How to Use a Tailscale VPN for Remote Work and Travel

Introduction

Remote work has taken off since the COVID-19 pandemic and further spawned what some refer to as “digital nomads”. Many have begun to realize that for some positions, coming into the office is actually not necessary at all and perhaps even less productive than working from home. Moreover, it’s becoming apparent to some that they don’t necessarily need to stay at home every single day of the year. For some, that 12 days (or even 24 days) of PTO is not enough.

So, why not switch it up and work from somewhere new, whether that be another state in the U.S. or a whole new country?

Why a self-hosted VPN?

Most companies have I.T. departments that monitor things like IP addresses and thus your location(s). One of the reasons for this monitoring is to ensure foreign intruders are detected and thwarted appropriately. Obviously it’s no one’s business where you’re working from, and all that really matters (and what your boss cares about) is that the work gets done. And so, the way we can appear somewhere that we truly aren’t is by using a VPN (virtual private network). But not just any VPN… you need to self-host your own VPN at your home. If your I.T. department is somewhat sophisticated, they probably have software which detects commercial VPN providers by referencing a large list of pre-known IP addresses from companies like NordVPN. This distrust in using other commercial servers, despite their popularity, is valid and one reason you should have your own VPN to avoid any malicious snooping on your internet traffic even though it might be unlikely. The other reason to host your own VPN is because you want to appear as if you are working at home as usual. It’s also perfectly fine to host the server at a nearby family member’s house, wherever you can achieve the fastest internet speeds.

How?

Basically, we will use our own travel router between your personal/work device and the local Airbnb/hotel’s internet router. On our travel router, we will use Tailscale. We will use Tailscale at home as well to host our own VPN server or “exit node”. Technically, Tailscale is not a VPN, but rather an overlay network where we route the internet traffic through our own IP at home. Note that in some cases, the connection to your Tailscale server will not be direct, but will use one of Tailscale's "DERP" relay servers, which could add some latency to your connection. There are a few last ditch effort things you can do to try get peer-to-peer direct connection as opposed to relay servers.

A brief technical description on Tailscale: Tailscale IS Wireguard, but with some add-ons. A few nice advantages of Tailscale is that we don't have to port forward on our home router nor use a dynamic DNS (DDNS) service to prevent a dynamic public IP at home from killing things. While using bare Wiregard may have better internet speed performance (aka throughput) all the time, Tailscale provides a fool-proof method particularly if your home ISP uses CGNAT, which would NOT allow bare Wireguard to work. Cellular network providers also often use CGNAT. In cases where both ends of the connection use CGNAT, Tailscale would still work but it would use the previously mentioned public DERP relay servers (reducing your throughput unfortunately due to throttling). Now, there is a way to host your own DERP relay server, but it is a bit complex for someone inexperienced with networking.

NOTE: IF your work laptop uses Zscaler or Cisco Umbrella for example, you will be forced through these DERP relay servers and thus have a severely reduced internet speed and increased latency. For more information regarding VPN compatability with Tailscale go here. For an alternative VPN method (increased difficulty level) to ensure a direct connection and fast speeds is to follow this guide to setup a Wireguard VPN instead.

Before I continue with the technical implementation, a quick disclaimer: I am not liable for any troubles you cause yourself or your company including but not limited to: termination of employment due to policy violation, failure to obey tax compliance laws, protection of customer data, country data requirements in your respective country.

Raspberry Pi 4B Tailscale Server Exit Node

Equipment Needed:

The following models are compatible with Tailscale: GL-AX1800 (Flint), GL-A1300 (Slate Plus), GL-AXT1800 (Slate AX), GL-MT3000 (Beryl AX), GL-MT2500/GL-MT2500A (Brume 2) and GL-X3000 (Spitz AX).

A travel router is needed because we are unable to install 3rd party software, let alone a VPN client, onto our work machine. So we will connect the work computer to the travel router like a normal Wi-Fi network, and the router will point everything to our VPN server. Think of the travel router as a repeater that takes your Airbnb/hotel Wi-Fi network and re-broadcasts it to your device. Of course, we will only use a wired ethernet connection from the laptop to the travel router, never Wi-Fi as this can expose our location.

