Context / need
A self-hosted platform quickly accumulates sensitive services: administration dashboards, password manager, internal tools. Exposing them on the Internet behind a simple login means offering your attack surface to the Internet’s constant scanning. Roaming access is needed (travel, mobile) without ever publishing these services.
Constraints
- Minimal public surface. Only deliberately public services should answer from the Internet.
- Real roaming: access from anywhere, including mobile, without configuration gymnastics.
- No sprawling machinery. A single maintainer: the per-device key and configuration management of a classic VPN is a recurring burden I want to avoid.
Options considered
- Hardened public exposure (fail2ban, MFA, geoblocking): every service remains a door open to the Internet. It hardens the door without shrinking the surface.
- Self-managed VPN (bare WireGuard or OpenVPN): solid, but key distribution, rotation and per-device configuration remain on me.
- Tailscale, managed WireGuard: per-device identity, peer-to-peer encryption, ACLs, and zero inbound port to open.
Decision & why
Tailscale as the private access plane. Every device is authenticated and a member of an encrypted mesh network, the tailnet. Private services are only routable there.
Defense in depth: even if a private service answered by mistake on the public
edge, the tailscale-only Traefik middleware only accepts connections
coming from the tailnet. A service’s exposure is declared in its
configuration, independently of where it runs.
A subnet router extends access to equipment that cannot run the Tailscale client. Remote access then goes through an authenticated tailnet node rather than through direct exposure.
Accepted tradeoff
The control plane (coordination, identity) depends on a third party, Tailscale, and identity is backed by an SSO provider. Accepted compromise: traffic stays encrypted peer to peer, the third party does not see the data, and the self-managed alternative would cost a disproportionate operational burden for a single maintainer. If the situation changes, an exit path exists (Headscale, bare WireGuard).
Outcome
- Secure: sensitive services are not attackable from the Internet, they do not exist there. A double lock, network plus middleware at the edge.
- Maintainable: no manual key management, no per-device configuration. Adding a device comes down to authenticating it.
Public / private split (what answers to what)
Without topology details, the split rule is simple:
- Public: client sites, and the only endpoints designed to receive external traffic, such as the Hub event ingest, rate-limited and authenticated.
- Tailnet only: everything else. Dashboards, administration, internal tools, password manager.
- Hybrid: a single service can expose a public part and a private part. The boundary is declared route by route at the edge (Reverse proxy & TLS).