Note that in some circumstances, certain Operating Systems (Windows and Android) might not resolve these CNAMEs correctly. See this ongoing GitHub issue for more information if you run into issues. github.com/tailscale/tailscale/issues/7650
@@MrLurker101 please read “GNU/Linux distributions” then, or as I've recently taken to calling it, GNU plus Linux. Android isn’t based on another OS, it’s its own OS. it just happens to use the same kernel as GNU/Linux which isn’t relevant here as this a userspace issue as far as I can tell.
I really appreciate the way you explain things. You do such a great job of explaining these things in a way that gives detail in a way that makes sense to people with a range of technical detail. I have a pretty strong technical background but it still bothers me when companies do the whole “step 1, draw some circles. Step 2, draw the rest of the owl” kind of tutorials. There aren’t enough people on the internet with positive feedback so I wanted to make sure to take a moment for it on this. Please keep these coming and keep up the good work, I for one really appreciate it.
@@TailscaleHonestly, little tid bits like that would make for some good technical content. Just like "10 things that make sense when using Tailscale". I just got started playing around with TS around Christmas and my current "solution" was that I registered my coredns server as a node on the tailnet and I serve a different view if the DNS query comes from within the tailnet. Then the hostnames get resolved to the actual tailnet IPs of the node, otherwise the local network address. I mean it works, but just using CNAMEs is so much easier lol
This concept just suddenly became clear. Thank you for the instructions on how to do this. Was unhappy exposing certain services to the entire internet, but this video has clarified how this can be avoided. Nicely done.
This is perfect! I was just about to do this with immich, tailscale, and a reverse proxy, but I had no idea how to set it up. It's like this video was explicitly made for me!
I use to have cloudflare as my DNS server. Now I host my own technitium DNS server, and I configured tailscale to enforce that as the DNS server. In technitium I am using the split dns app, which allows me resolving to both tailscale and my lan IPs, depending where the client is connecting from. Works great.
Thanks Alex, thanks Tailscale! I got into Tailscale from listening to the "Self-Hosted"-Podcast (which I still listen to and enjoy very much!) and have been using it for ~1 year, but using it more like a traditional VPN (host to host, between my home-automation server, my pi-hole rasp. etc.). So as my autumn learning project I have decided to a) do from docker to podman and b) spin up pods, or rather services/apps that are in containers&pods - so that they become accessible on my tailnet, independently of the underlying host. SO just wanted to say that this video was just what I needed ! Have a good one!
Brilliant. I've used tailscale for a family jellyfin server for our movies and shows, image syncing with photosync so it syncs my photos and videos from my phone to my hard drive from anywhere. Then I have a mini pc with a big 12TB hard drive connected with tailscale for personal cloud storage, accessible from any device. I use CX file explorer from my android phone and tablet to access my files on it. It has an upfront outlay but much much cheaper than any cloud storage (and larger). Plus I've got some other apps I'm experimenting with. Really brilliant piece of software. I've never come across something so practical and intuitive for networking devices.
Great video, this is what i do as well but i use nginx proxy manager as a reverse proxy. Overall works great exposing my docker containers but there is something I would like to do, is there any way to grant permission to a user only for one port? So i dont have tp grant them access to every system i have on my side. This would be better for security as well in case their device is somehow compromised
As I listened to you describe a reverse proxy (I've also struggled with how to think of them). I just had the thought. A normal proxy is where you go from one to many (think a system behind a proxy server that goes to many web sites or services). Which makes it simple to think of its reverse as going from many to one (think of many remote end users hitting a service behind a proxy). Doesn't really matter how the underlying tech makes that work, if you just think of it this way.
Alex! to my knowledge, every person is asking about caddy configuration thing, which is ofcourse unclear to us all and not able to accomplish what is demonstrated in the video
Video's like this were very much needed, nice one 👍 Really pleased to see Immich getting more attention - I haven't had a successful install using TrueNAS Scale, but I'm definitely keen to try it again very soon. Just about domains, but here in the UK I found OVH, super cheap. I've only used it for a casual use, but the ovh domain itself is very cheap. ...and after years of listening to Alex's podcasts, funny to actually see what he looks like!
What's the difference between using Caddy and a custom domain, vs just connecting to the service using the tailscale full domain and IP port? And how is that different from using a Funnel? Is there a way to share a service (like Plex) that is behind CGNAT without needing to share the caddy instance, if someone's device that may not have a native tailscale client (like Fire TV)?
