I’ve been using the GL.iNet Comet KVM for my homelab and have no complaints. Their cloud is optional and I don’t use it. The built-in Tailscale client does what I need it to. I use it with their ATX power accessory to manage physical power on/off when needed.

Given that these things have bare metal access, keeping them off of the public internet seems wise no matter what though.

Keeping these kinds of management devices off the Internet seems prudent. But how do you do that and still get Tailscale to work? Assign the device to a separate VLAN that is restricted to only talk to Tailscale? Otherwise, if the device is on your regular network, it will still be connected to the internet.

Use Tailscale subnet routing.

Untrusted devices can sit on a separate VLAN or have WAN access blocked; you can still reach them internally, and from any other device on Tailscale. You just need to expose the subnet via Tailscale subnet routing.

Yes, that is how you arrange for the device to be reachable through Tailscale.

What I was wondering was: in order to get the device to talk to Tailscale so that you can reach it, you need to give it access to the internet to reach Tailscale. But now I understand your answer: let the device sit somewhere in an enclosed network and then, through another trusted Tailscale node, route any traffic to it using subnet routing. Thanks!
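One way to wire up the arrangement the thread converges on, as an added example that is not part of any post here: the KVM sits on an isolated VLAN that is blocked from the WAN, a trusted Linux host on that VLAN is the only thing allowed out (for its own Tailscale session) and advertises the VLAN as a subnet route. The addresses, interface names and the use of nftables on the home router are constructed assumptions; the script only prints the commands and ruleset for review.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed, constructed layout: the KVM
# sits on an isolated VLAN with one trusted Linux host that acts as the
# Tailscale subnet router; the home router runs nftables. Placeholders:
KVM_VLAN_CIDR="192.168.50.0/24"   # VLAN holding the KVM
ROUTER_NODE_IP="192.168.50.2"     # trusted subnet-router node on that VLAN
WAN_IF="eth0"                     # home router's upstream interface
VLAN_IF="eth0.50"                 # home router's interface on the KVM VLAN

# Commands for the trusted node: forward tailnet packets into the VLAN and
# advertise the VLAN as a route. The route must still be approved in the
# Tailscale admin console before other tailnet devices can use it.
subnet_router_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
tailscale up --advertise-routes=${KVM_VLAN_CIDR}
EOF
}

# nftables rules for the home router's forward path. Only the subnet
# router may reach the WAN (for its own WireGuard session to the tailnet);
# the KVM and anything else on the VLAN is dropped before it gets out.
router_nft_rules() {
  cat <<EOF
table inet kvm_isolation {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    iifname "${VLAN_IF}" ip saddr ${ROUTER_NODE_IP} oifname "${WAN_IF}" accept
    iifname "${VLAN_IF}" oifname "${WAN_IF}" drop
  }
}
EOF
}

# nftables evaluates rules in order: the subnet router's accept has to come
# before the VLAN-wide drop, or the trusted node loses its tailnet link and
# the KVM becomes unreachable. Returns 0 when the ordering is right.
ruleset_order_ok() {
  router_nft_rules | awk -v r="${ROUTER_NODE_IP}" '
    $0 ~ ("saddr " r " .*accept") { a = NR }
    $0 ~ ("oifname .* drop")      { d = NR }
    END { exit !(a > 0 && d > 0 && a < d) }'
}

# Print both pieces for review; apply them by hand on the right machine.
subnet_router_cmds
router_nft_rules
```

The KVM itself never gets a path to the internet in this layout, so its built-in Tailscale client stays unused; the trusted node's tailnet session is the only WAN flow the VLAN is allowed.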