r/selfhosted

Exposing to public with tailscale (headscale). Is it possible?

Need Help

I have a Proxmox instance with my homelab and Nextcloud. I also have a VPS, with NPM installed via Docker. I already own a domain pointing to my VPS. I installed headscale via Docker on a VPS and the tailscale client within an LXC on my homelab, and that works.

My question is:
Is it possible to expose my homelab services (e.g. Nextcloud) to the public by somehow connecting the NPM container with the tailscale network?
P.S. Cloudflare Tunnel is not an option until I give up.


You could, by just having the network used for NPM be the tailscale network/container.

The container should be for tailscale, not the headscale container; headscale is just the controller server.

Thanks, that’s an important point


It is possible to use a VPS as a forward point and it's actually common practice for situations where your home server is behind ISP NAT. But setting up Headscale can be overkill if you only use it for this.

Normally, if you only need to forward one port you would use an SSH tunnel, which is readily available on any Linux VPS. This discussion has a ton of information about setting up proxying with an SSH tunnel.

If you need to forward an entire network interface (multiple ports which vary) you would set up a VPN, which nowadays is usually WireGuard because it's included with the Linux kernel and somewhat easier to set up than OpenVPN.

If you intend to use Headscale/Tailscale for other things you can of course use them as the VPN for this.

You can also use Tailscale Funnels to have a public entry point directly to your home server through the NAT (no VPS needed) but please be aware that you can't use your own domain (have to use their .ts.net subdomains) and they intercept TLS connections (and so does CloudFlare).

You don't necessarily have to put NPM on the VPS. You can chain proxies. You can have a simple proxy (caddy, if you're familiar with that) running directly on the VPS (no container) and forwarding connections into the tunnel, and set up NPM at home.

I would point out too, as this is self-hosted, there are a whole bunch you can self-host that are open source - https://github.com/anderspitman/awesome-tunneling. I will advocate for zrok.io as I work on its parent project, OpenZiti. zrok is open source and has a free SaaS too.
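The chained layout this answer describes (SSH reverse tunnel from home, a small proxy on the VPS terminating TLS for your own domain, NPM at home), as an added example that is not from the thread or from NPM, Caddy or Headscale: a POSIX sh script that builds the home-side `ssh -R` command, emits the matching Caddyfile site block for the VPS, and checks that the tunnel's VPS-side listener is bound to loopback so the unencrypted NPM port is never reachable from the internet directly. `tunnel@vps.example.com`, `nextcloud.example.com`, port 8080 and the function names are placeholders/assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from NPM/Caddy/Headscale): the
# "SSH tunnel into the VPS, proxy on the VPS, NPM at home" layout.
# tunnel@vps.example.com, nextcloud.example.com and port 8080 are placeholders.

# Home side: keep an SSH reverse tunnel up so the VPS can reach NPM at home.
#   $1 = port NPM listens on at home (plain HTTP, e.g. 80)
#   $2 = port the tunnel opens on the VPS
#   $3 = user@vps
#   $4 = address the VPS-side listener binds to (default: loopback)
# ExitOnForwardFailure makes ssh exit instead of silently running without the
# forward; ServerAliveInterval lets a dead link be noticed and restarted by
# whatever supervises this command (autossh or a systemd unit with Restart=).
tunnel_cmd() {
    bind=${4:-127.0.0.1}
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:%s:127.0.0.1:%s %s\n' \
        "$bind" "$2" "$1" "$3"
}

# VPS side: a Caddy site block that terminates TLS for your own domain and
# forwards into the tunnel; NPM at home then routes by hostname as usual.
caddy_site() {
    printf '%s {\n    reverse_proxy 127.0.0.1:%s\n}\n' "$1" "$2"
}

# Check that a tunnel command only exposes the raw tunnel on the VPS loopback.
# Binding to 0.0.0.0 (or to nothing, with GatewayPorts=yes in the VPS sshd,
# which forces the wildcard address) would publish NPM's plain-HTTP port next
# to the proxy, bypassing Caddy's TLS and any access rules it enforces.
# Leave GatewayPorts at its default (no) on the VPS.
tunnel_cmd_is_safe() {
    spec=$(printf '%s\n' "$1" | sed -n 's/.* -R \([^ ]*\).*/\1/p')
    case $spec in
        127.0.0.1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (prints the two pieces you would deploy):
#   tunnel_cmd 80 8080 tunnel@vps.example.com
#   caddy_site nextcloud.example.com 8080
```

The VPS only ever sees plain HTTP on `127.0.0.1:8080`, and the home side initiates the connection, so no inbound port is needed through the ISP NAT; the tradeoff is that Caddy, not NPM, holds the certificate for the public name, and the tunnel process needs a supervisor to survive reboots and link drops.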

Thanks for your explanation, and that linked thread is great for seeing other solutions. I plan to use tailscale just to reuse the function of private access to my services and publicly-available ones via the same technology.


Not sure about how this would be done in headscale specifically since I don’t use that.

In normal hosted Tailscale, the move here would be to advertise your 192.168.0.20/32 as a route from your Tailscale client, set up forwarding such as with a site-to-site VPN, and then have NPM basically forward to 192.168.0.20 in the back. I think there’s probably a missing Tailscale client on your VPS side that would then accept the route, but again, I don’t know if headscale would act as a client in this case.

But in short, it should be doable.
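The subnet-route approach from this comment, as an added example that is not from the thread or from Tailscale/Headscale: a POSIX sh script that builds the `tailscale up` commands for the home LXC (advertising the single host) and for the second client on the VPS (accepting routes), refuses to advertise anything wider than one host, and checks the IP-forwarding sysctl the subnet router depends on. `https://headscale.example.com` is a placeholder for your control server; the `tailscale up` flags used (`--login-server`, `--advertise-routes`, `--accept-routes`) are real, the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Tailscale/Headscale): the
# subnet-route approach from the comment above, with the checks that usually
# bite.  https://headscale.example.com and 192.168.0.20 are placeholders.

# A single-host route (/32) is the least-privilege choice: the VPS side can
# reach the Nextcloud box and nothing else on the home LAN.
is_host_route() {
    case $1 in
        */32) return 0 ;;
        *)    return 1 ;;
    esac
}

# Home LXC (the tailscale client acting as subnet router).  Refuses routes
# wider than one host so a whole /24 is not advertised by accident.
#   $1 = headscale URL, $2 = route, e.g. 192.168.0.20/32
advertise_cmd() {
    is_host_route "$2" || return 1
    printf 'tailscale up --login-server=%s --advertise-routes=%s\n' "$1" "$2"
}

# VPS side: the second tailscale client the comment notes is missing.  It
# accepts advertised routes, so NPM on the VPS can be pointed at 192.168.0.20
# directly.  The route must also be approved on the headscale server; that
# subcommand has changed between headscale versions, so consult
# `headscale --help` for the one your version uses.
accept_cmd() {
    printf 'tailscale up --login-server=%s --accept-routes\n' "$1"
}

# The subnet router only forwards if IP forwarding is on; inside an LXC it may
# be off (and not settable from inside an unprivileged container), and the
# route then silently goes nowhere.  $1 overrides the sysctl path (used by
# the test); returns 0 when forwarding is enabled.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = 1 ]
}

# Usage:
#   advertise_cmd https://headscale.example.com 192.168.0.20/32
#   accept_cmd https://headscale.example.com
#   ip_forward_enabled || echo "enable with: sysctl -w net.ipv4.ip_forward=1"
```

With this in place NPM on the VPS is configured exactly as if 192.168.0.20 were a local upstream; the only new exposure is that one host, and only to machines on the tailnet that have accepted the route.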

[deleted]

I do this with WireGuard on the VPS acting as the endpoint; it routes my desired ports to my home system (a QEMU VM running on KVM on a laptop), which runs WireGuard to establish the VPN.


Put NPM and Headscale on the same Docker network.

Try FRP (fast reverse proxy) instead.
