Tailscale VPN Guide

Securely Access Your Local AI Systems Remotely with Tailscale

Tailscale provides a secure, zero-configuration VPN that allows you to access your local AI systems from anywhere. This guide explains how to set up Tailscale to create a secure network for accessing your home AI infrastructure remotely without compromising on security.

[Figure: Tailscale creating a secure network between devices]

What You’ll Learn

  • Setting up Tailscale on your devices
  • Configuring secure access to your local AI systems
  • Managing permissions and access controls
  • Creating subnet routers for whole-network access
  • Implementing best security practices

Requirements

  • Local AI systems you want to access remotely
  • Admin access to your devices
  • Basic networking understanding
  • Email account for Tailscale registration

1. Creating a Tailscale Account

To get started with Tailscale, you’ll need to create an account:

  1. Visit https://tailscale.com and click “Sign Up”
  2. Choose an authentication provider:
    • Google account
    • Microsoft account
    • GitHub account
    • Email-based authentication
  3. Complete the authentication process
  4. Once logged in, you’ll be directed to the Tailscale admin console

The free Tailscale plan includes:

  • Up to 100 devices on your network
  • Up to 1 user (perfect for personal use)
  • Basic subnet routing

This is usually sufficient for accessing your home AI systems remotely.

2. Installing Tailscale on Your AI Server

First, you’ll need to install Tailscale on the machine hosting your AI systems:

For Linux (Ubuntu/Debian)

curl -fsSL https://tailscale.com/install.sh | sh

For macOS

  1. Install using Homebrew: brew install tailscale
  2. Or download from the Tailscale website

For Windows

  1. Download the installer from https://tailscale.com/download
  2. Run the installer and follow the prompts

Connecting Your AI Server

  1. After installation, start Tailscale: sudo tailscale up (on Linux/macOS) or run from the Start Menu on Windows
  2. You’ll be prompted to authenticate. Follow the link provided
  3. Log in with your Tailscale account
  4. Grant the necessary permissions
  5. Your AI server should now be connected to your Tailscale network

To verify the connection:

tailscale status

This will show your server’s Tailscale IP address (typically in the 100.x.x.x range) and other connected devices.

3. Adding Client Devices

Now you’ll need to install Tailscale on the devices you’ll use to access your AI server remotely:

Mobile Devices

  • iOS: Download Tailscale from the App Store
  • Android: Download Tailscale from the Google Play Store

Laptops/Desktops

Follow the same installation steps as for your AI server, appropriate for each operating system.

Connecting Client Devices

  1. Install Tailscale on each device
  2. Launch Tailscale and authenticate with your account
  3. Once connected, all devices will appear in your Tailscale admin console
  4. Devices can now communicate directly with each other through encrypted connections

You can now access your AI server using its Tailscale IP address from any connected device, anywhere in the world.

4. Setting Up Access Controls

Tailscale provides several ways to control access to your devices:

Device Approval

For added security, you can require manual approval for new devices:

  1. Go to the Tailscale admin console at https://login.tailscale.com/admin/machines
  2. Click on “Settings” in the left sidebar
  3. Under “Preferences,” enable “Require device authorization”

Now, when a new device tries to join your network, you’ll need to approve it explicitly.

Access Control Lists (ACLs)

For more advanced setups, you can define ACLs to control which devices can communicate with each other:

  1. In the admin console, go to “Access Controls”
  2. Click “Edit” to modify access controls
  3. Define rules specifying which devices can connect to which services

For example, you could allow only certain devices to access your AI server’s web interface while restricting others.
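The restriction described above, as an added example (not part of the original guide): an allow-all rule next to a restricted policy in Tailscale's "acls" format, with a simplified evaluator showing what each one permits. The tag names are hypothetical, the ports are the ones this guide lists for LM Studio, AnythingLLM, n8n and Ollama, and the evaluator is a teaching model, not Tailscale's implementation.

```python
import json

# Constructed policies in Tailscale's "acls" format (strict JSON); tag names are hypothetical.
ALLOW_ALL = json.loads('{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')
RESTRICTED = json.loads("""
{
  "tagOwners": {"tag:ai-server": ["autogroup:admin"], "tag:trusted": ["autogroup:admin"],
                "tag:guest": ["autogroup:admin"]},
  "acls": [
    {"action": "accept", "src": ["tag:trusted"],
     "dst": ["tag:ai-server:1234,3001,5678,11434"]},
    {"action": "accept", "src": ["tag:guest"],
     "dst": ["tag:ai-server:3001"]}
  ]
}
""")

def port_matches(spec, port):
    """Match a port against '*', '80', '80,443' or '8000-8100' syntax."""
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def allowed(policy, src, dst, port):
    """Simplified model: a connection is denied unless some accept rule matches it."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if src not in rule["src"] and "*" not in rule["src"]:
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")  # "tag:ai-server:3001" -> host, ports
            if host in ("*", dst) and port_matches(ports, port):
                return True
    return False

if __name__ == "__main__":
    for src, port in [("tag:guest", 3001), ("tag:guest", 11434), ("tag:trusted", 22)]:
        before = allowed(ALLOW_ALL, src, "tag:ai-server", port)
        after = allowed(RESTRICTED, src, "tag:ai-server", port)
        print(f"{src} -> ai-server:{port}  allow-all={before}  restricted={after}")
```

Under the restricted policy the guest tag reaches only the AnythingLLM port, and nothing reaches SSH on port 22 because no rule accepts it.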

5. Configuring Subnet Routing

Subnet routing allows you to access other devices on your home network through your AI server, not just the server itself:

Setting Up Your AI Server as a Subnet Router

  1. On your AI server, run: sudo tailscale up --advertise-routes=192.168.1.0/24 (Replace 192.168.1.0/24 with your actual home network subnet)
  2. In the Tailscale admin console, go to “Machines”
  3. Find your AI server and click on it
  4. Under “Subnet routes,” click “Approve” for the subnet route

This enables your client devices to access your entire home network through the secure Tailscale connection.

Enabling IP Forwarding

For subnet routing to work properly, you need to enable IP forwarding on your AI server:

  • Linux:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
  • macOS: sudo sysctl -w net.inet.ip.forwarding=1
  • Windows: Enable IP forwarding through the registry or use the route command

6. Testing Remote Access

Now that your Tailscale network is set up, let’s test remote access to your AI systems:

  1. Connect to a different network with your client device (e.g., mobile data or another Wi-Fi network)
  2. Ensure Tailscale is running on your client device
  3. Open a browser and navigate to your AI server’s Tailscale IP address with the appropriate port (e.g., http://100.x.y.z:3000 for a web interface running on port 3000)

You should be able to access your AI server’s interface as if you were on the same local network.

Accessing Common AI Systems

  • LM Studio Server: http://[tailscale-ip]:1234/v1
  • AnythingLLM: http://[tailscale-ip]:3001
  • n8n: http://[tailscale-ip]:5678
  • Ollama: http://[tailscale-ip]:11434

7. Security Considerations

While Tailscale provides strong encryption, there are additional security measures you should consider:

Secure Your Tailscale Account

  • Enable two-factor authentication (2FA) for your Tailscale account
  • Use a strong, unique password
  • Regularly review connected devices and remove any that are no longer needed

Keep Tailscale Updated

Always run the latest version of Tailscale to benefit from security patches:

  • Linux: sudo apt-get update && sudo apt-get install --only-upgrade tailscale
  • macOS: brew upgrade tailscale
  • Windows: Update through the installed application

Secure Your AI Services

Even with Tailscale, it’s good practice to secure your AI services:

  • Enable authentication on your AI services when possible
  • Use HTTPS for web interfaces
  • Consider running services inside Docker containers for isolation
  • Apply the principle of least privilege: only expose the ports and services you need

8. Troubleshooting Connection Issues

Connectivity Problems

If you’re having trouble connecting to your AI server:

  • Check that Tailscale is running on both the server and client devices
  • Verify that both devices show as “connected” in the admin console
  • Use tailscale ping [tailscale-ip] to test connectivity
  • Check for firewall rules that might be blocking connections

Service Accessibility

If Tailscale is connected but you can’t access specific services:

  • Verify that the service is running and listening on the expected port
  • Check if the service is configured to listen only on localhost (127.0.0.1) instead of all interfaces (0.0.0.0)
  • Use netstat -tulpn | grep [port] on Linux to check listening ports
  • Test local access first to ensure the service itself is working
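The listening-address check above, together with the least-privilege advice under "Secure Your AI Services", as an added example (not part of the original guide). It parses `ss -tln` output rather than netstat and reports, for the four service ports this guide lists, which networks can reach each socket; the sample output and its addresses are constructed.

```python
import ipaddress

TAILNET = ipaddress.ip_network("100.64.0.0/10")  # range Tailscale IPv4 addresses come from
AI_PORTS = {1234: "LM Studio", 3001: "AnythingLLM", 5678: "n8n", 11434: "Ollama"}

# Constructed `ss -tln` output for illustration; addresses are made up.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096       127.0.0.1:11434      0.0.0.0:*
LISTEN 0      511          0.0.0.0:3001       0.0.0.0:*
LISTEN 0      128   100.101.102.103:1234      0.0.0.0:*
LISTEN 0      511                *:5678             *:*
LISTEN 0      128             [::]:22            [::]:*
"""

def classify(addr):
    """Say which networks can reach a socket bound to this local address."""
    addr = addr.strip("[]")
    if addr in ("*", "0.0.0.0", "::"):
        return "all interfaces"
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    if ip.is_loopback:
        return "localhost only"
    if ip.version == 4 and ip in TAILNET:
        return "tailnet only"
    return "other interface"

def audit(ss_output):
    """Return {port: (service, exposure)} for the AI ports listed in this guide."""
    report = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in AI_PORTS:
            report[int(port)] = (AI_PORTS[int(port)], classify(addr))
    return report

if __name__ == "__main__":
    for port, (name, exposure) in sorted(audit(SAMPLE).items()):
        print(f"{port:>5}  {name:<12} {exposure}")
```

A "localhost only" result explains a service that cannot be reached over Tailscale, while "all interfaces" means it is reachable over Tailscale and also from the LAN and any other network the host is attached to.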

Real-World Applications

Here are some practical ways to use Tailscale with your local AI systems:

Access your home LLM server from anywhere

Use your powerful home GPU to run models remotely:

  • Run LM Studio or Ollama on your home server
  • Configure applications on your laptop or mobile device to connect to the API endpoints via Tailscale
  • Enjoy high-quality AI responses powered by your home hardware while traveling

Securely query document collections while traveling

Access your private knowledge base from anywhere:

  • Set up AnythingLLM with your document collection on your home server
  • Connect securely via Tailscale from any location
  • Query your documents without uploading sensitive information to cloud services

Share AI resources with trusted collaborators

Collaborate securely by granting access to team members:

  • Upgrade to the Tailscale Teams plan
  • Add team members to your Tailscale network
  • Use ACLs to control precisely which services each team member can access
  • Share powerful AI resources without exposing them to the public internet

Create a private AI network between multiple locations

Connect AI systems across different physical locations:

  • Set up Tailscale on servers at different locations (home, office, etc.)
  • Configure subnet routing to integrate entire networks
  • Create a seamless private network where AI services can communicate securely
  • Distribute workloads across multiple machines based on their capabilities

Conclusion

Tailscale provides a secure, easy-to-configure solution for accessing your local AI systems from anywhere. By following this guide, you’ve created a private network that allows you to leverage your home hardware while maintaining complete privacy and security.

This setup gives you the best of both worlds: the privacy and control of local AI systems combined with the convenience of remote access. Whether you’re traveling, working from a coffee shop, or simply away from your home network, you can now securely connect to your AI infrastructure as if you were sitting right next to it.