I have the same question, to me the the direct funnel with the tailnet's fqdn open to internet makes more sense as in it is only for personal use and no one really cares what the actual domain is, right? Were you able to find any other solid difference from what I just stated?
The way I’ve setup this is, bind9 running on same device I’ve Tailscale and traefik. Using tailnet ip as custom dns on the shared tailnet. Works like charm
Can someone help me understand why we would use Caddy once we're on Tailscale? Is it necessary to resolve the requested subdomain to the correct port on the origin server?
Did you use a CNAme or A record? I could only get it to with an A record entry with the Tailscale node ip in it for a value. When I tried CNAME with Tailscale dns name I couldn’t get it to work.
@@uidx-bob Ah! thank you for this comment. Same thing, had to use an A record with the IP address to get it work. Using a CNAME with the Tailscale FQDN was not connecting for me.
There's a GitHub issue where you can track the status of this long running feature request. It's a surprisingly intricate thing to do right, so for now you'll have to "make do" with the "workaround" shown in the video. github.com/tailscale/tailscale/issues/4221
A very severe problem is the latency Tailscale turning from idle state to direct connecting. Based on the fundamental behavior of Tailscale, client will firstly try to create a connection over DERP. After a faster, direct connection is created, the Tailscale tunnel turns into direct. This process needs several seconds and I believe the latency would influence the quality of service or user experience. If there is an option which enable keeping alive, this problem could be mitigated.
I use this same setup but will actually expose a few things directly to the internet instead. Me and wife have massive battery problems with tailscale on android which is just not worth it. Eats like 20 percent of battery per day. Will expose home assistant directly through caddy and mutual tls when coming from outside network.
@Tailscale this is all really good stuff! Is there a way to build a Cloudflare tunnel with our tailscale domain ? I want to expose both TCP and UDP ports but funnel only allows TCP exposure
Hi Alex.. I followed your video and set up my Jellyfin server through Tailscale and everything works well if connected via Tailscale client. But when I try to connect to it locally through Pihole as local DNS pointing to my Caddy internal IP address it connect when using Firefox or any other browser but it won't connect via Swiftfin or Infuse App on Iphone or Ipad. Can you please advise me how to correct this cause I don't want to connect locally via Tailscale and want to use the same domain name to connect to Jellyfin remotely (Tailscale) or locally.
Technically it isn't _required_ for node sharing, but doing it this way means only sharing one node with relatives or friends. Caddy at this time is require for custom domain support as Tailscale itself only supports the `ts.net` names we generate for you.
Excellent tutorial! I was able to get this working running everything on my Raspberry PI - but I've run into one problem: my Windows machine can't resolve the DNS of my routes correctly but my Linux ones can. When I try to run NSLookup on windows the magicdns daemon tells me that my domain (reachable from Linux boxes in my tailnet) is a non-existent domain. Any ideas what that could be about?
When sharing a node such as caddy to a friend using this method, do they access content directly (as in peer-to-peer) or does it go via Tailscale relays? I just wondered if there would be any bandwidth or speed limitations using this method?
Hi Alex, how can I add a caddy node to my tailnet as shown in this video? Can it be the same as the Ubuntu one...? Still confuse about this. Also what is the best channel/way to ask beginner questions about Tailscale? Thanks a lot!
I have a question and I don't know where to ask it....hahahaha, so the only thing I don't get from tailscale... Say I have 2 nodes, each of them behind NAT. How does my traffic flows when I choose one as exit node? All my traffic goes to tailscale servers and back and forth to the nodes? Or is there a way to bond the 2 connections together once the conversion is written in each table on the home routers, and therefore tail scale is just used for the "handshake"?
Ok, so if I’m not wrong… Tailscale server is only used during the handshake ( exchange of WireGuard profile) right? From that point on, via NAT-T the communication is done directly NAT to NAT, right? For what I have read, there is an special udp/4500 always open that manages this NAT routing problem, right?
Thank you so much for this walk through! I have everything working with one exception. If I add a new entry to caddy, it will not get a cert from letsencrypt for that service unless I issue "tailscale down" and restart caddy. Restarting caddy with tailscale still connected results in not getting a cert. With tailscale down, It then grabs the cert and I can "talescale up" and everything works. Any advice on how to fix that?
