So, I'm a somewhat (some might say very) late convert to Tailscale, and the powerful virtual networking arrangements it facilitates. Some of that is because I've been using various traditional VPN providers, and also because, until recently, I hadn't needed to access my home lab remotely, as I didn't have a home lab to access.
Well, the times be a-changing, and now it's not a question of how I get Tailscale installed, but more of "how many of my devices have I missed off?" See, I might mostly understand networking, DNS, and domains, and how they duct-tape themselves together into what appears as the internet. But that doesn't mean I actually enjoy doing it, such as the complex dance of changing settings in multiple places and ensuring every octet is in the right place.
Don't get me wrong, I love the learning, and the feeling of it working after (sometimes) hours of frustration, but I also have other priorities. My home lab won't run itself, and the more time I spend networking, the less time I can do fun experiments. That's where Tailscale comes in, and more specifically, Tailscale Funnel.
This intrinsic part of Tailscale's MagicDNS means I can test self-hosted services from a public URL without setting up the domain records or anything else network-related I would rather not be doing, so I can focus on the service and getting it working. They're fantastic, and the best part is they don't take long to use.
5 They're simple
A one-line command gives me access
I've used a ton of different ways to access my home lab's running services from outside my home network, and most are either VPN solutions that make my device act as if it's at home, reverse proxies to handle passing the data packets through my networking equipment, or a hybrid of the two. Some are complicated to set up, others less so, but they all involve additional steps to get running.
Tailscale Funnel doesn't. Getting Tailscale installed is quick, and setting up a Funnel to expose a self-hosted app is as simple as a single line in a terminal window.
tailscale funnel [port]
That's all it takes to get the service port connected to the external port, an associated DNS record, and a tailnet URL for easy access. It might take a few minutes for DNS records to propagate, but that's as fast as the nameservers can go. No editing YAML files, no syntax or port mapping to remember (or mistype!), just one command that can also use different ports for internal and external if you need them to be that way.
4 They're secure
End-to-end encryption is key
Connecting to my self-hosted apps is easy enough when I'm at home, except for having to deal with self-signed certificates for HTTPS use. However, those self-signed certificates can be an issue when trying to make those apps available outside my house, such as through a properly secured reverse proxy. It's not that it's impossible, but it does require a few more steps to verify the trusted cert, and also some financial outlay.
But as soon as a Tailscale Funnel is initiated, Tailscale gives you a real DNS subdomain, which means you get a certificate provisioned from Tailscale's trust level and therefore automatically trusted by your web browser. It's still a Let's Encrypt self-signed certificate, but you don't have to get your domain, set up a VPS, and point your domain registrar to that to get trusted certificates; it just works. Again, let me reiterate that I hate dealing with the annoyances of DNS, and having something do it all for me seamlessly is near-magical.
When the Funnel URL is used, it sets up a TCP proxy between the associated app and the device on which the URL was clicked. It's fully encrypted and never decrypts the traffic between public devices and your device. The only part of the link that is unencrypted is between the Tailscale server in my home and the app I'm accessing, just as if I was at home.
3 No need for port forwarding
The fewer open ports from my home lab the better
I'm always wary about leaving ports open to the internet, and so should anyone in this day and age. It's all too easy to set up automated IP scans to identify open ports for future probing, and properly securing them is a significant challenge. Even if you can port forward in the first place, ISPs often limit this ability, especially on specific ports (port 25 for SMTP is very commonly blocked). That's why I usually don't bother and use something like Pangolin that uses NAT traversal methods to avoid needing any open ports or firewall configuration.
Tailscale Funnels technically do open a port, but only to your tailnet, and not the publicly scannable internet. With an HTTPS-secured URL to access my apps, I don't have to worry about automated attacks or any number of other issues that having a permanently open port on my firewall could pose. I don't even have to worry about changing DNS records. Plus, I don't have to do port forwarding, which I'm glad about every time I set up a Funnel.
2 Creative use cases
What if you could make one service, many?
Funnels are powerful as a simple reverse proxy, enabling one self-hosted service to be easily used from a shareable URL. You could use multiple Funnels to access everything in your home lab, but there's a more elegant way that was staring me in the face all this time. The funnel command also supports TCP forwarding, and that means you can set it up to forward to Caddy, or any other locally hosted reverse proxy.
The beauty of this is that the usually annoying to secure part of the reverse proxy never leaves your local network, so there's a significantly reduced attack surface. The only ingress comes through a secure Tailscale URL, so having an authentication provider on your reverse proxy locks out anyone you don't want. It also means you can access apps, services, folders, and other resources that might not be on your tailnet, without having to install the Tailnet client on each one.
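An added example, not from the original article or from Tailscale: a small audit that lists every listener with Funnel enabled and the backend it maps to (including a TCP forward to a local reverse proxy such as Caddy), and flags backends where the unencrypted last hop described earlier leaves the machine. It assumes the JSON layout printed by `tailscale serve status --json`; the sample config, hostnames and addresses are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like `tailscale serve status --json` output. The TCP /
# Web / AllowFunnel layout is an assumption: compare with your own client's output.
SAMPLE = json.loads("""
{"TCP": {"443": {"HTTPS": true}, "8443": {"HTTPS": true},
         "10000": {"TCPForward": "127.0.0.1:8080"}},
 "Web": {"lab.example-tailnet.ts.net:443":
           {"Handlers": {"/": {"Proxy": "http://127.0.0.1:3000"}}},
         "lab.example-tailnet.ts.net:8443":
           {"Handlers": {"/": {"Proxy": "http://192.168.1.50:8096"}}}},
 "AllowFunnel": {"lab.example-tailnet.ts.net:443": true,
                 "lab.example-tailnet.ts.net:8443": true,
                 "lab.example-tailnet.ts.net:10000": true}}
""")


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal; other names count as remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_funnel(cfg):
    """Return (listener, path, backend, note) for every Funnel-enabled handler."""
    findings = []
    for listener in sorted(k for k, on in cfg.get("AllowFunnel", {}).items() if on):
        port = listener.rsplit(":", 1)[1]
        handlers = cfg.get("Web", {}).get(listener, {}).get("Handlers", {})
        targets = [(path, h.get("Proxy", "")) for path, h in handlers.items()]
        forward = cfg.get("TCP", {}).get(port, {}).get("TCPForward")
        if forward:  # raw TCP forward, e.g. to a local reverse proxy
            targets.append(("tcp", "tcp://" + forward))
        for path, backend in targets:
            url = urlsplit(backend)
            off_host = bool(url.hostname) and not is_loopback(url.hostname)
            note = "off-host, not https" if off_host and url.scheme != "https" else ""
            findings.append((listener, path, backend, note))
    return findings


if __name__ == "__main__":
    for row in audit_funnel(SAMPLE):
        print(*row, sep="  ")
```

On a real node, replace `SAMPLE` with the parsed output of the status command and review any row that carries a note.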
1 Easy access for non-Tailscale users
Your family and friends will thank you
So far, every feature I love about Tailscale Funnel has been for personal benefit. But since Funnels are great for sharing your self-hosted services with trusted friends and family members, there's one intrinsic feature that benefits them most. We've all likely experienced pushback when trying to move to self-hosted alternatives, as they can sometimes be more challenging to connect to than the subscriptions they're replacing.
Nobody wants to type in IP addresses or SSH connection details. It's more effort than using SSO to access the service. However, they can, and will, all click on a link (even when we try to prevent them from doing so), making that Tailscale Funnel URL an invaluable part of your strategy. Not everyone wants to learn how things work, but if the barrier to entry is removed, they'll gladly listen to why it's a better fit for their needs.
I might switch to using Tailscale Funnel permanently to save the headaches of DNS and proxies
I've seen the light at the end of the funnel, and Tailscale is about to be one of the first things I install whenever I put a new home lab service or experiment into play. I've always said to focus on what you love in your home lab, and either pay for or outsource the things you don't. And you know what I don't love? Setting up DNS records, port forwards, reverse proxies, and everything else necessary to use self-hosted tools outside my network while staying secure. Tailscale Funnel does all the hard work for me, allowing me to focus on trying new tools and services, which is really what I love about home labbing.
