I have made it as far as entering the commands into the Tailscale shell, all successful. Running “Tailscale serve status” shows everything is set up correctly (as I gathered from the comments). I did have to change the Nginx user and group IDs to “0” (root) to get Nginx to deploy.
My issue is that when I then enter my TrueNAS server’s Tailscale IP (100.xx.xxx.xx) I get “This site can’t be reached” with “ERR_CONNECTION_RESET”.
At one point, if I entered the Tailscale IP with the Nginx port “100.xx.xxx.xx:30021” I would get the “It’s Working” page from Nginx. Though just trying that again I get “ERR_CONNECTION_REFUSED”. I tried changing the TrueNAS web UI ports to “880” and “8443” with no change.
I feel I must be missing something or I have something else set up incorrectly that is affecting it. Any help would be greatly appreciated.
Edit: It was actually using the TrueNAS server’s LAN IP with the Nginx port (192.168.0.xx:30021) that got me to the “It’s Working” page from Nginx. Not the Tailscale IP. With the Tailscale IP and port 30021 I get “ERR_CONNECTION_REFUSED”.
Don’t mean to be a bother, I finished following this lovely guide (very well written, thank you for that), and the only issue now is that I get a “connection reset” error when attempting to access the subdomain (“home.mysite.xxx”). Everything seems to be set, I even bought a cheap domain at Cloudflare. Got the API token set up. Everything I have looks like what should be my version of what you illustrated. Again, it’s probably one little setting I forgot to check off.
What subdomain DNS entries did you make on Cloudflare? Are they pointing to your Tailscale IP properly, and are you accessing it from a client with Tailscale set up and active?
I made an “A” DNS subdomain, pointing to the Tailscale IP for my TrueNAS server, and accessed it from a device (tried multiple) that is connected to my Tailnet. The Cloudflare proxy setting is disabled; it wouldn’t let me save the DNS entry unless it was unselected.
Would I by chance need to change the Nameservers in the TrueNAS global network configuration to Cloudflare DNS servers? They are currently using the Quad9 servers I set in my router.
I figured it out. I started up Nginx again and noticed it had changed the 443 port it used from the standard 30022 to 30017 for whatever reason. I re-did the Tailscale commands (both just to be sure) and now it works flawlessly!
Thank you for the help and for the great tutorial.
Though I’ve run what is now a TrueNAS Core server for around 10 years, it’s always been a very basic setup and I’ve never managed to tackle SSL properly.
I bit the bullet and changed over to Scale last week and have found deploying both Plex and Navidrome an absolute breeze, but what I have stuck my head in the sand about is exactly what your article covers: I want to be able to securely access my server from outside my local network.
Before I jump in, I have a few idiot questions:
If we’re using Tailscale and Cloudflare to make this happen, what happens if their services go down, or indeed if there is no internet at all? Can I still log in on the local network without any extra fuss?
Will my existing NFS & SMB shares be affected?
Will I still be advised to get an SSL certificate for my local network (I’ve always had trouble with this)?
You’d need to modify your setup a bit, and set up Tailscale as a subnet router for your local network… I did that on mine, and then modified the individual app DNS to point to the local subnet static IP hosting nginx-proxy-manager locally. This means locally I can have some services that I can reach without being on Tailscale when on my home network.
Does not impact NFS/SMB
You also do not need to get a local SSL cert; Nginx Proxy Manager handles creating and updating these, working with Cloudflare.
OK, this looks great, thanks. I’ve had a quick look again at this thread, and the one on the Tailscale site ‘subnets#install-the-tailscale-client’ (am not yet allowed to post links), and it looks to me as if I sort out the subnet just after I’ve installed Tailscale and before deploying the NPM.
This is all a bit beyond me atm, but won’t be by the time I’ve worked it out.
SCALE is looking great for me so far. Apps in CORE were always tricky.
Will report back any idiot issues I create on the way through.