Remotely accessing Home Assistant with Tailscale Funnel (2024)

What’s in a name? In Tailscale’s case, everything.

Currently in Alpha status, Tailscale’s new “funnel” feature is very similar to other projects that aim to provide global access to internally-run services in a secure manner, like Cloudflared. It’s exactly what you might assume it is: it funnels traffic from the Internet to your service running on a host that has Tailscale installed. Like everything Tailscale creates, it has a liberal sprinkling of magic dust that makes it very powerful, secure, and yet easy to implement.

Funnels can be used to proxy any type of TCP traffic to a tailnet node. This specific guide describes how you can use it with Home Assistant, a home automation platform. These instructions are identical for most other services following a similar pattern.

You’ll need to be invited to the alpha release so you can create funnels. Read and click the link at the bottom of Tailscale’s blog announcing the release.

Once you’re invited to the alpha, you can set up the Tailscale side of the funnel by following these steps:

  1. Upgrade the Tailscale software on your Home Assistant machine to v1.33.257 or later.

  2. Turn on HTTPS certificates in your Tailscale admin page if it’s not already enabled.

  3. Open the Tailscale ACL editor and add a new policy allowing for the use of funnel. Because I am the only user of my tailnet, I’m allowing myself the ability to funnel. If you have multiple users, you can group them here and allow only specific users this capability. Here’s my configuration (which is effectively the same as in the docs):

"Groups": {
  "group:can-funnel": ["me@domain.com",],
},
"nodeAttrs": [
  {
    "target": ["group:can-funnel"],
    "attr": ["funnel"],
  },
],

  4. On the Home Assistant node, where Tailscale has already been upgraded to v1.33.257 or later, run:

# tailscale serve funnel on

  5. Tell Tailscale to proxy traffic to the Home Assistant port:

# tailscale serve / proxy 8123
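
To review who ends up with the funnel capability once groups are involved (step 3), the following added example expands each nodeAttrs target that grants funnel and flags wildcard targets. It is not from the original post or from Tailscale; the function names and the over-broad policy are constructed, the page's fragment is assumed to be wrapped in braces, and only trailing commas (not comments) are handled.

```python
import json
import re

# The page's policy fragment wrapped in braces (assumption), and a
# constructed over-broad variant for comparison.
PAGE_POLICY = """{
  "Groups": {"group:can-funnel": ["me@domain.com",],},
  "nodeAttrs": [{"target": ["group:can-funnel"], "attr": ["funnel"],},],
}"""
BROAD_POLICY = """{
  "nodeAttrs": [{"target": ["*"], "attr": ["funnel"]}],
}"""


def load_policy(text):
    """Parse a policy that uses trailing commas; comments are not handled."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))


def funnel_principals(policy):
    """Expand every nodeAttrs target that grants "funnel" into its members."""
    groups = policy.get("Groups", policy.get("groups", {}))
    allowed = set()
    for rule in policy.get("nodeAttrs", []):
        if "funnel" not in rule.get("attr", []):
            continue
        for target in rule.get("target", []):
            if target.startswith("group:"):
                allowed.update(groups.get(target, []))  # undefined group adds nobody
            else:
                allowed.add(target)  # user, tag or wildcard used directly
    return sorted(allowed)


def too_broad(principals):
    """Targets that hand funnel to more than a named user, group or tag."""
    return [p for p in principals if p == "*" or p.startswith("autogroup:")]


if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        who = funnel_principals(load_policy(text))
        print(f"{name}: can funnel = {who}, review = {too_broad(who)}")
```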

If you are terminating TLS on your Home Assistant instance itself, and wish to continue that pattern, use the TCP forwarding option instead, which by default does not terminate TLS:

# tailscale serve tcp 8123

…but do know that you must access the Tailscale funnel using your tailnet DNS, so you’ll have a certificate mismatch unless you pull the Tailscale certificate using tailscale cert <domain>.

At this point, the Tailscale configuration is complete. Tailscale’s systems will create a public-facing DNS entry for your tailnet host. You can see what your tailnet name is, and customize the subdomain, on the DNS page within the admin portal. You can verify this by checking for resolution on a public DNS server, like this:

$ host host.clever-name.ts.net
host.clever-name.ts.net has address 100.x.x.x
$ host host.clever-name.ts.net 9.9.9.9
Using domain server:
Name: 9.9.9.9
Address: 9.9.9.9#53
Aliases:
host.clever-name.ts.net has address 209.177.145.137
host.clever-name.ts.net has IPv6 address 2607:f740:f::684

Notice that your internal tailnet will still resolve the hostname to its Tailscale address, but now you have an externally-available host (a proxy) that Tailscale operates, handling traffic for your host. In my case, it took a few minutes for the public DNS entry to populate, so have patience.

The final step is to tell Home Assistant that you’ll be using a proxy. Because Tailscale will handle TLS termination, you do not need to pull certificates from Tailscale or change any settings that will impact existing Home Assistant UI functionality.

  1. Edit your Home Assistant configuration.yaml and add (or edit) an http: block as shown. There are many options for the http: configuration, but only two entries are required to make this work:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

This tells Home Assistant to accept connections proxied from localhost, which is what you’re doing: connections arrive at Tailscale via their funnel nodes, and are proxied between Tailscale and Home Assistant.

  2. Restart Home Assistant.
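
A simplified model of the trust decision behind use_x_forwarded_for and trusted_proxies, added here as an illustration: the header is honoured only when the connecting peer is a listed proxy, and the client is the rightmost hop that is not itself a trusted proxy. This is not Home Assistant's code; resolve_client, the over-broad list and all sample addresses are constructed.

```python
from ipaddress import ip_address, ip_network


def resolve_client(peer, xff, trusted_proxies):
    """Return (client_ip, header_honoured) for one request.

    peer: address of the TCP connection; xff: raw X-Forwarded-For value or None.
    """
    trusted = [ip_network(net) for net in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer_ip = ip_address(peer)
    # Only a trusted proxy may speak for someone else.
    if not xff or not is_trusted(peer_ip):
        return str(peer_ip), False
    try:
        hops = [ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return str(peer_ip), False  # malformed header: fall back to the peer
    # Walk right to left: the first hop that is not a trusted proxy is the
    # client (assumes each proxy appends the address it actually saw).
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop), True
    return str(hops[0]), True  # every hop was a trusted proxy


# Constructed requests (documentation and private addresses only).
NARROW = ["127.0.0.1"]                    # the setting used on this page
BROAD = ["127.0.0.1", "192.168.1.0/24"]   # hypothetical over-broad setting

CASES = {
    "via local proxy": resolve_client("127.0.0.1", "203.0.113.7", NARROW),
    "client-sent prefix": resolve_client("127.0.0.1", "10.9.9.9, 203.0.113.7", NARROW),
    "LAN host, narrow trust": resolve_client("192.168.1.50", "198.51.100.9", NARROW),
    "LAN host, broad trust": resolve_client("192.168.1.50", "198.51.100.9", BROAD),
}

if __name__ == "__main__":
    for name, (ip, honoured) in CASES.items():
        print(f"{name:24} -> {ip:15} header honoured: {honoured}")
```

The last case shows why the list stays as narrow as 127.0.0.1: once a whole LAN range is trusted, any host in that range can choose the client address the model reports.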

Now that you’ve configured Home Assistant to accept proxied traffic, and Tailscale to funnel Internet traffic to your tailnet host down to your Home Assistant instance, you can access its UI remotely by accessing https://host.clever-name.ts.net/ from anywhere on the Internet.

It goes without saying that you should take great care exposing any service to the Internet, especially home automation products. The pattern of having a public-access URL is handy especially for mobile Home Assistant apps that can be configured to use different URLs based on WiFi network, and is how the official Nabu Casa external-access feature works.

If you currently use Nabu Casa’s remote UI access, you can leave it enabled or disable it: nothing in this guide changes how that access functions, and it can be used in parallel if you desire.

Finally, an appeal: if you end up using this method to access your Home Assistant instance, consider subscribing to Nabu Casa anyway. It’s cheap and helps support open-source software development. Plus, if you ever decide you don’t want to use Tailscale’s solution you’ll have a fall-back method for external access.

Article information

Author: Prof. Nancy Dach
