Create a VPN Gateway with Tailscale and Pantavisor on a Raspberry Pi 3

Many people maintain a home network to connect and share a growing number of devices and personal data. But accessing our private network securely from anywhere can be challenging without the correct tools. VPN solutions that are robust and simple to use have not been widely available until recently.

Tailscale is a “zero-config” VPN network that solves many of the problems just described. It offers excellent security with an easy to use workflow that doesn’t involve complex configuration files or firewall rules. With Tailscale you can securely access your private network from anywhere on a wide variety of architectures and device types.

Over the next two posts, Sergio Marin (@highercomve), a Pantacor engineer, takes us through a step-by-step YouTube tutorial on how to set up a VPN using a Raspberry Pi 3 as a Tailscale gateway configured and managed with Pantacor container technology. In this first post, we’ll describe how to set up a Raspberry Pi as a Tailscale gateway for your network with Pantavisor and Pantacor Hub. In part 2, we’ll expand the network to include many more devices and show you how to manage an entire fleet of devices using our SaaS Pantacor Fleet.

What’s Sergio Marin running on his network?

The diagram below is a sketch of Sergio’s home network. He currently runs a server with Plex and Samba installed, which allow him to share and manage his videos and images. The media server is connected to an ISP router. A PC and the Raspberry Pi 3 are also on the network. Of course, all of these devices also reach the Internet, but are separated from it by a firewall.



What you will achieve with a Tailscale VPN

Once everything is configured and running, the end result is that you will be able to access your network over the Internet through a VPN using your Raspberry Pi as the gateway.  Once the VPN is in place, you will be able to securely access your home network through a hotspot on your laptop or smartphone and any other device that installs the Tailscale VPN client.



Tutorial summary

To complete this tutorial, follow these steps. We describe each of these in detail in videos and throughout this post:

  • Install the Pantavisor PVR command line interface (cli)
  • Create an account at
  • Set up your Raspberry Pi with Pantavisor on Pantacor Hub
  • Create an account at Tailscale
  • Create an API token for your devices
  • Install and configure Tailscale with Pantavisor
  • Connect to your home network via the Tailscale VPN client

Install PVR CLI

PVR is the command line interface and utility for Pantavisor. At a high level, PVR offers a git-like experience to manage and update the device state revisions that can be cloned and posted so they can be accessed remotely through Pantacor Hub.

Download the binary that matches your architecture:

Install PVR onto Linux or a Mac by downloading and adding the binary to your $PATH:

tar xvzf pvr-012.linux.amd64.tar.gz
mkdir -p ~/bin
cp pvr ~/bin/pvr
chmod +x ~/bin/pvr
export PATH=$PATH:~/bin
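
Because this step puts a downloaded binary on your $PATH, it is worth checking the tarball against a known digest first. The script below is an added example, not from the original post or from Pantacor: `sha256_of` and `install_pvr` are hypothetical helper names, and the expected SHA-256 is assumed to come from a source you trust, since this page does not list one.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded PVR tarball before installing it.
# The expected digest must come from a source you trust (assumption:
# the page does not publish one).

sha256_of() {
    # Print the SHA-256 of a file with whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

install_pvr() {
    # usage: install_pvr <tarball> <expected-sha256> [dest-dir]
    local tarball="$1" expected="$2" dest="${3:-$HOME/bin}"
    local actual workdir rc=0

    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 2; }

    actual=$(sha256_of "$tarball") || return 2
    # An empty or short result means hashing failed; never compare it.
    [ "${#actual}" -eq 64 ] || return 2
    # Digests are sometimes published in upper case; the tools print lower.
    expected=$(printf %s "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: got $actual" >&2
        return 1
    fi

    # Unpack into a private scratch directory and take only the member
    # named "pvr", so nothing else in the archive lands on disk.
    workdir=$(mktemp -d) || return 2
    if ! tar -xzf "$tarball" -C "$workdir" pvr; then
        rm -rf "$workdir"
        return 2
    fi

    mkdir -p "$dest"
    # 0755: runnable by everyone, writable only by the owner.
    install -m 0755 "$workdir/pvr" "$dest/pvr" || rc=$?
    rm -rf "$workdir"
    return "$rc"
}

# Usage: install_pvr pvr-012.linux.amd64.tar.gz "<trusted sha256>" ~/bin
```

A mismatch returns 1 and leaves the destination directory untouched, so the function can gate the rest of a setup script.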

For Windows, unzip the binary and place it in a user accessible directory that can run executables (C:\Users\YOURUSER).

For more information on what the PVR cli can do for you, see Sergio’s video:


Signing up to Pantacor Hub

Pantacor Hub is an open source device state management system. You can think of it as a cross between an image sharing repository for apps and devices as well as a device system revision repository. With the hub you can share images and device data between team members or other users. It manages transactional revisions of the device state for over the air updates across device fleets. You can also use it to configure device and application meta-data through its easy to use graphical UI.

There are two different ways to create a Pantacor Hub account:

1. Create an account from the command line with the PVR cli with:

 pvr register -e -u john123 -p 123

2. Or you sign up on the web at


Setting up your Raspberry Pi with Pantavisor on Pantacor Hub

Now that you have PVR installed, and you have an account at Pantacor Hub, it’s time to flash your device with a pre-installed image of Pantavisor, connect to the Hub and configure the device.

1. Download the image with Pantavisor for a Raspberry Pi 3:




This dialog also allows you to set up a Wifi connection if you need to for your device. However, if you are using a regular cable to connect the Internet to your Raspberry, then you can omit this step.

Note: When you download an image from Pantacor Hub, the image bakes in your user credentials.  This means that when the image starts, it will already be claimed by you and available in Pantacor Hub. To download an image without credentials baked into it, see Pantavisor Initial Images.

2. After you’ve downloaded and extracted the image file, write the image onto your micro-SD card with the Raspberry Pi Imager. Select your operating system, your SD card and then write the image to the SD card.




Once the card is flashed, remove it from your laptop and insert it in your Raspberry Pi and then plug in the Internet and power cables for your Raspberry Pi.

3. Return to the Hub UI and check to see that your device has appeared in the dashboard.

4. Click on a device to view its properties and configuration parameters, which include the following sections: summary data, components and device meta-data. The components are running in containers and include the following:

For a detailed explanation on what these containers are running, how they are set up and how to build your own containers for Pantacor Hub, see this explanation:



5. After you’ve flashed the device and it has completed the initial boot sequence, you’re ready to install and configure Tailscale. First create an account over on the Tailscale website and generate a key token. The token is used by the Raspberry Pi to identify it as a gateway. Generate the keys at Settings  → Keys within Tailscale.

If you need help with this, see this explanation:



6. Configure Tailscale by cloning the device url from Pantacor Hub onto your laptop:




7. Then go to the command line and type:

pvr clone [cloned-url] [folder-name]


- [cloned-url] is the URL you copied from Pantacor Hub
- [folder-name] is the folder you created for the container definition

8. Once the device data is downloaded to your laptop, install the Tailscale container with:

pvr app add --from tailscale


[source of tailscale container:branch:name of app] This Tailscale container, which lives in Sergio’s GitLab registry, is built to read the meta-data from Pantacor Hub. It is located in the master branch of GitLab’s container registry. Note that you can use a regular Docker container and download it from Docker Hub as well.

9. Next add the Tailscale container (or the change) to Pantavisor’s revision history with:

pvr add .
pvr commit

10. Post the revision with a commit message to Pantacor Hub with:

pvr post -m 'add base tailscale container'

11. Now you’re ready to enable Tailscale on the device in Pantacor Hub. Add an entry to the metadata section of the device on Pantacor Hub by selecting the device and then the Configuration command from the menu.

Add the following to the metadata:

tailscale.enabled as the key and then true as the value

For more information on the configuration settings for the Tailscale container and how to specify the gateway, see the rest of this video here:


Final Thoughts

In this tutorial, we showed you how to download a Tailscale client container onto your Raspberry Pi 3 and configure it as a gateway for your home network.

For more information on Pantavisor see our how to guides at