Benjamin Lannon

Select a theme. Click on the overlay or the button again to exit

Setting up HTTPS in Tailscale in my home network

Posted on:

Over the 2nd half of this year, I have been transitioning from a lot of external services running on public clouds down to a private homelab. That said, I still want to access these services while I'm not at home. A feature I explored over the past few months in my VPN of choice Tailscale is it's HTTPS mode via Let's Encrypt.

Reasoning behind a lot of this is Tailscale is end-to-end encrypted by default, so any traffic between two clients is secure, but if I open a webpage, it thinks it is still unsecure as it is running over HTTP internally. The following goes into how with Tailscale you can generate SSL certs to make sure browsers also see the connection as secure as well.

Initial Setup

Tailscale has a page on it in general here: https://tailscale.com/kb/1153/enabling-https

The key thing is a command on their CLI: tailscale cert. It goes ahead and generates SSL public cert & private key pair for generic for each machine I'm hosting services. As I mentioned it uses Let's Encrypt to generate the certs (so certs need to be renewed every 90 days)

On clients that aren't exposing resources to the network, nothing needed to be done given using Let's Encrypt chain which all modern systems trust automatically.

Synology

With my NAS, I both added the Tailscale package available from Package Center in the Admin dashboard to get it in my VPN network. Following, you set up a scheduled task to run tailscale configure synology-cert which is a Synology specific wrapper around tailscale cert that then throws the certs in the proper directory so you can see the certs within the Synology Admin dashboard. on the in security page. you then can flip it to be either the default / enable it on an app-by-app basis.

For container-manager apps I have on my NAS (currently right now just a Jellyfin instance), I reverse proxy them out on a different port behind the HTTPS endpoint.

Home Assistant

Here's the plugin to get Tailscale set up on a HA installation: hassio-addons/addon-tailscale - GitHub

I followed the following YouTube tutorial from the official Tailscale channel: Remotely access Home Assistant via Tailscale for free! to then set up the reverse proxy option as a setting on this plugin. Behind the scenes it runs tailscale cert for you and then setup a reverse-proxy using the certs generated.

Kubernetes

Last of all, on one of my machines I have a single-node Kubernetes cluster within Docker Desktop. As part of the NGINX Ingress Controller, I just expose port 443 and then point it to a tls kubernetes secret which has the keypair created by running tailscale cert on my server. From there, anything exposed via that ingress is secure via https.

Conclusion

From all of this, I've gotten the majority of my services accessible on my private VPN such that no matter if I am home or not, I can still access all of the services mentioned above.