Https, Tailscale and maybe Nginx, how can I make it work

My situation. Running Truenas now for almost a year. For my home and small business. Left M365 for Nextcloud (running on Truenas), Thunderbird and LibreOffice. A lot is going fine, and I’m learning with my background of being a technician but not having an education in ICT. Several months ago I made a second Truenas system setup for backup, this one is in my mother’s place.

Now the networking. I’m at the point that Tailscale is running and the Truenas default certificate is not valid anymore. I want to build on my security to make all my traffic go by HTTPS. Both the Truenas systems are behind a router with an IP address that might change. So I know that I have to set up a Dynamic DNS, I did once with my Asus router. Also, I have Nginx running because lots of information on this subject is about Tailscale with Nginx. I wanted to have a look inside Nginx. Then I set up Tailscale itself to work with HTTPS and installed Truenas and the desktop and laptop with certificates.

My questions:

  1. Is a Dynamic DNS the same as a reverse proxy (Nginx)?
  2. Do I have to set up Nginx to get my Nextcloud to work with a valid certificate?
  3. Tailscale makes its own IPs for all the computers, those are all secure (HTTPS) communication lines. Can I make that work for, let’s say, Nextcloud to be secure as well? How?
  4. I have my own domain which I run my website on. Do I have to make a subdomain from that point to my Truenasses? I don’t bother about having a nice URL, the Tailscale (ugly) URLs work for me as well.
  5. So my basic question is whether I can make a route to HTTPS-secure my network travel with Tailscale alone, or that I have to set up the Nginx reverse proxy. And how.

Hi – Since you are using Tailscale with your own domain, you can set your DNS to have records like:

Host: myapp.mydomain.com
Record type: CNAME
Target: mytruenas.mytailnet.ts.net

On your TrueNAS, run a reverse proxy that has the certificate for myapp.mydomain.com. Caddy is an alternative to nginx that is more modern and will automatically get Let’s Encrypt certificates.

Thank you @Evan123 for your reply. Still struggling with whether I should set up a reverse proxy. Basically I only want to approach my devices (desktop, laptop, Android telephone, Truenas) with Tailscale, and I do now. So I made HTTPS on the Tailscale side of things. But I wonder if there is a possibility to point to a secure HTTPS connection to Nextcloud. My feeling is that, when using a subdomain pointing to my Truenas, things are not becoming safer since everyone can take a look at how good my security is.

Or am I mistaken and due to the fact that I’m using Tailscale I’m safe with or without HTTPS? How can I point mytailnet.ts.net to approach Nextcloud for instance?

I think it is worth starting with something small and simple and then as you understand how it works you can do something more fancy.

When you run Tailscale as a TrueNAS app, whatever is running on your TrueNAS is available over Tailscale on the Tailscale IP (the 100.* IP that Tailscale uses, or an equivalent IPv6 prefix) or using the Tailscale hostname (nodename.mytailnet.ts.net, where nodename is what you set up in the Tailscale app configuration), unless you do something to prevent this. This includes the TrueNAS web UI, SMB shares, and containers with exposed ports.

When you deploy Nextcloud, without doing anything special (no reverse proxy required) it will be available over Tailscale too on the same port that is used when accessing from your home network. If you use the TrueNAS app for Nextcloud and don’t change the defaults, the Nextcloud TrueNAS app uses port 30027, so that would make it available on:

* http://truenas-home-LAN-real-IP-address:30027 when at home
* http://truenas.mytailnet.ts.net:30027 when connected home via Tailscale
* http://truenas-tailscale-ip:30027 when connected home via Tailscale

You mentioned you also had your own domain, and if so you could also make this work:

* http://truenas.mydomain.com:30027

with reachability as above depending on whether you point truenas.mydomain.com at your home LAN or Tailscale.

For a certain definition of “secure” this is “secure” without using https. Your communication with TrueNAS over Tailscale is always encrypted end-to-end between your client device and TrueNAS. You will get complaints from your browser about submitting passwords over an unencrypted connection because your browser does not know that you are using Tailscale. If you are happy with that then you can stop here. A lot of people stop here.

Once you have the above working, if you want to make nicer URLs like:

* http://nextcloud.mydomain.com
* http://nextcloud.mytailnet.ts.net

or if you want to add HTTPS, you can do these with more advanced configurations. After you have Nextcloud working with a basic Tailscale configuration and you know what you want to do next, please feel welcome to come back to ask for more guidance.

Hi @Evan123. Not being a native speaker of English makes it difficult for me to express my feelings. But I give it a go. I’m very grateful that someone is willing to help and support me in what I’m doing. Willing to write more than one line to help. It makes me want to help other people working with open source software as well. Support them. But I’m not that handy yet. In the past, I helped with translation of open source software, might be that I’m picking up that again. Really many, many thanks for your help, it means a lot for me and in a way I’m overwhelmed by your extensive reaction and support.

Now for the technical part. It is a big switch that I’m making and I recognize you saying that I have to make small steps. I’m trying to already. I have Tailscale running and the communication with all different devices is what I expect from it. I don’t need fancy URLs, mostly I don’t need them after setting up for instance my Nextcloud app on my Android (e/os) phone. The place I work on my Truenas computers is at home. I don’t have enough knowledge to decide whether not using HTTPS is keeping my files and systems safe from hacking. Now that I think of that, is there a Truenas scanning tool to point me at the risks I’m taking?

The next version of Scale will have a new way of handling certificates, maybe from Let’s Encrypt. So I think I am going to wait for that, and see if that is working for me.

You are very welcome! :slight_smile:

To answer your security question you need to:

  • understand how the technology works
  • decide on your threat model – what are you worried about, and what are you not worried about?

I will try to explain, but you might find it clearer to ask an AI to explain in your primary language.

At a high level, HTTPS will:

  • Protect your communications with encryption so that no one can see or change your communications, from your browser all the way to the web service or reverse proxy on the server.
  • Verify the identity of the server, so that you are sure you are communicating with your TrueNAS, and not a malicious server. There are a few ways you could be sent to a malicious server. For example, if the attacker controls DNS then when you ask for truenas.mydomain.com they could return a malicious IP address.

Tailscale also provides these in a different way:

  • Tailscale creates an encrypted network tunnel from the network interface of your device to the network interface on the server. Everything sent through the tunnel is encrypted. No one looking outside the tunnel – including Tailscale – can see or change the traffic that you send.
  • Tailscale’s encrypted tunnels also ensure that you are communicating with your TrueNAS, and not a malicious server. Tailscale also has its own DNS for tailnet.ts.net (MagicDNS) that an outside attacker cannot influence.
  • These only apply when accessed over Tailscale. HTTPS provides these in all situations, even for accessing from your local LAN. You can also choose to always use Tailscale even at home. I do that because it’s easier for me to just always use Tailscale.

Both HTTPS and Tailscale have ways that an administrator or someone who has compromised your device can see encrypted traffic. With Tailscale, you can see and change the unencrypted traffic from your browser before it goes into the encrypted tunnel. With HTTPS you can install a malicious certificate authority certificate that allows you to intercept communications.

Both HTTPS and Tailscale use a trusted service provider that you need to trust in order to maintain security. For HTTPS, a certification authority could issue a certificate for truenas.mydomain.com to someone else to make a malicious server, and it happens once in a while that a certification authority gets caught doing this. For Tailscale, the Tailscale company can add devices to your Tailnet without your permission, although there is a way to mitigate this (Tailnet lock) if you trust how Tailscale is designed.

Once you understand how Tailscale and HTTPS work, you need to decide whether the way Tailscale works is OK for your threat model, or if you want more assurance – maybe using both Tailscale and HTTPS, or looking at other controls that Tailscale provides like ACLs. Only you can decide whether you are happy.

For a non-security problem: when you run Tailscale without HTTPS, your browser will not know that it is working over an encrypted tunnel. It may give you warnings about sending passwords etc. to an unencrypted site. New web functionality also often requires HTTPS; for example modern versions of HTTP (HTTP/2 and HTTP/3) both require HTTPS. So, at some point you may wish to add HTTPS for non-security reasons. You can always add a reverse proxy for HTTPS once you are confident with Tailscale and container networking.

I had heard the TrueNAS Tech Talk where Let’s Encrypt support was mentioned. I think that is only for the TrueNAS web user interface. You will almost certainly need a separate reverse proxy to do certificates for applications. Caddy can use Let’s Encrypt, and Caddy can get certificates for Tailscale nodes as well.

I hope that helps. :slight_smile:

Hi @Evan123. I’m running into new problems, where I thought I had found a solution. I have a problem with making a secure (HTTPS) connection. Tailscale is still my way of making things secure. Running it as an app on Truenas, with Nextcloud, all on the same machine. On all of my machines I installed the Tailscale (Let’s Encrypt) certificates in order to let the Tailscale network talk securely with each other. The problem is that the connection I make from a browser or with Nextcloud to set up a connection is never secure (HTTPS) at the end. As an example, in my browser I fill in the Tailscale URL, no matter if it’s the Tailscale name (in my case “truenas”) or the Tailscale IP number (100…..). The result is always that the connection is insecure. And when I look at the reason, I find that the iXsystems certificate is not valid. So I’m pointing to Tailscale, but in the end I’m back with (I presume) the local IP (192.168.*.*) and the certificate that belongs to that IP.

Also in the Tailscale dashboard the endpoints listed for “truenas” are so strange, all with a port number that I don’t recognize: 35747. Most in IP range 127… Why can’t I see any familiar numbers like my Nextcloud IP:port?

I’m asking myself if Tailscale is configured correctly. When I go to Truenas/Network/Interfaces there is only one interface and that is 192.168. . . /24. Should there also be an interface for the Tailscale full domain? I read that there should be a “tailscale0” interface, why don’t I have that in my Truenas? Is Tailscale installed right, I ask myself. Should I configure a Funnel, or anything else, in Tailscale? I really don’t know where to begin. I started off with my problem in not being able to connect to Nextcloud (it will connect only with a secure connection), but now I know that my problem is in between Truenas/Tailscale. That is something. Any ideas to investigate or try?

If you go to https://100.x.y.z or https://truenas.tailabc.ts.net and are getting the default TrueNAS iXsystems certificate then it’s because port 443 on the server is bound by the TrueNAS GUI and is listening on all interfaces including the Tailscale interface. As a result Nextcloud can’t also bind to port 443.

You can address this in several ways:

  1. Run Nextcloud on a port other than 443 and access it at https://truenas.tailabc.ts.net:port.
  2. Move the TrueNAS GUI to another port so that you can use port 443 for Nextcloud. You can do this under System→General Settings.
  3. Look at a more advanced configuration with caddy-tailscale.

You are seeing strange addresses and port numbers for Tailscale for several reasons:

  1. By default, Tailscale on Linux picks a random port. You can set a fixed port via an environment variable, e.g. TS_TAILSCALED_EXTRA_ARGS=--port=41641
  2. When going out your Internet connection it is being NAT’d and the externally-visible port will be different again. This is expected, but check that in the Tailscale web UI under Client Connectivity that it is showing: Varies: No. If not, you should fix your NAT to be an Endpoint Independent NAT. Endpoint Independent NAT ensures that the internal port is consistently translated to the same external port, regardless of the destination.
  3. I think you meant you are seeing endpoints in range 172.x and not 127.x. The 172.x are your container network interfaces. Tailscale when running with host networking sees all the container interfaces and reports them to Tailscale as valid endpoints. This is expected and you can ignore these extra endpoints.
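To confirm the diagnosis in this last post (the TrueNAS GUI holding port 443 on every interface, so the Tailscale name serves the default iXsystems certificate), here is an added shell check; it is not code from the thread or from TrueNAS/Tailscale, the `ss` sample is constructed, and `truenas.tailabc.ts.net` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: (1) find which sockets hold a port and
# whether they are bound to all interfaces, (2) print the certificate subject a
# host actually presents for its name (SNI). Hostnames are placeholders.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer), as
# seen when the GUI owns 443 on 0.0.0.0/[::] and Nextcloud sits on 30027.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 4096 127.0.0.1:30027 0.0.0.0:*'

# wildcard_listeners PORT: read ss lines on stdin, print every local address on
# PORT bound to all interfaces (0.0.0.0, [::] or *). Exit 0 if any was found.
wildcard_listeners() {
  port="$1"
  found=1
  while read -r _state _rq _sq local _peer _rest; do
    case "$local" in
      "0.0.0.0:$port"|"[::]:$port"|"*:$port") echo "$local"; found=0 ;;
    esac
  done
  return "$found"
}

# count_wildcard PORT: how many wildcard listeners on PORT in the sample above.
count_wildcard() {
  printf '%s\n' "$SAMPLE_SS" | wildcard_listeners "$1" | wc -l | tr -d ' '
}

# served_subject HOST [PORT]: subject of the certificate presented for HOST.
# Needs network access and openssl; only runs in live mode below.
served_subject() {
  host="$1"; port="${2:-443}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject
}

# Live mode on the TrueNAS host: sh check443.sh --live truenas.tailabc.ts.net
if [ "${1:-}" = "--live" ]; then
  if ss -Hltn | wildcard_listeners 443 >/dev/null; then
    echo "port 443 is bound on all interfaces: the Tailscale address gets the GUI certificate"
  fi
  served_subject "${2:-truenas.tailabc.ts.net}"
fi
```

If the subject printed in live mode is the iXsystems default rather than your tailnet name, one of the three options in the post above (other port, moved GUI, or caddy-tailscale) is needed before the browser will trust the connection.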