Tailscale is such a killer solution. We have the enterprise license for work and it eliminated so many time consuming tasks. At home it's running on my Apple TV acting as a subnet router - probably the most set-and-forget and low power solution out there.
To top this, we can self-host the Tailscale server with the Headscale open-source project.
@@nghiainthecloud yes headscale is great too if you don't mind the extra management effort.
I just have a pigeon carry a USB stick to the server. A bit of a hassle to set up, but at least I don't have to deal with CGNAT!
This is the optimal way
Jeff Geerling would agree
Oh your latency must suck! Also, error correction would be a royal pain in the ass too huh?
@@kwithAnd there are Hawks out there that try to DoS you!
Kkk
For my Jellyfin server I set up an SSH tunnel to an Oracle Cloud instance via a cobbled-together autossh Docker service. I'm pretty proud of it, and I learned how to make Docker containers in the process.
This setup looks a lot cleaner though.
Shhh. Don't talk about OCI always free tier. He has $43/mo VPS sponsors.
@@NetBandit70 only our savior owl reads the comments.
@@NetBandit70 OCI is $hit. My instances were destroyed 3 times without any reason.
I use Rathole on one of my OCI instances.
Lol idgaf what you use but they give me credits so I use them
Been using tailscale within my lab for a bit over a year. Solid bit of kit.
Big tru
It would be great to include Headscale in this video; paid Tailscale is not necessary when you are using hosted stuff ;) Thanks for the video! Very useful to see the Nginx Proxy Manager.
THANK YOU for this. I set up Cloudflare tunnels before realizing their limits on media types. Very easy to follow, and plus you gave me an excuse to spin up a Linode VPS and play around with it!
This was a good evolution: reverse proxy over WireGuard to nginx from Apache works well, fairly basic after you wrap your brain around it.
This is exactly what I've been doing for 3 years but using ZeroTier; works great.
I have Zerotier installed on my router and it acts as a bridge so I don't have to install the client on any of my home devices. Only my router.
Same here nothing compares
For years I was abusing torrent trackers as a "STUN server" for home VPN until ZeroTier.
Great video! This is something that I want to look into for work so it is good timing.
Depending on the use case, both Cloudflare tunnel and tailscale are viable options. Cloudflare is nice for simple sites like overseer or home assistant, but I would definitely use tailscale for services like jellyfin and Plex!
Yes, Tailscale Funnel works behind CGNAT; but for free, the ports are limited: 443 & 10000.
Lol those vps prices are insane nowadays. You can get dedicated servers with raid 1 for that money wtf.
I did try this a few weeks ago. Transfer speeds are not great compared to Cloudflare tunnels behind CGNAT.
Shucks. Were you using a VPS? Maybe their speeds aren’t good.
Make sure your tailscale is able to negotiate a direct connection without going through a relay.
@@GrishTech how to do that?
@@GrishTech it can't behind CGNAT.
I'll try this, thanks @@GrishTech
I've gotten around a shared external IPv4 by using the IPv6 address that was unique, and then doing a NAT from the IPv4 of my external server to the IPv6 of my home system.
Using NetBird instead of Tailscale because it is completely open source and it can be completely self-hosted. I'm still thinking about how I can make it so that the Nginx Proxy Manager web interface (port 81) can only be accessed via the private tunnel and not via the Internet. Shouldn't really be a problem. This would mean that it would no longer be a tragedy that Nginx does not support MFA.
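The restriction this comment is after (admin port 81 reachable only over the tunnel, never from the public side) is worth verifying on the VPS rather than assuming. Added shell example, not the commenter's or the video's code: the Tailscale address 100.64.0.5 and the `ss -ltn` samples are constructed placeholders.

```shell
#!/bin/sh
# Added example: check whether the NPM admin interface (port 81) is listening
# on a wildcard/public address instead of only the Tailscale address.
# Works on `ss -ltn`-style text so it runs offline; TS_ADDR is a placeholder.
# Note: a host firewall INPUT rule does not cover Docker-published ports
# (Docker inserts its own FORWARD rules), so bind the port to the tailnet
# address ("100.64.0.5:81:81" in docker-compose) or filter in DOCKER-USER.

TS_ADDR="${TS_ADDR:-100.64.0.5}"   # placeholder; `tailscale ip -4` on a real host
ADMIN_PORT=81

# listeners_for_port PORT: read `ss -ltn` output on stdin and print the
# "Local Address:Port" field of every LISTEN socket on PORT.
listeners_for_port() {
    awk -v port="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == port) print $4 }'
}

# admin_exposed SS_OUTPUT: return 0 (true) if port 81 listens on anything other
# than TS_ADDR (0.0.0.0, *, [::], a LAN or public address), 1 if every listener
# is bound to the Tailscale address only.
admin_exposed() {
    exposed=1
    for sock in $(printf '%s\n' "$1" | listeners_for_port "$ADMIN_PORT"); do
        addr="${sock%:*}"                   # strip the trailing ":81"
        case "$addr" in
            "$TS_ADDR"|"[$TS_ADDR]") ;;     # bound to the tailnet only: fine
            *) echo "port $ADMIN_PORT exposed on $addr" >&2; exposed=0 ;;
        esac
    done
    return $exposed
}

# Constructed samples. The first is what the default compose mapping "81:81"
# produces (0.0.0.0 and [::]); the second is the hardened mapping
# "100.64.0.5:81:81", which leaves only 443 on the public side.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:81         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096   [::]:81            [::]:*'

SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   100.64.0.5:81      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443        0.0.0.0:*'

# On a real host: ss -ltn | { admin_exposed "$(cat)" && echo "rebind port 81"; }
```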
Pro tip: Just don't use Nginx Proxy Manager if you care about security. They don't have security policies and there have been really bad cases in the past where critical vulnerabilities have just been ignored.
It's basically a one man org, which isn't necessarily bad, but there is also no one reviewing the PRs and the maintainer commits directly. Don't get fooled by the huge amount of stars, they don't mean anything.
Yeah. Exposing NPM makes me dubious of the setup
Every time I hear the tic tac commercial I think about my wife thinking about me
Any luck on setting up Nextcloud Talk through Cloudflare and NPM?
Why are you not using Linode? What are the differences?
What are you saying at the end to be careful about regarding the network of the cloud provider? Which kind of fees? Thanks!
Thank you so much for this
Can we use this for other protocols such as RDP, SMB, FTP, I mean for full local network access?
Nah. Why give a third party all possible access to your traffic? Just use raw WireGuard.
American Cloud is also expensive, and why didn't you have NPM local with Tailscale installed, instead of public?
thank you. this is so helpful, so great
Get Out of my head! I had the same plan to build this on my Weekend 😂
What about security concerns relating to Nginx Proxy Manager?
There are security concerns anytime you open services to the outside world. Do you have a specific concern in mind?
There have been multiple CVEs and my understanding is that it took a considerable amount of time (> 1 year) to address them.
Was that not on the management page? I hope you do not open that to the internet.
Nah, it's closed.
@@munroegarrett I've read the same thing so I am using HAProxy in pfSense instead. Also can use Tailscale in pfSense.
I am not bashing the devs of Nginx Proxy Manager as they have a very small number of maintainers and not a lot of time to fix the issues.
Hey, I religiously followed this setup but when I try to reach the service on my server behind CGNAT I get a 502 Bad Gateway. Any idea what I could have possibly messed up?
I'm a bit confused: was the issue with Cloudflare tunnels the limitations on video streaming or privacy? Because right now with this, aren't you just trusting a different company like American Cloud with access to your Tailscale VPN that comes directly into your home? You are basically just trusting American Cloud instead of Cloudflare, and by that logic a lot more, as Cloudflare can only see what's being shared on that tunnel?
You’re gonna have to trust somebody at some point if you’re publicly exposing stuff
I like the zero trust access controls, they are super convenient. Alternatively just use Tailscale alone with advertised routes and as an exit node if you don’t have public facing services and you don’t need Cloudflare at all
Just use Rathole, much faster and won't need Tailscale.
Rathole is only a reverse proxy like NPM and cannot connect a subnet via VPN like Tailscale. The whole point of the video is to bypass a CGNAT.
Gotta love that old CGNAT.
If we knew what it stood for. Cheers
Cool Guys Never Act Tough
Can't Get Network Access. Thanks
This is the way.
Can somebody explain a use case where I need to go through all this?
No headscale?
Not today
Great video :). But can you please explain to me what the difference between Cloudflared and Tailscale is? Cloudflared you can just install in Docker and then you can publish all your internal services from one place via Cloudflare. Won't Cloudflared work behind CGNAT? I know that you have file upload limits of 100MB per file if you use the Cloudflare proxy to your WAN IP. As I understand correctly you still use Cloudflare as DNS and from there to the VPS. Will you still have the file upload limits since you have your DNS via Cloudflare? Keep posting your great videos :)
Just a dumb question, since I really can't seem to understand anything when talking about networks / protocols etc.
What if I already have a static IP?
I want to use Cloudflare as DNS to use a domain name, but then point to my home network that has a static IP, but I want to be sure I have encryption.
Should I spin up Tailscale as well from one container to the others, or what?
I tried many times reading and trying to understand but I keep failing to get any grasp.
As far as I know, you should be able to use nginx on your own network and use that to encrypt your services, similar to how he did it, just installing it on a raspberry pi or VM on your own network. Just make sure you are comfortable with port forwarding.
Why add a VPS and all this complication vs just using Tailscale alone?
I mean…you need somewhere to host the Tailscale client
@@RaidOwl just use their Tailscale Funnel feature
You could also host a wireguard VPN or OpenVPN for more restrictive networks.
This way you're still opening things up to the internet, like with the normal reverse proxy, but you'll be hiding your IP from your DNS records. Adding a layer of privacy. With just Tailscale, you'd need to setup Tailscale on the server, and each client. It would be more secure, but not feasible for every use case. For me, this method fits my needs perfectly… can't believe I didn't already consider it.
Wireguard is secure enough to be exposed on the VPS
Nice video. If I'm using a firewall, can I route traffic from it?
Depends on what you wanna do 🤷🏻♂️
If you put it at a friend’s house, would your media have to pass through their home to serve, and thus be limited by their upstream bandwidth? I have decent upstream but have cgnat. My parents do not, but have a public ip.
Yeah you’ll be limited by their bandwidth
Hi. I thought this was also to overcome the upload limit, but instead the request body size limit applies to requests that go through the Cloudflare proxy/CDN, regardless of whether the client is connected to Zero Trust. So for uploads, even by applying this beautiful configuration of yours, unfortunately it remains at 100MB.
Is it still working for you with Tailscale version 1.66.0? Since updating I can't reach my pages anymore but pinging my servers is working normally. **Okay, I see they added "--stateful-filtering=false" and using this on my VPS fixed my problem.
Very applicable for me.
The hardware limitations of the Raspberry Pi Zero restrict the speeds of the service, but I thought the goal of this was to do one better than Cloudflare tunnels by having no imposed limitations on bandwidth? I guess it is implied one can use faster hardware with the same setup?
Yeah I did show what the speeds looked like hosting on small LXC container on my server, much faster. The raspberry pi was basically like "hey look you can run tailscale on anything".
Do I need to purchase a domain name to do this?
Yes
I'm not on CGNAT but my ISP blocks port 80 and 443, meaning I cannot do the DNS challenge for the reverse proxy. What are my options?
If you can't expose 80 and 443, then you literally have to use a tunnel. Whether it's Tailscale or Cloudflare, that's up to you.
If I am correct, this can be done without cloudflare? As long as your domain name provider has their own DNS? Or is cloudflare an integral part of this?
You can do it without Cloudflare dns. I just like their free proxy.
I return,
The issue I have with NPM is it can't do TCP or UDP, it's only HTTP/S and Traefik is a mess.
Why did you choose proxied for Cloudflare DNS?
Just safer and easier when everything comes in on 443. You can turn it off if you’re doing something that isn’t http/https traffic
Didn't quite catch why this over Cloudflare tunnels? CF tunnels have functions like geoblocking, WAF, SSO, etc. Does Tailscale? Or why this instead of a WireGuard tunnel?
Tailscale is just a nice interface and uses Wireguard anyway plus I can just connect my personal machines to everything with the Tailscale client. Cloudflare tunnels are still great but with this you don’t have to worry about bandwidth limits (if you aren’t proxying via CF DNS).
@@RaidOwl Yeah I agree on this. It's something else than what everyone uses, nice to try something "new"! :)
No need for any of this port or monthly cost stuff. Either host the DNS server yourself or add the IP from Tailscale to Cloudflare for your services. (The IP should be the VM or LXC you have both Tailscale and NPM/Traefik installed on.) Only devices approved on your tailnet can access the services. Nothing's 'exposed' and even publicly posting your IP makes no difference as no one can access it unless I approve your device beforehand. :)
So if you host a Wordpress site you are gonna approve every single public device that wants access?
Well it’s very unlikely that you’d use Tailscale or a tiny vps for anything that’s to be publicly accessible but you could try with split dns. If I want a family member to be able to access something I have running in my homelab I will invite them to Tailscale and use the ACL to give their device access to that one resource. If they try on another machine it will ask me for approval. Hosting the DNS yourself allows more magic to happen so much so that my family hasn’t even realised how much goes on in the background. They don’t even need Tailscale installed or connected once inside our LAN and if outside they connect to Tailscale and everything continues to work. 😊
Do a video with Headscale on a secure vps
Can't this be done by simply using SSH reverse tunneling instead of Tailscale?
Maybe 🤷🏻♂️ try it and let me know
SSH would be a tcp tunnel, which isn't all that great in many situations. Also SSH is a user process, rather than a kernel process, so higher in the stack and maybe competing with other resources more.
I've done both. SSH has its place as temporary or roving needs may dictate (i.e. permit some non-business vendor entity a specific type of access), but you'd really prefer something that's "bolted on" lower in the kernel stack for infrastructure needs.
You'll also need to build/write something to keep SSH running, and explore the timeout and keepalive options to get something that's more reliable and recoverable. It's doable, but you'd probably like something else better.
You know, you are alright and informative. I gave you a like, you are welcome.
But you need a static IP.
I'm getting this error: too many redirects. And the page is not opening. Can anyone help?
But you have to trust your external server's security where the Tailscale client is running: keep the system up to date, install security fixes, upgrade to the next LTS release if there is one. Hardening the system so that no hackers or others can enter the server. If so, your local services or local network in your homelab are open to the world, aren't they? And exposing the NPM admin interface to the public is very critical. So, nice tutorial, but I trust more in Cloudflare applications with access restriction in combination with tunnels....
I have no idea what any of this means.
Why all of this when you can just use Tailscale?
You gonna have every person in the world install Tailscale if you want to host a website?
What about Tailscale Funnel? I know it has limitations, but you can still use it, right?
Any other cheaper solutions? I got the overall idea, have been using it for months.
Can't afford a static IP, which is $3 a month my ISP provides.
Need to open ports for Plex and torrenting; can't on my static IP even if I am able to afford it, as it would be illegal. Need some other way around, like a cheap DMCA-ignored VPS to do what you did, or any other ideas?
Don't say seedbox. @@RaidOwl
@@RaidOwl Most people wouldn't host a public website from a home server.
Hey Brett (small squeaky voice/head), if you are already using a VPS, why don't you run your own Headscale server on it? Then you don't even need a Tailscale account.
Howdy! Yeah you can def do that! There are plenty of ways to go about this but I’ve always had good experiences with tailscale
@@RaidOwl Totally, but I think that your little "Hey Brett" interludes are always fun 🙂 And you left one here for the taking ;-)
You haven't tried Hetzner. Price...
Hetzner is not really useful for Plex in this case as they are banning Plex servers hosted on their IPs, so mainly this is for huge traffic for file serving or a media server; Hetzner kind of defeats the purpose. A LowEndBox VPS seems the way to go.
Holy crap, you're right. Thanks for mentioning.