How Tailscale Helped Me Ditch My iCloud Storage Subscription
A mesh VPN built on WireGuard that takes ten minutes to set up and turns every device you own into one private network. Why I use it for my home lab, and how to get started.
For longer than I want to admit, I have paid the Apple subscription tax. Every month I would look at the charge and think, I can do this myself. And every month, until recently, I just accepted it. Then I started building a home lab and put Immich (the self-hosted answer to iCloud Photos) on a Raspberry Pi in a 3D-printed 10-inch rack.
The Immich app on my phone needs to connect to the server to properly back up photos. The server is on my home network. My phone, most of the time, is not.
The “obvious” answer for years was to expose things through the router with port forwarding, put a reverse proxy in front, register a domain, manage certs, and harden everything. I did pieces of that. I never finished any of it. The work between “this runs at home” and “this runs on my phone in a coffee shop without me thinking about it” was always more than a weekend, and I always had something more interesting to do that weekend.
Tailscale ate the entire problem in about ten minutes. iCloud is canceled.
What Tailscale actually is
Tailscale is a mesh VPN built on top of WireGuard, the modern in-kernel VPN protocol that has eaten OpenVPN’s lunch over the last few years. WireGuard, by itself, is an amazing protocol that asks you to do less than amazing things to use it: generate keys, distribute them, configure each peer, handle NAT traversal, fix it when an IP changes. Tailscale is the thin coordination layer that does all of that for you. You install the client, sign in with an existing identity (Google, Microsoft, GitHub, whichever), and every device signed into that account joins the same private network, called a tailnet. Each device gets a stable IP in the 100.x range and a clean hostname. They can all reach each other directly, regardless of which network they are on or how many NATs sit between them.
Your actual traffic does not flow through Tailscale’s servers, which is what most “VPN” tools get wrong. Tailscale runs a control plane that handles identity, key exchange, and peer discovery, and that is it. The data plane is direct WireGuard tunnels between your devices. When my phone talks to my Immich server, the bytes go phone → carrier → home internet → server, encrypted end-to-end.
The free tier is 100 devices and 3 users. That is “all my hardware plus everyone in the house” territory, and I will not hit that limit anytime soon.
Setting it up
On each device the flow is the same. Go to tailscale.com, sign up with whatever identity provider you already use, install the client (one curl-pipe-bash on Linux, App Store on everything else), and run tailscale up. Sign in with the same identity. The device shows up in the admin console with its tailnet IP. Repeat on every device you want on the network, and they can all reach each other.
Turn on MagicDNS in the admin console and every device becomes reachable as <hostname>.<tailnet>.ts.net from anywhere, no extra config.
Out of the box, Tailscale only connects devices that have a Tailscale client installed. Your laptop talks to your Pi because both are in the tailnet. Your Pi cannot, by default, talk to your printer, your NAS, your smart plugs, or anything else on your home network that you would never bother installing Tailscale on.
The fix is to pick one Tailscale device sitting on your home network (a Pi works perfectly) and tell it to act as a gateway for the rest of the LAN. Tailscale calls this a subnet router. One command on that device:
sudo tailscale up --advertise-routes=<your-home-subnet>
Replace <your-home-subnet> with your private network’s CIDR range, which is whatever your router hands out to devices on your LAN. You can find it in the router’s admin page; it usually looks like 192.168.1.0/24, 192.168.0.0/24, or 10.0.0.0/24. Approve the route once in the Tailscale admin console, and from anywhere on the planet your phone can now reach every device on your home LAN, including a printer that will never see a Tailscale client.
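The subnet router step above has one extra requirement on Linux that is easy to miss: the kernel has to be allowed to forward packets, which Tailscale's own docs handle with two sysctl lines. The script below is an added example, not from the post or from Tailscale, that wraps the procedure: it refuses anything that is not a private (RFC 1918) CIDR so you cannot accidentally advertise a huge range, writes the forwarding sysctls, and then runs the same `tailscale up --advertise-routes` command as above. The file name `subnet-router.sh` and the sysctl file path `/etc/sysctl.d/99-tailscale.conf` are assumptions (the path matches what Tailscale's documentation uses).

```shell
#!/bin/sh
# Added example: validate a LAN CIDR, enable IP forwarding, advertise it as a
# Tailscale subnet route. Run as: sh subnet-router.sh 192.168.1.0/24

# is_private_cidr CIDR -> returns 0 if CIDR is a well-formed RFC 1918 range
# (10/8, 172.16/12, 192.168/16) with a sane prefix length, else 1.
is_private_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ;;
    *) return 1 ;;            # no "/prefix" part at all
  esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;  # prefix must be a number
  esac
  # 0.0.0.0/0 or anything wider than /8 would advertise far more than a LAN
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 30 ] || return 1
  case "$ip" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;            # public or malformed address: never advertise
  esac
}

# enable_forwarding: the sysctl settings a Linux subnet router needs so the
# kernel will forward packets between the tailnet and the LAN.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# advertise SUBNET: validate, enable forwarding, then advertise the route.
# The route stays pending until it is approved in the admin console.
advertise() {
  if ! is_private_cidr "$1"; then
    echo "refusing to advertise '$1': not a private CIDR range" >&2
    return 1
  fi
  enable_forwarding
  sudo tailscale up --advertise-routes="$1"
  tailscale status
}

# Only act when a subnet is given on the command line.
if [ -n "${1:-}" ]; then
  advertise "$1"
fi
```

The validation is deliberately strict: a typo like `192.168.1.0/2` or a public range gets rejected before anything is advertised, and the approval step in the admin console remains the second check.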
What I run on it
A handful of things, in rough order of how much I would miss them:
- Immich, on my phone, from anywhere. Self-hosted photos stop being painful when the mobile app backs up in the background and serves the whole library when I open it, the same on cellular as on home wifi. Tailscale is the reason that works without a port-forwarded public IP, a domain, a Let’s Encrypt cert, a reverse proxy, and a quiet hour every Saturday.
- MyCalPal. A small calorie tracker I built and host myself, because every commercial calorie tracker is either an ad farm or a subscription. I want it accessible from my phone the same way I want any other app on my phone.
- Local LLM servers. A desk machine running LM Studio exposes an OpenAI-compatible endpoint, and my laptop’s coding harness points at it from wherever I am working that day. There is a longer post coming on this whole stack.
- The NAS. Mounted by SMB on its tailnet IP when I want it. I do not want it often, but when I do, it is there.
None of these are Tailscale-specific applications. They are ordinary home services that, with Tailscale, behave like they live on the same network as whatever device I am holding.
Caveats
Tailscale does not, by itself, secure your services. It gets your devices on the same network. Immich still wants a password. If a friend joins your tailnet, they can hit every service on it the same as you can. Read the ACL docs if that matters.
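A tailnet starts with a policy that allows every member to reach every device on every port, which is exactly the "friend can hit every service" situation above. The policy file below is an added example (not from the post or from Tailscale) of how the ACL docs let you narrow that: the owner keeps full access, and a second user is limited to the Immich port on devices tagged as home lab servers, so the subnet-routed LAN and everything else stays off limits. The e-mail addresses, the tag name `tag:homelab`, and the port 2283 (Immich's default) are assumptions you would replace with your own.

```json
{
  "groups": {
    "group:household": ["friend@example.com"]
  },
  "tagOwners": {
    "tag:homelab": ["autogroup:admin"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["you@example.com"],
      "dst": ["*:*"]
    },
    {
      "action": "accept",
      "src": ["group:household"],
      "dst": ["tag:homelab:2283"]
    }
  ]
}
```

The Pi running Immich picks up the tag with `sudo tailscale up --advertise-tags=tag:homelab` (as an admin, since `tagOwners` says only admins may apply it). Once any rule exists, everything not listed is denied, so the friend's phone can open Immich but cannot reach the NAS, the LLM endpoint, or anything behind the subnet router.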
For everyone else, install it tonight. The next time you want to reach something on your home network from somewhere that is not your home network, it will already be working.