🛡 How to Turn an Alpine Linux Server into a Tailscale Gateway for Your LAN
Why a Tailscale Gateway?
Tailscale normally requires each device to run the Tailscale client. That works fine for laptops, phones, and servers, but what about devices like printers, cameras, or NAS boxes?
With a Subnet Router, a single Tailscale-connected server can act as a bridge to your entire LAN — so any device on your Tailscale network can reach those local-only devices securely.
What You’ll Need
- A small Alpine Linux server (VM, bare metal, or Raspberry Pi)
- An active Tailscale account
- Access to your LAN network (e.g., 192.168.1.0/24)
- Your Tailscale auth key (from the Tailscale admin panel)
Step 1: Update & Install Tailscale
First, update Alpine and install Tailscale:
apk update && apk upgrade
apk add tailscale tailscale-openrc
Step 2: Enable IP Forwarding
This allows the Alpine box to forward traffic between your Tailscale network and LAN.
Edit /etc/sysctl.conf:
nano /etc/sysctl.conf
Add:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Apply:
sysctl -p
Step 3: Start Tailscale & Advertise Routes
Start the Tailscale service:
rc-update add tailscaled default
rc-service tailscaled start
Now bring Tailscale online, advertising your LAN subnet:
tailscale up \
--auth-key=tskey-auth-XXXXXXX \
--advertise-routes=192.168.1.0/24 \
--accept-routes
Step 4: Approve Routes in Tailscale Admin
Log in to Tailscale Admin Routes and enable the route for 192.168.1.0/24.
Step 5: (Optional) Adjust Firewall Rules
If Alpine’s firewall is active, you’ll need to allow forwarding:
apk add iptables
iptables -A FORWARD -i tailscale0 -j ACCEPT
iptables -A FORWARD -o tailscale0 -j ACCEPT
/etc/init.d/iptables save
Done! 🎉
Now, any device on your Tailscale network can securely reach devices on your LAN, and those LAN devices do not need the Tailscale client installed.
Example:
- From your laptop on Tailscale, you can hit http://192.168.1.50 to access your NAS dashboard — even from across the world.
Why This Rocks
- Zero Trust Security — Every connection is authenticated via your Tailscale identity provider.
- No Port Forwarding — Works through NAT and firewalls.
- Cross-Platform — Works for Windows, macOS, Linux, iOS, Android, and even cloud VMs.
💡 Pro tip: Combine this with Tailscale ACLs to restrict who can access which LAN devices.
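As an illustration of that tip, here is an added example policy (not part of the original post) for the Access Controls page of the Tailscale admin console. The user emails and group names are placeholders; the subnet and NAS address are the ones used in this guide.

```json
{
  // Constructed example policy: emails and group names are placeholders.
  "groups": {
    "group:home-admins": ["alice@example.com"],
    "group:family": ["bob@example.com"]
  },
  "hosts": {
    // Aliases for addresses behind the Alpine subnet router.
    "lan": "192.168.1.0/24",
    "nas": "192.168.1.50"
  },
  "acls": [
    // Admins may reach every device on the advertised LAN, on any port.
    {
      "action": "accept",
      "src": ["group:home-admins"],
      "dst": ["lan:*"]
    },
    // Family members may reach only the NAS dashboard over HTTP/HTTPS.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["nas:80,443"]
    }
  ]
}
```

Tailscale ACLs deny anything that no rule accepts, so once this replaces the default allow-all rule, a family member's laptop can open the NAS dashboard but cannot reach the printer, cameras, or any other LAN address.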