Selfhosted services with TailScale = WIN

Just want to plug TailScale for being awesome.

I’ve been dabbling in hosting some services from my home Unraid server. My standard setup was:

  • Domain from AWS Route53 with an entry that points all my subdomains to a CNAME record registered in DuckDNS. So www.mydomain.com, nextcloud.mydomain.com etc. all point to mydomain.duckdns.org.
  • DuckDNS to ensure mydomain.duckdns.org points to my current public IP, as my ISP changes this fairly regularly.
  • SWAG - manages Let’s Encrypt certificates for subdomains and proxies subdomain requests to the appropriate service host (other containers mostly).

This setup requires port forwarding ports 80 and 443 on my router to my Unraid server. I actually bought a new router because my old one didn’t allow port forwarding for these two ports. It’s been working great, all the photos from my phone sync to Nextcloud, I’m hosting my own blog etc. It’s been fun. However, I’ve been pretty uncomfortable with port-forwarding my home connection, mostly because my router firmware isn’t going to get updates. I’d prefer a port-scan of my public IP to return nothing.

Now with TailScale, I can replicate the experience without needing ANY port forwarding. My new setup looks like this:

  • Tiny $5 USD Linode instance (thanks linode credits). This instance can be small because it doesn’t do much:
    • Runs DuckDNS as a cronjob so now mydomain.duckdns.org points to that instance instead of my home public IP.
    • Container running SWAG with exactly the same docker-compose config as the one that used to run on my Unraid server.
    • Ports 80 and 443 opened up in Linode Firewall, all other traffic is dropped.
    • TailScale authenticated to my own network
  • Unraid server:
    • dsmith44’s community application for tailscale - adds my Unraid server to the tailscale network.
  • nginx proxy conf changes:
    • On the linode instance, I changed all my configs to reflect the change in routing. Instead of relaying traffic to the internal port of the container, it relays the traffic to the port exposed on the Unraid server’s IP on my tailscale network (which remains stable regardless of my public IP).

I’ve disabled all port forwarding on my router and can access all my services as normal. There is a slight (<30ms) increase in latency to my services, but that’s okay for my usage. Do note that since all the traffic is relayed, this might not be ideal if you use services that consume huge amounts of data a month. Linode’s traffic limits are way more generous than AWS though so good on them.

This setup is very well suited to my specific requirements, but I wanted to share it in case someone else wanted to try it out. If you haven’t been able to do home hosting because you are on a network where you can’t port-forward the required 80 and 443 (e.g. campus networks), this might also work for you.

7 Likes
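As an added illustration of the "nginx proxy conf changes" step above (this is not the original poster's configuration), here is what a SWAG-style proxy-conf on the relay VPS looks like when its upstream is switched from a local container to the Unraid host's Tailscale address. The Tailscale IP 100.101.102.103, the service port 8443 and the hostname are placeholders; the `include` paths follow SWAG's proxy-conf conventions.

```nginx
# Added example, not the author's config: SWAG proxy-conf on the Linode relay.
# 100.101.102.103 and 8443 are placeholder values for the Unraid host's
# tailnet address and the port the service exposes on it.

server {
    listen 443 ssl http2;
    server_name nextcloud.mydomain.com;

    # TLS certificate issued by SWAG's Let's Encrypt integration
    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;

        # Before: relay to the Nextcloud container on the same Docker network
        # (this is what the proxy-conf looked like while SWAG ran on Unraid).
        # set $upstream_app nextcloud;
        # set $upstream_port 443;
        # set $upstream_proto https;

        # After: relay across the tailnet to the Unraid host. The Tailscale
        # address stays stable even when the home public IP changes, and no
        # port on the home router needs to be forwarded.
        set $upstream_app 100.101.102.103;
        set $upstream_port 8443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Because the home service now only sees connections from the relay's tailnet address, it should derive client IPs from the X-Forwarded-For header that proxy.conf sets, and trust that header only from the relay's Tailscale IP.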

Tailscale and Zerotier are fantastic products for situations like this.

1 Like

Just as an eli5, is tailscale just an easy way to set up a wireguard tunnel/link?

I heard about it on the last couple self hosted, and 2.5 admins, but not delved yet.
Sounds good, whatever it is

Yes and.

It sets up wireguard links peer to peer for clients, while the server does the auth and tells the clients where the other clients are. It also does some stuff with DNS (if enabled), so you can set up custom DNS servers.

Tailscale downsides:

  • Userland wireguard, so lower bandwidth (or higher cpu) than kernel wireguard.
  • Proprietary server, although an almost feature complete open source replacement is in development. Headscale
  • Proprietary source windows and mac GUIs (on windows it is the tray icon and installer mostly that are closed AFAIK)
  • iOS client cannot be pointed to a custom server, android client requires a custom build.
  • AFAIK, they do the “Visual Studio Code”/“vscode” thing, where the released binaries are under their EULA, but the source code is fully or partially open source (depending on platform). Shouldn’t stop someone else from building third party binaries that are still under an open source license.

Tailscale upsides:

  • Wireguard based tunnels, not a custom vpn-ish protocol
  • Not completely ready, but some cool stuff with DNS, like support for split-horizon DNS
  • Really really easy to set up. Install client, tailscale up, copy the url and login via a browser, done.

6 Likes

Great didn’t know about headscale, nice.

I have some clients with Synologys on Unifi networks and I’ve started using Tailscale there since there’s no native support for wireguard in Unifi and none other than Tailscale on Synology. I don’t love asking clients to spend money on subscriptions, but they’ve all seemed happy with it.

1 Like