Since I’ve got my experimentation nodes and self-hosting workstations hooked up to my home network, I can log into them whenever I want to work on a DIY project. However, accessing my home lab setup becomes rather troublesome whenever I need to travel for extended periods of time. While it’s not technically self-hosted, Tailscale is my preferred utility for tinkering with my servers when I’m away from home.
That said, there’s a tiny issue with this setup: although I can access my workstations via Tailscale, I can’t let my friends and family into my home network without giving away my account credentials – and that’s something I absolutely refuse to do. Luckily for me, Tailscale Funnels offer an easy way to solve this issue – all without forcing me to pay a dime!
What are Tailscale Funnels?
And how do they differ from dynamic DNS
When you’re trying to expose local services to external networks, VPNs (self-hosted or otherwise) are the most frequently used utility, and a Tailscale connection operates similarly. What it does is essentially connect your devices in a P2P mesh network using Tailscale servers, allowing any device linked to your account to access your home lab paraphernalia. Tailscale Funnels, on the other hand, grant a URL to your self-hosted arsenal and allow any device on the Internet to access your setup, not just the systems signed in to your Tailscale network.
Then there’s dynamic DNS, which allocates a static domain name to the IP address of your home lab setup. It’s also responsible for updating the public IP addresses of your services, which can change rather frequently, making it a handy utility for folks looking to expose their self-hosted applications to multiple users on external networks. Me? I prefer Tailscale Funnels all the way.
What’s the point of using Tailscale Funnels?
Easier to set up on CGNAT-afflicted networks
One of my biggest complaints about my current ISP is that it locks my network behind a CGNAT. For the uninitiated, Carrier-Grade Network Address Translation is a “facility” that shares the same public IPv4 address between multiple customers, rather than assigning every client its own IP. Unfortunately, this makes it much harder to expose my services to external networks via a self-hosted VPN, as I lack a unique public IP address that can route traffic to and from my home lab.
Meanwhile, Tailscale Funnels use the company’s relay servers as intermediaries. Once a user tries to access the URL associated with my local workstations, the traffic is routed via Tailscale’s relay servers, which then forward the packets to my nodes.
No complex port forwarding or reverse proxy shenanigans, either
In contrast, dynamic DNS requires me to open certain ports on my router, and since my home network has the curse of CGNAT, doing so is borderline impossible. And even if I could enable port forwarding, I probably wouldn’t, as I’d have to put a lot of effort into setting up self-signed certificates as well as securing the reverse proxy service. I’d also have the headache of dealing with a domain registrar – all of which seems too cumbersome when I simply want to share my Nextcloud files with a coding buddy.
Now, don’t get me wrong: Tailscale Funnels have their own security vulnerabilities, though they are a lot safer than a port-forwarded setup created by a novice. For one, the traffic between the device accessing the public URL and my local services stays encrypted in transit, with Tailscale’s relay acting as a TCP proxy that passes the encrypted stream along. On top of that, the TCP proxy hides my self-hosted app’s IP address from visitors, and I can further bolster the security of my “exposed” app by creating distinct users with hardened ACL rules.
Deploying a Tailscale Funnel
A piece of cake, really
Unlike most network-related applications, Tailscale is extremely easy to set up – and the same can be said about its Funnels. Since I’ve already got Tailscale up and running on my virtual machines, I can simply run the tailscale funnel command followed by the port number I wish to expose.
Soon, Tailscale displays a web UI to enable the Funnel, and that’s pretty much it. The rest of the process – including generating the HTTPS certificates, connecting to the relays, or configuring the DNS records – is handled by Tailscale.
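As an added example (not from the original post), here is a small wrapper around the steps above that refuses ports Funnel doesn’t accept, publishes a local service in the background, and then prints the Funnel status so the public URL can be checked. It assumes the tailscale CLI is installed and that the tailnet policy grants this node the funnel attribute; the port numbers in the usage call are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Publishes a local HTTP service
# through Tailscale Funnel and confirms the result with "tailscale funnel status".
# Assumptions: the tailscale CLI is installed and the tailnet policy allows
# Funnel on this node; local port numbers below are constructed for illustration.

# Funnel only accepts these public ports (see the limitations section).
FUNNEL_PORTS="443 8443 10000"

# Return 0 when $1 is a port Funnel will listen on, 1 otherwise.
funnel_port_ok() {
  for p in $FUNNEL_PORTS; do
    [ "$1" = "$p" ] && return 0
  done
  return 1
}

# Print the command that publishes local port $2 on public HTTPS port $1.
# --bg keeps the Funnel running after this shell exits.
funnel_cmd() {
  funnel_port_ok "$1" || return 1
  printf 'tailscale funnel --bg --https=%s localhost:%s\n' "$1" "$2"
}

# Validate, publish, then show the public URL and what it points at.
expose_service() {
  public_port="$1"
  local_port="$2"
  cmd=$(funnel_cmd "$public_port" "$local_port") || {
    echo "port $public_port is not one Funnel accepts ($FUNNEL_PORTS)" >&2
    return 1
  }
  command -v tailscale >/dev/null 2>&1 || {
    echo "tailscale CLI not found" >&2
    return 2
  }
  $cmd || return 3
  # Shows the https://<node>.<tailnet>.ts.net URL and the local target.
  tailscale funnel status
}

# Usage (constructed values): expose a Nextcloud instance on local port 8080
# via public port 443. Uncomment to run on a real node.
# expose_service 443 8080
```

Run `tailscale funnel reset` afterwards to take the service offline again.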
Tailscale Funnels still have some limitations
But in Tailscale’s defense, Funnels are a beta feature
Sadly, Tailscale Funnels aren’t the be-all-and-end-all method for exposing self-hosted applications, as they have their own annoying quirks. For example, Tailscale Funnels can only listen on a limited set of network ports, namely 443, 8443, and 10000. Likewise, they can only use the DNS names in my Tailnet, so I can’t pick a goofy custom URL for my home lab setup.
But for a service still in beta, Tailscale Funnels are surprisingly robust. So much so, in fact, that they’re my preferred way to share my self-hosted app stack with my friends and family.
