We ❤️ Open Source
Stop opening firewall ports and start using identity
How to access home labs, cloud VMs, and services securely from anywhere.
Remember LAN parties? Low latency, direct server access, no complicated security policies, just plug in and play. In this presentation at All Things Open, Allen Vailliencourt from Tailscale shares how to recreate that seamless connectivity across cloud VMs, home networks, and mobile devices without opening a single firewall port or managing complex VPN infrastructure.
Allen’s demo network spans AWS VMs in Virginia, Vultr servers in Atlanta, a Raspberry Pi subnet router at home, a GL.iNet travel router in a hotel, and MongoDB Atlas in the cloud. No firewall port is open for inbound traffic anywhere. Every node connects through Tailscale’s WireGuard tunnels, and MagicDNS names replace memorized IP addresses. From the conference WiFi he SSH’d to his Vultr box in Atlanta, then on to AWS in Virginia; reached his home printer on the 192.168.40.0 subnet (behind the Raspberry Pi subnet router) from North Carolina; managed his Synology NAS in South Carolina; and RDP’d into his gaming PC. All of it was authenticated by his tailnet identity, with no SSH key pairs to distribute and no service exposed to the internet.
The technical implementation shows practical patterns developers can use immediately. Subnet routers advertise CIDR ranges behind a node, so devices that cannot run Tailscale themselves, such as home printers and cameras, become reachable remotely without port forwarding. App connectors route traffic for a specific cloud application through a chosen node, so the application only has to allowlist that node’s IP; Allen demonstrated this with MongoDB Atlas, which accepted connections only from his AWS VM’s address. Machine-to-machine connectivity is one-way where he wants it: his Vultr VM can talk to AWS but not vice versa, enforced through ACL policy, which is default-deny and accept-only, so one-way access is simply a rule with no mirror image. Tailscale SSH authenticates logins with tailnet identity instead of per-host authorized keys, and can record sessions in asciinema format for postmortems or training. Exit nodes route a device’s entire internet traffic through a chosen node, useful for geo-restricted content or for privacy on untrusted networks such as hotel WiFi.
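To make the one-way Vultr-to-AWS rule, the subnet route and the SSH rules concrete, here is an added example (not code from the talk or from Tailscale): a policy written in the HuJSON form the Tailscale admin console accepts, plus a small offline evaluator that applies it to a constructed inventory of nodes. The node names, the 100.64.0.x tailnet addresses, the tag names and the user allen@example.com are assumptions; the evaluator handles only the alias types this policy uses and is a teaching stand-in for Tailscale’s own engine, not a reimplementation of it.

```python
"""Offline evaluator for a Tailscale-style ACL + SSH policy. Added example, not
Tailscale's engine; node names, 100.64.0.x addresses and allen@example.com are
constructed, and the policy mirrors the talk's one-way Vultr -> AWS rule."""
import ipaddress
import json
import re

# HuJSON, the format the admin console accepts: comments and trailing commas allowed.
POLICY_HUJSON = r'''
{
  // Who may apply each tag; tagged servers have no user, so rules name the tag.
  "tagOwners": {
    "tag:vultr": ["autogroup:admin"], "tag:aws": ["autogroup:admin"],
    "tag:home-router": ["autogroup:admin"], "tag:recorder": ["autogroup:admin"],
  },
  // A router tagged tag:home-router may advertise this route without manual approval.
  "autoApprovers": { "routes": { "192.168.40.0/24": ["tag:home-router"] } },
  // Network rules are default-deny and accept-only: one-way access is a rule with no mirror image.
  "acls": [
    { "action": "accept", "src": ["tag:vultr"],         "dst": ["tag:aws:22"] },
    { "action": "accept", "src": ["allen@example.com"], "dst": ["192.168.40.0/24:*"] },
    { "action": "accept", "src": ["autogroup:member"],  "dst": ["tag:vultr:22", "tag:aws:22"] },
    { "action": "accept", "src": ["autogroup:member"],  "dst": ["autogroup:self:*"] },
  ],
  // Tailscale SSH: login by tailnet identity, no authorized_keys; the tagged hop is recorded.
  "ssh": [
    { "action": "check",  "src": ["autogroup:member"], "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"], "checkPeriod": "12h" },
    { "action": "accept", "src": ["tag:vultr"], "dst": ["tag:aws"], "users": ["ubuntu"],
      "recorder": ["tag:recorder"], "enforceRecorder": true },
  ],
}
'''

def hujson_to_json(text):
    """Minimal HuJSON -> JSON: strip // comments and trailing commas (no string above contains //)."""
    text = re.sub(r"//[^\n]*", "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

POLICY = hujson_to_json(POLICY_HUJSON)

# Constructed tailnet inventory: user devices carry a user, servers carry tags.
NODES = {
    "laptop":    {"ip": "100.64.0.10", "user": "allen@example.com", "tags": set()},
    "vultr-atl": {"ip": "100.64.0.20", "user": None, "tags": {"tag:vultr"}},
    "aws-va":    {"ip": "100.64.0.30", "user": None, "tags": {"tag:aws"}},
}

def node_matches(alias, node, src=None):
    """Does an alias (tag, user login, autogroup:member/self or *) cover this node?"""
    if alias == "*":
        return True
    if alias == "autogroup:member":          # any user-owned (untagged) device
        return node["user"] is not None
    if alias == "autogroup:self":            # dst owned by the same user as src
        return src is not None and src["user"] is not None and src["user"] == node["user"]
    if alias.startswith("tag:"):
        return alias in node["tags"]
    return alias == node["user"]

def port_ok(spec, port):
    """Port spec: '*', a single port, or a range 'a-b'."""
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def dst_matches(spec, src, dst_ip, port):
    """'alias:ports' where alias is a tag/user/autogroup or a CIDR. LAN hosts behind a
    subnet router are matched by their real address, which is what the router forwards."""
    host, _, ports = spec.rpartition(":")
    if not port_ok(ports, port):
        return False
    if host.startswith(("tag:", "autogroup:")) or "@" in host:
        return any(node_matches(host, n, src) for n in NODES.values() if n["ip"] == dst_ip)
    return host == "*" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host, strict=False)

def allowed(policy, src_name, dst_ip, port):
    """Network ACL decision: any accept rule matching src and dst:port allows, else deny."""
    src = NODES[src_name]
    return any(any(node_matches(a, src) for a in rule["src"])
               and any(dst_matches(d, src, dst_ip, port) for d in rule["dst"])
               for rule in policy["acls"] if rule["action"] == "accept")

def ssh_action(policy, src_name, dst_name, login_user):
    """Tailscale SSH decision: 'accept', 'check' (re-authenticate first) or None (denied).
    Port 22 must also be open in the network ACL, so that is checked first."""
    src, dst = NODES[src_name], NODES[dst_name]
    if not allowed(policy, src_name, dst["ip"], 22):
        return None
    for rule in policy["ssh"]:
        user_ok = any(u == login_user or (u == "autogroup:nonroot" and login_user != "root")
                      for u in rule["users"])
        if user_ok and any(node_matches(a, src) for a in rule["src"]) \
                and any(node_matches(d, dst, src) for d in rule["dst"]):
            return rule["action"]
    return None
```

Because the ACL section contains only accept rules and anything unmatched is denied, the reverse direction (AWS to Vultr) needs no explicit deny; it simply never matches. Tailscale SSH is additionally gated by the network ACL, so port 22 has to be reachable between the two nodes as well, which is why the evaluator checks the network rule before the SSH rule.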
Two features particularly stand out for self-hosters. TSIDP (Tailscale Identity Provider) is a community project that acts as an OpenID Connect identity provider backed by tailnet identity, so other applications can authenticate against it; Allen signed into Portainer and Actual Budget with his tailnet identity and no separate credentials. Services, now generally available, exposes internal web services over the tailnet with fully qualified domain names and Let’s Encrypt certificates, governed by identity-based access policies. Allen demonstrated Stirling PDF running as a container, reachable only by authenticated tailnet users, without Tailscale installed in the container itself.
The architecture relies on Tailscale’s NAT traversal (with relay servers as the fallback when a direct path cannot be established) and a centrally managed policy engine. Policies are written in terms of user identity and tags rather than IP addresses, and a policy change propagates to every device within seconds. Visual Studio Code also has a Tailscale extension for working with the tailnet from the IDE, including mapping drives and SSH to nodes.
Key takeaways
- Zero open firewall ports with full encrypted WireGuard tunnels enable secure remote access to home labs, cloud VMs, and internal services using identity-based policies.
- Subnet routers and app connectors solve the complexity of accessing non-routable networks and cloud services without VPN overhead or exposed endpoints.
- TSIDP and Tailscale Services eliminate redundant authentication and enable self-hosted tools to leverage existing identity management seamlessly.
Allen’s network shows that modern developers don’t need exposed SSH servers, public RDP endpoints, or complex VPN infrastructure. WireGuard tunnels, MagicDNS, and identity-based policies recreate LAN party simplicity at internet scale.