Update: I am not trying to reverse proxy to anything using magic DNS. None of my services are directly connected to tailscale. I was able to fix the issue by issuing "tailscale set --accept-dns=false". Caddy is now able to get certs with tailscale running. If someone can tell me what I may have boogered up in tailscale in terms of DNS to cause this failure, I am all ears!! LOL
I want to have specific website to go though tailscale not whole domain or sub domains. do you have anything to configure same? I tried but https isn't working
Not sure if anyone will answer after 8 months. But, what's the difference between doing this VS. Just adding an "A record" of the domain in Cloudflare with IP server of the node and including CF DNS in Tailscale? Seems to be doing the same? (at least to me watching this video)
Wow I follow this and do "caddy reload --config /etc/caddy/Caddyfile" But all way get errors. Error: adapting config using caddyfile: /etc/caddy/Caddyfile:9: unrecognized directive: reverse_Proxy so I put a # before that then run the command again. and get this error: Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': getting module named 'dns.providers.cloudflare': module not registered: dns.providers.cloudflare, at /etc/caddy/Caddyfile:4 import chain ['/etc/caddy/Caddyfile:10 (import cloudflare)'] Been at this about a week now. Just want to get my own domain and then with https. Got CloudFlare as my domain name and put the A record as the tailscale 100 ip. So I can to to my domain name but not https. Can you pay your to help maybe make a log in for you to get it working?
The only part I can't figure, is the caddy server listening at the address of the tailnet right? Or is it listening at all the interfaces, like 0.0.0.0:80? Although, if caddy is listening at 0.0.0.0, then tailscale wouldn't even be required 😵
Caddy in this example is running as an LXC container meaning it is a standalone node on the Tailnet. In this example, Caddy is listening on 0.0.0.0 in the LXC container. Tailscale is required for remote devices to be able to resolve the CNAME and route the traffic to Caddy.
Great video! I was trying to follow the instruction but currently stuck on finding the cloudflair tls dns key. Could you tell me where I would find that cloudflair dashboard ? thank you
Can you comment on what I’d use in place of my Tailnet name if I was trying to configure this via Headscale? Would the IP of my Tailscale LXC do the trick?
Great video, i was looking to replace my cloudflare vpn with tailscale, and this video opened my eyes. Just to confirm, the cname record you created in Cloudflare is only accessible over the tailscale network, correct? If so, can anyone using the tailscale network DNS resolve that cname?
If you want to use the provided tailnet domain it’s as easy as that. You only need to add the extra complexity if you want to use an external custom domain.
Each device in your tailnet makes a best attempt at NAT traversal for establishing direct connections. So I would imagine that because there’s no middle man in that situation, performance would be better as you arent proxying all traffic via someone else.
I think one difference is with tunnel, you still open your service to the public, but with Tailscale, only people who joined your telnet can access the service.
I believe one advantage this solution has over cloudflare tunnels is when you use cloudflare tunnels your terminating at the cloudflare managed proxy. At that point you are exposing your traffic.
To my understanding, any nameserver would do it, so you could use GoDaddy. They aren't using CF proxying for those CNAME records in this video, so CF is just providing some fast nameservers (I think direct access disables most other CF features).
Thanks for the video. But I don't understand everything. 1- What is *rdu, do I have to use it? 2- where do I get the Cloudflare token. I can't find it on my account.
*rdu is just a wildcard and a name it could be anything *.self, *.nounderstanding, *.moreexplinationplease *.seriouslyyourgithubdocsarntcomplete. you get the idea and good question about the Cloudflare token, it feels important yet we have no info on it....
@@patrickskillin1798at least you have a sense of humor! I’ll get the docs a bit more polished back in the office tomorrow for you, and I’ll add a little more info on the api token. 😅
Why do you use a public domain that redirects to the private Tailnet domain? Wouldn't it work just the same without a public domain by using the private Tailnet domain directly? Also, it's one piece less of metadata leaked to the public internet, and saves domain costs, management and configuration. EDIT: The answer is yes, as written in another comment "If you want to use the provided tailnet domain it’s as easy as that. You only need to add the extra complexity if you want to use an external custom domain". ua-cam.com/video/Vt4PDUXB_fg/v-deo.html&lc=UgyF1gVItm8tYaCAzXF4AaABAg.A2dSWwSEgRmA2eAoSMFLFW
While this is very nice, I can't imagine any relative bothering... It's hard enough to get people to click on a Google photos link. Creating an account, installing tailscale, then clicking on the link, then installing the app but not clicking on the link anymore... I understand the logic, but real talk most people over 40 barely know how to send an email.
