There are infrastructure changes that are technically small but emotionally huge. This is one of them.
The recipe is almost stupidly simple: put the Tailscale agent on every server, let Tailscale create a private WireGuard mesh, and then put those machines into Termius so they are always one click, one tap, or one keyboard shortcut away. That is it. No grand platform migration. No Kubernetes enlightenment. No enterprise network diagram. Just a private address for every machine and a terminal that remembers how to reach each one.
I basically made my own VPC out of all the servers I already had. I can hit any of them through Termius, and it is so good it feels illegal.
The old way was annoying enough that I stopped noticing it
Before this, every server had a little bit of friction attached to it. Which public IP is that one using? Did I lock SSH down to my home address? Am I on the right VPN? Did the firewall rule get copied to the new VPS? Is this service bound to localhost because it should be private, or did I expose it because I needed to debug something at 1 a.m.?
None of those questions are hard. That is why they are dangerous. They are all small enough to tolerate, and they quietly tax every single operation.
Tailscale deletes most of that tax. Each machine joins the tailnet, gets a stable private identity, and becomes reachable from my other trusted devices. Termius then turns the whole thing into a clean cockpit. The result feels less like “remote servers” and more like a private rack that happens to be distributed across providers.
Why Tailscale is the magic layer
Tailscale is built on WireGuard, but the thing I care about day to day is not the cryptographic brochure. It is the operational shape: every node gets a private Tailscale IP, identity is handled through the tailnet, and machines can talk to each other without me hand-rolling tunnels or punching random holes through the internet.
The best infrastructure products make the secure path the lazy path. That is what this does. If SSH over Tailscale is easier than exposing SSH publicly, I will use the safer option every time.
Why Termius completes the loop
Tailscale gives every machine a private route. Termius makes those routes feel like a workspace.
I can save hosts by their tailnet identity, group them by project, keep keys and snippets organized, and jump into the right machine without reassembling context from shell history. Termius is not just “an SSH app” in this setup. It is the control panel for the fleet.
That matters because the network is only half the experience. The other half is whether I actually want to use it. With Termius, the answer is yes. On a laptop it feels polished. On a phone it feels like cheating. I can be away from my desk, open Termius, hit a Tailscale-only host, and fix the thing without making that host public.
The personal VPC pattern
Cloud providers sell VPCs as a primitive: private network, internal addresses, controlled ingress, services that can talk to each other without living naked on the internet. Tailscale gives an indie version of that pattern to a person with a handful of machines.
My version looks something like this:
- Sunday, the self-hosted personal AI daemon, running on a VPS with satellites dialing in from my machines.
- SQLite databases for the things that should stay simple and local to the app.
- Litestream streaming SQLite WAL changes to object storage so the simple database still has serious durability.
- Hermes as an agent runtime and operator surface for tools, skills, browser work, scheduled tasks, and desktop context.
- Extend.ai in the automation stack for turning document chaos into structured workflows.
- Admin dashboards and internal services that do not need to be public just because I need to reach them.
The important part is not that every one of those things is novel. The important part is that they compose. SQLite stays boring. Litestream makes it restorable. Sunday gives me a personal AI I control. Hermes gives me an operator loop. Tailscale gives the machines private reachability. Termius gives me a beautiful way to touch the fleet.
The setup, roughly
The exact commands vary by distro and provider, but the pattern is this:
Once a server is in the tailnet, I add it to Termius using the Tailscale IP or MagicDNS name. I group hosts by project — Sunday, databases, experiments, production boxes — and keep the SSH details there. From then on, the muscle memory is simple: open Termius, pick the host, connect.
Why this feels so good
It feels good because it collapses distance. A VPS in a random region, a box at home, and a machine under my desk all become peers. The network becomes personal instead of infrastructural. I do not have to mentally switch from “local” to “remote” as much; I just move around my own mesh.
It also makes self-hosting feel less fragile. I can run Sunday on a VPS, connect satellites from Macs, keep private admin endpoints private, and still operate everything from wherever I am. That changes what I am willing to build, because the operational overhead drops.
The best part is how unceremonious it is. Install agent. Join tailnet. Save in Termius. Suddenly the whole fleet is right there.
What I would tell someone copying this
- Use Tailscale SSH or lock regular SSH down so you are not leaving public access around out of habit.
- Name machines clearly. A private network full of mystery hostnames is still a mess.
- Use groups in Termius. Treat it like an operations cockpit, not a junk drawer.
- Put boring databases on SQLite when you can, then replicate with Litestream if losing the box would hurt.
- Keep internal dashboards internal. If only you need it, it probably belongs on the tailnet.
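To check the first and last points on a given box, the sketch below sorts TCP listeners into loopback, tailnet, and everything else. It is an added example, not part of the original post: the function names are made up for illustration, the sample `ss` lines are constructed, and it assumes Linux `ss` plus Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48).

```shell
#!/bin/sh
# Added example (hypothetical helper names). TCP listeners only.
# On a live host: ss -Htln | non_tailnet_listeners

# Read `ss -Htln` lines on stdin; print "<class> <addr> <port>" per listener.
classify_listeners() {
  awk '{
    la = $4                               # Local Address:Port column
    port = la; sub(/^.*:/, "", port)      # text after the last colon
    addr = la; sub(/:[^:]*$/, "", addr)   # text before the last colon
    gsub(/\[|\]/, "", addr)               # drop IPv6 brackets
    sub(/%.*$/, "", addr)                 # drop interface scope such as %lo
    split(addr, o, ".")
    class = "other"
    if (addr ~ /^127\./ || addr == "::1") {
      class = "loopback"
    } else if (addr ~ /^100\./ && o[2] + 0 >= 64 && o[2] + 0 <= 127) {
      class = "tailnet"                   # 100.64.0.0/10
    } else if (tolower(addr) ~ /^fd7a:115c:a1e0:/) {
      class = "tailnet"                   # Tailscale IPv6 prefix
    }
    print class, addr, port
  }'
}

# Listeners bound to anything that is neither loopback nor a tailnet address.
# These are the ones to review: wildcard binds, public IPs, LAN addresses.
non_tailnet_listeners() {
  classify_listeners | awk '$1 == "other" { print $2, $3 }'
}

# Constructed sample of `ss -Htln` output, so the script runs offline.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128  0.0.0.0:22                 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080             0.0.0.0:*
LISTEN 0 128  100.101.102.103:22         0.0.0.0:*
LISTEN 0 128  [::]:22                    [::]:*
LISTEN 0 4096 [fd7a:115c:a1e0::1234]:443 [::]:*
LISTEN 0 128  100.20.30.40:5432          0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53           0.0.0.0:*
LISTEN 0 128  *:9090                     *:*
EOF
}

sample_ss_output | non_tailnet_listeners
```

A wildcard bind such as `0.0.0.0:22` is not necessarily reachable from the internet if a firewall blocks it, so treat the output as a review list rather than a verdict.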
The larger point
I keep coming back to tools that make small systems feel powerful. Hermes, Sunday, SQLite, Litestream, Tailscale, Termius — they all share that quality. They do not require a platform team. They give one person a surprising amount of leverage.
That is the inspiration here: personal infrastructure can feel amazing. Not toy amazing. Actually useful, operationally sane, “I can run my life and projects on this” amazing. Tailscale plus Termius is one of those combinations where the moment it clicks, you wonder why you tolerated anything else.