Deep Dive: Tailscale 1.60 Subnet Routing and How to Use for Home Lab Access

Home labs are a staple for IT pros, developers, and hobbyists looking to test software, host services, and learn new technologies. But accessing home lab resources remotely often requires complex VPN setups, port forwarding, or dynamic DNS. Tailscale, a zero-config mesh VPN, simplifies remote access — and its 1.60 release brings key improvements to subnet routing, a feature that makes accessing entire home lab subnets seamless.

What Is Tailscale Subnet Routing?

Tailscale creates a secure mesh network between all your devices, each assigned a unique 100.x.x.x IP address. Subnet routing extends this by letting you designate a Tailscale-enabled device as a subnet router that forwards traffic between your Tailscale network and a physical subnet on your local network (e.g., 192.168.1.0/24). This means you don’t need to install Tailscale on every device in your home lab — any device on the advertised subnet becomes accessible to your Tailscale clients automatically.

What’s New in Tailscale 1.60 for Subnet Routing?

Tailscale 1.60 builds on existing subnet routing capabilities with three key improvements for home lab users:

• Improved Reliability: Optimized NAT traversal and connection stability for high-throughput workloads like media streaming or large file transfers between home lab and remote devices.
• Streamlined Multi-Subnet Configuration: Simplified setup for environments with multiple home lab subnets (e.g., separate subnets for IoT, services, and management interfaces).
• Enhanced Health Visibility: New subnet router health metrics in the Tailscale admin dashboard, including uptime, throughput, and error rates for easier troubleshooting.

Prerequisites

Before setting up subnet routing, ensure you have:

• A free or paid Tailscale account.
• A device to act as your subnet router: This can be a Raspberry Pi, a spare VM, a Docker container, or a router with native Tailscale support (e.g., Ubiquiti, pfSense). The device must have two network interfaces: one connected to your Tailscale network (via the Tailscale client) and one connected to your home lab subnet.
• Your home lab subnet CIDR blocks (e.g., 192.168.1.0/24, 10.0.0.0/24) that you want to expose via Tailscale.
• Tailscale 1.60 or later installed on the subnet router device.

Step-by-Step Setup Guide

1. Install Tailscale 1.60+ on the Subnet Router

First, install Tailscale on your chosen subnet router device. For most Linux-based systems (Ubuntu, Debian, Raspberry Pi OS), run the official install script:

curl -fsSL https://tailscale.com/install.sh | sh

Once installed, start Tailscale and advertise your home lab subnets. Replace the CIDR blocks below with your own subnets:

sudo tailscale up --advertise-routes=192.168.1.0/24,10.0.0.0/24

Note: You may also need to enable IP forwarding on the subnet router to allow traffic to pass between interfaces. For Linux, run:

sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

2. Approve Subnet Routes in the Tailscale Admin Console

Advertised routes are not active by default for security. Log in to the Tailscale Admin Console, navigate to the Machines tab, and select your subnet router device. Click the Routes tab, and you’ll see the subnets you advertised. Click Approve next to each subnet to activate them.

3. Connect Client Devices to Tailscale

Install Tailscale on any device you want to use to access your home lab (laptops, phones, tablets) and log in to the same Tailscale account. Once connected, these clients will automatically have access to the approved subnet routes — no additional configuration needed.

4. Verify Connectivity

From a connected Tailscale client, ping a device on your home lab subnet using its local IP address:

ping 192.168.1.100

If the ping succeeds, your subnet routing is working correctly. You can also test accessing services like SSH, HTTP, or RDP on home lab devices directly via their local IPs.

Advanced Configuration

Restrict Access with Tailscale ACLs

By default, all Tailscale users in your network can access advertised subnets. To restrict access, use Tailscale Access Control Lists (ACLs). Edit your ACL policy in the Admin Console under Access Controls. Below is a sample ACL that only allows members of the home-lab-admins group to access home lab subnets:

{
  "acls": [
    {
      "action": "accept",
      "src": ["group:home-lab-admins"],
      "dst": ["192.168.1.0/24:*", "10.0.0.0/24:*"]
    }
  ]
}

Subnet Router Redundancy

For home labs that require high availability, set up multiple subnet routers advertising the same subnets. Tailscale will automatically load balance traffic between healthy subnet routers, ensuring access even if one router goes offline.

Troubleshooting Common Issues

• Subnet routes not appearing in Admin Console: Check that the subnet router has advertised the routes correctly by running tailscale status on the router. Ensure you’re logged in to the correct Tailscale account.
• Can’t reach subnet devices: Verify IP forwarding is enabled on the subnet router, check that the subnet router’s firewall allows traffic from the Tailscale interface (usually tailscale0) to the local subnet, and confirm ACLs aren’t blocking access.
• High latency or packet loss: Ensure the subnet router is connected via wired Ethernet (not Wi-Fi) for better stability. Update Tailscale to the latest 1.60+ release to benefit from performance improvements.

Best Practices for Home Lab Use

• Use a dedicated, always-on device (like a Raspberry Pi 4) for your subnet router to avoid downtime.
• Regularly update Tailscale on all devices to get the latest security patches and performance improvements.
• Use ACLs to limit subnet access to only trusted users and devices.
• Monitor subnet router health via the Tailscale Admin Console to catch issues early.

Conclusion

Tailscale 1.60’s subnet routing improvements make it easier than ever to access your entire home lab remotely, without complex VPN setups or port forwarding. By designating a single subnet router, you can expose all your home lab devices to your Tailscale network in minutes, with the security and reliability Tailscale is known for. Whether you’re managing a small homelab or a large test environment, subnet routing is a game-changer for remote access.