Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f453f302ae5595c3fc11280ec10a1882f247bb8
homelab-optimized/docs/troubleshooting/internet-outage-access.md
Gitea Mirror Bot 1f453f302a
Some checks failed
Documentation / Deploy to GitHub Pages (push) Has been cancelled
Details
Documentation / Build Docusaurus (push) Has been cancelled
Details
Sanitized mirror from private repository - 2026-04-05 10:10:45 UTC
2026-04-05 10:10:45 +00:00

9.8 KiB
Raw Blame History

Accessing the Homelab During an Internet Outage

When your internet goes down, the homelab keeps running. This guide covers exactly how to reach each service via LAN or Tailscale (which uses peer-to-peer WireGuard — it continues working between nodes that already have keys exchanged, even without the coordination server).

Quick Reference — What Still Works

Category Services Access Method
Streaming Plex, Jellyfin, Audiobookshelf LAN IP or Tailscale IP
Media mgmt Sonarr, Radarr, SABnzbd, Prowlarr LAN IP or Tailscale IP
Photos Immich (Atlantis + Calypso) LAN IP or Tailscale IP
Documents Paperless-NGX LAN IP or Tailscale IP
Passwords Vaultwarden LAN IP or Tailscale IP
Files Seafile, Syncthing LAN IP or Tailscale IP
Notes Joplin, BookStack LAN IP or Tailscale IP
Git/CI Gitea, Portainer LAN IP or Tailscale IP
Monitoring Grafana, Prometheus, Uptime Kuma LAN IP or Tailscale IP
Home Auto Home Assistant LAN IP or Tailscale IP
Dashboard Homarr LAN IP or Tailscale IP
Finance Actual Budget LAN IP or Tailscale IP
Comms Mattermost, Matrix (local rooms) LAN IP or Tailscale IP
Auth Authentik SSO LAN IP or Tailscale IP (fully local)

What does NOT work without internet:

  • New downloads (Sonarr/Radarr can't search indexers, SABnzbd can't download)
  • Invidious, Piped, Redlib (they ARE the internet)
  • YourSpotify, ProtonMail Bridge
  • External access via *.vish.gg domains (Cloudflare proxy down)
  • iOS push notifications via ntfy (ntfy.sh upstream unavailable)
  • AI tagging in Hoarder (OpenAI API)

Access Methods

Method 1 — LAN (same network as Atlantis/Calypso)

You must be physically connected to the home network (Ethernet or WiFi).

Host LAN IP Notes
Atlantis 192.168.0.200 Primary NAS — most services
Calypso 192.168.0.250 Secondary NAS — Gitea, Authentik, Paperless, Immich
Homelab VM 192.168.0.X Check router DHCP — runs monitoring, Mattermost
Concord NUC 192.168.0.X Check router DHCP
Pi-5 192.168.0.66 Uptime Kuma, Glances
Guava (TrueNAS) 192.168.0.100 NAS shares
Home Assistant 192.168.12.202 (behind MT3000) HA Green

Method 2 — Tailscale / Headscale (any network, any location)

Tailscale uses WireGuard peer-to-peer. Once nodes have exchanged keys, they communicate directly without needing the coordination server (headscale on Calypso). An internet outage does not break existing Tailscale sessions.

Host Tailscale IP SSH Alias
Atlantis 100.83.230.112 atlantis
Calypso 100.103.48.78 calypso
Homelab VM 100.67.40.126 homelab-vm
Concord NUC 100.72.55.21 nuc
Pi-5 100.77.151.40 pi-5
Guava 100.75.252.64 guava
Moon 100.64.0.6 moon
Setillo 100.125.0.20 setillo
Seattle VPS 100.82.197.124 seattle-tailscale

MagicDNS also works on Tailscale: atlantis.tail.vish.gg, calypso.tail.vish.gg, etc.

Note: If headscale itself needs to restart during an outage, it will now start fine (fixed 2026-03-16 — only_start_if_oidc_is_available: false). Existing node sessions survive a headscale restart indefinitely.

Service Access Cheatsheet

Portainer (container management)

LAN:       http://192.168.0.200:10000
Tailscale: http://100.83.230.112:10000
Public:    https://pt.vish.gg  ← requires internet

Gitea (code repos, CI/CD)

LAN:       http://192.168.0.250:3052
Tailscale: http://100.103.48.78:3052  or  http://calypso.tail.vish.gg:3052
Public:    https://git.vish.gg  ← requires internet (Cloudflare proxy)

GitOps still works during outage — Portainer pulls from git.vish.gg which resolves to Calypso on LAN.

