Got more than one home lab? Maybe you’ve got one at home and another tucked away in a family member’s basement, or you’re spreading your infrastructure between your primary residence and a vacation home. Whatever the case, there’s a smart, secure, and surprisingly easy way to connect them: a site-to-site VPN using Tailscale.

If you're intrigued, it's quite a powerful setup that will give each home lab access to the other and will give you access to both no matter where you are. This means you can centralize backups, share services across both machines, and treat them as if they're on the same network.

What is a site-to-site VPN? Why use Tailscale?

Access two networks at once

A site-to-site VPN connects entire networks together, as if they were on the same LAN. This means devices on Lab A can talk directly to devices on Lab B without port-forwarding hoops or awkward reverse SSH tunnels. It's similar to a "typical" VPN, where all of your traffic is forwarded to a server before making its onward journey, except that here only the traffic destined for the other network is forwarded.

As for why I recommend Tailscale: it's a zero-config VPN built on WireGuard. It's easy to set up, secure by default, and its NAT traversal just works, so you don't need to open ports on your routers or firewalls. The most important part of the equation, subnet routing, is the feature that makes a site-to-site VPN possible, and it's built into Tailscale.

This guide requires that each location uses a different subnet. For example, if lab A's subnet ID is 192.168.1.0 with a host range from 192.168.1.1 to 192.168.1.254, lab B cannot use the same range. If it does, you will need to change it in one router's settings so that the IP addresses of the two sites don't overlap.

Set up Tailscale on each machine

It only takes a few minutes

You'll need to set up a Tailscale account and install Tailscale on each of the two machines. On TrueNAS, it's in the app catalogue, and on any other Linux distribution, you can install it with the following basic command:

curl -fsSL https://tailscale.com/install.sh | sh

Once Tailscale is up and running, you'll need to log in to your account on each machine. To do this, generate auth keys in the Tailscale admin console and then run the following command on each machine, making sure that each machine uses its own unique auth key.

sudo tailscale up --auth-key=KEYHERE

This will then launch Tailscale, registering it with your account and adding it to your devices list. Once both are connected, you should see them in your Tailscale devices console. You'll next need to advertise subnet routes, and this can get a little bit messy.

Advertising subnets over your Tailscale network

This will forward traffic designated for the local network

Next, you'll want to advertise your subnets over the Tailscale network so that you can reach individual devices on each LAN. Before doing that, you'll need to enable IPv4 forwarding. The instructions vary by Linux distribution, but on TrueNAS it's found under System, Advanced settings, and Sysctl. Add the following two variables with a value of "1", enable them, and then reboot your NAS.

net.ipv4.ip_forward

net.ipv4.conf.all.src_valid_mark

For advertising our subnets, we'll assume that Lab A is on the 192.168.1.0/24 subnet and that Lab B is on the 192.168.2.0/24 subnet. To enable access, start Tailscale on Lab A with the following command.

sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes

Then, on Lab B, run the following command.

sudo tailscale up --advertise-routes=192.168.2.0/24 --accept-routes

If you are using TrueNAS, you can Edit the app and add the IP address range to the Advertise routes parameter instead.
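The steps above (non-overlapping subnets, the two sysctl settings, and the per-site tailscale up command) collected into one script. This is an added example, not code from the article or from Tailscale: it checks that the local and remote subnets don't overlap before touching anything, writes the two sysctl variables to a drop-in file so they survive a reboot, and then runs the advertise command for the local site. The file path /etc/sysctl.d/99-tailscale.conf and the script name site-router.sh are my own choices, not something the article prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): prepare a Linux host to act as
# the Tailscale subnet router for one site of a site-to-site link.
# Usage: ./site-router.sh <local-subnet-cidr> <remote-subnet-cidr>
#   e.g. ./site-router.sh 192.168.1.0/24 192.168.2.0/24   (run on Lab A)
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 (true) if two CIDR blocks overlap, 1 otherwise.
# Two blocks overlap exactly when they agree on the shorter of the two prefixes.
cidrs_overlap() {
  local n1 p1 n2 p2 i1 i2 p mask
  n1=${1%/*}; p1=${1#*/}; n2=${2%/*}; p2=${2#*/}
  i1=$(ip_to_int "$n1"); i2=$(ip_to_int "$n2")
  p=$(( p1 < p2 ? p1 : p2 ))
  mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
  [ $(( i1 & mask )) -eq $(( i2 & mask )) ]
}

# The two sysctl variables the article names, both set to 1, in sysctl.d format.
sysctl_dropin() {
  printf '%s = 1\n' net.ipv4.ip_forward net.ipv4.conf.all.src_valid_mark
}

# Build (but do not run) the tailscale command that advertises this site's
# subnet and accepts the routes advertised by the other site.
tailscale_cmd() {
  echo "tailscale up --advertise-routes=$1 --accept-routes"
}

# Full flow for one site. Refuses to continue if the subnets collide, because
# overlapping ranges would make the routed addresses ambiguous.
configure_site() {
  local local_cidr=$1 remote_cidr=$2
  if cidrs_overlap "$local_cidr" "$remote_cidr"; then
    echo "error: $local_cidr overlaps $remote_cidr; renumber one site first" >&2
    return 1
  fi
  # Persist the forwarding sysctls (hypothetical drop-in path) and apply them now.
  sysctl_dropin | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  # Advertise the local subnet; the route still has to be approved in the admin console.
  sudo $(tailscale_cmd "$local_cidr")
}

# Only act when invoked with the two subnet arguments.
if [ "$#" -eq 2 ]; then
  configure_site "$1" "$2"
fi
```

Run it once on each site with the arguments swapped (Lab B passes 192.168.2.0/24 first). Writing the sysctls to a drop-in file rather than setting them interactively is what keeps forwarding enabled after the reboot the article mentions.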

Accepting the route and allowing access

The last step

Once you've started Tailscale with those advertised routes, head over to the Tailscale admin console and approve the subnet routes that are being advertised. Now, devices connected to your Tailscale network will be able to reach devices at the other site by their LAN IP address. For example, you'll be able to access Lab A's router control panel from Lab B. Devices that rely on mDNS won't be discoverable across the link, because mDNS uses link-local multicast that isn't routed; you can try ZeroTier, which does support mDNS.

There are many ways to build a site-to-site VPN, and this is one of the easiest. It's still secure, since all traffic between the sites is carried over WireGuard, and everything is managed through your Tailscale network. If you want, you can switch to Headscale so that everything is self-hosted, but I find that Tailscale's web UI works just fine for my needs.