GL-iNet Beryl AX (MT-3000)

Basic steps:

1. Flash your microSD card using the official Raspberry Pi imager on your laptop or desktop.

Raspberry Pi Documentation - Getting started
The official documentation for Raspberry Pi computers and microcontrollers

Insert the microSD card into your laptop using whatever adapter necessary. Install the official Raspberry Pi Imager and go follow the steps to flash the OS to your microSD. Don't forget these things:

  1. Choose Raspberry Pi OS (aka "Raspbian") and select the 64-bit version! (64-bit OS will give you ~44% faster throughput than 32-bit OS)
  2. Set hostname to "raspberrypi.local" to make logging in easier than remembering the IP which you set later.
  3. Enable SSH in the Advanced Options!

Once you finish flashing the microSD, insert it into the Raspberry Pi and power the Pi. Then, attach an Ethernet cable between the Pi and your computer (you may need a Thunderbolt or USB-C to Ethernet adapter). Turn off Wi-Fi on your Mac so we can only connect to the Pi.

Navigate to your command prompt or terminal (on Mac/Linux), or on Windows open start menu and type "command prompt" and connect to the Pi by running 'ssh username@hostname'. Below, we use the default 'pi' username and the 'raspberrypi.local' hostname. Alternatively, you can use the Pi’s IP for the hostname assuming your laptop has a built-in DHCP server (it should).

ssh pi@raspberrypi.local
        

or if that doesn't work, use the Pi's IP address:

ssh pi@your-Pi-IP-address
        

You can find the Pi IP address a number of ways. One way is to go into Network settings on Mac and view the IPv4 address on the Ethernet connection. Or type "ifconfig" in the terminal.

Note that as you type in the password, you will not see the characters show on the screen. This is normal. If you are having problems with the SSH login, and you are sure that you are entering the correct password, then it is possible you need a few settings tweaked still. You will need to connect your Pi to an external monitor and open a Terminal window to edit one file. If the SSH login works, simply skip to the ‘systemctl’ commands.

sudo nano /etc/ssh/sshd_config
        

Then look for the following lines:

#PasswordAuthentication yes
        

Remove the “#” in front of PasswordAuthentication. Once you’re finished, CTRL + X, “Y”, Enter to save and exit from nano editor. Now plug the Pi back into your laptop via Ethernet and try SSHing in again.

Once you’ve logged into the Pi via SSH, run the following:

systemctl enable ssh
systemctl start ssh

These two commands will permanently enable SSH on the Pi and start the service. This really shouldn’t be necessary since the imager should already run this for you, but it doesn’t hurt.

And lastly, disable Wi-Fi since we don’t need it and to reduce power draw.

rfkill block wifi
        

Simply re-run this command but with “unblock” if you wish to re-enable it ever.

2. Configure a static IP for the Raspberry Pi for an ethernet connection to your local network.

First, we need the subnet to match the local internet’s. So, verify whether your router at home uses 192.168.1.x or 10.0.0.x addresses (remember x is only 1-254). To do this, open a terminal window on your laptop connected to the Wi-Fi and type ifconfig and then look for the IPv4 addresses to the right of en0:. Alternatively, go to your network settings and view the IPv4 address. Also, take note of the router IP, you will need that in a second.

macOS Network Settings

Next, we will modify /etc/network/interfaces and add some code. Use your preferred editor by typing “sudo nano /etc/network/interfaces” or “sudo vi /etc/network/interfaces”.

Add the below block of code, where “??”, is any number (0–254) that is not a currently used IP on your network. Next, 10.0.0.1 is the IP of the Xfinity home router in my case. Replace this with whatever your router IP. This is set to both the gateway and dns-nameservers entries as shown below. 8.8.8.8 is an additional DNS entry and happens to be Google’s server.


        #static IP address for eth0
        auto eth0
        iface eth0 inet static
            post-up /sbin/ethtool --set-eee eth0 eee off
        address 10.0.0.??
        netmask 255.255.255.0
        gateway 10.0.0.1
        dns-nameservers 10.0.0.1 8.8.8.8

eth0 at the top specifies that we are using an ethernet connection to our router’s LAN port. Using an ethernet/wired connection to your home’s internet service ensures the fastest possible speeds.

Lastly, disable the DHCP client daemon and switch to standard Debian networking:

sudo systemctl disable dhcpcd
sudo systemctl enable networking

Reboot for the changes to take effect.

sudo reboot

Now, plug the Pi into one of your home router’s LAN port and ensure the green light is blinking.

3. SSH into your Raspberry Pi, install Tailscale, and enable exit node

Now that we’ve set a static IP for the Raspberry Pi and connected the Pi to the router, we should be able to access it by using SSH on the local network. Using your laptop (connected to the home Wi-Fi) open a terminal window and type:

ssh pi@raspberrypi.local

OR

ssh pi@static-IP-you-set (ex. 10.0.0.?? or 192.168.1.??)

