Published: 5/15/2026
The Hitchhiker’s Guide to Local Tailscale Networking
Setting up Syncthing, Gitea, and Pi-hole behind a closed Tailscale VPN with zero public ports. A guide on maintaining your digital privacy across the local sector.
1. The Golden Rule: Don't Panic
It is a well-documented fact that setting up firewalls can lead to mild hysteria, especially when your DNS filters start blocking your own SSH requests. We avoid this by running Tailscale as our primary gateway.
2. Bindings & Listening Interfaces
Ensure Syncthing is bound only to the tailscale0 IP (100.110.228.97) rather than 0.0.0.0. This prevents any WAN access even if nftables has a temporary hiccup during rule reloads.
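One way to verify the binding rule above, as an added example that is not part of the original guide: a small audit over `ss -Htln` output that flags every TCP listener not bound to loopback or the Tailscale address. The sample socket table is constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -Htln` output: State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
LISTEN 0 4096 100.110.228.97:8384 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5353 0.0.0.0:*
LISTEN 0 4096 [::]:3000 [::]:*
LISTEN 0 4096 *:53 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 192.168.1.20:8080 0.0.0.0:*
"""

def split_local(field):
    """Split ss 'Local Address:Port' into (host, port), dropping %iface and []."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def classify(host, allowed):
    """Return 'ok' for loopback or the Tailscale IP, otherwise the problem type."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"          # listens on every interface, WAN included
    ip = ipaddress.ip_address(host)
    if ip.is_loopback or ip == allowed:
        return "ok"
    return "other-interface"       # specific address, but not tailscale0

def audit(ss_output, tailscale_ip):
    """List (port, host, verdict) for listeners that break the binding rule."""
    allowed = ipaddress.ip_address(tailscale_ip)
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        verdict = classify(host, allowed)
        if verdict != "ok":
            findings.append((port, host, verdict))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, verdict in audit(SAMPLE_SS, "100.110.228.97"):
        print(f"port {port}: bound to {host} ({verdict})")
```

To run it against a live host, pass the captured output of `ss -Htln` to `audit()` in place of the sample.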