It feels like magic to have no open ports on my router and still be able to access all of my self-hosted services. Jotting down a few notes here on how I approached this.
First off, my primary server that I self-host all of my services on is always running a VPN, so I don’t have Tailscale running on that. Instead, I have Tailscale running on a Raspberry Pi that only runs Nginx (to forward proxy requests to the internal server) and Pi-hole.
The Nginx config has about a dozen hostnames, so I use Nginx Proxy Manager running in a Docker container on the Raspberry Pi to keep the host forwarding organized. I then set up hostnames on my DNS service (I’m grandfathered into a free DynDNS account) to point various hostnames like “music.Myselfhosteddomain.net” at the Tailscale IP of my Raspberry Pi. I also have those same hostnames mapped to the internal IP of my Raspberry Pi using Pi-hole’s DNS server, so I don’t need to run Tailscale when at home. This has proved to be a super elegant and easy-to-manage solution.
The only challenge was getting Home Assistant to do some forwarding magic, which took me a while to sort out in Nginx Proxy Manager because I needed to add some custom fields, and there’s not a whole lot of documentation, so I’m posting here in case anyone runs into this issue. Note that I’m using hostnames for the forwarding (e.g. “home.myselfhosteddomain.com”) and not location-based forwarding like “server.myselfhosteddomain.com/home_assistant”, so you may need to tackle this differently if doing the latter. I figure I can create limitless hostnames, plus it makes managing/saving passwords in Keychain a lot easier to just use a different hostname for each service.
The other important step is to enable WebSockets support, which you can do through the NPM interface.
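For anyone who wants to see what NPM is generating under the hood, here is an added example (not the custom fields from this post, and not NPM’s own generated file) of a minimal Nginx proxy config for a Home Assistant hostname: the WebSocket upgrade directives that the “Websockets Support” toggle adds, plus the forwarding headers Home Assistant needs to see the real client address. The upstream address `192.0.2.10`, the hostname and the plain-HTTP listener are placeholders/assumptions; the Home Assistant port 8123 is its default.

```nginx
# Added example, not the configuration from the post or from NPM.
# Assumes: HA on the internal server at 192.0.2.10:8123 (placeholder),
# the Pi is the only proxy in front of it, and clients reach the Pi
# over the tailnet or the LAN, so no public TLS listener is needed.
events {}

http {
    # Pass through a real WebSocket upgrade, otherwise send a normal
    # keep-alive connection header. This is what "Websockets Support"
    # turns on for a proxy host.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 80;
        server_name home.myselfhosteddomain.com;   # hostname pattern from the post

        location / {
            proxy_pass http://192.0.2.10:8123;     # placeholder internal HA address

            # WebSocket upgrade (HA's frontend and companion app need this)
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # Forwarding headers so HA logs/bans the real client, not the Pi
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Long-lived WebSocket sessions: don't let the default 60s
            # read timeout drop an idle dashboard connection.
            proxy_read_timeout 3600s;
        }
    }
}
```

Home Assistant rejects proxied requests unless its `http:` section in `configuration.yaml` has `use_x_forwarded_for: true` and a `trusted_proxies:` list. List only the Pi’s LAN and Tailscale addresses there, not a catch-all range: `trusted_proxies` is what makes HA believe the `X-Forwarded-For` header, so anything beyond the actual proxy lets a client spoof its own source address in HA’s logs and login-attempt limits.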
I had created SSL certs for most of my hostnames prior to spinning up Tailscale, but I no longer need them as I’m not accessing them from the outside on port 443 any more, so that should save me a little bit of maintenance overhead moving forward.
I spent some time writing personal automations on my iPhone to connect/disconnect from Tailscale when I leave the house/connect to my car’s audio (I self-host my music library and use play:sub when driving), but then later learned that under Tailscale settings there’s a “VPN on Demand” section that may handle this better, so I’m still fiddling with this.
Now to create some dashboards!