Homelab on the Go - Travel Setup with Beryl AC and Tailscale

How I maintain secure access to my homelab while traveling using a Beryl AC router and Tailscale.

Every homelab enthusiast knows that sinking feeling when you're about to head out on a trip. Will your services stay up? What if something needs fixing? Can you trust that cobbled-together VPN setup you made last year? After one too many times where I couldn't help my family with their tech while away or something went down in my homelab, I decided to build a proper travel setup using the GL.iNet Beryl AC router and Tailscale.

Note: While this guide provides a working setup as of late 2024, both Tailscale and GL.iNet regularly update their software. Always check the Tailscale and GL.iNet documentation sites for the most up-to-date instructions.

Prerequisites

Before we dive in, make sure you have:

  • A GL.iNet Beryl AC router (or similar compatible model)
  • A Linux server/VM at home that will act as your exit node
  • Basic familiarity with SSH and command line
  • Administrative access to your home network
  • A Tailscale account

Why This Setup?

Traditional VPN solutions often feel like a compromise. Port forwarding is finicky, hotel Wi-Fi blocks everything useful, and explaining to family members how to reconnect when things break is... challenging. What we really want is for everything to work exactly like we're home - no matter where we are in the world.

The magic of this setup is that it combines the reliability of traditional VPNs with modern mesh networking. When properly configured, you get a secure connection that works through most corporate firewalls and restrictive networks, while maintaining access to your internal DNS names and local services.

The Core Components

The Beryl AC router has become my constant travel companion. It's barely larger than my phone charger but packs some serious capabilities. Running OpenWrt under the hood means it's as configurable as any full-size router, but its real magic comes from its integration with Tailscale.

Tailscale is where this setup really shines. Think of it as a VPN that "just works." No port forwarding, no static IPs, no calling home to ask someone to reboot the router. It creates a secure mesh network between all your devices, regardless of where they are in the world.

Setting It All Up

Let's start with the core setup. On your main homelab server (assuming you're running Ubuntu/Debian), first install Tailscale:

curl -fsSL https://tailscale.com/install.sh | sudo bash

Then comes the crucial part - the configuration that took me several iterations to get just right:

sudo tailscale up --reset --advertise-routes=[YOUR-SUBNETS] --advertise-exit-node --accept-dns=true --ssh --accept-risk=lose-ssh

After running this command, you'll need to complete a few quick steps in Tailscale's web interface:

  1. Visit your Tailscale admin console
  2. Look for your server in the machines list
  3. Click the three dots next to it and select "Edit route settings"
  4. Enable both "Exit Node" and "Subnet Routes" options
  5. Save your changes

I recommend setting this up on at least two servers - maybe one VM and one physical machine - so you have a fallback if one goes down. Just make sure they advertise the same routes.

Once that's done, the final step is configuring your Beryl AC router. Connect to its admin interface (typically 192.168.8.1), head to the Applications page, and enable Tailscale. You'll need to authenticate it with your Tailscale account, and then select your newly configured exit node from the dropdown menu.

A quick note about that command we ran earlier - each flag serves a specific purpose:

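  • --reset ensures a clean configuration by resetting any settings not given on the command line to their defaults
  • --advertise-routes tells other devices about your home network; like the exit node, this only passes traffic if IP forwarding is enabled on the server
  • --advertise-exit-node offers this device as an exit node, so other devices can route all their traffic through it
  • --accept-dns=true accepts the DNS settings configured for your tailnet, which is what makes split DNS work (more on this below)
  • --ssh enables Tailscale's SSH capabilities
  • --accept-risk=lose-ssh acknowledges that changing these settings over an SSH session may drop that connection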

The SSH Dilemma (And Its Solution)

One of the trickiest parts was getting SSH access right. I wanted the security and convenience of Tailscale SSH but didn't want to lose traditional SSH access - because redundancy is every homelab enthusiast's best friend.

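The --ssh flag in our configuration enables Tailscale SSH, and --accept-risk=lose-ssh acknowledges that applying the change over an existing SSH session may drop that connection. Traditional SSH access on port 22 is preserved, and who may connect over Tailscale SSH is decided by the SSH rules in your tailnet's access controls. This gives you two independent ways to access your machines: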

  • Traditional SSH on port 22 (useful as a fallback)
  • Tailscale SSH that works through any firewall

DNS: The Silent Hero

Running your own DNS server while using Tailscale initially seems like it might be problematic, but it's actually one of the setup's strongest features. With --accept-dns=true, you get the best of both worlds:

  • Internal DNS resolution works exactly like when you're home
  • Tailscale's MagicDNS handles .ts.net domains seamlessly
  • Split DNS ensures everything resolves correctly, whether it's internal or external

This means you can keep using your internal DNS names for home services (like homeassistant.local or plex.home) while still getting the benefits of Tailscale's name resolution. No more remembering IP addresses or dealing with VPN DNS leaks.

Security Considerations

While this setup is quite secure, there are a few things to keep in mind:

  • Always keep both your Beryl AC and home server updated
  • Use strong passwords and keep your Tailscale account secure
  • Consider setting up multiple exit nodes for redundancy
  • Regularly check your Tailscale admin console for any unauthorized devices
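  • Remember that while Tailscale uses WireGuard under the hood, it might sometimes use DERP relay servers, which could impact performance; relayed traffic is still encrypted end to end, so this is a speed concern rather than a confidentiality one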
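
A scripted version of the checks this post recommends (spotting unauthorized devices, keeping more than one exit node available, and noticing DERP-relayed connections), as an added example that is not the author's code. It reads the JSON printed by tailscale status --json; the sample data, node IDs, hostnames and the KNOWN_IDS inventory are constructed for illustration.

```python
import json

# Constructed sample shaped like `tailscale status --json` output, trimmed to
# the fields used below. Node IDs, hostnames and addresses are made up.
SAMPLE = json.loads("""
{"Peer": {
  "nodekey:aa": {"ID": "n1", "HostName": "homelab-vm",  "Online": true,  "Active": true,
                 "ExitNodeOption": true,  "ExitNode": true,  "CurAddr": "", "Relay": "fra"},
  "nodekey:bb": {"ID": "n2", "HostName": "homelab-nuc", "Online": false, "Active": false,
                 "ExitNodeOption": true,  "ExitNode": false, "CurAddr": "", "Relay": "fra"},
  "nodekey:cc": {"ID": "n3", "HostName": "nas",         "Online": true,  "Active": true,
                 "ExitNodeOption": false, "ExitNode": false,
                 "CurAddr": "203.0.113.7:41641", "Relay": "fra"},
  "nodekey:dd": {"ID": "n9", "HostName": "homelab-vm",  "Online": true,  "Active": false,
                 "ExitNodeOption": false, "ExitNode": false, "CurAddr": "", "Relay": "nyc"}
}}
""")

# Assumption: your own inventory of node IDs, recorded once from a trusted run.
# Keyed on ID rather than HostName, because the hostname is reported by the
# device itself (note the second "homelab-vm" in the sample).
KNOWN_IDS = {"n1", "n2", "n3"}

def audit(status, known_ids, min_exit_nodes=2):
    """Return findings for unknown devices, exit-node redundancy and relayed peers."""
    peers = list(status.get("Peer", {}).values())
    unknown = sorted(f'{p["ID"]} ({p["HostName"]})'
                     for p in peers if p["ID"] not in known_ids)
    exits_online = sorted(p["HostName"] for p in peers
                          if p.get("ExitNodeOption") and p.get("Online"))
    # An active peer with no direct address (CurAddr) is reached via its DERP relay.
    relayed = sorted(p["HostName"] for p in peers
                     if p.get("Active") and not p.get("CurAddr") and p.get("Relay"))
    return {
        "unknown_devices": unknown,
        "exit_nodes_online": exits_online,
        "exit_redundancy_ok": len(exits_online) >= min_exit_nodes,
        "relayed_peers": relayed,
    }

if __name__ == "__main__":
    # On a real machine, pass json.loads() of the `tailscale status --json` output.
    for key, value in audit(SAMPLE, KNOWN_IDS).items():
        print(f"{key}: {value}")
```

In the sample, the device with ID n9 is flagged even though it reuses a familiar hostname, and the redundancy check fails because the second exit node is offline.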

Real-World Usage

This setup has saved me countless headaches. Last month, while at a conference with notoriously restrictive Wi-Fi, I needed to restart a few containers and update some configurations. Instead of fighting with hotel Wi-Fi or tethering to my phone, I just connected to my Beryl AC (which was happily sharing the hotel's Wi-Fi), and everything worked exactly like I was home.

When Things Go Wrong

Even the best setups occasionally have issues. Here's what I've learned:

  1. If DNS resolution acts up, first check if you can ping your internal DNS server through Tailscale. Sometimes it's as simple as ensuring your routes are properly advertised.

  2. SSH problems? Remember you have two paths:

    • Traditional SSH on port 22
    • Tailscale SSH via tailscale ssh username@hostname

  3. For connectivity issues, tailscale status is your friend. It'll show you exactly which devices are connected and how they're routing.

  4. If things seem slow, remember that Tailscale might be using DERP relay servers. This is normal and helps with connectivity but can impact performance.

I'm constantly tweaking this setup and will make more posts about it as I learn more.

The Bottom Line

This combination of Beryl AC and Tailscale has transformed how I manage my homelab while traveling. No more worrying about access, I can help my family with their tech while away, and there's no more compromising on security. Everything just works - which is exactly what we're all aiming for, isn't it?

Got questions about this setup? Found a way to improve it? Drop me a line - I'm always excited to chat about homelab adventures.