Tailscale for a Private AI Network

Tailscale is a WireGuard-based mesh VPN that “just works”. Your GPU server on our hosting joins your tailnet, your laptops join the same tailnet, and suddenly everyone talks on private IPs with zero port-forwarding.

Contents

• Why Tailscale
• Setup
• Using it
• ACLs

Why Tailscale

• No inbound public ports – more secure than exposing Ollama or Jupyter
• Stable private hostnames across your laptops and servers
• MagicDNS – gpu-server resolves from any tailnet member
• Free for up to 100 devices / 3 users

Setup

On the GPU server:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --hostname=gpu-server

On your laptop: install the Tailscale app, sign in with the same identity.

Both devices now see each other on Tailscale IPs like 100.x.y.z.

Using It

SSH from your laptop:

ssh user@gpu-server.tailnet-name.ts.net

Or with MagicDNS enabled just ssh user@gpu-server.

Point Ollama or vLLM at Tailscale IPs instead of localhost:

# Ollama listens on tailnet only
OLLAMA_HOST=100.x.y.z:11434 ollama serve

Any tailnet member can now reach the API. No firewall changes, no TLS needed for the internal hop.

ACLs

Tailscale ACLs control who can reach what. For a team:

{
  "groups": {
    "group:devs": ["alice@example.com", "bob@example.com"]
  },
  "acls": [
    { "action": "accept", "src": ["group:devs"], "dst": ["gpu-server:22,11434,8000"] }
  ]
}

Devs can reach only the ports they need. Other tailnet members cannot.

See WireGuard alternative and Cloudflare Tunnel alternative.