I can only comment about battery life. It's proportional to how much tailscale is really being used: If you use tailscale with an "exit node", i.e. all traffic is routed through it and it's working continuously, it drains battery. If it's only used for services on your tailnet, e.g. Immich, the impact will be very small.
I have a static route configured on my home's gateway that enables any device on my network to access Tailscale. I have Tailscale turned on my iPhone pretty much all the time anyway, but even if I didn't I'd still be able to access services I have hosted that are only accessible on my tailnet.
I've had tailscale almost permanently enabled for a couple of years at this point and it's never a problem (iOS, NextDNS with a tailscale-specific profile rather than a Pi-hole or something)
If you are okay with internet exposure on some level, Cloudflare Tunnel is a really fantastic product:
https://developers.cloudflare.com/tunnel/
It’s obviously not a magical security layer that eliminates all issues related to public Internet exposure, but in my opinion it is good enough for the average home user.
Note that Cloudflare Tunnel blocks requests above 100MiB, which makes it impossible to upload long videos. This is being addressed in https://github.com/immich-app/immich/pull/22385
Oh good callout, I had only tried it for not-giant-upload services.
Could impact battery usage, possibly?
But the way I do access Immich externally is not with Tailscale directly on my phone but involves exposing a caddy instance, running on a $1 VPS, to the internet.
If requests include a specific very long header (which I randomly made up), it then forwards those requests to my real Immich instance, which runs on my NAS. Headers can be configured within the mobile app. It has worked really well for me so far.
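The setup described in that comment, a Caddy reverse proxy that only forwards requests carrying a secret header and answers everything else with a 404, can be expressed as a Caddyfile like the one below. This is an added example, not the commenter's actual configuration: the hostname `immich.example.com`, the header name `X-Immich-Access`, the NAS address `nas.tailnet.example:2283` and the secret value are all placeholders to be replaced.

```caddyfile
# Added example: public-facing Caddy on a small VPS, forwarding only
# requests that present a long random header value to an Immich server
# reachable over the tailnet. Every name and value here is a placeholder.
immich.example.com {
    # Named matcher: true only when the request carries the exact
    # header value. Generate the secret with something like
    # `openssl rand -base64 48` and configure the same header in the
    # Immich mobile app.
    @authorized header X-Immich-Access "REPLACE-WITH-LONG-RANDOM-SECRET"

    # Matching requests are proxied to the real Immich instance on the NAS
    # (placeholder address; Immich listens on 2283 by default).
    handle @authorized {
        reverse_proxy nas.tailnet.example:2283
    }

    # Everything else, including scanners that find the hostname,
    # gets a bare 404 and never reaches the NAS.
    handle {
        respond 404
    }
}
```

Caddy serves this site over automatic HTTPS, so the header value is only ever sent inside TLS; the VPS still sees it in cleartext, which is why the secret should be long, unguessable, and rotated if the VPS is ever suspected to be compromised. Immich's own login remains in place behind the proxy, so the header is an additional gate in front of it, not a replacement for it.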
Here's some data. Well, technically anecdata, I suppose.
My phone has been powered on but inactive all night; I charged it to 80% before going to bed, then unplugged it and left it where I can reach it from my bed, as is my habit. (I'm in an Asian timezone, in case you hadn't guessed, so it's morning for me while it's evening in America right now). Its battery is now at 73%. The Android battery report says 6% battery usage from Kindle (makes sense, I started reading a book when I woke up), 0.7% from Signal (haven't sent any messages yet today but have received a few), and 0.3% from Tailscale.
So when you're not using the Tailscale network actively, you'll hardly notice the battery drain.
On an older iPhone, my Settings shows 3% going toward Tailscale.
I remember having problems using tailscale vpn 24/7 and pihole on my home network with the phone pointed at the 192.168 address for DNS. Pages would take 5s to resolve and start loading.
Unfortunately, Pihole was less important than Tailscale and I have to put up with mobile ads.
If you're on Android and don't like mobile ads [Morphe](https://morphe.software/) might be worth a look.
If Tailscale is on, I can't concurrently run a DNS-blocking local VPN, so I see ads in mobile Chrome.
I use nextdns with tailscale.
https://tailscale.com/docs/integrations/nextdns
Put a Pihole container on your homelab which you have the Tailscale exit node on and then set it as the forced Tailnet DNS.
Could host it in the tailnet?
You can but it’s a lot slower.
I leave my phone connected 24/7 and don’t notice any downsides. Only have to disable it on some networks when traveling to make awful captive portals work.
No, lots of people including myself do this for homelab access purposes; it just works (tm).