How Tailscale Replaced Our Entire VPN Setup
Moving from OpenVPN configuration hell to Tailscale mesh networking at Exlink and how it changed my personal infrastructure workflow.

The Problem
At Exlink, we were running OpenVPN for remote access to the server infrastructure. It worked, but managing it was a constant tax — distributing keys, maintaining configs across the team, dealing with certificate renewals, debugging connection issues that always seemed to happen at the worst time. Every new developer onboarding meant another round of VPN configuration.
A friend suggested Tailscale. I was skeptical. VPN tooling doesn’t just “work” — that’s not how networking goes.
I set it up on a small VPS to test. It took 30 minutes to go from zero to connected. No port forwarding, no certificate management, no routing table surgery.
What Changed at Exlink
We moved the entire engineering team onto Tailscale. The difference was immediate:
- SSH access: no more key distribution across machines; Tailscale handles identity
- ACLs: access control that reads like plain English instead of iptables incantations
- Zero downtime: over a year of usage without a single connectivity outage
- Updates: Tailscale updates itself without breaking active connections
- Onboarding: a new developer gets access in minutes, not hours of VPN configuration
The OpenVPN server is gone. Nobody misses it.
Personal Infrastructure
The bigger shift was in how I work day-to-day. I consolidated my development environment to a single Hetzner server accessible through Tailscale from any device — laptop, phone via Termux, whatever is in front of me.
My Proxmox homelab, Gitea, Nextcloud, Jellyfin, Mailcow, everything talks over the Tailscale mesh. Nothing is exposed to the public internet. Friends connect to the Minecraft server through it. The same network secures work infrastructure and personal services.
The One Thing to Watch
Tailscale becomes a single point of access if you’re not careful. I learned this the hard way when I re-authorized a node and killed my only SSH path. Every server now has a firewalled public SSH fallback. Tailscale is the primary access method, not the only one.
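The lockout described above, re-authorizing a node from a session that itself rides Tailscale, can be caught with a pre-flight check run on the server first. This is an added example, not code from the post: the function names are hypothetical, and it assumes Tailscale's 100.64.0.0/10 and fd7a:115c:a1e0::/48 address ranges and sshd on port 22.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: tailnet addresses fall in
# Tailscale's 100.64.0.0/10 or fd7a:115c:a1e0::/48 ranges; sshd uses port 22.

# Return 0 if the address is inside a Tailscale range.
is_tailnet_ip() {
    case "$1" in
        fd7a:115c:a1e0:*) return 0 ;;
        100.*.*.*) ;;
        *) return 1 ;;
    esac
    second=${1#100.}; second=${second%%.*}
    case "$second" in ''|*[!0-9]*) return 1 ;; esac
    [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# Classify a session from $SSH_CONNECTION: "client_ip client_port server_ip server_port".
session_path() {
    [ -n "$1" ] || { echo console; return 0; }
    set -- $1
    if is_tailnet_ip "$3"; then echo tailnet; else echo public; fi
}

# Read `ss -Hltn` output on stdin; return 0 if sshd is bound to a wildcard or
# non-tailnet address. A listener is necessary, not sufficient: the firewall
# must still admit your source address.
has_fallback_listener() {
    while read -r _state _rq _sq laddr _rest; do
        addr=${laddr%:*}; port=${laddr##*:}
        [ "$port" = 22 ] || continue
        addr=${addr#\[}; addr=${addr%\]}; addr=${addr%\%*}
        is_tailnet_ip "$addr" || return 0
    done
    return 1
}

# $1 = SSH_CONNECTION value, stdin = listener table. Non-zero means do not proceed.
preflight() {
    path=$(session_path "$1")
    if has_fallback_listener; then fb=yes; else fb=no; fi
    case "$path:$fb" in
        tailnet:no)  echo "UNSAFE: session rides Tailscale and sshd has no other listener"; return 1 ;;
        tailnet:yes) echo "CAUTION: log in over the fallback first, keep that session open" ;;
        *)           echo "OK: this session does not depend on Tailscale" ;;
    esac
}

# On the server: ss -Hltn | preflight "$SSH_CONNECTION"
```

A CAUTION result only says a second listener exists; confirm the fallback by actually logging in through it before touching the node's Tailscale state.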
Why It Stuck
I’ve tried a lot of networking tools. WireGuard is excellent for targeted tunnels between specific machines. OPNsense handles routing and firewall rules. But Tailscale solved the problem I actually had — making every machine reachable from everywhere without managing the plumbing. It’s the one tool in my stack that I’d recommend to anyone regardless of their infrastructure experience.
Written by
Peter Knaus
Founder of KnausDev. I build backend systems, AI pipelines, and enterprise platforms.