🚀 Challenge: Tailscale Funnel with a Custom Domain + Nginx Proxy Manager. Mission Impossible?

[Milor123]

Guyys!!

I'm reaching out with a challenge that's been racking my brain, but I'm convinced that if a solution exists, I'll find it here.

My goal is to securely expose several self-hosted services (like Immich, Home Assistant, etc.) using the magic of Tailscale Funnel in combination with my own custom domain, while managing everything through Nginx Proxy Manager (NPM).

I know the obvious alternative might be Cloudflare Tunnels, but I really like the Tailscale ecosystem and its simplicity, and I would love to keep my setup as "Tailscale-native" as possible.

---

My Environment (The Setup 🤓)

• Operating System: Windows 11 with WSL2.
• Virtualization: Docker Desktop.
• Key Services:
  • immich (Docker Container)
  • nginx-proxy-manager (Docker Container)
• Network Condition: I'm behind a CGNAT, so I cannot open ports on my router. This is precisely why I love Tailscale!
• Domain: I own a custom domain, let's call it example.top, which is managed through Cloudflare as my DNS provider.

---

The Ideal Architecture (The Dream ✨)

What I'm trying to achieve is the following traffic flow to access my photo service:

External User → https://photos.example.top → Cloudflare DNS → Tailscale Funnel Servers → My Windows 11 PC → Nginx Proxy Manager (Docker) → Immich (Docker)

And so on for other subdomains like drive.example.top, home.example.top, etc.

---

What I've Tried (Step-by-Step 🛠️)

I've followed a setup that, in theory, seems perfectly logical. Here are the detailed steps:

1. Docker and Services are Up and Running

I have my NPM and Immich containers running smoothly on the same Docker network. NPM is configured to expose ports 80, 443, and 81 on my host.

# Simplified NPM docker-compose.yml
services:
  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '443:443'
      - '81:81'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

2. DNS Configuration in Cloudflare

In my Cloudflare dashboard, I've created a CNAME record for my photos subdomain, pointing to the unique URL provided by Tailscale Funnel.

• Type: CNAME
• Name: photos
• Content: desktop-dnvumg.example.top...ts.net (my Funnel URL)
• Proxy Status: DNS Only (Gray Cloud). My understanding is that this is crucial for traffic to go directly to Tailscale's servers without Cloudflare's interference.

3. Nginx Proxy Manager (NPM) Configuration

Inside NPM, I've set up a Proxy Host to handle the request:

• Domain Names: photos.example.top
• Scheme: http
• Forward Hostname / IP: host.docker.internal (so NPM can find the Immich container)
• Forward Port: 2283 (the Immich port)
• SSL Tab: I've successfully requested a Let's Encrypt SSL certificate using the DNS Challenge with my Cloudflare API. The certificate for photos.example.top is generated and installed correctly in NPM. ✅

4. Activating Tailscale Funnel

Finally, in my Windows terminal, I've enabled the Funnel to redirect incoming traffic to port 443, where NPM is listening for HTTPS connections.

tailscale funnel --bg 80 (I've tried many things with 80)
tailscale funnel --bg 443 (recently try with 443 but i am not sure, it not work or i am idiot xD)

---

The Problem - The Brick Wall 🧱

When I try to access https://photos.example.top from an external network, the browser returns an ERR_CONNECTION_CLOSED error almost instantly.

• Key Symptom: There are absolutely no logs in Nginx Proxy Manager. No access logs, no error logs. This leads me to believe the traffic isn't even reaching my machine.
• Sanity Check: If I modify my hosts file on another PC on my local network to point photos.example.top to the IP of my Docker PC, it works perfectly! This confirms that the NPM -> Immich chain and the SSL certificate within NPM are correct.

---

My Hypothesis 🧐

After extensive testing, my theory is that the problem lies in an SSL certificate mismatch (SSL Handshake Failure) at the Tailscale server level.

1. My browser initiates the connection, requesting to see the site photos.example.top.
2. The request arrives at the Tailscale Funnel ingress server.
3. The Tailscale server presents its own certificate, which is valid only for *.ts.net, not for example.top.
4. Since the requested domain name (SNI) doesn't match the presented certificate, the SSL handshake fails, and Tailscale abruptly closes the connection before it can forward the traffic to my NPM instance.

---

The Big Question for the Community 🙋‍♂️

1. Is my hypothesis correct? Is this a fundamental, current limitation of Tailscale Funnel?
2. Is there any "trick," hidden flag, or advanced configuration that would allow Tailscale Funnel to work with custom domains? Perhaps a way to make it "ignore" SSL termination and just pass through the raw TCP traffic?
3. I've noticed that tailscale serve has more options. Could there be a combination with serve that might achieve this?
4. Has anyone successfully built a similar architecture without resorting to an intermediary VPS or Cloudflare Tunnels?

I truly believe in Funnel's potential to simplify self-hosting for everyone, and being able to use a custom domain would be the cherry on top.

I'm grateful in advance for any ideas, clues, or even a well-explained "it can't be done, and here's why." Thanks for reading this far!

Cheers.

[reviaro]

I'm doing the exactly same thing. No luck so far
update: gave up tailscale and i setup using cloudfare tunnel https://www.youtube.com/watch?v=TB2bnASgJV4&t=417s