HOWTO: Host a Service privately on TrueNAS with a valid SSL Certificate

The proper syntax for these commands is:

tailscale serve --bg --tcp 80 tcp://localhost:30021
tailscale serve --bg --tcp 443 tcp://localhost:30022

Thanks, formatting was screwed up. Fixed in the original.

I'm using DuckDNS for the DNS domain, and in the part where you set up the IP and ports, which ones do I need to set? And also, how do I test that everything is OK?

Thanks for writing this! I have some additional setup notes in case it helps anyone with doing this:

  1. In ‘Deploying Nginx Proxy Manager’, if you’re having the app stuck at ‘deploying’, you may need to add the environment variable S6_STAGE2_HOOK with the value sed -i '$d' /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh (more info in Nginx: Hangs for almost 25 minutes at deploying in npm - #2 by HITMAN)

  2. In Adding a new Host, Cert and Service, as already mentioned you will want to create a record for each service you’re hosting. Nginx proxy manager is going to complain if you attempt to do multiple services at different ports using the same certificate.

  3. In Adding a new Host, Cert and Service → Step 2: Add Proxy Host to NPM, if needed you could set the ‘Forward Hostname/IP’ to the server’s Tailscale IP rather than the LAN’s; this could help in situations where you have to use DHCP.

  4. In Adding a new Host, Cert and Service → Step 2: Add Proxy Host to NPM, there could be some app-specific settings here depending on what you’re running. Here’s a shortlist of just a few settings to be aware of, you may need to tinker and search a bit for more:

    • Frigate:

      • Proxy Host setting in Nginx Proxy Manager: you may need to set the ‘Scheme’ as HTTPS (not HTTP), otherwise you might get a “400 Bad Request - The plain HTTP request was sent to HTTPS port” error
    • Home Assistant (two important things here)

      • Home Assistant configuration.yaml: you’ll need to edit your configuration.yaml to set up forwarding with specific IPs for access (e.g. your server’s IP, and possibly whatever IP the Home Assistant logs are seeing you log in under); see Nginx proxy 502 bad gateway - #8 by Evanc09 - Configuration - Home Assistant Community for more info. The configuration.yaml can be edited by going into the home-assistant container shell (found in the TrueNAS app settings). Not doing this will result in your logs saying something like ERROR (MainThread) [homeassistant.components.http.forwarded] A request from a reverse proxy was received from <IP-TO-ADD-TO-TRUSTED-PROXIES-IN-CONFIGURATION-YAML>, but your HTTP integration is not set-up for reverse proxies
      • Proxy Host setting in Nginx Proxy Manager: you may need to set the ‘Scheme’ as HTTP (not HTTPS), otherwise you may get a “502 Bad Gateway - openresty” error. You’ll also want to have the ssl certificate setup.
    • Linkding:

      • Proxy Host setting in Nginx Proxy Manager: you may need to set the ‘Scheme’ as HTTP (not HTTPS), otherwise you may get a “502 Bad Gateway - openresty” error. You’ll also want to have the ssl certificate setup.
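As an added example (not part of the post above), this is the shape of the Home Assistant configuration.yaml http: block that note 4 refers to; the proxy IP below is a placeholder for your own NPM host, and the commented-out wildcard shows the setting to avoid.

```yaml
# Added example: Home Assistant configuration.yaml, http: section.
# Home Assistant only honours X-Forwarded-For headers from proxies it
# explicitly trusts; without this block it logs the
# "A request from a reverse proxy was received from ..." error.
http:
  use_x_forwarded_for: true
  trusted_proxies:
    # Placeholder: the IP that NPM connects from (the IP shown in the
    # Home Assistant error message). Use the narrowest entry that works.
    - 192.0.2.10
    # If NPM runs in a container on the same host, its container/bridge
    # address may be what Home Assistant sees instead; add that one.
    # - 172.16.0.0/12
  # Do NOT do this: trusting every address lets any client forge
  # X-Forwarded-For and bypass IP-based trust in Home Assistant.
  # trusted_proxies:
  #   - 0.0.0.0/0
```

After saving, restart Home Assistant and confirm the forwarded-header error no longer appears in the logs when you open the service through NPM.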

Hi there, this guide is awesome and exactly what I’m looking for. But I’m reviving this part of the thread because I ran into the same issue and can’t seem to figure out what is going wrong. I think I’ve done everything right but I’m still getting the “connection was reset” error when I try to access the service with my domain. Here’s what I have done so far:

  • Set up tailscale account and created auth key for my instance of Truenas Scale (Dragonfish-24.04.2.5 on bare metal)
  • Installed tailscale app on truenas with auth key generated through my account on their website and making sure to check the “Host Networking” option
  • Deployed Nginx
  • In tailscale app shell, forwarded port 80 and 443 to Nginx (confirmed everything is set up correctly with the tailscale serve status command)

Here is where the problem began. When I tried visiting my tailscale IP like you suggest on this step, I got the connection error. I thought I did not forward the ports correctly in the tailscale shell, but then I ran the tailscale serve status command and everything looks like the screenshot you posted. So, I decided to keep going hoping it would work after I finished the other steps.

  • Created an A DNS record for my service in Cloudflare pointing to tailscale IP
  • Added proxy host to Nginx for my service using my truenas server’s local IP in the “Forward Hostname/IP” field and the port the service is running on in the “Forward Port” field
  • Set up SSL certificates in Nginx with cloudflare API token using the Edit Zone DNS template

Despite all of this, when I try to access the service from a device connected to my tailnet, I keep getting the same “The connection was reset” error. I’ve tried multiple devices and browsers and nothing is working. I would appreciate some help. Thank you!

I’ve followed this in full, but when trying to add the Proxy Host in Nginx and hitting save, it processes for a few seconds and then shows “Internal Error” at the top.

I’ve tried a number of suggestions found on web for same error but nothing is resolving it. One suggestion is to forward 80 and 443 on my router to the TrueNAS box but I thought that was what we were avoiding by using this configuration. Am I wrong?

I got this error because my domain was not propagated on the internet dns. I was too fast.

How can I make the URL available in my local network? I only have a FRITZ!Box.

You need whatever serves DNS for your LAN to respond appropriately. I don’t know if your Fritzbox can do this; if not, you could use a router that isn’t brain-damaged, or you could set up something else to do DNS on your LAN. A Pi-Hole installation is popular for this purpose.

I tried to set up a split dns with the “Technitium DNS Server”. However, as I failed with IPv6 DHCP, I returned to the FRITZ!Box.

btw this

is correct, sir. But it didn’t make any trouble. I will exchange it, when I don’t need VDSL2 supervectoring support anymore.

Fritzbox is a dumb piece of shit (have to use one myself). I’ve set up blocky for internal DNS resolution.

Tailscale forms an excellent secure meshed network of all your devices that have tailscale installed. If you’re trying to access tailscale on your TrueNAS server from a PC that doesn’t have tailscale running, then you won’t be able to access it and will get a connection error. You can either install tailscale on your PC and any device you want to allow access to your NAS (or set up tailscale as a subnet router), or don’t use tailscale and just use nginx.

I have followed this guide and it worked perfectly. Thank you!

It would be nice to be able to reach the URLs on the local network as well, but I’m having trouble making it work. I suspect it has something to do with Tailscale and NPM being on the same host IP. I tried having NPM on a separate IP, but found that the tailscale serve command only works for localhost.

I run pihole for DNS and it works without NPM and when tailscale is not running.

Has anybody made this work, or have suggestions for solutions?

This is really helpful, thanks and will be part of my new set up when I finish the build for my new NAS, I have a couple of first time questions:

  1. I assume that network drives from the same NAS mapped onto a PC using tailscale IP addresses and Samba will continue to function as normal rather than getting tangled up in the proxy?
  2. I understand that you can also install a Cloudflare tunnel app into TrueNAS which appears to do a similar thing. Is this an either/or choice?
  3. Although there is a secure tunnel from Cloudflare, I assume that by using a domain name to access the service, it is still generally only as secure as the password / security protecting the log on and it will be generally available from any device on the web, rather than only those on your tailnet?

Many thanks in advance and apologies if these are obvious questions or covered in the write up

I managed to set HTTPS for my services using tailscale serve.

However, the main GUI page does not function properly. I get a “400 Bad Request, The plain HTTP request was sent to HTTPS port” error although I previously ran tailscale serve --bg --https=443 443