# Tailscale Funnel - HTTPS for NUC Services

**Date:** 2026-02-01 21:35

**Context:** Using Tailscale Funnel to expose NUC services with automatic HTTPS

## Why Tailscale Funnel?

| Method | Pros | Cons |
|--------|------|------|
| **Tailscale Funnel** | No ports on router, auto HTTPS, handles dynamic IP | Limited to 3 ports |
| Cloudflare Tunnel | Many features, DDoS protection | Spanish ISPs block shared IPs during LaLiga |
| Port forwarding | Full control | Exposes router, needs DDNS, manual certs |

**Key advantage:** Tailscale Funnel works even when Cloudflare IPs are blocked by ISPs.

## Tailscale Container

```bash
# Container name (managed by Coolify)
tailscale-posgwooww0s0c0okssooc4gw

# Execute commands in container
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale <command>"
```

## Funnel Basics

### Supported Ports (ONLY these work)

- **443** - Default HTTPS
- **8443** - Alternate HTTPS
- **10000** - Third option

Any other port will fail with an error.

### Public URL

```
https://nuc-tailscale.tail58f5ad.ts.net[:port]
```

## Commands

### Check Current Status

```bash
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
```

### Expose a Service (Background)

```bash
# Port 443 (default) - expose Homepage
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg http://192.168.1.3:3000"

# Port 8443 - expose Vaultwarden
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=8443 http://192.168.1.3:8222"

# Port 10000 - expose another service
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=10000 http://192.168.1.3:8080"
```

### Stop a Funnel

```bash
# Stop port 443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=443 off"

# Stop port 8443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=8443 off"
```

### Reset All Funnels

```bash
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel reset"
```

## Current Configuration

```
https://nuc-tailscale.tail58f5ad.ts.net (port 443)
└── / → http://127.0.0.1:3000 (Homepage)

https://nuc-tailscale.tail58f5ad.ts.net:8443
└── / → http://192.168.1.3:8222 (Vaultwarden)
```

## Important Notes

### Use Host IP, Not localhost

When proxying to services outside the Tailscale container:

```bash
# WRONG - localhost refers to inside the container
http://localhost:8222

# CORRECT - use NUC's actual IP
http://192.168.1.3:8222

# ALSO WORKS - if on same Docker network
http://host.docker.internal:8222  # May not resolve in all containers
```

### Persistence

Funnels configured with `--bg` persist until:

- Manually stopped
- Container restart
- Tailscale logout

For true persistence across container restarts, add to Coolify's container startup or use a cron job.

### Services Requiring HTTPS

Some services need HTTPS to function (Web Crypto API):

- **Vaultwarden/Bitwarden** - Password encryption
- **WebAuthn/Passkeys** - Authentication
- **Service Workers** - PWA features
- **Geolocation API** - Location access

## Quick Reference

| Service | Local URL | Funnel Command | Public URL |
|---------|-----------|----------------|------------|
| Homepage | http://192.168.1.3:3000 | `funnel --bg http://192.168.1.3:3000` | https://nuc-tailscale.tail58f5ad.ts.net |
| Vaultwarden | http://192.168.1.3:8222 | `funnel --bg --https=8443 http://192.168.1.3:8222` | https://nuc-tailscale.tail58f5ad.ts.net:8443 |

## Troubleshooting

### "invalid port"

Only ports 443, 8443, 10000 are allowed for Funnel.

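
The port limit, the localhost caveat and the persistence note above can be combined into one pre-flight check; this is an added example, not part of the original notes. The function names and the `MAPPINGS` list are assumptions, while the container name, `nuc` ssh alias and URLs are the ones on this page; the script only prints commands.

```bash
#!/bin/sh
# Added example: validate Funnel mappings before applying them.
# Function names and MAPPINGS are assumptions, not from the original notes.
CONTAINER="tailscale-posgwooww0s0c0okssooc4gw"

# "<public port> <local target>" per line: everything listed here becomes
# reachable from the public internet, so keep it to what is meant to be public.
MAPPINGS="443 http://192.168.1.3:3000
8443 http://192.168.1.3:8222"

# Funnel only accepts these three public ports.
valid_funnel_port() {
  case "$1" in
    443|8443|10000) return 0 ;;
    *) return 1 ;;
  esac
}

# localhost/127.x would point inside the Tailscale container, so reject
# them and require an explicit http(s)://host:port target.
valid_target() {
  case "$1" in
    http://localhost*|https://localhost*|http://127.*|https://127.*) return 1 ;;
    http://*:*|https://*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the command for one mapping, or explain why it was rejected.
funnel_cmd() {
  valid_funnel_port "$1" || { echo "rejected: port $1 (allowed: 443, 8443, 10000)" >&2; return 2; }
  valid_target "$2" || { echo "rejected: target $2 (use the host IP and port)" >&2; return 3; }
  printf 'ssh nuc "docker exec %s tailscale funnel --bg --https=%s %s"\n' "$CONTAINER" "$1" "$2"
}

# Print commands for every mapping; non-zero if any line was rejected.
funnel_plan() {
  plan_rc=0
  while read -r plan_port plan_target; do
    [ -n "$plan_port" ] || continue
    funnel_cmd "$plan_port" "$plan_target" || plan_rc=1
  done <<EOF
$1
EOF
  return "$plan_rc"
}

funnel_plan "$MAPPINGS"
```

Review the printed commands, then pipe them to `sh` (for example from cron or a startup hook) to re-apply the funnels after a container restart.
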
### "connection refused"

- Service not running on target port
- Wrong IP (use 192.168.1.3, not localhost)
- Firewall blocking connection

### Funnel not accessible

```bash
# Check if Funnel is enabled on Tailscale admin
# https://login.tailscale.com/admin/machines

# Verify funnel status
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
```

## Related

- Tailscale Admin: https://login.tailscale.com/admin/machines
- CLAUDE.md: Public Access & Security Architecture section
- Vaultwarden credentials: `.artifacts/2026-02-01_21-25_vaultwarden-credentials.md`