Skip to main content

TailScale: The Holy Grail of VPNs for Amateur Radio Remote Operation

Operating an Amateur Radio station remotely will require you to have some understanding of network fundamentals.   If you are the station owner, this may require knowledge of IP Addressing, protocols and perhaps port forwarding.    Depending on who supplies your Internet, their may be insurmountable issues.

In this blog post, I'm going to explain the complexities of hosting a remote station, and a solution to solving the issues for 99% of the situations out there.   I've tested this solution in many scenarios, and I can say that it works pretty flawlessly.

First, some basics.   If you understand  IP and routing, or just want to get to the info about TailScale, skip this part.  However, to many hams it remains a mystery.

About IP and Routing

Every Internet connection has an IP address.  Think of it as a unique address -- similar to your home address.    With that unique address, any other computer in the world can reach your router (your home.)

There are two schemes in use today.  So-called "IPv4", the traditional address space, has a limit of 4,294,967,296 addresses.   It seems like a lot, but the world is a big place.   So, we now have IPv6, which has a limit of 3.4x10 to the 38th power of addresses, essentially limitless.  IPv6 is very common today, but, luckily in our work in amateur radio, we can deal with IPv4 addresses.

Now, I said you have your house (router) has one particular IP address, unique to you.   However, in your home you may have multiple computers, such as a PC, iPad, Android Tablet, IP-based Amateur radio, or other device.     How do all these devices share the common address of the house (router)?  Just like a house, each room (computer or device) can have it's own individual address, but only INSIDE the house.

The smart people who invented Internet Protocol came up with addresses that are "non routable".   What this means is that data flowing from a room (computer/device) inside your house (router) cannot flow to the Internet.   This is quite useful for connections inside your house or business, but useless if you want to connect to the outside world.

So, IP has a concept of Network Address Translation, or NAT for short.  What does NAT do?   It says if you are trying to reach a computer outside of your house (your local SUBNET, or "Local Area Network (LAN)" as they are called), NAT will automatically route your data out your router (using your common whole-house -- or router -- address, to the far end.)    Responses coming back are sent to your whole-house router address, and NAT again connects to the inside-house -- or SUBNET -- address.

About IP Addresses

The folks who invented IP set aside the following IP address ranges for SUBNETS:

  • ( Range: – )
  • ( Range: – )
  • ( Range: – )

For many of us, you will recognize the familiar IP address starting with "192.168.0.x" subnet, which typically supports up to 255 IP Addresses.   Any of these ranges can be, and  used in a local LAN.

How does a device or computer GET it's address?  How is it assigned?   There are two ways: the most common is a protocol called DHCP. (Dynamic Host Configuration Protocol.)  It is a so-called "Plug-N-Play" protocol.   If you power on a device connected to your LAN, your device or computer sends out a request asking if anyone can supply an IP Address.   The device that answers is typically your router, which has a DCHP server.   It ensures your computer gets a unique IP address inside your local LAN.

The other option is to specify an IP address statically.  To do this, you must know a lot about your network, to ensure you do not conflict with other devices.   (More on this topic later.)

If an IP Address is OUTSIDE the ranges above, it is typically a routable address (meaning directly usable and addressable on the internet.)

About your Whole -House (Router) Internet Address

Typically, your public Internet address is assigned dynamically by your Internet Service Provider.  It may stay the same for a very long time, or change quite often.   If all you are doing is going outside, this is not an issue.   However, if you are trying to host remote amateur radio equipment, knowing how to get to your address is very important.   This address can be IPv6 or IPv4.   An IPv4 client cannot directly connect to an IPv6 address,

The Domain Name System (DNS)

Remembering the IP address of 4,294,967,296 IPv4 computers (let alone, IPv6) is impossible, of course.  So, luckily, we have the Domain Name System.    DNS converts a domain name into an IP Address.  For example, I host a lot of files on -- easy to remember, huh?  However, would you remember  Probably not for long.     You can purchase your own domain name, and manage the translations of your IP Addresses to domain names yourself (a topic of another blog).

Important for us as amateurs, if we are hosting a remote station, is the ability to get to the router where the equipment is.  If your IP address is dynamic, you need a way to constantly update your domain name translation, though something called Dynamic DNS (DDNS).   I won't detail it here, but there are many free services you can Google to configure DDNS.   However, if you have a Internet Service Provider that is giving you an IPv6 public address, you are not going to be in great shape for hosting remote amateur radio.

Virtual Private Networking to the Rescue!

A Virtual Private Network (VPN) is a way of connecting multiple houses (routers) across the Internet, where the devices INSIDE the VPN can all talk to each other, without issue.   VPNs have been around almost as long as the Internet.   VPNs are also secure -- they are often used to see content on the internet which cannot be viewed in particular countries.   There are actually many, many types of VPNs.  I'm not going to go into the detail -- I'll leave that research up to the reader.  I'm going to show you how VPNs eliminate 99% of the problems with hosting a remote station.

How can a VPN help when setting up a remote station?

Almost ALL remote operations for ham radio require knowing the ADDRESS or DNS name of the host application or device, because they are server applications.

- a software solution for remoting like RemoteHams has.

- a radio with built-in IP (Elecraft, Icom, Flex, SunSDR, etc)

- a RemoteRig box

- Mumble, RemAud or other audio methodologies.

- Keyers, antenna switces, power control, and amplifiers.

All of these are SERVER applications.  All of them have an IP Address on your LAN in the station.  In order to get those exposed to outside your network, you must Port Forward them properly, and ensure you have DDNS or a fixed IP address, so that people on the outside can get to your equipment.  