If you are successfully able to access your Pi, then congrats for making it this far! If not, there could be a problem with the IP you set. Go verify your /etc/network/interfaces again.

We’re ready to install Tailscale on the server to create the VPN, or what Tailscale calls an “exit node”. To install on your Rasp Pi running Linux, simply run the following command:

curl -fsSL https://tailscale.com/install.sh | sh

If this doesn’t work, then determine the particular OS you are running on the Pi. If you don’t remember, simply run the command below and read the first line of the output:

cat /etc/os-release

You’ll see the Linux distro name on your Pi. Using this info, try a manual install by following instructions here.

Once installed, follow the Tailscale documentation in order to set up your exit node. Be sure to select the "Linux" instructions in order to properly configure your Raspberry Pi's operating system. Step 2 and 3 here: https://tailscale.com/kb/1103/exit-nodes/

NOTE: In Step 2, run it as:

sudo tailscale up --advertise-exit-node --accept-routes
so that we can allow the GL-iNet's subnets which we will advertise in Step 5. If you missed this, don't worry, you can always run this command again on your Pi later.

Once finished, give your Tailscale web admin panel a look-over to confirm everything is configured correctly as the documentation instructs. For example, click the 3 dots button all the to the right of the "raspberrypi" exit node and click on "Edit route settings…" and make sure exit node is switched ON.

Raspberry Pi 'Edit route settings..'

Your Tailscale machines page should now show your Raspberry Pi and your Travel Router as such:

Admin panel example

Don't forget to click the 3 dots on the right side for both the Pi and the GL router and "disable key expiry" for both the Pi and your GL-iNet router. This is extremely important to ensure we maintain authenticated. For example, if the key expires on the exit node and you are out of the country, you will be unable to regenerate a key without manually being present at the Raspberry Pi.

In general, Tailscale documentation is very good so it's good to refer to it often throughout the process.

3.5. (ONLY if using GL.iNet router as server/exit node)

Plug an ethernet cable between your personal laptop and the GL.iNet router’s LAN port and make sure your laptop Wi-Fi is turned off. Then, open a browser tab and navigate to the gateway IP addresses that is written on the provided card.

Next, navigate to the Applications page and at the bottom enable Tailscale. If you don't see Tailscale and/or the installation of the Tailscale plugin fails, try upgrading the firmware on your GL.iNet first.

Follow the binding instructions here: https://docs.gl-inet.com/router/en/4/interface_guide/tailscale/

Once you've confirmed that you can connect to the GL.iNet router's admin page, open up Terminal (on Mac/Linux) or on Windows open start menu and type "command prompt":

  1. SSH into the router by running ssh root@[ip or hostname of router] (e.g. ssh root@192.168.8.1. You can also use its tailnet IP or hostname assuming you’ve already connected it to your Tailscale account as shown later.
  2. Enter your GL.iNet’s router password and hit enter/return
  3. Run this command to install “nano” editor. opkg update && opkg install nano
  4. Edit the gl_tailscale config file by running sudo nano /usr/bin/gl_tailscale
  5. Scroll down line 73 (as of 4.2.1), which currently reads: /usr/sbin/tailscale up --reset $param --timeout 3s
  6. Add in --advertise-exit-node after tailscale up. It should now read: /usr/sbin/tailscale up --advertise-exit-node --reset $param --timeout 3s
  7. Save and exit by hitting your esc key, and typing Control+X and hitting 'y' then your enter/return key
  8. Now run these three commands to enable IP forwarding:
  9. echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf

    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf

    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Restart your GL.iNet router (server) and verify that it’s available as an exit node by connecting back to your local Wi-Fi network checking in the Tailscale devices internet webpage.

4. Connect to your GL-iNet travel router, enable Tailscale, and configure it to point to your exit node

Once your exit node is live and all settings are correct based on Tailscale documentation, we can configure the travel router.

Simply connect an ethernet cable between the powered GL-iNet router’s LAN port and your personal laptop. Then, open a browser and type 192.168.8.1 to see the login screen.

Once you’ve logged in, enable the Repeater function on the “Internet” page, and connect the router to your cellphone hotspot or some Wi-Fi network other than the one you’re hosting the Raspberry Pi exit node off of.

Next, navigate to the Applications page and at the bottom enable Tailscale. If you don’t see Tailscale and/or the installation of the Tailscale plugin fails, try upgrading the firmware on your GL-iNet first.

