1 yr. ago • 92%

Https on tailnet?

What's the easiest way to get https while still using my given tailnet as domain for accessing stuff? The tailscale documentation suggest to download certs to the server and point each service to those certs, but that seems like more work than it should..?

Is a reverse proxy the best option? Or what do people who use tailscale as vpn for their devices use?

I need to point certain services out and accessible to family members, will do this through funnel feature in tailscale, but want https set up before pointing anything out.

Appriciate any suggestions ✨

13 comments

Tailscalar here. Use tailscale serve. It is a reverse proxy inside tailscaled. It will handle HTTPS certificates for you too. As an example, here's a sample HTTP server proxied to both my tailnet via tailscale serve and to the world with Funnel.

Also as far as I know you need to use Serve in order to use Funnel.

13
- This does seem like the easiest option so far, i'll try to play around with this, thanks!
  
  4
  
  No prob! If you run into any problems, feel free to DM me or /u/tailscale@hachyderm.io. We're more than happy to help.
  
  4
The easiest way I found is to use caddy which already has tailscale support and will fetch a certificate for hosts behind your tailnet address.

4
- I might give Caddy a go if the response from @Mara doesn't work for me, thanks!
  
  2

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption
VPN	Virtual Private Network

[Thread #183 for this sub, first seen 3rd Oct 2023, 10:55] [FAQ] [Full list] [Contact] [Source code]

It's possible to host a dns server for your domain inside your tailnet, and offer dns responses like: yourwebserver.yourdomain.com = tailnetIP

Then using certbot let's encrypt with DNS challenge and api for your public dns provider, you can get a trusted certificate and automatically bind it.

Your tailnet users if they use your internal dns server will resolve your hosted service on your private tailnet ip and the bound certificate name will match the host name and everyone is happy.

There's more than one way though, but that's how I'd do it. If you don't own a domain then you'll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.

If your family can click the "advanced >continue anyway" button then you don't need to do anything but use a locally generated cert.

3
- Note my bias as I work for Big VPN (Tailscale), but I don't think that teaching people to ignore security warnings is a good thing to do. The CA system is kind of a scam in general, but I think that at least in its current implementation it's better for us to encourage people are aware of those errors and what they mean.
  
  As the sacred texts say: self-signed certificates beget the use of curl -k beget the use of self-signed certificates.
  
  5
  
  Yeah I also don’t want my folks to have to “ignore” the warnings either. So will defo have the https set up before giving them access.
  
  2
  
  Yeah I also don't want my folks to have to "ignore" the warnings either. So will defo have the https set up before giving them access.
  
  1
- Yeah I do not have a domain. I did before but for some reason i struggled to wrap my head around reverse proxies and domains. And I prefer to not have to pay for yet another service as I'm just a student :P
  
  1
  
  You can get domains for a few dollars per year. Go to tld-list.com and sort by renewal price.
  
  When I was in school, I used to pay for domains by doing online surveys that paid $1 per survey. Not sure if that's still a thing these days.
  
  2

You've viewed 13 comments.