What about Okta or OpenID Connect (OIDC) for your identity provider? Or consider self-hosting with Headscale? Tailscale argues "By design, Tailscale is not an identity provider-there are no Tailscale passwords. Using an identity provider is not only more secure than email and password, but it allows us to automatically rotate connection encryption keys, follow security policies set by your team (for example, MFA), and more."
what a bummer.... too much work. i upload my photos on google drive, right click and copy the link. anyone can watch it. i cant send my relatives with no cpmputer a video tutorial. they dont even know how to turn on a pc. way too complicated. this should be something i install on my NAS and then i generate 1 link to share for whomever has this link.
Note that in some circumstances, certain Operating Systems (Windows and Android) might not resolve these CNAMEs correctly. See this ongoing GitHub issue for more information if you run into issues.
github.com/tailscale/tailscale/issues/7650
Another reason to use Linux then 🎉
@@Batwam0 Android is based on what os?
@@MrLurker101 please read “GNU/Linux distributions” then, or as I've recently taken to calling it, GNU plus Linux.
Android isn’t based on another OS, it’s its own OS. it just happens to use the same kernel as GNU/Linux which isn’t relevant here as this a userspace issue as far as I can tell.
@@Batwam0 I noticed this issue on my Debian 12 systems and FreeBSD 14 as well.
I noticed this on windows 11, debian 12, and FreeBSD 14.
I really appreciate the way you explain things. You do such a great job of explaining these things in a way that gives detail in a way that makes sense to people with a range of technical detail. I have a pretty strong technical background but it still bothers me when companies do the whole “step 1, draw some circles. Step 2, draw the rest of the owl” kind of tutorials. There aren’t enough people on the internet with positive feedback so I wanted to make sure to take a moment for it on this. Please keep these coming and keep up the good work, I for one really appreciate it.
Thanks for teaching me how to draw an owl.
O.O
Setting a CNAME record in Cloudflare to an FQDN on the tailnet felt like a switch in my brain just clicked and everything made sense.
What would you have done if the whole video was 17 seconds long just saying that? :)
@@TailscaleHonestly, little tid bits like that would make for some good technical content. Just like "10 things that make sense when using Tailscale".
I just got started playing around with TS around Christmas and my current "solution" was that I registered my coredns server as a node on the tailnet and I serve a different view if the DNS query comes from within the tailnet. Then the hostnames get resolved to the actual tailnet IPs of the node, otherwise the local network address. I mean it works, but just using CNAMEs is so much easier lol
@@Tailscalehe is an idiot you have made a good video and I was using unraid with cloudflared tunnel now I know the importance of getting tailscale
@@Tailscalesounds like a good idea for a UA-cam short
Ditto
This concept just suddenly became clear. Thank you for the instructions on how to do this. Was unhappy exposing certain services to the entire internet, but this video has clarified how this can be avoided. Nicely done.
This is perfect! I was just about to do this with immich, tailscale, and a reverse proxy, but I had no idea how to set it up. It's like this video was explicitly made for me!
I use to have cloudflare as my DNS server. Now I host my own technitium DNS server, and I configured tailscale to enforce that as the DNS server. In technitium I am using the split dns app, which allows me resolving to both tailscale and my lan IPs, depending where the client is connecting from. Works great.
Oh wow! Is it possible to share with a tutorial how you did it?
Nice is the split DNS function natively built into technitium? Did you follow a guide or just figure it out?
Another BANGER from Alex. It is always a great time to learn more about Tailscale.
Hey! Idk what’s more awesome at this point, your content or your product. Mad kudos! Thank you so much!!
Thanks Alex, thanks Tailscale! I got into Tailscale from listening to the "Self-Hosted"-Podcast (which I still listen to and enjoy very much!) and have been using it for ~1 year, but using it more like a traditional VPN (host to host, between my home-automation server, my pi-hole rasp. etc.). So as my autumn learning project I have decided to a) do from docker to podman and b) spin up pods, or rather services/apps that are in containers&pods - so that they become accessible on my tailnet, independently of the underlying host. SO just wanted to say that this video was just what I needed ! Have a good one!
Awesome to hear! -Alex
Brilliant. I've used tailscale for a family jellyfin server for our movies and shows, image syncing with photosync so it syncs my photos and videos from my phone to my hard drive from anywhere. Then I have a mini pc with a big 12TB hard drive connected with tailscale for personal cloud storage, accessible from any device. I use CX file explorer from my android phone and tablet to access my files on it.
It has an upfront outlay but much much cheaper than any cloud storage (and larger). Plus I've got some other apps I'm experimenting with.
Really brilliant piece of software. I've never come across something so practical and intuitive for networking devices.
