Network access with IoT devices (OpenBeken/Tasmota/itd) and Home Assistant from outside - TailScale

p.kaczmarek2 174 2

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

» | Topic author Helpful post? (+3)

Post #1
21773549 07 Dec 2025 09:56

Today I'm going to present an interesting free solution to connect externally to our local network - for example IoT devices. You won't need a public IP here - everything will work even if we are behind NAT and don't have port forwarding. What's more, there will only be two devices to configure, namely our active computer, and an intermediary computer providing an outlet to the target LAN. In this way, we will get access to all devices on this network - including IoT hardware based on ESP8266, ESP32 or thereabouts BK7231.

We start the adventure by downloading Tailscale to both machines, administrator rights are needed. It is also important to reboot the system - I've already fallen for this once, because seemingly access to HTTP worked, but with other services there was a problem.
https://tailscale.com/
It is best to log into Tailscale via your Google account. Once installed, the service will be hidden as an icon in the toolbar:

It also sees the new IP of our device. Similarly, the installation should add the Tailscale virtual network card for us:

The full extent of our virtual network is easiest to check on the Tailscale website:

This is sufficient for the devices to see each other:

But this will not give us access to the entire LAN of the target computer. You need to do more than that - you need to enable the so-called Subnet Router (subnet routing). This will allow other devices on the Tailscale network to see the entire LAN behind this computer - i.e. ESP8266, ESP32, router, cameras, printers etc.

You can also use the command: tailscale up --reset --advertise-routes=192.168.1.0/24
Then on the intermediary computer go into the routing settings:

There we enable the subnet-router:

By default this checkbox is disabled!
From now on we can access the devices from the target network via their normal IP.
In summary, in this configuration I have:
- my LAN 192.168.0.1/24
- the target LAN 192.168.1.1/24
and being on my machine on my LAN, I can access the device from the target LAN by its normal IP, e.g. IP 192.168.1.123 works, both in the browser and in programs. I can make TCP or HTTP connections normally and communication works both ways.
If in doubt, this can be tested at least in PuTTY:

The screenshot shows the final test for three levels of communication - device on my LAN, target computer, device on the target LAN:

This is a very convenient solution - and certainly more accessible than public IP and port forwarding.
Do you use this type of tunneling, and if so, for what? Which VPNs do you recommend? Feel free to discuss.
PS: It is also worth mentioning what an Exit Node is. An Exit Node is a device that can act as an exit for all Internet traffic to other devices. While a Subnet Router only provides access to the selected local network behind the intermediary computer, an Exit Node takes over all traffic - both to the LAN and out to the Internet.8daabababe08

Cool? Ranking DIY
Helpful post? Buy me a coffee.

About Author

p.kaczmarek2 p.kaczmarek2

Moderator Smart Home
Offline

Joined: 26 Dec 2014

Posts: 13411

Help: 617

Posts rating: 11242

Points: 129375

p.kaczmarek2 wrote 13411 posts with rating 11242, helped 617 times. Been with us since 2014 year.

ADVERTISEMENT

#2 21773802 07 Dec 2025 14:10

Nargo Nargo

Level 23

» | Helpful post? (0)

Post #2
21773802 07 Dec 2025 14:10

Looks interesting. From what I've quickly read it can be put on OpenWRT, so 24/7 remote access.
I'll have to test it out. At the moment I'm using ZeroTier One for HA.

#3 21773908 07 Dec 2025 15:51

Camis Camis

Level 10

» | Helpful post? (0)

Post #3
21773908 07 Dec 2025 15:51

I would recommend NetBird more, however, because it is fully open-source. And also the coordinating server itself is in the official version, where with Tailscale we have an unofficial server.
So everything can be set up at home on HomeLab.

Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

Follow us

📢 Listen (AI):

Report a violation of the law

Home page

/

Forum

/

Smart Home

/

Smart Home IoT

/

Smart Home Guides

/

Network access with IoT devices (OpenBeken/Tasmota/itd) and Home Assistant from outside - TailScale

Popular Topics

OpenBeken for Smart Bulb GU10 5W (?) by ? with BK7231N and SM2235

CB3S (BK7231N) Flashing Error with FT232R and Easy UART Flasher: Serial.BytesToRead 0

