Raspberry Pi Zero 2 W as a Tailscale Wake-on-LAN gateway
Hardware: Raspberry Pi Zero 2 W | Architecture: Tailscale (L3) + UpSnap (L2 Magic Packet) | Goal: securely wake a home PC from the internet
Architecture
Remote device (phone / laptop)
│
│ Tailscale encrypted tunnel
▼
Raspberry Pi Zero 2 W (always-on)
│
│ UpSnap sends Magic Packet
▼
Home router (L2 broadcast)
│
▼
PC NIC (wakes the host)
Why the Pi is needed: Tailscale operates at OSI L3 (network layer), while a WoL Magic Packet is an L2 (data link layer) broadcast. Tailscale can't emit one directly, so an always-on device inside the LAN has to send it on Tailscale's behalf.
Why the Pi Zero 2 W:
- Idle power consumption around 0.4 W — roughly NT$12 per year in electricity
- Cheap (about NT$700)
- Quad-core ARM Cortex-A53 at 1 GHz + 512 MB RAM — more than enough for Tailscale + UpSnap
- Wi-Fi is fine — the WoL broadcast goes through the router to the wired PC
Hardware
- Raspberry Pi Zero 2 W (2W is enough — no need for 2WH)
- microSD card (8 GB+, A1 or A2 class recommended)
- USB-C power supply (5 V 2.5 A)
- A PC on the same LAN that supports Wake-on-LAN
Step 1: Flash the OS
- Download and install Raspberry Pi Imager
- Pick Raspberry Pi OS Lite (64-bit)
- It must be 64-bit because the UpSnap binary we'll use later is arm64
- Click the gear icon (advanced settings) before flashing:
- Hostname:
upsnap(or whatever you prefer) - Enable SSH (password or SSH key, either works)
- Set Wi-Fi SSID and password
- Set username and password (examples below use
jeff) - Set locale and keyboard (zh-TW, Asia/Taipei)
- Hostname:
- After flashing, insert the card into the Pi and power it on
- Wait 1–2 minutes for the Pi to join Wi-Fi
Step 2: SSH into the Pi
# Or by IP: ssh [email protected]
Once in, update the system:
sudo apt update && sudo apt upgrade -y
Step 3: Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Open the URL it prints in your browser and log in — the Pi will join your tailnet.
Check the Tailscale IP:
tailscale ip -4
Step 4: Download the UpSnap binary
⚠️ Don't download or unzip with
sudo— it'll cause permission issues later.
# Switch to home directory
cd ~
# Find the latest version at:
# https://github.com/seriousm4x/UpSnap/releases
# Look for a file named like upsnap_X.X.X_linux_arm64.zip
# Example: version 5.3.2 (replace with the actual latest)
wget https://github.com/seriousm4x/UpSnap/releases/download/5.3.2/upsnap_5.3.2_linux_arm64.zip
# Unzip (if unzip isn't installed: sudo apt install unzip -y)
unzip upsnap_5.3.2_linux_arm64.zip
chmod +x upsnap
Confirm the file is owned by the current user (not root):
ls -la ~/upsnap
# Should show: -rwxr-xr-x 1 jeff jeff ...
Step 5: Set capabilities and test the launch
# Grant the ability to send raw packets (one-off)
sudo setcap cap_net_raw=+ep ./upsnap
# Install nmap (so UpSnap can scan the network for devices)
sudo apt install nmap -y
# Test launch
./upsnap serve --http=0.0.0.0:8090
Open http://<Pi-LAN-IP>:8090 or http://upsnap.local:8090 in a browser and create the admin account.
Once you confirm you can log in, stop it with Ctrl+C.
Step 6: Make it a systemd service (autostart on boot)
sudo nano /etc/systemd/system/upsnap.service
Paste in the following (make sure User and the paths match your environment):
[Unit]
Description=UpSnap Wake-on-LAN
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=jeff
WorkingDirectory=/home/jeff
ExecStart=/home/jeff/upsnap serve --http=0.0.0.0:8090
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Enable the service:
sudo systemctl daemon-reload
sudo systemctl enable --now upsnap
sudo systemctl status upsnap
active (running) means it's working.
