HOWTO: Host a Service privately on TrueNAS with a valid SSL Certificate

So you want to securely host services on your TrueNAS, without opening ports on your router, while still having easy-to-remember domains with valid SSL certificates? If so, this guide may be for you. There are many ways to accomplish this, but in this guide we’ll be leveraging the following:

  • TrueNAS SCALE
  • Cloudflare Managed Domain DNS
  • Tailscale App
  • Nginx Proxy Manager App

When finished, you will be able to quickly add new services through the Cloudflare DNS Management and Nginx Proxy Manager (NPM) app that are fully accessible to your Tailscale-connected devices as https://service.mydomain.com

NOTE:

In my example I use Cloudflare for DNS and Let’s Encrypt certificate generation. However, this process will work equally well with any other provider that Nginx Proxy Manager can use for Let’s Encrypt DNS challenges. Adjust to fit your specific provider accordingly.

Ready to begin? Let’s dive in.

Create your Tailscale Account.

Navigate to the Tailscale website and set up your account to get started. Once you have an account created, navigate to Settings → Personal Settings → Keys and click on “Generate auth key”.

Keep the default settings on the key; optionally, you can make the key “Reusable” if you want to use it for more than one Tailscale auth, e.g. when setting up two TrueNAS systems. Once the key has been generated, go ahead and save it and proceed over to your TrueNAS UI to continue with the setup.

Setup Tailscale on TrueNAS:

Next up, browse to the Apps catalog on TrueNAS and locate the Tailscale Application.

Start an installation of Tailscale. Copy your previously saved Auth Key into the field in the wizard, and change the hostname if you like (for easier identification in your Tailscale management account). You can keep the rest of the Tailscale settings at their defaults.

Once Tailscale is successfully deployed, you will see it listed as Running, and if you browse to your Machines in the Tailscale management UI, you will see the new TrueNAS listed there as well.

Deploying Nginx Proxy Manager

Next up, we will be deploying Nginx Proxy Manager on the TrueNAS system. Follow the same process to locate NPM in the App catalog, and click Install. You won’t need to change any of the default App settings for NPM, so click Install again to take the defaults and allow it to deploy.


Once the application is running, you can click the “Web UI” button to log into the NPM Web Interface and set up your own username / password.

NOTE: The default username / password is:

admin@example.com
changeme

Once you have your credentials set up, you can close NPM; we’ll circle back to it in a moment. For now, let’s move on.

Stitching it together

Now that you have Tailscale and NPM set up, there are a few steps to stitch things together so that you can host services in NPM for your other local web applications. Next we will set up Tailscale to forward HTTP and HTTPS traffic arriving on its IP over to the NPM application, where we can then set up domains, certs and proxy hosts.

To continue, open up the TrueNAS UI and navigate to the Tailscale App (which should still be running).


Under the “Workloads” widget, locate the Shell button and click it to launch a shell inside the Tailscale Container. Run the following commands to forward port 80 and port 443 over to the NPM Service:

# tailscale serve --bg --tcp 80 localhost:30021
# tailscale serve --bg --tcp 443 localhost:30022

These commands will set up Tailscale to automatically forward http and https traffic arriving on its local addresses to the corresponding http and https ports that Nginx Proxy Manager is waiting for requests on. These settings are persistent and will survive reboots or upgrades of Tailscale. This only needs to be done once.

Lastly before you close the session, run the command tailscale ip to get the IPv4 and IPv6 address of your local connection. Write those down somewhere, we will use them in subsequent steps.

To confirm this worked, on a device connected to your Tailscale network you can open a browser session to http://<tailscale ip>. You should see an “It’s Working” message, which is being served by Nginx Proxy Manager. If so, congratulations, you are ready to proceed to the next steps.

Adding a new Host, Cert and Service

Now that all the initial setup is finished, you can easily add new services to NPM which your other Tailscale devices can access securely over https. To do so, follow these steps for as many services as you need.

Step 1: Create a DNS Record:

If you are using Cloudflare, browse to your DNS Records page and create a new A (IPv4) or AAAA (IPv6) record for your desired service name that points to the IPs you saved from the “tailscale ip” command previously. When you have done this properly you should have a record that looks like “myservice.mydomain.com → 100.XXX.XXX.XXX”.

Step 2: Add Proxy Host to NPM

With DNS properly created, you can next log into the Nginx Proxy Manager WebUI and start adding your proxy hosts and SSL certs.

Navigate to Hosts → Proxy Hosts and click Add Proxy Host.

On the pop-up window, add the domain name, IP address and Forward port of the service you wish to proxy traffic for. If the service is hosted on the same TrueNAS, you can use the TrueNAS IP/Port combination here, or you can point at services hosted on other IP addresses on your network.

Example:
You are running Immich on your TrueNAS. Clicking the WebUI button for Immich in TrueNAS shows it using http://192.168.10.10:30041 (The TrueNAS IP and Port number for Immich). You’d enter a forward IP of 192.168.10.10 and Port of 30041.

Next switch to the SSL tab and select the option to Request a new SSL Certificate. With most Apps you will want to set Force SSL to be enabled. Lastly, select Use a DNS Challenge and pick your provider, in this case Cloudflare. Update the dns_cloudflare_api_token= line to use your correct token.

Note:
You can create your API token on the Cloudflare management site; just be sure to select the option to Edit zone DNS when creating the token. Save it for later in case you wish to add multiple proxy hosts, as you will need to re-enter it each time.

Click Save and NPM will go through the process of creating the proxy and setting up a Let’s Encrypt certificate for the domain name.

That’s it! Assuming everything was successful, it should now be possible to browse to your newly created domain over https with a valid SSL certificate and see your Web App load up.
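As an added check after Steps 1 and 2 (this script is not part of the guide or of NPM/Tailscale), the following Python verifies that the hostname you published resolves only to Tailscale node addresses, so the record was not accidentally pointed at your LAN or a public IP, and then confirms from a tailnet-joined device that the certificate chain and hostname validate. The hostname myservice.mydomain.com is a placeholder; the address ranges are Tailscale’s documented ones.

```python
import ipaddress
import socket
import ssl
import sys

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10 and the
# IPv6 ULA range fd7a:115c:a1e0::/48. CGNAT space is also used by carriers,
# so this is a sanity check on the DNS record, not proof the node is yours.
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)


def is_tailscale_ip(addr: str) -> bool:
    """True if addr lies inside one of Tailscale's node address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILSCALE_NETS)


def classify_records(addrs):
    """Split resolved addresses into tailnet addresses and 'leaked' ones.

    A leaked address (LAN or public IP) means the record does not point into
    the tailnet, so the service is reachable without Tailscale or not at all."""
    tailnet = [a for a in addrs if is_tailscale_ip(a)]
    leaked = [a for a in addrs if not is_tailscale_ip(a)]
    return tailnet, leaked


def resolve(hostname: str):
    """Return the A and AAAA answers for hostname via the system resolver (needs network)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def cert_not_after(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect over TLS from a tailnet-joined device. The default context verifies
    the chain and hostname (raising ssl.SSLCertVerificationError otherwise);
    on success return the certificate's notAfter field."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "myservice.mydomain.com"  # placeholder
    tailnet, leaked = classify_records(resolve(host))
    print(f"{host}: tailnet={tailnet} leaked={leaked}")
    if leaked:
        sys.exit(f"refusing: {host} also resolves outside the tailnet")
    print("certificate valid until", cert_not_after(host))
```

Run it as python check_host.py myservice.mydomain.com from a device on your tailnet; a hostname that also answers with a 192.168.x.x or public address is reported as leaked.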

Final Thoughts:

There are many ways to accomplish the same thing; this is but one solution. Users can also use similar methods with NPM to expose services to the outside world directly (not something we recommend on TrueNAS in general). You can use other VPN technologies or even alternative proxy servers. Hopefully this guide provides enough information for you to adapt and find the solution that suits your specific needs the best.


What do I need Tailscale for?
If I set up the NPM to point at immich.mydomain.com, then I can reach immich over https wherever I want. Isn’t that right?

Sure, if you have another VPN solution so you can reach those IP/Hosts on your private network while roaming then yes. Or alternatively you can open a port on your firewall to NPM, but that is much more risky. As I mentioned this is but one way to do this, lots of combinations can work for your specific environment.

For the “privately” part of the subject. Kris is describing a way to host apps, using valid TLS certificates, that doesn’t depend on those apps being exposed to the whole Internet; you’d then use Tailscale to connect to those. If you don’t mind (or actually want to) expose those apps to the whole Internet, the process is simpler, and indeed Tailscale isn’t required (nor is any other VPN service).


Where I am currently struggling is this part:
[quote=“kris, post:1, topic:15243”]
Under the “Workloads” widget, locate the Shell button and click it to launch a shell inside the Tailscale Container. Run the following commands to forward port 80 and port 443 over to the NPM Service:

# tailscale serve --bg --tcp 80 localhost:30021
# tailscale serve --bg --tcp 443 localhost:30022

These commands will set up Tailscale to automatically forward http and https traffic arriving on its local addresses to the corresponding http and https ports that Nginx Proxy Manager is waiting for requests on. These settings are persistent and will survive reboots or upgrades of Tailscale. This only needs to be done once.

Lastly before you close the session, run the command tailscale ip to get the IPv4 and IPv6 address of your local connection. Write those down somewhere, we will use them in subsequent steps.

To confirm this worked, on a device connected to your Tailscale network you can open a browser session to http://<tailscale ip>. You should see a “It’s Working” message which is being served by Nginx Proxy Manager. If so, then congratulations you are ready to proceed to the next steps.
[/quote]

I am not getting any feedback when I enter the commands; I am not sure if I am supposed to or not. Which in turn will not allow me to check the IP address that is connected.

Great write-up @kris, really nice work


If you ran those commands and it was setup properly, you can confirm with the following command being run inside the tailscale container:

tailscale serve status

You should see something that looks like this:



Hi @kris, thanks for this guide. Does this configuration mean that when on my local network I still need to have Tailscale running and my data transits through Tailscale servers to access my local apps?

Correct, if you follow my guide exactly, then you will be setting up access to the services through the Tailscale network only.

For my use-case this was intentional, a private network within a network. I have lots of things running that I didn’t want open to anybody who plugged a cable into my local LAN, instead they have to be explicitly authorized to join my Tailscale network first.

Of course if that isn’t your use-case, you can adjust to suit :)

Just want to point out that these two things are not equivalent. The scenario described here does require tailscale to be running but, except in rare circumstances, data does not pass through tailscale’s servers (and even when it does, it’s end-to-end encrypted). In most cases, tailscale’s servers only coordinate the connections among members of the tailnet.

That is 100% correct. When I’m point to point directly connected, I see pretty much zero speed impact as well even on my local network devices. Thank you for expanding on that Dan!

Thanks to both of you. I’ll try that. I have a WireGuard server with Nginx Proxy Manager and custom DNS that works well, but for firewall issues at this office I’d like to try with Tailscale if that can work, and this guide will help me!

When I run the command
/ # tailscale serve –bg –tcp 80 localhost:30021
I get the following error:
Error: invalid number of arguments (4) try tailscale serve --help for usage info

When I run the command
/ # tailscale serve status
i get the following message:
No serve config

Okay, I got it, here comes the right command:

tailscale serve --bg tcp=80 tcp://localhost:30021
tailscale serve --bg tcp=443 tcp://localhost:30022

Interesting, the Tailscale I’m running still shows the syntax I provided. What version of Tailscale do you have deployed?

I’m running the latest App-Version:

Name: tailscale
App Version: v1.76.6
Version: 1.1.21

Looks like the commands might have changed; these worked for me:
“tailscale serve --bg --tcp 80 localhost:30021”
“tailscale serve --bg --tcp 443 localhost:30022”

Is there a chance to reach Home Assistant, running in a TrueNAS VM with the Tailscale add-on installed, over Nginx Proxy Manager?

Okay, got it; it works with the IP of the HA VM as the Forward IP.


I have the same setup here for my HAOS VM. Glad that works for you as well.