Do you have redundancy on that local 12TB? I'd hate for you to lose data if a hard drive crashes.
Noob here. How did you do that with jellyfin?
Great video, this is what i do as well but i use nginx proxy manager as a reverse proxy. Overall works great exposing my docker containers but there is something I would like to do, is there any way to grant permission to a user only for one port? So i dont have tp grant them access to every system i have on my side. This would be better for security as well in case their device is somehow compromised
As I listened to you describe a reverse proxy (I've also struggled with how to think of them).
I just had the thought.
A normal proxy is where you go from one to many (think a system behind a proxy server that goes to many web sites or services).
Which makes it simple to think of its reverse as going from many to one (think of many remote end users hitting a service behind a proxy).
Doesn't really matter how the underlying tech makes that work, if you just think of it this way.
Can't tell you how much I love tailscale!
Great video! It would be great if you could do a tutorial for Tailscale ACLs
Great suggestion!
Alex! to my knowledge, every person is asking about caddy configuration thing, which is ofcourse unclear to us all and not able to accomplish what is demonstrated in the video
Why not use the Funnel part of tailscale? Or did it not exist when this video was made?
I always learn something new with Sir Alex. Thanks!
Video's like this were very much needed, nice one 👍
Really pleased to see Immich getting more attention - I haven't had a successful install using TrueNAS Scale, but I'm definitely keen to try it again very soon.
Just about domains, but here in the UK I found OVH, super cheap. I've only used it for a casual use, but the ovh domain itself is very cheap.
...and after years of listening to Alex's podcasts, funny to actually see what he looks like!
What's the difference between using Caddy and a custom domain, vs just connecting to the service using the tailscale full domain and IP port? And how is that different from using a Funnel? Is there a way to share a service (like Plex) that is behind CGNAT without needing to share the caddy instance, if someone's device that may not have a native tailscale client (like Fire TV)?
I have the same question, to me the the direct funnel with the tailnet's fqdn open to internet makes more sense as in it is only for personal use and no one really cares what the actual domain is, right?
Were you able to find any other solid difference from what I just stated?
The way I’ve setup this is, bind9 running on same device I’ve Tailscale and traefik. Using tailnet ip as custom dns on the shared tailnet. Works like charm
There are good vides and there are great ones!
And then, there is this!
Great work Alex, keep raising that👙bar!
@Tailscale But how does caddy show up on Tailscale's machines list to begin with? That's the missing piece I'm not finding instructions for...
You'd have a VM or container running Caddy and authenticated to your Tailnet.
Can someone help me understand why we would use Caddy once we're on Tailscale? Is it necessary to resolve the requested subdomain to the correct port on the origin server?
I think you need to do this if you are accessing specific ports, as you are not port forwarding.
It would be great if you also show how to setup a custom domain with a caddy. Somehow i'm unable to set up the caddy with cloudflare configuration.
same here and requested Alex to do a video of caddy configuration.
Very interesting video I have tested it with My own domain and was working perfectly
Did you use a CNAme or A record? I could only get it to with an A record entry with the Tailscale node ip in it for a value. When I tried CNAME with Tailscale dns name I couldn’t get it to work.
CNAME was not working I use A record instead and works fine sorry that I didn't mention that before @@uidx-bob
@@uidx-bob Ah! thank you for this comment. Same thing, had to use an A record with the IP address to get it work. Using a CNAME with the Tailscale FQDN was not connecting for me.
@@Zylont which ipv4 address to use? public ipv4 of the localhost machine or ipv4 of tailscale (telnet)
Really looking forward to finally be able to use my own domain as my Tailnet domain. Any ETA on that?
There's a GitHub issue where you can track the status of this long running feature request. It's a surprisingly intricate thing to do right, so for now you'll have to "make do" with the "workaround" shown in the video.
github.com/tailscale/tailscale/issues/4221
A very severe problem is the latency Tailscale turning from idle state to direct connecting. Based on the fundamental behavior of Tailscale, client will firstly try to create a connection over DERP. After a faster, direct connection is created, the Tailscale tunnel turns into direct. This process needs several seconds and I believe the latency would influence the quality of service or user experience. If there is an option which enable keeping alive, this problem could be mitigated.
Nice video . What if tailscale offered a tunnel option to avoid the extra steps and extra applications
Would be helpful if you went through Caddy installation & setup
Your wish is my command. Future vid coming up on that. -Alex
@@Tailscale Thankyou Alex. trying to read all the comments. looking forward for it
@@Tailscale any update on this. ive spent a whole two days trying to get this to work but i'm struggling with the caddy configuration
Hi great video good explanation!!!