Plex

LAN:       http://192.168.0.200:32400/web
Tailscale: http://100.83.230.112:32400/web
Note:      Plex account login may fail (plex.tv unreachable) — use local account

Jellyfin

LAN:       http://192.168.0.200:8096
Tailscale: http://100.83.230.112:8096

Immich (Atlantis)

LAN:       http://192.168.0.200:8212
Tailscale: http://atlantis.tail.vish.gg:8212

Immich (Calypso)

LAN:       http://192.168.0.250:8212
Tailscale: http://calypso.tail.vish.gg:8212

Paperless-NGX

LAN:       http://192.168.0.250:8777
Tailscale: http://100.103.48.78:8777
Public:    https://docs.vish.gg  ← requires internet
SSO:       Still works (Authentik is local)

Vaultwarden

LAN:       http://192.168.0.200:4080
Tailscale: http://100.83.230.112:4080
Public:    https://pw.vish.gg  ← requires internet
Note:      Use local login (password + security key) — SSO still works too

Homarr (dashboard)

LAN:       http://192.168.0.200:7575
Tailscale: http://100.83.230.112:7575
Note:      Use credentials login if SSO is unavailable

Actual Budget

LAN:       http://192.168.0.250:8304
Tailscale: http://100.103.48.78:8304
Public:    https://actual.vish.gg  ← requires internet
Note:      Password login available (OIDC also works since Authentik is local)

Hoarder

Tailscale: http://100.67.40.126:3000  (homelab-vm)
Public:    https://hoarder.thevish.io  ← requires internet

Grafana

LAN:       http://192.168.0.200:3300
Tailscale: http://100.83.230.112:3300
Public:    https://gf.vish.gg  ← requires internet

Authentik SSO

LAN:       http://192.168.0.250:9000
Tailscale: http://100.103.48.78:9000
Public:    https://sso.vish.gg  ← requires internet
Note:      Fully functional locally — all OIDC flows work without internet

Home Assistant

LAN:       http://192.168.12.202:8123  (behind GL-MT3000)
Tailscale: http://homeassistant.tail.vish.gg  (via Tailscale)
Note:      Automations and local devices work; cloud integrations may fail

Guava SMB shares (Windows)

LAN:       \\192.168.0.100\<sharename>
Note:      Credentials stored in Windows Credential Manager
           User: vish  (see Vaultwarden if password needed)

Uptime Kuma

LAN:       http://192.168.0.66:3001  (Pi-5)
Tailscale: http://100.77.151.40:3001

Sonarr / Radarr / Arr suite

LAN:       http://192.168.0.200:<port>
           Sonarr:    8989    Radarr:    7878
           Lidarr:    8686    Prowlarr:  9696
           Bazarr:    6767    SABnzbd:   8880
Tailscale: http://100.83.230.112:<port>
Note:      Can still manage library, mark as watched, etc.
           New downloads fail (no indexer access without internet)

SSH Access During Outage

All hosts have SSH key-based auth. From any machine on LAN or Tailscale:

# Atlantis (Synology DSM)
ssh -p 60000 vish@192.168.0.200        # LAN
ssh atlantis                            # Tailscale (uses ~/.ssh/config)

# Calypso (Synology DSM)
ssh -p 62000 Vish@192.168.0.250        # LAN  (capital V)
ssh calypso                             # Tailscale

# Homelab VM
ssh homelab@100.67.40.126              # Tailscale only (no LAN port forward)

# Concord NUC
ssh nuc                                 # Tailscale

# Pi-5
ssh pi-5                                # Tailscale (vish@100.77.151.40)

# Guava (TrueNAS)
ssh vish@192.168.0.100                 # LAN
ssh guava                               # Tailscale

# Moon (remote)
ssh moon                                # Tailscale only (100.64.0.6)

NPM / Reverse Proxy

NPM runs on Calypso (192.168.0.250, port 81 admin UI). During an internet outage, NPM itself keeps running and continues to proxy internal traffic. SSL certs remain valid for up to 90 days — cert renewal requires internet (Let's Encrypt + Cloudflare DNS).

For LAN access you don't go through NPM at all — use the direct host:port addresses above.

Tailscale Not Working?

If Tailscale connectivity is lost during an outage:

  1. Check if headscale is up on Calypso:

    ssh -p 62000 Vish@192.168.0.250 "sudo /usr/local/bin/docker ps | grep headscale"

  2. Restart headscale if needed (it will start even without internet now):

    ssh -p 62000 Vish@192.168.0.250 "sudo /usr/local/bin/docker restart headscale"

  3. Force re-auth on a node:

    sudo tailscale up --login-server=https://headscale.vish.gg:8443
# headscale.vish.gg resolves via LAN since it's unproxied (direct home IP)

  4. If headscale.vish.gg DNS fails (DDNS not updated yet), use the direct IP:

    sudo tailscale up --login-server=http://192.168.0.250:8080

DDNS / External Access Recovery

When internet comes back after an outage, DDNS updaters on Atlantis automatically update Cloudflare within ~5 minutes. No manual action needed.

If your external IP changed during the outage and you need to update manually:

# Check current external IP
curl https://ipv4.icanhazip.com

# Check what Cloudflare has for a domain
dig +short headscale.vish.gg A

# If they differ, restart the DDNS updater on Atlantis to force immediate update
ssh atlantis "sudo /var/packages/REDACTED_APP_PASSWORD/usr/bin/docker restart \
  dyndns-updater-stack-ddns-vish-unproxied-1 \
  dyndns-updater-stack-ddns-vish-proxied-1 \
  dyndns-updater-stack-ddns-thevish-proxied-1 \
  dyndns-updater-stack-ddns-thevish-unproxied-1"

Related Docs

Last updated: 2026-03-16

Reference in New Issue View Git Blame Copy Permalink