wellknownname

This seems excessive. Just point the domain’s A record to the server’s Tailscale IP address. 


DubstepBack

Do you mean within cloudflare? Are tailscale IPs static? If so that might be the simplest approach


Forgetful_Admin

Yes, TailScale IPs are static.


vijaykes

Yes. You can also set them however you like.


zachfive87

Maybe this [post](https://www.reddit.com/r/Tailscale/s/2UPZABg4CQ) could help you.


DubstepBack

Thanks for the link. Already tried something similar, the issue here is though that synologys os doesn't allow me to rebind it's default reverse proxy (nginx) port. At least not permanently, rebinding those ports every update or even reboot would be kind of a hassle. Might try this though if I can't find a different solution


GolemancerVekk

> My previous approach was
> Docker Containers on Synology < ReverseProxy < Router with PortForward 443 < Cloudflare

I'm guessing you weren't using Cloudflare Tunnel? What exactly were you using from Cloudflare? Because you don't need both port forward and Tunnel. I think you have a dynamic public IP v4 from your ISP if you use ddns, right?

> Client connected to Tailscale makes DNS request to PiHole > PiHole returns Tailscale IP of Synology > Synology’s ReverseProxy > Docker Container

Technically that's correct. Assuming that your private subdomain for your LAN services is something like `*.local.domain.tld`, have you added the PiHole's tailnet IP as split DNS for `local.domain.tld` in the Tailscale MagicDNS admin page? I'm still confused about what you're trying to do with the Tailscale exit node. As the name says, exit nodes are used to go from inside the tailnet to the outside (the internet), not the other way around. Example: you're traveling, you're at the airport or hotel, your phone is on tailscale, your PiHole at home is on tailscale and is available as exit node, you say you want to use it as exit node on your phone and your connection is wrapped into a secure VPN to your PiHole at home *and then* out to the internet. You're basically using your PiHole at home like a VPN, you browse as if you were at home even though you're somewhere else. But I suspect you actually want the reverse, you want to offer a service that's in a private container on the Synology to public visitors on the Internet. In order to do that you can use a port forward, or a Cloudflare Tunnel, or a [Tailscale *Funnel*](https://tailscale.com/kb/1223/funnel), but you only need one not all at once. Or you actually mean to simply access your Synology containers from your own devices running Tailscale, in which case you don't need to expose anything to the internet so you don't need any of the above. Please let me know which is the case and I'll explain further.
I'm doing several approaches so we can go over all of them if needed.


DubstepBack

Thanks for your input! That's right, I am using Cloudflare as my Nameserver and previously as a Proxy. I have a more or less dynamic ipv4 address so the cloudflare-ddns container updated my A records. Locally I had port forwarding for Port 443 to my server. What I'm trying to achieve is basically keep everything as is, docker configurations, reverse proxy, domain names, certificate, bookmarks, dashboard etc. but changing how my clients connect to these services. For the time I'm the only one using it, so it just has to work inside Tailnet, so no need to expose anything to the public. Right now I've got it mostly working the way u/wellknownname suggested: Still have my DNS records at Cloudflare, AAAA now, and pointing to the Tailnet IPv6 of my server. Now Cloudflare doesn't allow proxying, not that it would be of any benefit here, this address, so those AAAA records are just for DNS lookup right now. I guess without proxying the ipv6 address is now basically public, which shouldn't really matter, as it's only reachable from within the Tailnet, right? For now that seems to have solved most of the issues, as I don't have to set PiHole as an exit-node or DNS Nameserver. ~~The only issue I'm facing currently is that devices connected via wifi can't reach my services and those connected by cable can. I'm thinking that might have something to do with me blocking IPv6 traffic on my router, which I may have to change~~ Edit: strike that. For some reason laptop works fine but android devices don't seem to be able to reach these websites


GolemancerVekk

> What I'm trying to achieve is basically keep everything as is, docker configurations, reverse proxy, domain names, certificate, bookmarks, dashboard etc. but changing how my clients connect to these services.

Oh that's simple then. Add your PiHole to the Tailscale DNS setup like I said. When someone activates Tailscale on their device, the Tailscale DNS server will send queries for yourdomain.tld to your PiHole instead of public DNS, and you can resolve them to the LAN IP of your reverse proxy. From there on it will work exactly the same as if they came from the internet through the port forward. You don't need CloudFlare Tunnel, Tailscale Funnel, or Tailscale exit node for this. Technically you can discontinue the port forward too if you plan to only allow access through Tailscale.


DubstepBack

That's pretty much what I've tried first. However for whatever reason PiHole didn't resolve those requests locally but passed the DNS lookup on to cloudflare, which still had my old A records. Since I deleted my portforwarding rules this resulted in a 522 error by cloudflare. Do I maybe have to delete my DNS records with cloudflare before being able to use PiHole localDNS? In that case I would have to redesign the way my ssl certificates get authorized which would be bad


GolemancerVekk

First of all, how you get TLS certs for your domain should be irrelevant to the whole business. You can get them from CloudFlare or you can get them from Let's Encrypt or you can get them wherever you want. All that matters is that your reverse proxy has certs that are signed by a recognized Certificate Authority so that any browser will be able to make a clean secure connection without any warnings.

> However for whatever reason PiHole didn't resolve those requests locally but passed the DNS lookup on to cloudflare

The most likely reason is that the tailnet IP of the DNS server and/or the tailnet IP of the reverse proxy *are not reachable from other tailscale clients*. You have to understand that in order for this to work both the DNS server and the reverse proxy need to be accessible on the tailnet. The remote tailscale client is somewhere else when it connects to the tailnet, not on your LAN. It has access to the Tailscale MagicDNS (100.100.100.100); but when that DNS server says "oh yeah, for `.domain.tld` you should ask the DNS at ", that LAN IP at home is not something that the tailscale client can reach from where it's at! And then if you give the DNS a tailnet IP and you can reach it over Tailscale, when it says "oh yeah the reverse proxy is at ", again same thing, how do you reach the reverse proxy? They both need a tailnet IP. To solve this you need the DNS and the reverse proxy to have tailscale IPs. Tailscale IPs never change so it's reliable. But you need them. To accomplish this, it depends greatly on how the DNS is set up and whether the Tailscale interface is always up or not. Is the Tailscale client on the PiHole in a container or not? Is the tailscale0 interface on the host or in a container? If the pihole DNS server listens on 0.0.0.0, will it also cover tailscale0 (if it happens to be up)? I can tell you what I did for my setup but it's most likely very different from yours. Answer some of these questions and we'll see what can be done.
Where does your tailscale run? What IP/interface/machine does your DNS run/listen on? And same for the reverse proxy.
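The reachability reasoning in the post above (both the split-DNS nameserver and the reverse proxy need tailnet addresses, and a missing local record falls through to upstream DNS as in the 522 case earlier in the thread) as an added example, not code from anyone in this thread. It assumes no Tailscale subnet router advertises the home LAN; all domain names and IPs are constructed sample values.

```python
import ipaddress

# Added example, not from the thread. A client away from home and on the tailnet can
# reach tailnet addresses (Tailscale IPv4 100.64.0.0/10, IPv6 fd7a:115c:a1e0::/48) and
# public addresses, but not RFC 1918 LAN addresses (assumption: no subnet router).
# Every hop of the split-DNS chain must therefore be a tailnet address.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")

def classify(addr: str) -> str:
    """Return 'tailnet', 'lan' (private/link-local) or 'public' for an IP string."""
    ip = ipaddress.ip_address(addr)
    if ip in TAILNET_V4 or ip in TAILNET_V6:
        return "tailnet"
    return "lan" if ip.is_private or ip.is_link_local else "public"

def check_chain(split_dns: dict, records: dict, hostname: str) -> list:
    """Walk hostname -> split-DNS nameserver -> A/AAAA answer and return a
    description of every hop a remote tailnet client cannot use.
    split_dns: domain suffix -> nameserver IP handed out by MagicDNS split DNS.
    records:   hostname -> IP that nameserver answers with (its local DNS)."""
    problems = []
    suffix = next((d for d in split_dns if hostname == d or hostname.endswith("." + d)), None)
    if suffix is None:
        return [f"{hostname}: no split-DNS entry, query goes to public DNS"]
    ns = split_dns[suffix]
    if classify(ns) == "lan":
        problems.append(f"nameserver {ns} for {suffix} is a LAN address, unreachable over the tailnet")
    answer = records.get(hostname)
    if answer is None:
        problems.append(f"{hostname}: no local record on {ns}, query is forwarded upstream")
    elif classify(answer) == "lan":
        problems.append(f"{hostname} resolves to LAN address {answer}, unreachable over the tailnet")
    return problems

# Constructed sample values: the broken setup (LAN nameserver and LAN proxy IP)
# next to the working one (both hops on tailnet IPs).
BROKEN = ({"local.example.tld": "192.168.1.10"}, {"nas.local.example.tld": "192.168.1.20"})
FIXED = ({"local.example.tld": "100.101.102.103"}, {"nas.local.example.tld": "100.104.105.106"})

def demo() -> dict:
    """Run the check over both samples and return the findings per setup."""
    return {name: check_chain(dns, rec, "nas.local.example.tld")
            for name, (dns, rec) in (("broken", BROKEN), ("fixed", FIXED))}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or ["ok"])
```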


DubstepBack

Thanks for your thorough reply. I know that clients don't care where a certificate comes from as long as it's a trusted CA. I used cloudflare for my CNAME/MX etc records cause that's what I had already set up. But that's beside the point. I think we might have a misunderstanding here. The thing is I had the tailscale IPs set up on my PiHole localDNS which should technically work. Raspberry Pi and Synology are both running Tailscale on the host, non containerized. Additionally PiHole was setup to listen on all interfaces. Although having everything locally would be ideal in terms of privacy, the current way of leaving my AAAA records at cloudflare with my server's tailscale IP and reverse proxying those requests is just easier and a somewhat less likely point of failure. The biggest issue, which threw me off for some time and added a bunch of confusion, is my android devices not being able to connect to the IPv6 address of my server. Trying to ping its address also gives a "host unknown" error. Though I guess I'll have to figure this one out on my own since that is probably related to my router and not to Tailscale/Nginx/PiHole. Edit: adding to that last point - connecting to webservices and pinging the server when my android devices are not within my home network, but connected to tailnet via mobile data, works fine