A Beginner Homelab on a Raspberry Pi — One Pi, One Tailnet, Nothing Exposed
A companion post to a guide I wrote and tested on my own hardware: Beginner Homelab on a Raspberry Pi.
It’s a beginner-friendly, build-one-job-at-a-time walkthrough for standing up a small, private homelab on a single Raspberry Pi. Everything is reachable through a Tailscale tailnet with no need for port forwarding, no dynamic DNS, and nothing exposed to the public internet.
The repository contains a per-chapter README, a standalone PDF for each chapter, and a complete whole-book PDF.
I kept getting overwhelmed with most homelab guides I would find online. They went very far very quickly, and I didn’t feel like the point of each step was clear. This guide hopefully does a better job. I also wanted a setup that was easy to reproduce months later. I also wanted to understand the networking concepts behind it rather than treating everything as magic.
The foundation: Tailscale instead of port forwarding
The biggest design decision in the entire guide is that everything is built around Tailscale.
Rather than exposing services through router port forwarding, every device joins the same tailnet and communicates through Tailscale’s WireGuard mesh. That one decision simplifies almost everything else.
A few practical benefits:
- No public-facing services to secure.
- No router configuration.
- No dynamic DNS.
- I can reach my homelab from home, coffee shops, hotels, universities, and corporate networks.
- Every device can reach every other device by a custom name I gave them through MagicDNS in Tailscale.
The answer to “how do I access this when I’m away from home?” is always the same:
Join the tailnet.
The build
The guide is organized into three short volumes.
Volume I — Building the homelab
- Foundation. Install Ubuntu Server, configure SSH, install Docker, and connect a laptop, phone, and Raspberry Pi to the same tailnet.
- Audiobookshelf. Self-host audiobooks, podcasts, language courses, and other spoken audio with proper resume tracking.
- Pi-hole. Block ads and trackers across the network by making Pi-hole the DNS server.
- Pretty URLs. Use Caddy and local DNS so services live at addresses like
https://pihole.homeandhttps://abs.homeinstead of IP addresses and ports. - A one-URL dashboard. Put Homepage and Portainer behind Caddy at
https://home.homeas a central landing page.
Volume II — VPNs and remote access
- Why a VPN, and why Mullvad. What a VPN actually does, what it doesn’t do, and why portable WireGuard configurations matter if you want a VPN to coexist with a homelab.
- Exit nodes and real-world tradeoffs. Tailscale exit nodes, the Mullvad add-on, and the tradeoffs I ran into while trying to combine privacy VPNs with a private tailnet.
Volume III — Extras
A few quality-of-life additions I found useful:
- Accessing the my computers from other computer remotely, or even from my phone using Termius and NoMachine.
- Sending files between phones and Linux machines with LocalSend.
Next Steps and Room for Improvement
The VPN chapter changed the most as I worked through the guide because reality turned out to be messier than the simple explanation.
The core problem is straightforward: I wanted to keep the same setup I use at home on the road. However, it’s really hard to have two VPNs on at one, since both Tailscale and Mullvad want to take over your whole device. I wanted two steams: one for my homelab traffic through tailscale and one for the public internet through Mullvad to protect myself online, with my DNS sinkhole for good measure.
In practice, that means running Tailscale and a traditional VPN side-by-side is often more complicated than it first appears.
After a lot of experimentation, the setup I personally use is the boring one: - Tailscale when I want access to my homelab. - Mullvad when I want VPN privacy. At home, I can set the DNS address to my RPI’s static IP. Anywhere else, I can just use Mullvad’s DNS blocking settings. - One active at a time (usually Mullvad is on, and I switch to Tailscale when I want to access my hosted media).
There are ways around this. Tailscale exit nodes, especially the Mullvad add-on, provide a cleaner integration and can give you the benefits of both at once. But they also introduce tradeoffs in flexibility, and control.
Rather than pretending there is a perfect solution, the guide walks through the tradeoffs and explains why I ultimately chose the setup I did. I also mention an untested idea suggested by friend more experienced in homelabbing, running the VPN at the router level instead of the device level, but I couldn’t evaluate it on my own hardware because my router firmware doesn’t support it.
Why I wrote it this way
A few conventions I followed throughout the guide:
- Manual commands first, scripts beside them. Every chapter shows the actual files and commands, and also includes small helper scripts for the same steps if you’d rather automate the copy-and-paste. The scripts are intentionally short enough to audit before running.
- Safe for public repositories. Secrets come from a local git-ignored
.envfile; nothing real is ever committed. - Placeholders everywhere. Tailnet names, usernames, and IP addresses are stand-ins, so there’s nothing identifying to scrub.
- Fully reproducible. The Quarto source generates the chapter READMEs, standalone PDFs, and the complete guide.
More than anything, the project became a way to learn how the pieces fit together: Docker, DNS, TLS certificates, reverse proxies, VPNs, local networking, and the tradeoffs involved in modern self-hosting.
If you’ve wanted a homelab but didn’t want to expose anything to the public internet, this is the path I’d hand you.
➡️ Beginner Homelab on a Raspberry Pi on GitHub, per-chapter READMEs, standalone PDFs, and the complete whole-book PDF.