NGINX: Secure global access with Tailscale

Rahul Rao
Aug 28, 2023

In previous guides we configured NGINX Proxy Manager and NGINX proxy hosts to provide clean URLs with HTTPS for all our services. We also set up Tailscale to access these services from the outside world. It’s almost perfect; there’s only one problem. We can only use the clean URLs and HTTPS certificates when we access our services from our home network. If we try accessing them over Tailscale with the custom domains, there is an error and the service cannot be accessed. Adding a new service is also tedious. You need to install Tailscale on each individual LXC or VM you want to access, which makes things harder when, for example, you want to share 4 services with your non-techie friends without having to send out 4 Tailscale invites.

Today, we will fix that! So you can have elegant, clean URLs served with HTTPS, securely accessible from anywhere in the world with your own VPN network. Adding new services will also be a breeze. NGINX will become our one central dashboard for accessing all our services.

You probably see where I’m going with this. But, here’s a diagram to clarify what we are going to set up:

Path in red is an example of how you would get to your Minecraft server with a custom URL

Let’s begin!

Requirements:

  • Proxmox fully installed and configured, with access to the GUI
  • A Tailscale account
  • Tailscale installed on your laptop (or computer you will be using to access these remote services).
  • Basic knowledge of the terminal (opening, saving files etc.)
  • Basic Proxmox container knowledge (downloading LXC templates, setting up containers etc)

Setting up NGINX and obtaining certificates:

Follow this guide to set up NGINX on Alpine Linux and this guide to obtain certificates for all your services. Once done, come back here and continue with the Tailscale installation.

Setting up Tailscale:

In this guide we covered setting up Tailscale on Debian Linux. It will also work on Ubuntu. Our NGINX Proxy Manager is running on Alpine, however, and the installation process is slightly different because of how Alpine manages packages.

Access to /dev/net/tun:

Tailscale needs access to /dev/net/tun. By default this is not allowed for containers on Proxmox, so we will configure that first.

Note the container ID in the GUI, then on the Proxmox host open the LXC configuration file with nano /etc/pve/lxc/xxx.conf (where xxx is the container ID). Then add the following lines at the bottom of the configuration file:

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Save, exit and reboot the container.
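Before rebooting, the two lines can be checked mechanically on the Proxmox host. The script below is an added example, not part of the original guide; the function names and the sample config are constructed for illustration, and it assumes the lines are written exactly in the form shown above.

```shell
#!/bin/sh
# Added example: verify the TUN passthrough lines in a Proxmox LXC config.

# check_tun_conf FILE: status 0 if both lines from this guide are present.
check_tun_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Keep only the current config: stop at the first "[section]" header
    # (Proxmox stores snapshot copies of the config in such sections).
    main=$(awk '/^\[/ { exit } { print }' "$conf")
    sp='[[:space:]]'
    # c 10:200 is the character device /dev/net/tun.
    if ! printf '%s\n' "$main" | grep -Eq \
        "^lxc\.cgroup2\.devices\.allow[:=]$sp*c$sp+10:200$sp+rwm$sp*\$"; then
        echo "missing: lxc.cgroup2.devices.allow: c 10:200 rwm"; rc=1
    fi
    # Bind mount of the host's /dev/net into the container (target is relative).
    if ! printf '%s\n' "$main" | grep -Eq \
        "^lxc\.mount\.entry[:=]$sp*/dev/net$sp+dev/net$sp+none$sp+bind,create=dir$sp*\$"; then
        echo "missing: lxc.mount.entry: /dev/net dev/net none bind,create=dir"; rc=1
    fi
    # The older cgroup v1 key is a different setting from the one used here.
    if printf '%s\n' "$main" | grep -Eq "^lxc\.cgroup\.devices\.allow[:=]"; then
        echo "note: found lxc.cgroup.devices.allow (cgroup v1 key, not cgroup2)"
    fi
    return $rc
}

# Constructed sample config (hypothetical container), written to a temp file.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
arch: amd64
hostname: nginx
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
EOF
    echo "$f"
}

f=$(demo_conf); check_tun_conf "$f" && echo "TUN passthrough lines present"; rm -f "$f"
```

On a real host, call check_tun_conf with the path of the container's own configuration file instead of the sample.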

Add community repository:

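First install nano (or any other text editor of your choice):

apk add nano

Then open the repositories file with nano /etc/apk/repositories and add the following line at the bottom. The @edge_community tag means apk uses this repository only for packages you install with that tag, so the rest of the system stays on the repositories it already uses.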

@edge_community https://dl-cdn.alpinelinux.org/alpine/edge/community

Save the file and run apk update.

Install Tailscale from community repository

apk add tailscale@edge_community

Configure it to run automatically on startup

rc-update add tailscale
rc-service tailscale start

Start Tailscale

tailscale up

You should be greeted with an authentication link, which you can copy and paste into your browser to add the NGINX node to your Tailscale network (a.k.a. Tailnet). Now the hard part is done and there is just one more step to go!

Linking Tailscale to NGINX:

Here is where the magic happens, and it is really simple. Go to the Tailscale admin panel and note down the Tailscale-provided IP address of your NGINX server.

Remember how we added a DNS entry to DuckDNS to get our HTTPS certificates? Well, all we need to do now is change that DNS entry from the IP address of our server to the Tailscale-provided IP address. And voila!

Pull out your laptop and make sure you are connected to your Tailscale network. Enter the URL of one of your services and it should pop up! That’s it! No port forwarding, DDNS updating or any of that required. Only you and the people you share your node with can access it over the internet.
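To confirm the DNS change took effect, check that the record now holds the node's Tailscale address rather than a LAN address. The script below is an added example, not part of the original guide; the function names and sample addresses are constructed, and it relies on Tailscale assigning node IPv4 addresses from 100.64.0.0/10.

```shell
#!/bin/sh
# Added example. Tailscale assigns node IPv4 addresses from 100.64.0.0/10.

# classify_ip ADDR: prints tailnet | private | other, or "invalid" (status 1).
classify_ip() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        { [ ${#o} -le 3 ] && [ "$o" -le 255 ]; } || { echo invalid; return 1; }
    done
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo tailnet                # 100.64.0.0/10
    elif [ "$1" -eq 10 ] ||
         { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
         { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private                # RFC 1918 home/LAN ranges
    else
        echo other                  # public or special-purpose address
    fi
}

# verify_record RESOLVED NODE_IP: status 0 only if the DNS answer is the
# NGINX node's own tailnet address.
verify_record() {
    resolved=$1; node_ip=$2
    kind=$(classify_ip "$resolved") || { echo "FAIL: '$resolved' is not an IPv4 address"; return 1; }
    case $kind in
        tailnet)
            [ "$resolved" = "$node_ip" ] && { echo "OK: record is this node's tailnet address"; return 0; }
            echo "FAIL: tailnet address, but not this node ($node_ip)"; return 1 ;;
        private) echo "FAIL: record still points at a LAN address (works only at home)"; return 1 ;;
        *)       echo "FAIL: record points outside the tailnet range"; return 1 ;;
    esac
}

# Constructed sample values. On the NGINX container the real inputs would be
#   verify_record "<address your domain resolves to>" "$(tailscale ip -4)"
verify_record 100.101.102.103 100.101.102.103
verify_record 192.168.1.50 100.101.102.103 || true
```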

Adding a service:

Adding a service is as simple as configuring a new NGINX proxy host as seen in the guide here. Once done, it will automatically become accessible over Tailscale.

Sharing a service:

You can share a service with anyone else by giving them an invite link to your NGINX node from the Tailscale admin console.

Credit:

The following sources were helpful to me and may help you with debugging if a problem arises.

Disclaimer:

This is not a guide for setup in production or business environments. Make sure all services you expose are properly secured before exposing them to the internet, even when using a VPN.

I am not an IT professional. I am not tech support. I am a college student with a server. You are ultimately responsible for any commands you run on your system.

If you have any questions, leave a comment. Enjoy!
