Home lab to production, powered by Tailscale

23 Dec, 2025

A clean, readable summary of my setup, starting with the home lab and ending with production hosting.

Why I did this

I wanted three things:

  1. Zero public ports on my home network
  2. One private network connecting everything I own
  3. Production-grade deployments without VPN hacks or SSH pain

Tailscale made all three easy.

Home lab

This entire setup is a Christmas holidays project. The new homelab is still a work in progress, and the current layout is temporary while I wait for my Ubiquiti equipment and 4U rack.

Connectivity

Both homelabs run on 1 Gbps fiber. No CGNAT, stable latency, and plenty of headroom for backups and remote access.

New homelab work-in-progress

One mesh, every device

Everything sits on a single Tailscale network:

  • Macs, phones, Apple TV
  • Raspberry Pi, Synology NAS
  • AdGuard DNS, CCTV DVRs, LAN-only devices
Tailscale dashboard showing all devices

MagicDNS resolves by name, so I never hunt for IPs. Everything talks over private 100.x addresses. No port forwarding. No NAT headaches. It feels like a single LAN.

Two locations

A Raspberry Pi in the second site advertises the remote subnet:

192.168.1.0/24

That makes every remote LAN device reachable from anywhere as if it were local.

AdGuard DNS

AdGuard runs on a small Vultr VPS. DNS latency over Tailscale DERP is ~0.5 ms, so DNS never feels slow.

DERP latency snapshot

Upstream DNS:

  • Primary: 1.1.1.1 and 1.0.0.1
  • Fallback: 9.9.9.9

All Tailscale devices use it, and my home router points to it too. Traffic handled: ~100,000 DNS queries per day.

My router uses the AdGuard server's public IP for DNS, and access to that IP is heavily restricted by Vultr's firewall rules.

Vultr firewall rules
AdGuard Home dashboard

Synology NAS (DS925+)

  • I'm using Synology HDDs in the NAS.
  • 2 × 16 TB drives in SHR
  • Usable: 16 TB, 1-drive redundancy
Synology NAS
Synology Storage Manager

Planned upgrade: add 2 more 16 TB drives for 48 TB usable.

Tailscale SSH

One click from the dashboard and I'm in. No passwords, no public SSH ports, identity-based access.

Tailscale SSH demo

Hosting: yoginth.com + hey.xyz

Caddy runs on a Vultr VPS and handles all HTTP traffic. It reverse-proxies each request over Tailscale to my Mac server hosted in the 1 Gbps homelab. The VPS is the only public-facing edge.

DNS:

  • A yoginth.com → Caddy's public IP
  • A hey.xyz → same Caddy public IP

hey.xyz handles ~1 million network requests daily via Tailscale.

Exact Caddy config:

{
  email hey@yoginth.com
}

yoginth.com {
  reverse_proxy server.skate-marlin.ts.net:3000
}

hey.xyz {
  reverse_proxy server.skate-marlin.ts.net:4783
}
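
Because the VPS is the only public-facing edge, it is also the tailnet node most exposed to compromise, and under Tailscale's default allow-all policy it could reach every other device, including the NAS, the DVRs and the advertised 192.168.1.0/24 subnet. The tailnet policy file below is an added example, not the author's configuration: it limits the edge to the two upstream ports from the Caddy config. The `tag:edge` tag, the `app-server` alias and the 100.64.0.10 and 192.168.1.10 addresses are assumptions or constructed placeholders.

```json
{
  // Only admins may apply the tag to a node (tag name is an assumption).
  "tagOwners": {
    "tag:edge": ["autogroup:admin"],
  },

  // Constructed placeholder: substitute the tailnet IP of server.skate-marlin.ts.net.
  "hosts": {
    "app-server": "100.64.0.10",
  },

  "acls": [
    // Personal (untagged) devices keep the full access they have today.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["*:*"]},

    // The public edge reaches only the two reverse_proxy upstream ports.
    {"action": "accept", "src": ["tag:edge"], "dst": ["app-server:3000,4783"]},
  ],

  "tests": [
    {
      "src": "tag:edge",
      "accept": ["app-server:3000", "app-server:4783"],
      // SSH on the server and a device behind the subnet router stay unreachable.
      // 192.168.1.10 is a constructed address inside the advertised subnet.
      "deny": ["app-server:22", "192.168.1.10:443"],
    },
  ],
}
```

The `tests` block is evaluated each time the policy is saved, so a later edit that widens the edge's access is rejected instead of silently applied.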

Deployments

GitHub Actions deploys directly over the Tailscale mesh:

  • Auth to Tailscale
  • Resolve via MagicDNS
  • Deploy over the mesh

Example workflow run (hey deploy): https://dub.sh/VgKcWcX

All done within 50 ms.

Production deploys feel like local deploys.

Final thoughts

This setup gives me:

  • 1 Gbps connectivity at home
  • Private-by-default networking
  • Production-grade deployments
  • Full access to every device I own, anywhere
  • No port forwarding
  • No dynamic DNS hacks
  • No SSH anxiety

The homelab is real infrastructure now, not a side project.