What’s in a name? In Tailscale’s case, everything.

Currently in Alpha status, Tailscale’s new “funnel” feature is very similar to other projects that aim to provide global access to internally-run services in a secure manner, like Cloudflared. It’s exactly what you might assume it is: it funnels traffic from the Internet to your service running on a host that has Tailscale installed. Like everything Tailscale creates, it has a liberal sprinkling of magic dust that makes it very powerful, secure, and yet easy to implement.

Funnels can be used to proxy any type of TCP traffic to a tailnet node. This specific guide describes how you can use it with Home Assistant, a home automation platform. These instructions are identical for most other services following a similar pattern.

You’ll need to be invited to the alpha release so you can create funnels. Read and click the link at the bottom of Tailscale’s blog announcing the release.

Once you’re invited to the alpha, you can set up the Tailscale side of the funnel by following these steps:

  1. Upgrade the Tailscale software on your Home Assistant machine to v1.33.257 or later.

  2. Turn on HTTPS certificates in your Tailscale admin page if it’s not already enabled.

  3. Open the Tailscale ACL editor and add a new policy allowing for the use of funnel. Because I am the only user of my tailnet, I’m allowing myself the ability to funnel. If you have multiple users, you can group them here and allow only specific users this capability. Here’s my configuration (which is effectively the same as in the docs):

	"Groups": {
		"group:can-funnel": [
			"me@domain.com",
		],
	},
	"nodeAttrs": [
		{
			"target": ["group:can-funnel"],
			"attr":   ["funnel"],
		},
	],
  1. On the Home Assisant node, where Tailscale has already been upgraded to v1.33.257 or later, run:
# tailscale serve funnel on
  1. Tell Tailscale to proxy traffic to the Home Assistant port:
# tailscale serve / proxy 8123

If you are terminating TLS on your Home Assistant instance itself, and wish to continue that pattern, use a TCP forwarding option instead, which defaults to not terminate TLS:

# tailscale serve tcp 8123

…but do know that you must access the Tailscale funnel using your tailnet DNS, so you’ll have a certificate mismatch unless you pull the Tailscale certificate using tailscale cert <domain>.

At this point, the Tailscale configuration is complete. Tailscale’s systems will create a public-facing DNS entry for your tailnet host. You can see what your tailnet name is, and customize the subdomain, on the DNS page within the admin portal. You can verify this by checking for resolution on a public DNS server, like this:

$ host host.clever-name.ts.net
host.clever-name.ts.net has address 100.x.x.x
$ host host.clever-name.ts.net 9.9.9.9
Using domain server:
Name: 9.9.9.9
Address: 9.9.9.9#53
Aliases:

host.clever-name.ts.net has address 209.177.145.137
host.clever-name.ts.net has IPv6 address 2607:f740:f::684

Notice that your internal tailnet will still resolve the hostname to its Tailscale address, but now you have an externally-available host (a proxy) that Tailscale operates, handling traffic for your host. In my case, it took a few minutes for the public DNS entry to populate, so have patience.

The final step is to tell Home Assistant that you’ll be using a proxy. Because Tailscale will handle TLS termination, you do not need to pull certificates from Tailscale or change any settings that will impact existing HomeAssistant UI functionality.

  1. Edit your Home Assistant configuration.yaml and add (or edit) a http: block as shown. There are many options for the http: configuration, but only two entries are required to make this work:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

This tells Home Assistant to accept connections proxied from localhost, which is what you’re doing: connections arrive to Tailscale via their funnel nodes, and proxy between Tailscale and Home Assistant.

  1. Restart Home Assistant.

Now that you’ve configured HomeAssistant to accept proxied traffic, and Tailscale to funnel Internet traffic to your tailnet host down to your Home Assistant instance, you can access its UI remotely by accessing https://host.clever-name.ts.net/ from anywhere on the Internet.

It goes without saying that you should take great care exposing any service to the Internet, especially home automation products. The pattern of having a public-access URL is handy especially for mobile Home Assistant apps that can be configured to use different URLs based on WiFi network, and is how the official Nabu Casa external-access feature works.

If you currently use Nabu Casa’s remote UI access, you can leave it enabled or disable it: nothing in this guide changes how that access functions, and it can be used in parallel if you desire.

Finally, an appeal: if you end up using this method to access your Home Assistant instance, consider subscribing to Nabu Casa anyway. It’s cheap and helps support open-source software development. Plus, if you ever decide you don’t want to use Tailscale’s solution you’ll have a fall-back method for external access.