<aside> ✅
This post discusses my setup, which lets me access my Traefik HTTPS-upgraded services over the Tailscale mesh as if I were at home. To achieve this, I use Tailscale’s “subnet router” feature and a DNS record at Cloudflare that points to a private IP. Traefik hosts and Homepage entries are propagated via Docker labels.
</aside>
Revision: 20250323-0 (init: 20250323)
Detailing my setup during a recent conversation (https://www.reddit.com/r/selfhosted/comments/1imobmz/comment/mcabxlu/) made me realize it would be good to discuss it further…
This post is not a complete guide; it relies on a few previous posts for more in-depth instructions.
This setup relies on Tailscale. I have been a user of Tailscale since 2021. Over the years, I have recommended it to a few dozen friends :) I published a post on GitHub about "localhost-only Linux Desktop in a container on Unraid accessed over a non-root ssh tunnel and adding Tailscale to add a Zero Conf VPN over Wireguard", which was shared on Tailscale's blog in March 2022, and I have been a "Friend of Tailscale" for a while. Since then, my home lab setup has grown significantly, and Tailscale is still the easiest way to get back into my lab when traveling.
If you are curious about the tool, check their "Why Tailscale".
The tl;dr of this post can be described in the following image, for which we have discussed every component in previous posts.
If you are looking for further details on the different components of this diagram, refer to the individual posts with setup instructions:
- “Traefik Proxy” includes a description of the setup using a wildcard for the domain (`*.example.com`) with Cloudflare as the `dnsChallenge` provider and `traefik-kop` (with the `redis` provider) to add HTTPS URLs configured on remote systems to Traefik dynamically.
- “UNRAID Installation” has a Tailscale entry (in the Plugins section).
- “Post-Steps: Ubuntu 24.04 Desktop” has a section detailing the installation of Tailscale on an Ubuntu system.
- “Setting up NVIDIA docker & podman (Ubuntu 24.04)” explains how to configure the NVIDIA container runtime.
- “Dockge” details the setup for supporting `docker compose` stacks, including the `ComfyUI-NVIDIA-Docker` stack.
- “HomePage: Services Dashboard” describes the dashboard that dynamically displays the added services.
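As an added illustration (not the configuration from the original posts), here is a minimal Traefik static configuration matching the setup described above: a Cloudflare `dnsChallenge` resolver requesting a single `*.example.com` wildcard certificate, the Docker provider for local labels, and the Redis provider that traefik-kop feeds. The Redis address, ACME e-mail and file paths are assumptions; the Cloudflare API token is supplied through the `CF_DNS_API_TOKEN` environment variable, never in the file.

```yaml
# Added example (not the author's file): Traefik v3 static configuration
# for one *.example.com wildcard certificate plus dynamic service discovery.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # plain HTTP is only ever redirected to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: cloudflare
        domains:               # one wildcard certificate, not one per service
          - main: "example.com"
            sans:
              - "*.example.com"

providers:
  docker:                      # services running next to Traefik (Unraid host)
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false    # only containers with traefik.enable=true get routed
  redis:                       # routers/services pushed by traefik-kop from remote hosts
    endpoints:
      - "10.20.30.40:6379"     # assumption: redis runs on the Unraid host
    rootKey: "traefik"

certificatesResolvers:
  cloudflare:
    acme:
      email: "admin@example.com"          # assumption
      storage: "/letsencrypt/acme.json"   # assumption: a persisted volume
      dnsChallenge:
        provider: cloudflare              # API token read from CF_DNS_API_TOKEN
        resolvers:                        # public resolvers, so the TXT challenge
          - "1.1.1.1:53"                  # check is not confused by local DNS
          - "1.0.0.1:53"
```

Because the DNS challenge never needs port 80 or 443 reachable from the internet, the certificate can be issued even though `*.example.com` resolves to a private address.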
For a primer, see "How Tailscale works".
Mesh networking is a network topology where devices (nodes) connect directly to each other, forming a decentralized network structure without relying on a central hub. This allows for multiple data transmission paths, increased reliability, and self-healing capabilities, as nodes can route traffic through alternate paths if one connection fails. Tailscale creates a peer-to-peer mesh network (called a tailnet) rather than routing all traffic through a central server. Tailscale uses NAT traversal techniques such as hole punching to establish direct connections between devices, even when they sit behind firewalls or NATs.
A Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a public network. It allows users to send and receive data as if they were directly connected to the private network it connects to.
WireGuard is a modern VPN protocol known for its simplicity, speed, and robust security. It leverages state-of-the-art cryptography, such as ChaCha20 for encryption and Poly1305 for authentication, making it highly efficient and secure. Its strengths include direct Linux kernel integration, fast performance, and low latency due to its operation over UDP.
Tailscale is a mesh VPN that allows devices to connect securely and directly to each other using a combination of direct and relayed connections. It leverages the WireGuard protocol for encryption and Designated Encrypted Relay for Packets (DERP) servers for situations where direct connections are impossible (”these fill the same role as TURN servers in the ICE standard, except they use HTTPS streams and WireGuard keys”). Tailscale uses DERP servers as relay points when direct connections between devices cannot be established. These servers are crucial for maintaining connectivity on networks that block direct UDP traffic or have strict firewalls; because the relay only forwards already WireGuard-encrypted packets, it cannot read the traffic it carries.
Tailscale uses existing identity providers (like Google, Microsoft, GitHub,...) for authentication, eliminating the need for separate credentials. Its MagicDNS feature allows devices to be addressed by name rather than IP address within the tailnet.
Tailscale's traffic routing is designed to be efficient and scalable. It uses a hybrid model with a centralized control plane for key management and policy enforcement. In contrast, the data plane operates in a mesh topology, allowing devices to communicate directly with each other whenever possible.
Tailscale's Regional Routing feature helps scale traffic globally by directing clients to the nearest available infrastructure, ensuring low latency and high availability.
Tailscale keeps adding features that make it very friendly for the home lab enthusiast. It was recently featured as integrated with the latest stable release of Unraid (7.0); see https://unraid.net/tailscale for more details.
For this post, let me introduce two more features:
In this setup, when we are at an alternate location and want to connect to a service within our home lab, we rely on the tailnet's NAT traversal to reach the subnet router, which in turn gives us access to the reverse proxy that is configured to route the calling client to the destination URL.
For this to function:
- The Unraid server at `10.20.30.40` acts as a Tailscale subnet router, giving tailnet clients access to the `10.20.30.0/24` subnet.
- The `example.com` domain: here, Traefik is configured to answer the `*.example.com` subdomains. Because we prefer auto-discovery of new services, the `providers:` section recognizes local docker labels and `traefik-kop`-provided `redis` entries. We have configured Traefik to handle all requests to subdomains within the primary domain with a wildcard certificate: the Let's Encrypt ledger contains a single `*.example.com` certificate, not one per service. Using the docker labels, it is possible to propagate the Traefik and Homepage configurations to the services and limit the use of static configuration files in favor of dynamic configurations.
- For `example.com`, we have an `A` entry in Cloudflare that resolves every `*.example.com` DNS name to the `10.20.30.40` private IP of our Traefik service (bound on the Unraid host).
Following the earlier picture:
1. When the laptop requests `https://comfy.example.com/`, the local DNS client tries to find out who controls the `example.com` domain. This will query Cloudflare. Unless a more specific entry exists within the DNS table, the DNS resolution will return the value `10.20.30.40`. This value is a private IP that cannot be reached unless you are within the LAN.
2. Because the laptop is authenticated within the user's tailnet and the Unraid server acts as a subnet router for the `10.20.30.0/24` subnet, the laptop can communicate over WireGuard with the Unraid server at IP `10.20.30.40`.
3. The request was for an HTTPS service; as such, it goes to `10.20.30.40:443`, and Traefik on the Unraid server handles that request.
4. The Ubuntu box at `10.20.30.50` runs Dockge and has started the `ComfyUI-NVIDIA-Docker` stack with both the Homepage and Traefik labels configured (they are propagated to the Traefik server by `traefik-kop` through Traefik's Redis provider).
5. Since the requested URL exists, Traefik answers the connection over HTTPS and forwards the request to the ComfyUI service on the Ubuntu box, on the port used by that service.
6. Because of this, the connection to the `https://comfy.example.com` service on the Ubuntu server (at `10.20.30.50`) within the LAN is possible, and the HTTPS-encrypted content travels inside the already encrypted WireGuard tunnel.
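The Ubuntu-box side of the walkthrough, as an added example rather than the author's actual Dockge stack: a compose file carrying the Traefik and Homepage labels on the ComfyUI service, plus the traefik-kop container that publishes those labels into Redis for Traefik on the Unraid host. The image name, the port 8188, the Homepage group/icon values and the traefik-kop environment variables are assumptions to check against the respective projects' documentation.

```yaml
# Added example (not the author's stack): compose file on the Ubuntu box at
# 10.20.30.50. The labels describe the service; traefik-kop pushes them to
# Redis, where Traefik's redis provider on the Unraid host picks them up.
services:
  comfyui:
    image: "comfyui-nvidia-docker:latest"   # assumption: locally built image
    restart: unless-stopped
    ports:
      - "8188:8188"                         # assumption: ComfyUI default port
    labels:
      # Traefik router: only comfy.example.com, only on the HTTPS entrypoint
      - "traefik.enable=true"
      - "traefik.http.routers.comfy.rule=Host(`comfy.example.com`)"
      - "traefik.http.routers.comfy.entrypoints=websecure"
      - "traefik.http.routers.comfy.tls=true"
      # traefik-kop publishes the backend as http://<BIND_IP>:<published port>
      - "traefik.http.services.comfy.loadbalancer.server.port=8188"
      # Homepage dashboard entry, discovered from the same label set
      - "homepage.group=AI"
      - "homepage.name=ComfyUI"
      - "homepage.icon=comfyui.png"
      - "homepage.href=https://comfy.example.com/"
      - "homepage.description=ComfyUI on the NVIDIA box"

  traefik-kop:
    image: "ghcr.io/jittering/traefik-kop:latest"
    restart: unless-stopped
    volumes:
      # Docker socket access is equivalent to root on this host; only a
      # trusted image should get it, and :ro limits the mount, not the API.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    environment:
      - "REDIS_ADDR=10.20.30.40:6379"   # assumption: redis on the Unraid host
      - "BIND_IP=10.20.30.50"           # LAN IP Traefik uses to reach this box
```

Nothing in this file is exposed to the internet: the backend port is reachable only on the LAN and, through the subnet router, the tailnet, while the HTTPS name is served by Traefik on the Unraid host.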