Skip to Content
DocumentationNetworkingTailscale

Tailscale Private Networking

TailscaleΒ  provides a private mesh VPN that lets you access your Companion Hub apps from anywhere β€” without exposing them to the public internet.

When to Use Tailscale

Tailscale is ideal when:

  • You want private access to your apps from your devices only
  • You don’t want apps publicly accessible on the internet
  • You need to connect multiple machines in a private network
  • You want to access your Hub from anywhere securely

Benefits

βœ… Access from Anywhere β€” Securely reach your Hub from any location
βœ… Connect All Devices β€” Link Windows, Mac, Linux, iOS, and Android devices
βœ… Zero Configuration β€” Automatic NAT traversal, no port forwarding needed
βœ… Enterprise Security β€” End-to-end encryption for all traffic
βœ… Free for Personal Use β€” Up to 100 devices on the free tier

Setup Options

Companion Hub offers two ways to use Tailscale:

The easiest way β€” Companion Hub includes a built-in Tailscale container that connects your Hub to your Tailscale network.

Enable During Onboarding

When you first set up your Hub, the onboarding wizard includes a Private VPN step:

  1. Click Log In with Tailscale
  2. Authenticate in the popup window (create a free account if needed)
  3. Your Hub automatically joins your Tailscale network
  4. Continue with the wizard

The onboarding wizard polls connection status in real-time, so you’ll see when your Hub connects successfully.

Enable in Settings

If you skipped Tailscale during onboarding, you can set it up later:

  1. Go to Settings β†’ Network
  2. Find the Private VPN section
  3. Click Log In with Tailscale
  4. Authenticate in the popup window
Network Settings with Tailscale loginNetwork Settings with Tailscale login

Access Your Hub

Once connected, your Hub gets a Tailscale IP address (e.g., 100.x.y.z). You can see it in Settings β†’ Network.

Install Tailscale on your other devices:

Option 2: Host Installation

For advanced users who prefer to install Tailscale directly on the host machine:

Install Tailscale on Host

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Mount the Socket

Ensure /var/run/tailscale/tailscaled.sock is accessible to the Hub container. The Hub will automatically detect and use the host Tailscale installation.

Access Your Hub

Your Companion Hub dashboard and all apps will be accessible via the Tailscale IP.

How It Works

  1. Mesh Network β€” Tailscale creates a peer-to-peer mesh between all your devices
  2. NAT Traversal β€” Works behind firewalls and routers without configuration
  3. Private IPs β€” Each device gets a private IP (100.x.y.z range)
  4. Encrypted β€” All traffic is encrypted end-to-end using WireGuard

Troubleshooting

Sidecar Not Available

If you see β€œTailscale sidecar container is not running”:

  1. Ensure the private-vpn profile is enabled:

    docker compose --profile private-vpn up -d

  2. Or use the Hub CLI (Tailscale sidecar is enabled by default):

    cihub up --detached
cihub status    # shows Tailscale IP when connected

  3. Check that the hub-tailscale container is running:

    docker ps | grep hub-tailscale

Connection Not Working

If the login button doesn’t connect:

  1. Complete the authentication in the popup window
  2. Wait 5-10 seconds for the connection to establish
  3. Refresh the Settings page to see updated status

Can’t Access Hub from Other Devices

  1. Verify Tailscale is running on both devices:

    tailscale status

  2. Ensure both devices show β€œRunning” in Tailscale

  3. Try accessing by IP first: http://100.x.y.z (find IP in Settings β†’ Network)

  4. Try accessing by hostname: http://your-hub-name

Advanced Configuration

Custom Routes

By default, the Hub advertises the Docker bridge network (172.18.0.0/16) so other Tailscale devices can reach your containers directly.

To customize this, set HUB_TAILSCALE_EXTRA_ARGS in your .env file:

HUB_TAILSCALE_EXTRA_ARGS=--accept-routes --advertise-routes=172.18.0.0/16,192.168.1.0/24

Pre-Auth Keys (Automated Setup)

For headless or automated deployments, you can use a pre-authentication key instead of browser login:

  1. Generate a key at login.tailscale.com/admin/settings/keysΒ 
  2. Add it to your .env file: 
    TAILSCALE_AUTHKEY=tskey-auth-...
  3. The sidecar will automatically connect on startup

Pre-auth keys should be kept secret and rotated regularly. The browser login flow is more secure for interactive setups.

Comparison with Cloudflare

FeatureTailscaleCloudflare
PrivacyPrivate mesh, no public exposurePublic URLs (can be secured with Access)
SetupOne-click browser loginRequires Portal registration
Device RequirementTailscale client on each deviceAny browser works
Use CasePersonal, private accessSharing with others, public apps
CostFree up to 100 devicesFree tier available

For public access to your apps, use the Cloudflare Gateway instead. You can use both Tailscale and Cloudflare simultaneously.

Next Steps

Last updated on
Cloudflare GatewayCustomize app config