Tried to do the same but didn’t get to work spend hours and still nothing working
I use this same setup but will actually expose a few things directly to the internet instead. Me and wife have massive battery problems with tailscale on android which is just not worth it. Eats like 20 percent of battery per day. Will expose home assistant directly through caddy and mutual tls when coming from outside network.
You also might consider a manual wireguard connection for the two phones rather than tailscale.
@@ultravioletiris6241 does the manual wireguard app for Android use kernel mode ? Is it less battery intensive?
Thanks Alex, I've been wanting to do this for a while. Shame about Android devices though. 🤩
Would you create a tutorial for Traefik as well?
I'm curious what we are going to see if tailscale is not installed and just visit to its url. Does it return no resolve page?
@Tailscale this is all really good stuff! Is there a way to build a Cloudflare tunnel with our tailscale domain ? I want to expose both TCP and UDP ports but funnel only allows TCP exposure
Hi Alex.. I followed your video and set up my Jellyfin server through Tailscale and everything works well if connected via Tailscale client. But when I try to connect to it locally through Pihole as local DNS pointing to my Caddy internal IP address it connect when using Firefox or any other browser but it won't connect via Swiftfin or Infuse App on Iphone or Ipad. Can you please advise me how to correct this cause I don't want to connect locally via Tailscale and want to use the same domain name to connect to Jellyfin remotely (Tailscale) or locally.
Is Caddy required if your remote friend/family member just joins your Tailnet directly? and doesn't setup their own?
Technically it isn't _required_ for node sharing, but doing it this way means only sharing one node with relatives or friends. Caddy at this time is require for custom domain support as Tailscale itself only supports the `ts.net` names we generate for you.
How is this different from a Cloudflare tunnel ?
It’s not on the internet you need a vpn Tailscale to access it. Also with cloudflare tunnels there is a TOS issue streaming plex etc
Excellent tutorial! I was able to get this working running everything on my Raspberry PI - but I've run into one problem: my Windows machine can't resolve the DNS of my routes correctly but my Linux ones can. When I try to run NSLookup on windows the magicdns daemon tells me that my domain (reachable from Linux boxes in my tailnet) is a non-existent domain. Any ideas what that could be about?
When sharing a node such as caddy to a friend using this method, do they access content directly (as in peer-to-peer) or does it go via Tailscale relays? I just wondered if there would be any bandwidth or speed limitations using this method?
Tailscale does its best to establish direct connections whenever possible.
“Tailscale ping node” will tell you what route traffic is taking.
Hi Alex, how can I add a caddy node to my tailnet as shown in this video?
Can it be the same as the Ubuntu one...? Still confuse about this.
Also what is the best channel/way to ask beginner questions about Tailscale?
Thanks a lot!
Come to one of our live streams!
How would you handle SSL cert's with a CNAME? Does tailscale allow to add CNAMEs to certs?
I have a question and I don't know where to ask it....hahahaha, so the only thing I don't get from tailscale... Say I have 2 nodes, each of them behind NAT. How does my traffic flows when I choose one as exit node? All my traffic goes to tailscale servers and back and forth to the nodes? Or is there a way to bond the 2 connections together once the conversion is written in each table on the home routers, and therefore tail scale is just used for the "handshake"?
A bit old, but still at the core of how Tailscale works - this blog post should clear this up for you.
tailscale.com/blog/how-nat-traversal-works
Ok, so if I’m not wrong… Tailscale server is only used during the handshake ( exchange of WireGuard profile) right? From that point on, via NAT-T the communication is done directly NAT to NAT, right? For what I have read, there is an special udp/4500 always open that manages this NAT routing problem, right?
Thank you so much for this walk through! I have everything working with one exception. If I add a new entry to caddy, it will not get a cert from letsencrypt for that service unless I issue "tailscale down" and restart caddy. Restarting caddy with tailscale still connected results in not getting a cert. With tailscale down, It then grabs the cert and I can "talescale up" and everything works. Any advice on how to fix that?
Update: I am not trying to reverse proxy to anything using magic DNS. None of my services are directly connected to tailscale. I was able to fix the issue by issuing "tailscale set --accept-dns=false". Caddy is now able to get certs with tailscale running.