How to Flash Ewelink SMART GU10 RGBWW (LN882H, LN-CBLC8) with Soft PWM and RPi

ESP32 WTH01 - how to plan the connection of modules to the ESP

Read more new topics

Hotel card/ key fob switch - how to control remotely from the switchboard, battery powered
07 Dec 2025 21:06 (1)
Hello! This is my first post on Elektroda, as I have been coping on my own so far :) I am asking you to recommend a solution to the following problem. My wife and I are renting a flat on a so-called short-term basis. We don't generally have problems with guests, but they notoriously leave the lights on or, worse, the air conditioning. I want to install a system similar to a hotel's, that is, combined...[Read more]
OpenBeken Home Assistant Discovery Fails With Space or Special Characters in Device Name?
07 Dec 2025 14:51 (0)
OpenBeken Home Assistant discovery not working; got it finally working. There was a space character in my device description name, or was it the special character like ä, ü, ö? Can someone clarify which short names/full names work and which don't? Why can't Home Assistant discover/configure a device?[Read more]
OpenBeken for Wifi Smart Socket EU (SPL-W-TY-PM-EU-RY-L) by Sky-Lighting with CB2S and BL0937
07 Dec 2025 11:19 (1)
The Wifi Smart Socket EU (SPL-W-TY-PM-EU-RY-L) by Sky-Lighting has been available under various brand names since around August 2022, for example at Action DE , Amazon.de and Calex . There is a variant with 10A at a maximum of 2500W and another with 16A at a maximum of 3680W, which are usually integrated into the smart home using the Alpina Smart, Calex Smart, Hema Smart, LSC Smart Connect or Smart...[Read more]
CY365 BK7252NQN481 Tiny WiFi Camera Teardown, Internal Photos, OpenBK7252N, GC0311
06 Dec 2025 14:42 (0)
Hi, here's a peak at a tiny little Beken BK7252N 'Xiaomi' '4k' Rear View Car IP camera bought from Ali Express. It's far from a full rear-view camera car kit, more like another cheap Chinese mini cam packaged with standard micro USB cable. No mounting options are supplied. The case is pried open very easily with only 4 plastic corner pips holding the two main parts together. then the insides. toothbrush...[Read more]
Moes BHT-006GAW Thermostat Compatibility with CB3S Module from Aliexpress
05 Dec 2025 18:56 (1)
Moes BHT-006GAW Thermostat with CB3S Module. AliExpress: Sorry, no meaningful pins data found. This device may be TuyaMCU or a custom one with no Tuya config data. Baud keyword found, this device may be TuyaMCU or BL0942. Baud value is 9600 No module information found. And the Tuya section starts, as usual, at 2023424[Read more]

FAQ

TL;DR: Two devices to configure, zero public IPs needed; "more accessible than public IP and port forwarding." Use Tailscale Subnet Router to reach Home Assistant and ESPs from anywhere. [Elektroda, p.kaczmarek2, post #21773549]

Why it matters:** It solves "how do I access my IoT and Home Assistant remotely behind NAT/CGNAT" without port forwarding or exposing services.

Requires admin rights and a reboot after installing Tailscale for reliable service access. [Elektroda, p.kaczmarek2, post #21773549]

Enable Subnet Router to reach a full LAN, e.g., advertise 192.168.1.0/24. [Elektroda, p.kaczmarek2, post #21773549]

Works behind NAT/CGNAT; no public IP or router port rules needed. [Elektroda, p.kaczmarek2, post #21773549]

Exit Node pushes all traffic; Subnet Router exposes only selected LANs. [Elektroda, p.kaczmarek2, post #21773549]

Tested with ESP8266/ESP32/BK7231 devices, routers, cameras, and printers. [Elektroda, p.kaczmarek2, post #21773549]

Quick Facts

- Requires admin rights and a reboot after installing Tailscale for reliable service access. [Elektroda, p.kaczmarek2, post #21773549] - Enable Subnet Router to reach a full LAN, e.g., advertise 192.168.1.0/24. [Elektroda, p.kaczmarek2, post #21773549] - Works behind NAT/CGNAT; no public IP or router port rules needed. [Elektroda, p.kaczmarek2, post #21773549] - Exit Node pushes all traffic; Subnet Router exposes only selected LANs. [Elektroda, p.kaczmarek2, post #21773549] - Tested with ESP8266/ESP32/BK7231 devices, routers, cameras, and printers. [Elektroda, p.kaczmarek2, post #21773549]

How do I access Home Assistant and IoT devices from outside without port forwarding?

Install Tailscale on your computer and an intermediary computer on the target LAN. Log in, then enable Tailscale Subnet Router on the intermediary to advertise the target subnet. You can now reach devices, including Home Assistant, via their normal LAN IPs from anywhere. This avoids public IPs and router changes. The author calls it a “very convenient solution.” [Elektroda, p.kaczmarek2, post #21773549]

What is Tailscale Subnet Router and why use it?