Follow the binding instructions here: Tailscale - GL.iNet Router Docs 4

Enabling Tailscale will allow us to force all Internet traffic coming into the router (i.e., from your work laptop) to pass through your VPN server (aka “exit node”) back at home.

Once you’re finished with this step, you can confirm the router has Tailscale installed and connected to your account by viewing the Tailscale web admin page to see “Connected” with the green dot as shown below:

Tailscale device status (web admin page)

Lastly, enable “Custom Exit Nodes” and select your exit node IP and apply.

Custom Exit Nodes Configuration

5. Enabling IP-forwarding and adding subnets on the GL-iNet router

OK, so you’ve enabled Tailscale on the GL-iNet router in the Applications section. Now, in order to allow our work laptop (or any device) connected to the router’s LAN to access Tailscale, we must enable IP forwarding and add subnets. It might sound a little tricky at first, but it’s very easy.

First, SSH into your travel router. Remember to use the password to your router this time, not your laptop or Raspberry Pi password. Open a Terminal window on your Mac or Linux laptop and type:

Before running the commands shown in the below documentation, you will need to first ssh into your router. Remember to use the password to your travel router this time, not your laptop or Raspberry Pi password. To do this, open a Terminal window on your Mac or Linux laptop and type:

ssh root@gl-mt3000

where “gl-mt3000” is the hostname of the GL-iNet router YOU are using.

Alternatively, you can use the router’s Tailscale IP address instead. It should look like 100.x.y.z

ssh root@your-ROUTER-Tailscale-IP

Once logged into the router via SSH, we will use this Tailscale documentation to enable IP forwarding and add subnets. I’ve included the relevant commands for your convenience below.

1. Enter the following three lines to enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

2. Advertise the IPv4 subnet routes for this GL-iNet router (Beryl AX):

sudo tailscale up -advertise-routes=192.168.8.0/24 
It will likely spit back a longer command. Copy and paste the one it gives you and run that command.

NOTE: There is a small chance you may have a subnet conflict, and you will need to use something other than "192.168.8.0/24" above such as "192.168.10.0/24", etc.

3. Enable the subnet routes from the Tailscale web admin console.

Open the Machines page of the admin console, and locate the GL-iNet router. Click the 3 dots button on the right side and “Edit route settings…”

Click Approve all, so that Tailscale distributes the subnet routes to the rest of the nodes on your Tailscale network. Alternatively, you can approve the route individually by clicking the toggle to the left of the route.

Once you’ve enabled IP forwarding and enabled subnets, you should verify that the “edit route settings” for your GL-iNet router in the Tailscale web admin look like this:

Example GL-iNet router “Edit route settings” page

If you are using the Slate AX (GL-A1300): Set your Firewall settings as described here located in | System | Advanced Settings | Network | Firewall.

6. Confirm your client device (ex. work computer) is showing your home IP

Now that you’ve turned on the Tailscale exit node on your travel router, connect your client laptop to the travel router using the Repeater function. Then run the following Linux command:

dig -4 +short myip.opendns.com @resolver1.opendns.com

If that command doesn't output anything, then try this one:

curl ifconfig.co

Obviously if you’re on your work computer with Windows and cannot use the above Linux command, then alternatively you can just go to any web browser and navigate to whatsmyip.com to view your IPv4 address from back home.

Remember that the maximum DOWNLOAD speed you will be able to achieve at your work computer when connected to the Tailscale exit node will be your home internet’s UPLOAD speed. If this doesn’t make sense, try drawing out on a piece of paper the connection including acknowledgements/requests between your client computer and the Internet (via your exit node).

Additional (mandatory) Tips

  1. Turn off Wi-Fi, Bluetooth, and location services on your laptop. Connect your client computer to the travel router via Ethernet only.
  2. Set your system clock to the time zone you are pretending to be in.
  3. If you are using a corporate phone, turn off cellular data, Wi-Fi, Bluetooth, and location services. Don't worry, you can still use your Authenticator with work account sign-ins, since it does not require an Internet connection. Additionally, don't forget you may use your personal phone as a cellular hotspot as a primary or secondary/failover source of Internet by connecting it with your travel router.
  4. Maintain a strict wall between your work and personal devices. Your work device should not have access to any of your personal accounts, including your system-level Microsoft account or Apple ID. Do not do personal surfing or chatting on your work device.

If you still need help:

See our Tiers page (Silver Tier) to request tech support and we'll be happy to get you up and running!