TrueNAS Scale, Nginx Proxy Manager, and DuckDNS Doesn't Play Nice

dreamzboy · October 11, 2025, 6:17am

I’ve been struggling with setting up a Reverse Proxy for the past few days, and I’m about to throw in the towel. As simple as it sounds but in practice, it’s quite difficult to grasp. I’ve scraped all the YouTube videos that I could find, read countless threads, posts, and here I am – at a dead end.

My current setup:

TrueNAS Scale: Dragonfish-24.04.2.5
WebUI HTTP: 99
WebUI HTTPS: 449

Assuming these are my IPs to the TrueNas Scale box.

WAN IP: 102.20.144.124
Interinal IP: 192.168.100.10

Apps:

NextCloud (WebUI: 9001)
Collabora
Jellyfin (WebUI: 30013)
Nginx-Proxy-Manager (WebUI: 30020)

Cloudfare DNS Configuration:

Type	Name	Content	Proxy Status
CNAME	*	maindomain.me	DNS only
CNAME	maindomain.me	subdomain.duckdns.org	DNS only

Duck DNS Configuration:

subdomain.duckdns.org - IP: 102.20.144.124 (WAN IP)

Router (Ubiquiti) Configuration:

Domain Name	Type	IP
nextcloud.maindomain.me	Host (A)	192.168.100.10
jellyfin.maindomain.me	Host (A)	192.168.100.10

Port Forwarding:

NPM HTTP: 80 (WAN) to 30021 (LAN)
NPM HTTPS: 443 (WAN) to 30022 (LAN)

Nginx Configuration:

SSL Certificates: *.subdomain.duckdns.org subdomain.duckdns.org

Proxy Hosts:

Source	Destination	Status
subdomain.duckdns.org	http://192.168.100.10:30020	Online
nextcloud.maindomain.me	http://192.168.100.10:9001	Online
jellyfin.maindomain.me	http://192.168.100.10:30013	Online

I should note that prior to applying these changes, all of the containers are up and running inside TrueNAS Scale. I can access them through Port Forwarding.

The problem that I’m experiencing is that only one of the 3 apps sort of works. I can go to the jellyfin.maindomain.me by clicking host inside the NPM interface; however, I get the “Not Secure” certificate. It’s also insecure when connecting to the host outside of my network. My understanding is that when I access the maindomain.me, it should route to subdomain.duckdns.org with the signed SSL certificate but somehow it didn’t.

As for accessing nextcloud or the NPM host, I just get the “This site can’t be reached”. I tried nextcloud.subdomain.duckdns.org, jellyfin.subdomain.duckdns.org, and just subdomain.duckdns.org and it will show me a page that says “Congratulations. I’ve successfully started the NPM but [I’m] trying to access a host that isn’t setup yet…”

I’m not sure what else to do at this point. I already tried clicking mindlessly as shown in those tutorial videos but without success. Any help is greatly appreciated!

dreamzboy · October 11, 2025, 6:44pm

I fixed the NextCloud issue. I noticed that everytime I clicked on the host from NPM, it redirected to a different URL. I’d set the “Additional Environment Variables” to a different URL inside NextCloud. I removed that option, redeployed, and everything working as it should.

The only 2 problems remain are:

I still get the Certificate Error
Clicking on the subdomain.duckdns.org doesn’t take me to the NPM page.

neofusion · October 12, 2025, 1:15pm

I don’t recommend you do this in Dragonfish 24.04, because the moment you decide to update you will need to redo almost all TrueNAS configuration due to the swap from K3s to Docker that happened in 24.10.

Hopefully you’re using host paths at least, that should make it somewhat easier to reuse the in-app configuration files.

Also, a reverse proxy is not a substitute for using a VPN. Be very careful with regarding what services you expose directly to the outside network.

dreamzboy · October 13, 2025, 6:47pm

Yes. All of my apps are using host paths. I understand that VPN or even Twingate is certainly superior but I don’t think all devices support VPN or Twingate clients if I want to play content from Jellyfin. A reverse proxy is certainly a bit more secure than port forwarding.

swc-phil · October 13, 2025, 7:03pm

What URL do you access? What URL does the certificate have?

I guess the reason is you forwarded 80 to 30021 and 443 to 30022, and there is no forwarding for 30020 (that is used by NPM). Frankly speaking, I don’t think that putting the NPM dashboard to public is a good idea.

Also, why do you want to use duckdns if you own a “proper” domain?

dreamzboy · October 18, 2025, 4:52pm

Thank you for assisting. I’ve finally fixed the issue.

As @swc-phil mentioned, I didn’t need DuckDNS if I already have my own domain name. I didn’t really understand how DNS work. Here’s what I’ve done:

I created 4 records in Cloudfare like so.

Type	Name	Content	Proxy Status
A	maindomain.me	Public IP Address	Proxied
CNAME	*	maindomain.me	Proxied
A	jellyfin	Public IP Address	DNS Only
A	nextcloud	Public IP Address	DNS Only

Fixed the DNS in my Ubiquiti Router.

Domain Name	Type	IP
npm.maindomain.me	A	192.168.100.10
jellyfin.maindomain.me	CNAME	npm.maindomain.me
nextcloud.maindomain.me	CNAME	npm.maindomain.me

NPM SSL Certificate

Added domain maindomain.me and *.maindomain.me
Used Cloudfare DNS Challenge
Inserted the DNS token from Cloudfare

Proxy Hosts:
To determine whether the application is using HTTP or HTTPS, launch it from Truenas, copy the URL, and port into NPM.

Source	Destination
npm.maindomain.me	http://192.168.10.100:30020
jellyfin.maindomain.me	http://192.168.10.100:30013
nextcloud.maindomain.me	http://192.168.10.100:9001

The last step I did was to completely empty the host volume that I created for NPM and start fresh. The residue data inside those folders caused NPM to fail.