Running TrueNAS 25.04.2.4 with the latest Tailscale app (userspace disabled). For this example, I have Nginx Proxy Manager and Emby running with “Publish port” mode. My goal is to grant friends access to NPM via Tailscale ACLs and use NPM ACLs with Tailscale IPs (100.64.0.0/10) to control access to the proxy hosts as needed. However, connections from Tailscale come through as a Docker IP (172.16.4.1) when viewing access logs in either NPM or Emby.
Is there any way to have the source Tailscale machine IP be shown instead?
I think the easiest way is to run NPM and Tailscale within the same network stack. This allows NPM to listen directly on the VPN interface that Tailscale creates. No more traffic routing required between NPM and Tailscale.
For Emby: reverse proxies usually set the HTTP header X-Forwarded-For with the real source IP. Some applications can be configured to use the IP from that header instead of the source IP. For example Jellyfin has a Known proxies setting. I don't know about Emby, you might find an option in the network settings.
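The answer above notes that apps behind NPM have to take the client address from X-Forwarded-For rather than the socket peer. The security-relevant part of a "known proxies" setting is that the header is only honoured when the TCP peer is one of those proxies, otherwise anyone who can reach the app directly can forge a Tailscale address. The following is an added example, not code from this thread, NPM, Emby or Tailscale; it assumes the proxy reaches the app from the Docker address 172.16.4.1 mentioned in the question, and that the Tailscale range is 100.64.0.0/10.

```python
import ipaddress
from typing import Optional

# Assumption for this example: the reverse proxy (NPM) connects to the app
# from this Docker bridge address, so it is the only peer whose
# X-Forwarded-For header we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.4.1/32")]

# Tailscale's CGNAT range, used here as the allow-list for the app's ACL.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def _is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log and to evaluate ACLs against.

    X-Forwarded-For is only honoured when the socket peer is a trusted proxy.
    The header is a comma-separated chain "client, proxy1, proxy2"; each proxy
    appends the peer it saw, so the rightmost hop that is not one of our own
    proxies is the real client. Anything a client put in the header itself
    ends up further left and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed header: fall back to the socket peer rather than
            # trusting a value we cannot parse.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was one of our proxies; report the peer we actually saw.
    return str(peer)


def allowed(remote_addr: str, xff_header: Optional[str]) -> bool:
    """Tailscale-only ACL: allow if the resolved client is in 100.64.0.0/10."""
    return ipaddress.ip_address(client_ip(remote_addr, xff_header)) in TAILSCALE_RANGE


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, X-Forwarded-For header)
    samples = [
        ("172.16.4.1", "100.101.102.103"),            # friend via Tailscale -> NPM
        ("172.16.4.1", "100.1.1.1, 203.0.113.5"),    # public client forging the header
        ("203.0.113.9", "100.1.1.1"),                # direct hit on the app, bypassing NPM
    ]
    for peer, xff in samples:
        print(f"peer={peer:<12} xff={xff!r:<28} client={client_ip(peer, xff):<16} allowed={allowed(peer, xff)}")
```

The same right-to-left walk is what makes a multi-hop chain safe: if you later put a second trusted proxy in front of NPM, add its address to TRUSTED_PROXIES and the function still skips past it to the real client.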
Thank you, that is a good idea. I actually found another solution: tailscale set --snat-subnet-routes=false. According to this GitHub thread, that setting has an effect even if you’re not using subnet routes. Once I set that, the Tailscale machine IP shows up as the source IP.