@emory
Created February 7, 2026 17:12
An explainer for using Tailscale and a tailnet for improved AI privacy
## Securing systems like openclaw via Tailscale
Tailscale is a WireGuard-based SD-WAN that creates private, authenticated peer-to-peer connections between devices. Instead of exposing services to the public internet, you bind them exclusively to your Tailscale network interface. You can have 3 users and 100 devices on a private tailnet for free at home.
**Why this matters:** Services bound to `localhost` are reachable only from that machine. Services bound to `0.0.0.0` (every IPv4 address) or `::` (every IPv6 address, and IPv4 as well on a dual-stack host) are exposed to *anyone* who can reach the host on your network or the internet. This is how services get compromised: often by frustrated developers binding to these shortcuts when something isn't working.
Services bound to Tailscale's interface only accept connections from authenticated, authorized devices in your tailnet. No public exposure. No shortcuts. No regrets.
**What's a tailnet?**
A tailnet is your Tailscale virtual network—a private, encrypted mesh where all your devices authenticate and authorize each other automatically. Tailscale uses the Carrier Grade NAT address space (100.0.0.0/8) so devices can communicate across networks, firewalls, and NATs without port forwarding.
**Your setup:**
You run Tailscale on multiple device types (phones, iPads, AppleTVs, servers). Two AppleTVs act as subnet routers—one in Philadelphia, one in Iowa City—keeping your tailnet alive 24/7 (because tvOS + ethernet = always-on client, even during device sleep).
This creates a pseudo-trusted internal network: your Philadelphia subnet (192.168.240.0/24) is directly routable from Iowa City (192.168.153.0/24) via the tailnet. Both locations share a unified WiFi network (Estuary_nomap) for HomeKit and human devices, with split DNS (iow.kvet.ch and phl.kvet.ch for location-specific services, estuary.kvet.ch for shared resources).
**Binding services to Tailscale (the safe way):**
Instead of this:
```bash
# Ollama takes its bind address from the OLLAMA_HOST environment variable
OLLAMA_HOST=0.0.0.0:11434 ollama serve   # exposes to EVERYONE on every IPv4 interface
lmstudio --port [::]:11337               # exposes to EVERYONE (IPv6 wildcard, dual-stack)
```
Bind to your Tailscale address instead. A bind address has to be an IP, not an interface name like `tailscale0`; `tailscale ip -4` and `tailscale ip -6` print the tailnet IPs assigned to this device:
```bash
# only accessible from your tailnet (100.x.y.z address printed by `tailscale ip -4`)
OLLAMA_HOST="$(tailscale ip -4):11434" ollama serve
# only accessible from your tailnet (IPv6 tailnet address, in brackets because of the port)
lmstudio --port "[$(tailscale ip -6)]:11337"   # lmstudio flag as written in this gist; the address is the point
```
Now inference services (wintendo:11434, icon:11434, lmStudio:11337) are only reachable from authenticated devices on your tailnet. No public exposure. No ransom attacks. No unauthorized access.
When something isn't working and you're frustrated, do NOT reach for `0.0.0.0` or `::`. That's the mistake that gets systems breached. Bind to Tailscale instead. It's more secure, and it actually solves the problem.
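A quick way to catch the `0.0.0.0` / `::` shortcut after the fact is to audit what is actually listening on the host. The script below is an added example, not part of this gist: it parses the output of `ss -tlnp` (iproute2 on Linux), classifies each listener by the address it is bound to (loopback, tailnet, wildcard, other), and reports anything reachable beyond localhost and the tailnet. The tailnet ranges are Tailscale's documented address blocks (100.64.0.0/10 for IPv4, fd7a:115c:a1e0::/48 for IPv6); the sample `ss` output, process names and ports are constructed for illustration.

```python
"""Audit a host's listening TCP sockets for the wildcard-bind mistake.

Added example (not part of the gist): parses `ss -tlnp` output, classifies each
listener by its bind address, and flags anything reachable from outside the
tailnet. The sample ss output, process names and ports are constructed.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Tailscale assigns IPv4 addresses from the CGNAT block and IPv6 addresses
# from its own ULA prefix (both are Tailscale's documented ranges).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

# Bind addresses that mean "every interface" as ss prints them.
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}


@dataclass
class Listener:
    address: str   # bind address as printed by ss, e.g. "0.0.0.0" or "[::]"
    port: int
    process: str   # process column from ss -p, "" if not shown
    scope: str     # public-wildcard, loopback, tailnet or other


def classify(address: str) -> str:
    """Map a bind address to the audience that can reach it."""
    if address in WILDCARDS:
        return "public-wildcard"          # every interface, IPv4 and/or IPv6
    ip = ipaddress.ip_address(address.strip("[]"))
    if ip.is_loopback:
        return "loopback"                 # same machine only
    if ip in TAILNET_V4 or ip in TAILNET_V6:
        return "tailnet"                  # authenticated tailnet peers only
    return "other"                        # LAN or public address: review it


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text (header line included) into Listener records."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip the header and non-listening rows
        # rpartition keeps bracketed IPv6 literals intact: "[::]:22" -> "[::]", "22"
        address, _, port = fields[3].rpartition(":")
        process = " ".join(fields[5:])
        listeners.append(Listener(address, int(port), process, classify(address)))
    return listeners


def exposed(listeners: list[Listener]) -> list[Listener]:
    """Listeners reachable beyond localhost and the tailnet."""
    return [l for l in listeners if l.scope in ("public-wildcard", "other")]


# Constructed sample: what ss -tlnp might print on a host running two
# inference servers, one bound to its tailnet addresses and one using 0.0.0.0.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port               Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:11434                    0.0.0.0:*         users:(("ollama",pid=1201,fd=3))
LISTEN 0      4096   100.101.102.103:11337            0.0.0.0:*         users:(("lmstudio",pid=1333,fd=7))
LISTEN 0      128    127.0.0.1:5432                   0.0.0.0:*         users:(("postgres",pid=842,fd=6))
LISTEN 0      4096   [fd7a:115c:a1e0::1]:11337        [::]:*            users:(("lmstudio",pid=1333,fd=8))
LISTEN 0      4096   [::]:22                          [::]:*            users:(("sshd",pid=611,fd=3))
"""


def audit_live() -> list[Listener]:
    """Run ss on this host (Linux with iproute2) and return the exposed listeners."""
    result = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True)
    return exposed(parse_ss(result.stdout))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call audit_live() on a real host.
    for l in exposed(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED {l.address}:{l.port} ({l.scope}) {l.process}")
```

On the sample, the two flagged listeners are `ollama` on `0.0.0.0:11434` and `sshd` on `[::]:22`; the LM Studio sockets bound to the 100.x and fd7a: tailnet addresses and the loopback-only Postgres pass. Anything classified `other` (a LAN or public address) is worth a second look as well, which is why it is reported alongside the wildcards.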
**Optional privacy layer:**
Mullvad VPN integration (USD $5/month for 5 approved devices) adds an additional privacy layer if needed. For most traffic, though, configuring a Tailscale exit node (your AppleTV, Synology, etc.) gives you an optional full tunnel: all of a device's network traffic goes back to your house and out through that exit node, as if you were there.
You can use that tailnet as a private secure backplane for management or private transit between services and devices in your household. All authenticated and authorized. Just like enterprise network engineering does!