Tailscale

Griffen Fargo edited this page Jun 9, 2026 · 1 revision

Tailscale — Remote Access

Access your Lights Pi from anywhere using Tailscale, a zero-config mesh VPN built on WireGuard. No port forwarding, no dynamic DNS, no firewall holes needed.

Why Tailscale?

  • Access from anywhere — Control lights from your phone at home, a laptop at a café, or backstage at a different venue
  • Zero network config — Works through NATs and firewalls automatically
  • Encrypted — All traffic is WireGuard-encrypted end-to-end
  • Free — Personal plan supports up to 100 devices

Installation

Prerequisites

  • A Tailscale account (free)
  • SSH access to your Pi (./lightsctl.sh ssh)
  • Tailscale on at least one other device (phone, laptop)

Install on the Pi

./lightsctl.sh ssh

# On the Pi:
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo tailscale up

Open the printed URL in your browser to authorize the device.

Verify

tailscale status

Your Pi should appear with a 100.x.x.x Tailscale IP.

Accessing Services

Once connected, all services are reachable via Tailscale IP or MagicDNS:

Service          Local                      Tailscale
Landing page     http://lights.local        http://lights.<tailnet>.ts.net
QLC+ Web UI      http://lights.local:9999   http://lights.<tailnet>.ts.net:9999
Control Server   http://lights.local:5000   http://lights.<tailnet>.ts.net:5000
MCP Server       http://lights.local:5001   http://lights.<tailnet>.ts.net:5001
SSH              ssh pi@lights.local        ssh pi@lights.<tailnet>.ts.net

MagicDNS uses the Pi's hostname. If hostname returns lights, the MagicDNS name is lights.<your-tailnet>.ts.net.

Firewall Notes

Tailscale operates on the tailscale0 virtual interface, and traffic arriving over it bypasses ufw rules by default: ufw does not filter what tailnet devices can reach on the Pi. Your existing firewall configuration stays unchanged.

For per-device access restrictions, use Tailscale ACLs in your admin console.
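
A sketch of such a policy, as an added example that is not part of the original page: it is written in the HuJSON format Tailscale uses for its policy file (comments allowed) and limits who can reach each port from the service table. The group names, the tag name and the e-mail addresses are placeholders. As written it is a complete policy, so any tailnet traffic it does not list is denied.

```json
// Added example, not from the original page. Group names, tag:lights and
// the e-mail addresses are placeholders (assumptions). Ports come from the
// service table above; 80 is the default port of the http:// landing page.
{
  "groups": {
    "group:lighting-ops":    ["operator@example.com"],
    "group:lighting-admins": ["admin@example.com"]
  },

  // Who is allowed to apply tag:lights to a device (here, the Pi).
  "tagOwners": {
    "tag:lights": ["group:lighting-admins"]
  },

  "acls": [
    // Operators: landing page, QLC+ Web UI and control server only.
    {
      "action": "accept",
      "src":    ["group:lighting-ops"],
      "dst":    ["tag:lights:80,9999,5000"]
    },
    // Admins: the same services plus the MCP server and SSH.
    {
      "action": "accept",
      "src":    ["group:lighting-admins"],
      "dst":    ["tag:lights:22,80,9999,5000,5001"]
    }
  ],

  // Policy tests: saving fails if the rules stop matching these expectations.
  "tests": [
    {
      "src":    "operator@example.com",
      "accept": ["tag:lights:5000", "tag:lights:9999"],
      "deny":   ["tag:lights:22", "tag:lights:5001"]
    },
    {
      "src":    "admin@example.com",
      "accept": ["tag:lights:22", "tag:lights:5001"]
    }
  ]
}
```

For the rules to match, the Pi has to carry the tag, for example by bringing it up with `sudo tailscale up --advertise-tags=tag:lights` from an account listed in tagOwners.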

Sharing Access (Tailscale Funnel)

Temporarily share access with someone NOT on your tailnet:

# On the Pi — expose the control server publicly
sudo tailscale funnel 5000

# Remove when done
sudo tailscale funnel --remove 5000

⚠️ Funnel exposes the service to the public internet. Use temporarily and only for non-sensitive services.

MCP Agents Over Tailscale

If you've installed the MCP server, Claude Desktop or other agents can connect over Tailscale by pointing their MCP config at the Tailscale address:

{
  "mcpServers": {
    "lights-pi": {
      "transport": "streamable-http",
      "url": "http://lights.<tailnet>.ts.net:5001/mcp"
    }
  }
}

This works from anywhere — home, office, or mobile.

Troubleshooting

Pi Not Appearing in Tailnet

sudo systemctl status tailscaled
sudo tailscale up --reset    # Re-authenticate

MagicDNS Not Resolving

Enable MagicDNS in your Tailscale admin console.

High Latency

Check connection type:

tailscale ping lights

Look for "direct" (fast) vs "via DERP" (relay, slower). Ensure UDP port 41641 is allowed on both ends for direct connections.

Uninstalling

sudo tailscale down
sudo apt remove tailscale
sudo rm /etc/apt/sources.list.d/tailscale.list
