Tailscale Serve
What is Tailscale?
Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.
Using Tailscale Serve as a Reverse Proxy for autobrr
Tailscale Serve1 can be used as a reverse proxy for autobrr, providing a secure and easy way to access your autobrr instance from anywhere in your Tailnet2. This setup also includes automatic HTTPS certification for your subdomain.
Prerequisites
Before setting up Tailscale Serve for autobrr, ensure that:
- You have a Tailscale account
- HTTPS is enabled for your Tailnet in the Tailscale admin console.
- MagicDNS3 is enabled in your Tailnet settings. This allows you to use custom subdomains.
Docker Compose Setup
Here's an example Docker Compose configuration that sets up autobrr as a Tailscale node in your Tailnet with its own LetsEncrypt4 certified subdomain:
services:
autobrr:
container_name: autobrr
image: ghcr.io/autobrr/autobrr:latest
restart: unless-stopped
user: 1000:1000
environment:
- TZ=${TZ}
volumes:
- ${BASE_DOCKER_DATA_PATH}/autobrr/config:/config
network_mode: service:autobrr-ts
depends_on:
- autobrr-ts
autobrr-ts:
image: tailscale/tailscale:latest
container_name: autobrr-ts
hostname: autobrr
environment:
- TS_AUTHKEY=${TS_AUTHKEY}
- TS_EXTRA_ARGS=${TS_EXTRA_ARGS}
- TS_STATE_DIR=${TS_STATE_DIR}
- TS_SERVE_CONFIG=/config/autobrr.json
- TZ=${TZ}
volumes:
- tailscale-data-autobrr:/var/lib/tailscale
- /dev/net/tun:/dev/net/tun
- ${BASE_DOCKER_DATA_PATH}/config:/config
cap_add:
- net_admin
- sys_module
restart: unless-stopped
volumes:
tailscale-data-autobrr:
driver: local
Setting Up
- Create a
config/autobrr.jsonfile in your project directory with the Tailscale Serve configuration for autobrr
{
"TCP": {
"443": {
"HTTPS": true
}
},
"Web": {
"${TS_CERT_DOMAIN}:443": {
"Handlers": {
"/": {
"Proxy": "http://127.0.0.1:7474"
}
}
}
},
"AllowFunnel": {
"${TS_CERT_DOMAIN}:443": false
}
}
There is no need to set environment variable for TS_CERT_DOMAIN. It pulls that directly from your account.
-
Generate a Tailscale auth key
- Go to the Tailscale Admin Console
- Click on "Generate auth key"
-
Set up the required environment variables in a
.envfile
BASE_DOCKER_DATA_PATH=/path/to/your/docker/data
TZ=UTC
TS_AUTHKEY=tskey-auth-adKJA23Skjhad-ASDoiqQoas1dQWda41sohi
TS_EXTRA_ARGS=--advertise-tags=tag:container --reset
TS_STATE_DIR=/var/lib/tailscale
- Run
docker compose up -dto start the services
Once running, your autobrr instance will be accessible through your Tailnet using the configured subdomain with HTTPS enabled.
You need to approve this node before it can be accessed. You can do so in your Admin Console here: https://login.tailscale.com/admin/machines
Benefits
- Secure access to your autobrr instance from anywhere in your Tailnet
- Automatic HTTPS certification for your subdomain
- No need for port forwarding or complex firewall rules
Tips
Expose to the Wide Internet
If you want to expose your autobrr instance to be available outside your Tailnet, you need to:
-
Set
AllowFunnel: truein/config/autobrr.json:"AllowFunnel": {
"${TS_CERT_DOMAIN}:443": true
} -
Add this to your policy in your Access Controls:
"nodeAttrs": [
{"target": ["tag:container"], "attr": ["funnel"]},
],
Ensure you have a strong and unique password for autobrr when doing this. Funnel is only needed if you want access to autobrr from a device that is not connected to your Tailnet.
Troubleshooting
If you encounter issues:
- Check the Tailscale logs:
docker logs autobrr-ts - Verify that MagicDNS and HTTPS are enabled in your Tailnet settings
- Ensure the
TS_AUTHKEYis valid and has not expired
A great video by Alex Kretzschmar talking about Tailscale in Docker:
Conclusion
Using Tailscale Serve as a reverse proxy for autobrr provides a secure and convenient way to access your instance from anywhere. It simplifies the setup process and provides automatic HTTPS certification.
Footnotes
-
Read more about Tailscale Serve in the official docs: https://tailscale.com/kb/1242/tailscale-serve ↩
-
A Tailnet is your private network created by Tailscale, encompassing all your devices and users. ↩
-
MagicDNS is a Tailscale feature that automatically gives DNS names to the devices on your network, making them easier to access. ↩
-
Let's Encrypt is a free, automated, and open Certificate Authority providing trusted certificates for HTTPS encryption. ↩