This is only possible if your outside IP address is accessible.   Many cellular carriers, and satellite internet providers like StarLink, use what is Called CGNAT.   This allows them to provide service to 100s of thousands of private IP4 users behind their IPv6 public address.  It is not possible to host servers in this environment.

I'm not going to explain how to do any of the above.    

VPNs can solve these problems with ease.   The problem up until now is the VPNs are very hard to configure, and may involve outboard hardware.   If you are an experienced ham but don't work in IT, they can be very intimidating and confusing.  Until now.

Introducing TailScale

TailScale is a new cloud-based MESH VPN Provider.   They have taken the best of existing technology and combined it into a very-easy-to install and use VPN.   No complicated configuration or INI files,  Not a huge amount of Network skills required.   TailScale knows how to navigate through the toughest CGNAT situations, and will allow you to enjoy remote operation no matter your scenario.   Read as much detail as you want at

But at what cost?

TailScale is new to the marketplace.   They operate on what is called the freemium model.  Which means they have a free tier.   I've talked with the CEO about our needs in Amateur Radio -- and he told me they are a "ham friendly" company -- meaning that what we would typically need from TailScale will remain free.   So no worries on the cost front.

How does TailScale work?

First, you download and install TaileScale on your computer, via    They have downloads and instructions for how to install the client on Windows, Macs, IOS, Android and Linux.

You choose the free tier, and authenticate yourself using a Google, Microsoft or GitHub account.  (For the free tier, there is only ONE Login.  My suggestion is to set up a new gmail account for this purpose.)

Once you have Tailscale installed on two computers, and you log in (instructions on Tailscale site), each computer will be able to "see" each other on their TailScale IP, which is in the 100.x.x.x range.   On the TailScale client for Windows, you can right-click on the TailScale icon in the tray, and see all the nodes in your VPN network:

TailScale Admin Page example

Now, as it is, from what I've just shown you, you can do many wonderful remote things, as long as all the server applications are running on the PCs you have TailScale on, without having to worry about Port Forwarding or DNS, etc.  In fact, you don't even have to use the 100.x addresses: Tailscale knows the names of the computers and you can access them by name.

The Best Part:  Subnet Advertisement and Routing.

Let's say remote op A wants to connect his open-source WFVIEW, operating on a computer with local address to an Icom 7610 at the station which has an IP Address of

Tailscale supports what is called Subnet advertisement and routing.  In order for the the 192.168.73.x subnet to be seen by the computer with the address, we would need to advertise and expose the 192.168.73.x subnet to the rest of the computers on the network.   In all versions, this is done by a command-line command (open a command prompt in Windows): 

tailscale up --advertise-routes=

Once this is done, any client computer on the same TailScale VPN can connect to any address in the 192.168.73.x network, and WFVIEW will run perfectly.

Now, let's say for example you are using RemoteRig Boxes.   This would work exactly the same way, except you would want to expose BOTH subnets:

tailscale up --advertise-routes=,

Avoid subnet Collisions!

If your local LAN is on subnet 192.168.1.x, and you connect it with another computer with the same subnet, 192.168.1.x, you won't be able to get to the far end, as the address will resolve to the LOCAL subnet and not the far end!   Before exposing the subnets, ensure they are unique among your user community.   The way I do this is use something like 192.168.73.x as the station LAN.  Normally, this would not collide with any connected user subnet.

In the Windows client, you can turn visibility of subnets on and off using the ... (three-dot) menu to the right of a endpoint in the administrator.

In the free tier of TailScale, two subnets are allowed.  This should be perfect for most Amateur remote sitations.

It works!

I've used TailScale to remote to ZF from W1 without any issues, with great performance.

Please go for it, and discuss your experiences on the Remote Contesting forum, or any of the remote groups on Facebook!


Popular posts from this blog

Introducing CATMapper: A Windows Utility to Map VFO Functionality between Radios!

  Many types of remote solutions offer only an on-screen VFO (Icom, Yaesu, Flex applications come to mind.)   However, many of us own some type of HF radio that has CAT computer control. What if you could use the hardware VFO (tuning knobs) from an existing radio to control the VFO on a  virtual radio's control panel? I tested this concept out in ARRL DX SSB this year, using an Elecraft K3/0 Mini and the Flex SmartSDR! It worked quite well (despite some initial bugs). The program uses VE3NEA'S OmniRig application, which does the heavy lifting of all the CAT commands for various radios.   How does it work?   Simply ensure the radio you are controlling with, and the radio you want to control both have COM port connectivity.  Then, start CATMapper, go to the File menu, and choose "Configure..." from the menu.  In the OmniRig dialog, configure each radio (Rig1 and Rig2), specifying baud rates, etc.  I recommend a 150mS poll time for smooth operation. Once you press the OK

Automation in Amateur Radio: RS-232 for local and remote applications

 If you are a modern radio ham, you deal much with the RS-232 Serial standard. High-Frequency ham gear has had a computer interface since at least the 1990s.    The common name for this interface is Computer-Aided Transceiver -- CAT -- a term coined by Yaesu I believe.      Using the CAT interface, one can read or change the frequency of the radio, change bands, and adjust the majority of controls found on the faceplate of the radio. CAT is a "staple", and the minimum level of automation for both local and remote control of an amateur station.   Some modern radios use USB (The Universal Serial Bus) for CAT.   USB is bit harder to automate in remote situations, but not impossible. Beyond CAT control of the radio, there is control of other auxiliary components in the station -- amplifiers, rotators, antenna switches, and keying mechanisms for CW/PTT. RS-232 and the modern Windows computer In order to interface your radio or other peripheral to your PC, be it a laptop or desktop