Step 7: Expose over HTTPS with Tailscale Serve (recommended)
This lets you reach UpSnap from anywhere at https://upsnap.<your-tailnet>.ts.net, with no port forwarding and a legitimate TLS certificate.
sudo tailscale serve --bg --https=443 http://localhost:8090
Check status:
tailscale serve status
After that, any device on your tailnet can open the UpSnap UI in a browser.
Step 8: Add the PC in UpSnap
- Log in to the UpSnap web UI
- Click Add device
- Fill in:
- Name: your PC's name
- MAC Address: find it on Windows with
ipconfig /all, or look it up in your router admin UI - IP: the PC's LAN IP (e.g.
192.168.1.100)
- Click Wake to test
PC-side Wake-on-LAN settings (the hard part)
This is where things usually break. The Pi side is rock solid — failures are almost always misconfigured PCs.
BIOS (vendors name these differently — search for these keywords)
- ✅ Enable Wake on LAN / Power On by PCI-E / Resume by PCI-E Device
- ✅ Disable ErP Ready / EuP
- ✅ Disable Deep Sleep / Deep S5
Windows 10/11
Device Manager settings
- Open Device Manager → expand "Network adapters" → right-click your wired NIC → Properties
- Power Management tab:
- ✅ Tick "Allow this device to wake the computer"
- ✅ Tick "Only allow a magic packet to wake the computer"
- Advanced tab (names vary by NIC model):
- Wake on Magic Packet → Enabled
- Wake on Pattern Match → Enabled (optional)
- Energy Efficient Ethernet → Disabled (this blocks WoL on some NICs)
Disable Fast Startup (critical)
If you leave it on, WoL won't work from a full shutdown — only from sleep.
- Control Panel → Power Options
- Click "Choose what the power buttons do"
- Click "Change settings that are currently unavailable"
- Uncheck "Turn on fast startup"
- Save changes
Verification
After the PC sleeps or shuts down, look at the LED on the NIC's RJ45 jack — it should still be lit or blinking slowly (the NIC stays powered to listen for magic packets). If the LED is fully off, the BIOS or NIC settings are wrong and WoL won't work.
Router checks
If the magic packet goes out but the PC doesn't respond, check whether the router is blocking it:
- AP Isolation / Client Isolation: must be off, otherwise wireless devices can't broadcast to wired ones
- IGMP Snooping: can filter broadcasts in some setups — try turning it off
- Mesh systems (Eero, Orbi, Asus AiMesh, etc.) sometimes isolate traffic between nodes
Troubleshooting
Q1: UpSnap fails with attempt to write a readonly database
Cause: pb_data/ is owned by root (usually because it was started with sudo at some point).
# Check ownership
ls -la ~/pb_data
# Restore ownership
sudo chown -R jeff:jeff ~/pb_data
# Or nuke it entirely (the DB only holds config — if you haven't set anything up, just delete it)
rm -rf ~/pb_data
Q2: Magic packet sent but PC doesn't wake
Check in order:
- Is the PC's NIC LED still lit when sleeping? (No → BIOS / NIC settings problem)
- Try a WoL tool on another PC (e.g.
WakeMeOnLan) on the same LAN to rule out PC-side issues - Confirm Pi and PC are on the same subnet (compare
ip aoutput) - Disable AP Isolation on the router
- Check that Fast Startup is disabled on the PC
Q3: Tailscale doesn't autostart after a Pi reboot
sudo systemctl enable tailscaled
sudo systemctl status tailscaled
Q4: Accessing UpSnap directly over LAN
http://upsnap.local:8090
# or
http://<Pi-LAN-IP>:8090
Q5: Upgrading UpSnap
cd ~
sudo systemctl stop upsnap
wget <new-version-download-url>
unzip upsnap_X.X.X_linux_arm64.zip
sudo setcap cap_net_raw=+ep ./upsnap
sudo systemctl start upsnap
Security notes
- Don't expose UpSnap directly to the public internet — its shutdown feature essentially runs shell commands, so a compromise hands an attacker a root shell inside your LAN
- Always go through Tailscale — its zero-trust model ensures only devices you authorise can reach it
- Audit your Tailscale ACLs regularly to make sure no device has more access than it needs