nuc/.artifacts/2026-02-01_21-35_tailscale-funnel-https.md
Alejandro Gutiérrez 59944e9144 Add infrastructure setup artifacts (Feb 1-3)
Session notes covering Gitea-Coolify webhook fixes, NocoDB/Vaultwarden
credentials, Stalwart mail server setup, Snappymail config, WhyRating
databases and email, CloudBeaver deployment, and Turbostarter setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 15:17:04 +01:00


Tailscale Funnel - HTTPS for NUC Services

Date: 2026-02-01 21:35
Context: Using Tailscale Funnel to expose NUC services with automatic HTTPS

Why Tailscale Funnel?

| Method | Pros | Cons |
|---|---|---|
| Tailscale Funnel | No ports on router, auto HTTPS, handles dynamic IP | Limited to 3 ports |
| Cloudflare Tunnel | Many features, DDoS protection | Spanish ISPs block shared IPs during LaLiga |
| Port forwarding | Full control | Exposes router, needs DDNS, manual certs |

Key advantage: Tailscale Funnel works even when Cloudflare IPs are blocked by ISPs.

Tailscale Container

# Container name (managed by Coolify)
tailscale-posgwooww0s0c0okssooc4gw

# Execute commands in container
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale <command>"

Funnel Basics

Supported Ports (ONLY these work)

  • 443 - Default HTTPS
  • 8443 - Alternate HTTPS
  • 10000 - Third option

Any other port will fail with an error.

Public URL

https://nuc-tailscale.tail58f5ad.ts.net[:port]

Commands

Check Current Status

ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"

Expose a Service (Background)

# Port 443 (default) - expose Homepage
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg http://192.168.1.3:3000"

# Port 8443 - expose Vaultwarden
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=8443 http://192.168.1.3:8222"

# Port 10000 - expose another service
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=10000 http://192.168.1.3:8080"

Stop a Funnel

# Stop port 443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=443 off"

# Stop port 8443
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=8443 off"

Reset All Funnels

ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel reset"

Current Configuration

https://nuc-tailscale.tail58f5ad.ts.net (port 443)
└── / → http://127.0.0.1:3000 (Homepage)

https://nuc-tailscale.tail58f5ad.ts.net:8443
└── / → http://192.168.1.3:8222 (Vaultwarden)

Important Notes

Use Host IP, Not localhost

When proxying to services outside the Tailscale container:

# WRONG - localhost refers to inside the container
http://localhost:8222

# CORRECT - use NUC's actual IP
http://192.168.1.3:8222

# ALSO WORKS - if on same Docker network
http://host.docker.internal:8222  # May not resolve in all containers

Persistence

Funnels configured with --bg persist until one of the following happens:

  • The funnel is manually stopped
  • The container restarts
  • Tailscale logs out

For true persistence across container restarts, add to Coolify's container startup or use a cron job.
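
The persistence note above, combined with the three-port limit and the host-IP rule, as a re-apply script. This is an added example, not part of the original notes; running it on the NUC itself (from cron or a startup hook) and the `--apply` switch are assumptions.

```bash
#!/bin/sh
# Added example (not from the original notes): re-apply Funnel mappings after
# a container restart. Assumed to run on the NUC itself (cron or startup hook).
CONTAINER="tailscale-posgwooww0s0c0okssooc4gw"  # container name from the notes

# Desired state, one "https_port target_url" per line (values from the notes).
FUNNELS="443 http://192.168.1.3:3000
8443 http://192.168.1.3:8222"

# validate_mapping PORT URL: return 0 if usable, else 1 with a reason on stderr.
validate_mapping() {
  case "$1" in
    443|8443|10000) ;;
    *) echo "reject port $1: Funnel only allows 443, 8443, 10000" >&2; return 1 ;;
  esac
  case "$2" in
    *[!A-Za-z0-9:/._-]*) echo "reject $2: unexpected character in target" >&2; return 1 ;;
    http://*|https://*) ;;
    *) echo "reject $2: expected an http:// or https:// target" >&2; return 1 ;;
  esac
  host=${2#*://}; host=${host%%[:/]*}   # strip scheme, then port and path
  case "$host" in
    localhost|127.*) echo "reject $2: loopback is the Tailscale container" >&2; return 1 ;;
  esac
}

# build_commands MAPPINGS: print one command per mapping; return 1 if any
# mapping is rejected or a port is listed twice.
build_commands() {
  seen=" "; rc=0
  while read -r port url; do
    [ -z "$port" ] && continue
    if ! validate_mapping "$port" "$url"; then rc=1; continue; fi
    case "$seen" in
      *" $port "*) echo "reject port $port: listed twice" >&2; rc=1; continue ;;
    esac
    seen="$seen$port "
    echo "docker exec $CONTAINER tailscale funnel --bg --https=$port $url"
  done <<EOF
$1
EOF
  return "$rc"
}

# Dry run by default; --apply executes only when every mapping passed.
case "${1:-}" in
  --apply) cmds=$(build_commands "$FUNNELS") && printf '%s\n' "$cmds" | sh ;;
  *) build_commands "$FUNNELS" ;;
esac
```

Without arguments the script only prints the commands it would run, so the mapping list can be reviewed before anything is published.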

Services Requiring HTTPS

Some services need HTTPS to function, because browsers expose the APIs they rely on (such as the Web Crypto API) only in secure contexts:

  • Vaultwarden/Bitwarden - Password encryption
  • WebAuthn/Passkeys - Authentication
  • Service Workers - PWA features
  • Geolocation API - Location access

Quick Reference

| Service | Local URL | Funnel Command | Public URL |
|---|---|---|---|
| Homepage | http://192.168.1.3:3000 | funnel --bg http://192.168.1.3:3000 | https://nuc-tailscale.tail58f5ad.ts.net |
| Vaultwarden | http://192.168.1.3:8222 | funnel --bg --https=8443 http://192.168.1.3:8222 | https://nuc-tailscale.tail58f5ad.ts.net:8443 |

Troubleshooting

"invalid port"

Only ports 443, 8443, 10000 are allowed for Funnel.

"connection refused"

  • Service not running on target port
  • Wrong IP (use 192.168.1.3, not localhost)
  • Firewall blocking connection

Funnel not accessible

# Check if Funnel is enabled on Tailscale admin
# https://login.tailscale.com/admin/machines

# Verify funnel status
ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"