Homelab
Tailscale Mac Bastion Host
Setting Up a Mac as a Tailscale Bastion Host for Remote Homelab Access
Overview
Setting up a Mac as a bastion host for remote homelab access. The Mac stays on your home network and connects to Tailscale, providing a jump box for SSH access when you're away.
Before You Begin
Prerequisites
- Tailscale High Availability completed (or Tailscale Kubernetes Subnet Router if not using HA)
- Mac (Mac Mini, Mac Studio, etc.) on home network
Why This Approach
- Access home network resources not exposed to Tailscale
- Run `talosctl` and `kubectl` commands remotely via SSH
- Backup access if the Tailscale subnet router is down
Install Tailscale
Download the standalone app (avoids App Store dependency).
Download
Download from Tailscale macOS Downloads.
Sign In
Open Tailscale and sign in to your tailnet.
Enable CLI
Tailscale menu → Settings → CLI integration → Show me how → Add "tailscale" Command to PATH → Add now
Enable Remote Login
Enable macOS's built-in SSH server[^1].
SSH Server
System Settings → General → Sharing → Remote Login: Enable
SSH Keys
Add your public key (~/.ssh/id_ed25519.pub or similar) to ~/.ssh/authorized_keys on the bastion.
SSH Config
Disable password authentication (keys only).
/etc/ssh/sshd_config:

```text
PasswordAuthentication no
KbdInteractiveAuthentication no
```

Restart SSH:

```bash
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
```

Keep Bastion Online
The bastion needs to stay online and recover from power outages.
Energy Settings
System Settings → Energy:
| Setting | Value |
|---|---|
| Prevent automatic sleeping when display is off | On |
| Put hard disks to sleep when possible | Off |
| Wake for network access | On |
| Start up automatically after a power failure | On |
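The SSH Config and Energy Settings sections above both describe settings that are easy to get subtly wrong and that nobody re-checks once the Mac is tucked away. The script below is an added example, not code from the original page: it compares the live output of `sudo sshd -T` and `pmset -g` against the keys-only and stay-online policy from those two sections. The mapping from the Energy toggles to the `pmset` keys (`sleep`, `disksleep`, `womp`, `autorestart`) is my assumption, and the two sample outputs at the bottom are constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example (not code from the original page): a readiness check for the
# bastion that compares live settings against the policy from the SSH Config
# and Energy Settings sections. On the bastion, run it against real output:
#   sudo sshd -T | check_settings "$SSHD_POLICY"
#   pmset -g     | check_settings "$PMSET_POLICY"
# The samples at the bottom are constructed so the script also runs offline.

# Policy lists: one "key expected-value" pair per line, keys lowercase
# (that is how `sshd -T` prints them; values are compared case-insensitively).
SSHD_POLICY='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Assumed mapping from the System Settings > Energy toggles to `pmset -g` keys:
#   sleep 0        prevent automatic sleeping when display is off
#   disksleep 0    do not put hard disks to sleep
#   womp 1         wake for network access (wake on magic packet)
#   autorestart 1  start up automatically after a power failure
PMSET_POLICY='sleep 0
disksleep 0
womp 1
autorestart 1'

# check_settings POLICY  (reads "key value ..." lines on stdin)
# Prints one line per setting that is missing or differs from the policy and
# exits 1 if there were any; exits 0 when every policy key matches.
check_settings() {
    awk -v policy="$1" '
        BEGIN {
            n = split(policy, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        # Only the first two fields matter; pmset appends notes after the value.
        { k = tolower($1); if (k in want) seen[k] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "WRONG   %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output where password logins are still on.
SAMPLE_SSHD='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample of `pmset -g` output (header lines and trailing notes
# included, the way macOS prints them).
SAMPLE_PMSET='System-wide power settings:
Currently in use:
 womp                 1
 autorestart          1
 disksleep            0
 sleep                0 (sleep prevented by sharingd)'

if printf '%s\n' "$SAMPLE_SSHD" | check_settings "$SSHD_POLICY"; then
    echo "sshd: keys-only policy OK"
else
    echo "sshd: fix the settings listed above"   # this branch runs for the sample
fi

if printf '%s\n' "$SAMPLE_PMSET" | check_settings "$PMSET_POLICY"; then
    echo "pmset: bastion will stay online and wake for network access"
fi
```

`sshd -T` prints the effective configuration after all Include files and Match blocks are resolved, so checking it rather than grepping `/etc/ssh/sshd_config` catches a later override that silently re-enables passwords. `pmset -g` needs no root, so the energy half can run from any SSH session to the bastion.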
Verify Setup
Test SSH Access
From another device on your tailnet:
```bash
ssh <username>@<tailscale-ip>
```

Configure 1Password CLI
Touch ID doesn't work over SSH. Set up 1Password CLI with manual authentication.
Sign In
```bash
export OP_BIOMETRIC_UNLOCK_ENABLED=false
eval $(op signin)
```

If no account is configured, it will prompt to add one manually. You'll need:
- Sign-in address (e.g., my.1password.com)
- Email address
- Secret Key
- Password
- 2FA code
Once signed in, `op` commands work for the session.
Access Cluster via Bastion
The bastion provides cluster access when:
- Working remotely via SSH
- The Tailscale subnet router in the cluster is down (backup access)
Remote kubectl/talosctl
```bash
ssh <username>@<tailscale-ip>
# On the bastion
cd ~/homelab
export KUBECONFIG=$(pwd)/talos/clusterconfig/kubeconfig
export TALOSCONFIG=$(pwd)/talos/clusterconfig/talosconfig
kubectl get nodes
talosctl --nodes 192.168.1.30 health
```

Wake on LAN via Bastion
If a cluster node is powered off:

```bash
ssh <username>@<tailscale-ip> "wakeonlan <MAC_ADDRESS>"
```

Resources
Footnotes
[^1]: Apple, "Allow a remote computer to access your Mac," support.apple.com. Accessed: Dec. 20, 2025. [Online]. Available: https://support.apple.com/guide/mac-help/mchlp1066/mac