Tailscale + PicoClaw for private homelab AI

Tailscale builds an encrypted mesh between your devices. Use it when PicoClaw should answer only on your private tailnet—for example a Pi running Ollama plus PicoClaw, reachable from your laptop without exposing ports to the public internet.

1. Common pattern

  • Install Tailscale on the PicoClaw host, your dev machine, and optional exit nodes.
  • Bind PicoClaw or your reverse proxy to the Tailscale IP or 0.0.0.0 with firewall rules limited to the tailnet.
  • Call webhooks and APIs using MagicDNS names like pi.tailnet-name.ts.net.

2. Split LLM traffic

Often the model server runs on a GPU box while PicoClaw runs on a Pi. Tailscale gives both sides stable addresses for OpenAI-compatible backends.

3. When you still need the public web

For SaaS webhooks (Telegram, Discord, GitHub), you still need a routable URL—use Cloudflare Tunnel or nginx on a VPS.

4. Next steps