Subnet Router lets a Tailscale node expose an entire LAN (for example, 192.168.1.0/24) to your Tailnet peers. Unlike direct device-to-device, it gives you access to every host behind that node, such as ESP8266/ESP32/BK7231 devices, cameras, or printers. It’s ideal when only one machine on the remote site can run Tailscale. [Elektroda, p.kaczmarek2, post #21773549]

What’s the difference between Subnet Router and Exit Node?

Subnet Router shares only selected local subnets to your Tailnet. Exit Node routes all your device’s traffic through the chosen node, including Internet-bound traffic. Use Subnet Router for targeted LAN access. Use Exit Node when you need a single egress for everything. [Elektroda, p.kaczmarek2, post #21773549]

Step-by-step: How do I enable a Tailscale Subnet Router?

Install Tailscale on the intermediary computer and sign in.

Run: tailscale up --reset --advertise-routes=192.168.1.0/24.

In Tailscale admin, approve the advertised routes (enable subnet router) on that device.
After approval, remote peers can reach the whole LAN by normal IP. [Elektroda, p.kaczmarek2, post #21773549]

Do I need a public IP, static DNS, or port forwarding for this setup?

No. The approach works behind NAT and CGNAT and does not require public IPs, static DNS, or router port forwarding. Install Tailscale on two machines, approve the route, and use the LAN IPs directly. This keeps your router untouched and reduces exposure. [Elektroda, p.kaczmarek2, post #21773549]

Will it work with OpenBeken, Tasmota, and similar ESP devices?

Yes. The guide demonstrates reaching IoT hardware on ESP8266, ESP32, and BK7231. Firmware such as OpenBeken or Tasmota exposes services on LAN IPs. Once the subnet is advertised, you can browse, use TCP clients, or query HTTP endpoints on those IPs remotely. [Elektroda, p.kaczmarek2, post #21773549]

How do I reach devices by their normal LAN IP from outside?

After enabling the Subnet Router and approving routes, simply use the device’s usual IP, such as 192.168.1.123. Open it in your browser or connect via TCP clients. Communication works both ways over the Tailnet, treating remote hosts like local ones. [Elektroda, p.kaczmarek2, post #21773549]

How can I test connectivity quickly (HTTP/TCP)?

Use a simple TCP client like PuTTY. Test three levels: a device on your LAN, the intermediary host, and a device on the remote LAN. The screenshots show all three working. This confirms routing and service reachability over the Tailnet. [Elektroda, p.kaczmarek2, post #21773549]

I can open HTTP but other services fail—what’s the fix?

Reboot after installing Tailscale. The author noted HTTP seemed fine, yet other services failed until a system reboot. Reinstall with admin rights if needed, then reboot and retest. This edge case often clears lingering driver or virtual NIC initialization issues. [Elektroda, p.kaczmarek2, post #21773549]

Is this bidirectional, and can I use normal tools and apps?

Yes. Once routes are approved, traffic is bidirectional. You can make HTTP and TCP connections normally with browsers, Home Assistant, SSH clients, and diagnostic tools. The setup behaves like a secure site-to-site overlay without touching router NAT rules. [Elektroda, p.kaczmarek2, post #21773549]

How many networks and devices were demonstrated working?

The example uses two subnets: local 192.168.0.0/24 and target 192.168.1.0/24. The test confirmed three communication levels: local device, intermediary computer, and remote LAN device. That validates end-to-end routing for typical IoT and management traffic. [Elektroda, p.kaczmarek2, post #21773549]

When should I choose Exit Node instead of Subnet Router?

Choose Exit Node when you need all traffic to egress from the remote site, such as for policy or geolocation reasons. Choose Subnet Router when you only need to reach specific LAN devices while keeping your Internet breakout local. [Elektroda, p.kaczmarek2, post #21773549]

What are OpenBeken and Tasmota in this context?

They are popular firmwares used on low-cost Wi‑Fi IoT chips like ESP8266, ESP32, and BK7231. Devices running these stacks expose HTTP or TCP services on their LAN IPs, which become reachable once the Subnet Router advertises the target subnet. [Elektroda, p.kaczmarek2, post #21773549]

Any tips for first-time setup to avoid surprises?

Install with admin rights, sign in (Google works), confirm the Tailscale virtual NIC appears, and reboot. Advertise the correct CIDR. Finally, approve the route in the Tailscale admin panel; the checkbox is off by default. “It’s a very convenient solution.” [Elektroda, p.kaczmarek2, post #21773549]

ADVERTISEMENT