If someone can tell me what I may have boogered up in tailscale in terms of DNS to cause this failure, I am all ears!! LOL
@@Nate-D hmmm - perhaps you might investigate a wildcard for your domain? sorry i didn't find this condition in my testing! -alex
i tried doing the same way but not working. can access immich with tailscale provided domain, but not the cloudflare domain. help please
Thanks for the information. Is there anything else that needs to be in the CaddyFile to make Caddy function correctly? Thx
I'm wondering the same thing. Did you get this working?
I want to have specific website to go though tailscale not whole domain or sub domains. do you have anything to configure same?
I tried but https isn't working
If the caddy/host is running behind cgnat, will it use DERP/relay? Also the client are behind cgnat. Everyone is behind cgnat :'(
Noob question here, but if I'm using Headscale instead, what is my tailnet name?
Not sure if anyone will answer after 8 months. But, what's the difference between doing this VS. Just adding an "A record" of the domain in Cloudflare with IP server of the node and including CF DNS in Tailscale?
Seems to be doing the same? (at least to me watching this video)
It does the same thing you are right. Personal preference as to which route you prefer. Might be some nuance with FQDN stuff though.
@ Ah makes sense. Thanks alot!
Great background!
Nice tutorial as usual 😎👍🏻
Where does that token come from and how do i get mine
It's a Cloudflare API token.
developers.cloudflare.com/fundamentals/api/get-started/create-token/
@@Tailscale yeah i did know that but which permissions do i have to give it
@@pandadev_ anyone have the answer? i gave it all permissions, but i feel like that's overkill for this
How is this different from connecting with a direct tailscale IP address to the exact service just based on the port?
Trying to get my head around doing this with CloudFlare tunnels and TS. Is it possible?
Is it possible to do this with Tailscale running on Docker without using network_mode: host?
The part I can't figure out is how you added caddy as a node. I've been searching for hours/
It's just a machine with caddy and tailscale properly connected to the tailnet. The node is simply called "caddy" for simplicity.
Wow I follow this and do "caddy reload --config /etc/caddy/Caddyfile" But all way get errors.
Error: adapting config using caddyfile: /etc/caddy/Caddyfile:9: unrecognized directive: reverse_Proxy so I put a # before that then run the command again. and get this error:
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': getting module named 'dns.providers.cloudflare': module not registered: dns.providers.cloudflare, at /etc/caddy/Caddyfile:4 import chain ['/etc/caddy/Caddyfile:10 (import cloudflare)']
Been at this about a week now. Just want to get my own domain and then with https. Got CloudFlare as my domain name and put the A record as the tailscale 100 ip. So I can to to my domain name but not https.
Can you pay your to help maybe make a log in for you to get it working?
do you have a tutorial on setting up a proxima ubutu server?
The only part I can't figure, is the caddy server listening at the address of the tailnet right? Or is it listening at all the interfaces, like 0.0.0.0:80? Although, if caddy is listening at 0.0.0.0, then tailscale wouldn't even be required 😵
Caddy in this example is running as an LXC container meaning it is a standalone node on the Tailnet. In this example, Caddy is listening on 0.0.0.0 in the LXC container. Tailscale is required for remote devices to be able to resolve the CNAME and route the traffic to Caddy.
@@Tailscale I have caddy running in docker on a debian vm. Do I need to adjust for this? I can't get it to work.
Great video! I was trying to follow the instruction but currently stuck on finding the cloudflair tls dns key. Could you tell me where I would find that cloudflair dashboard ? thank you
Never mind I found the inst. on how to get the API key.
Great video, but i think you are omitting quite the rabbithole of getting the cloudflare module into Caddy....
It’s certainly an unusual system. But I wrote an ansible role years ago that handles it for me.
@@Tailscale which permissions does your CF API have? Zone.Zone.Read and Zone.DNS.Edit?
Does this also work if you’re using cloudflare tunnels?
There's a bandwidth limit on cloud flare tunnels you wouldn't be able to stream any media or watch videos etc
Can you comment on what I’d use in place of my Tailnet name if I was trying to configure this via Headscale? Would the IP of my Tailscale LXC do the trick?
You figure this out? Trying to understand the same thing.
Great video, i was looking to replace my cloudflare vpn with tailscale, and this video opened my eyes. Just to confirm, the cname record you created in Cloudflare is only accessible over the tailscale network, correct? If so, can anyone using the tailscale network DNS resolve that cname?
The CNAME itself is public but only routable via Tailscale (and more specifically, your Tailnet).
Dang, saw this twice and still don't get it. Can't the host and the user just use tailscale and be done? What am I missing?
If you want to use the provided tailnet domain it’s as easy as that. You only need to add the extra complexity if you want to use an external custom domain.
