then run the following Linux command:

dig -4 +short myip.opendns.com @resolver1.opendns.com

If that command doesn’t output anything, then try this one:

curl ifconfig.co

Obviously if you’re on your work computer with Windows and cannot use the above Linux command, then alternatively you can just go to any web browser and navigate to whatsmyip.com to view your IPv4 address from back home.

Remember that the maximum DOWNLOAD speed you will be able to achieve at your work computer when connected to the Tailscale exit node will be your home internet’s UPLOAD speed. If this doesn’t make sense, try drawing out on a piece of paper the connection including acknowledgements/requests between your client computer and the Internet (via your exit node).

More GL.iNet travel router settings to tweak for privacy

1. Clone or Randomize (Manual) MAC address.

Clone your client device’s MAC address to the GL.iNet travel router so you appear as one device. Or, randomize the MAC address so that at least you can’t tell that it’s a GL.iNet router by the first two octets.

Network -> MAC Address

In Advanced Settings -> LuCI (http://192.168.8.1/cgi-bin/luci)

2. Remove Hostname in System -> System

Remove “GL-MT3000” and leave blank

3. Remove host entries in Network -> Hostnames

4. Change WAN interface to “Do not send a hostname” when requesting DHCP in Network -> Interfaces

Manually upgrade Tailscale version

An awesome admin over on the GL.iNet forum created a super useful script to force a Tailscale update to the GL.iNet routers since the firmware’s Tailscale version is outdated (security flaw!).

https://forum.gl-inet.com/t/script-update-tailscale-on-nearly-all-devices/37582

Simply SSH into your routers and run this command (make sure your router has an internet connection) and follow the prompts:

wget -O update-tailscale.sh https://raw.githubusercontent.com/Admonstrator/glinet.forum/main/scripts/update-tailscale/update-tailscale.sh \ && sh update-tailscale.sh

Additional (mandatory) Tips

1. Turn off Wi-Fi, Bluetooth, and location services on your laptop. Connect your client computer to the travel router via Ethernet only.
2. Set your system clock to the time zone you are pretending to be in
3. If you are using a corporate phone, turn off cellular data, Wi-Fi, Bluetooth, and location services. You may, however, use your personal phone as a cellular hotspot as a primary or secondary/failover source of Internet to your travel router.
4. Maintain a strict wall between your work and personal devices. Your work device should not have access to any of your personal accounts, including your system-level Microsoft account or Apple ID. Do not do personal surfing or chatting on your work device.

Lastly, if you’re interested in finding Airbnb’s with guest-submitted/verified internet speeds to ensure a smooth digital nomad experience, go check out my website https://thewirednomad.com Still in development and growing!

For paid assitance in self-hosting your own VPN, see the Silver Tier on my website page here: https://thewirednomad.com/tiers

https://www.paypal.com/donate/?hosted_button_id=UWSK6NVAEN2TG