Why use Caddy vs. say NGINX reverse proxy server? Is it better?
The Caddy config file is much simpler and you don't need to provide ACME integration yourself like you do with nginx.
Nice. But where is the nix module for this? ;)
PRs welcomed ;)
Really interesting. I have been doing this with cloudflare tunnels. Whats the advantage to do this with tailscale instead?
Each device in your tailnet makes a best attempt at NAT traversal for establishing direct connections. So I would imagine that because there’s no middle man in that situation, performance would be better as you arent proxying all traffic via someone else.
Very interesting. More reading to do! Loving the content!
I think one difference is with tunnel, you still open your service to the public, but with Tailscale, only people who joined your telnet can access the service.
Same here but this actually makes me thing of alternatives. This is why I've been loving Tailscale, makes me re-think my solutions
I believe one advantage this solution has over cloudflare tunnels is when you use cloudflare tunnels your terminating at the cloudflare managed proxy. At that point you are exposing your traffic.
Hi, noob here. So I own my domain at godaddy. Do I need to use cloudflare? Or is it possible to configure the DNS at godaddy?
To my understanding, any nameserver would do it, so you could use GoDaddy. They aren't using CF proxying for those CNAME records in this video, so CF is just providing some fast nameservers (I think direct access disables most other CF features).
Any authoritative DNS server for your domain will do. Cloudflare as shown, is just an example. Godaddy should work but YMMV :angel:
Nice KEF LS50s ;)
cam i do the same with route53 as dns provider???
More than likely yep!
Can i do it on someones TV?
Thanks for the video. But I don't understand everything. 1- What is *rdu, do I have to use it? 2- where do I get the Cloudflare token. I can't find it on my account.
Firstly, you should have a good understand of DNS and its application. CNAME type is the core concept.
*rdu is just a wildcard and a name it could be anything *.self, *.nounderstanding, *.moreexplinationplease *.seriouslyyourgithubdocsarntcomplete. you get the idea
and good question about the Cloudflare token, it feels important yet we have no info on it....
@@littlenewton6 That's helpfull.
@@patrickskillin1798at least you have a sense of humor! I’ll get the docs a bit more polished back in the office tomorrow for you, and I’ll add a little more info on the api token. 😅
Thank you, it is truly appreciated.@@AlexKretzschmar
props you don't pronounce ubuntu as ubantu. thumbs up.
so they need to have tailscale before they can access my website? its not possible without it?
not available for webos
I cannot get this to work for the life of me.
Why do you use a public domain that redirects to the private Tailnet domain? Wouldn't it work just the same without a public domain by using the private Tailnet domain directly? Also, it's one piece less of metadata leaked to the public internet, and saves domain costs, management and configuration.
EDIT: The answer is yes, as written in another comment "If you want to use the provided tailnet domain it’s as easy as that. You only need to add the extra complexity if you want to use an external custom domain". ua-cam.com/video/Vt4PDUXB_fg/v-deo.html&lc=UgyF1gVItm8tYaCAzXF4AaABAg.A2dSWwSEgRmA2eAoSMFLFW
While this is very nice, I can't imagine any relative bothering... It's hard enough to get people to click on a Google photos link. Creating an account, installing tailscale, then clicking on the link, then installing the app but not clicking on the link anymore... I understand the logic, but real talk most people over 40 barely know how to send an email.
40? doubtful. 60 maybe but 40 is way too young.
Whoa! That's a bit ageist! 😂 But you're right, they'd definitely have to be keen and a quite savvy at the other end.
UA-cam short version please? 😊
You know, i appreciate this, but holy crap is caddy ridiculous to install
Why the actual eff can you not make an account with Tailscale without using a big tech account? That's so stupid it's basically offensive.
What about Okta or OpenID Connect (OIDC) for your identity provider?
Or consider self-hosting with Headscale?
Tailscale argues "By design, Tailscale is not an identity provider-there are no Tailscale passwords. Using an identity provider is not only more secure than email and password, but it allows us to automatically rotate connection encryption keys, follow security policies set by your team (for example, MFA), and more."
#unraidmasterrace
what a bummer.... too much work. i upload my photos on google drive, right click and copy the link. anyone can watch it. i cant send my relatives with no cpmputer a video tutorial. they dont even know how to turn on a pc. way too complicated. this should be something i install on my NAS and then i generate 1 link to share for whomever has this link.
Hi, I would like to invite you to do a video issue for our products, how can I contact you?