
Using Tailscale to Expose Services

Tailscale is a zero-configuration VPN service based on WireGuard, perfect for securely exposing internal network services.

Why choose Tailscale?
  • Zero configuration: No need for complex network setup
  • End-to-end encryption: Based on WireGuard protocol
  • No public IP required: Supports NAT traversal
  • Generous free tier: Completely free for personal use
  • Cross-platform support: Supports all mainstream operating systems

Quick Start

Step 1: Register Tailscale Account

  1. Visit the official Tailscale website
  2. Click "Get Started" to register an account
  3. You can log in with a Google, Microsoft or GitHub account

Step 2: Get Authentication Key

  1. Log in to the Tailscale management console
  2. Click "Generate auth key"
  3. Configure key options:
    • Reusable: leave unchecked (not recommended)
  4. Click "Generate key" and copy the key

Security Notice

The auth key is displayed only once, so store it securely.

Step 3: Configure Docker Compose

Add or update the Tailscale service and the Traefik reverse proxy in your docker-compose.yml:

services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: ${TS_HOSTNAME}
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_SOCKET=/var/run/tailscale/tailscaled.sock
    volumes:
      # Node state persists here across restarts
      - ./tailscale/state:/var/lib/tailscale:rw
      # tailscaled socket, shared with Traefik for the certificate resolver
      - ./tailscale/socket:/var/run/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped

  traefik:
    image: traefik:latest
    container_name: traefik
    # Share the tailscale container's network namespace
    network_mode: service:tailscale
    volumes:
      # Needed by the Docker provider; the socket gives control of the Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - ./tailscale/state:/var/lib/tailscale:rw
      - ./tailscale/socket:/var/run/tailscale
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed
      - --providers.docker.exposedbydefault=false
      - --certificatesresolvers.myresolver.tailscale=true
    restart: unless-stopped
    depends_on:
      - tailscale

Step 4: Configure Service Labels

Add Traefik labels for services that need to be exposed:

services:
  teslamateapi:
    # ... other configurations ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.teslamateapi.rule=Host(`${TS_HOSTNAME}.${TS_TAILNET_NAME}`) && (Path(`/api`) || PathPrefix(`/api/`))"
      - "traefik.http.routers.teslamateapi.entrypoints=websecure"
      - "traefik.http.routers.teslamateapi.tls=true"
      - "traefik.http.routers.teslamateapi.tls.certresolver=myresolver"
      # Backend port (Traefik v2/v3 label; the v1 label traefik.port is ignored)
      - "traefik.http.services.teslamateapi.loadbalancer.server.port=8080"

  teslamate:
    # ... other configurations ...
    labels:
      - "traefik.enable=true"
      # Backend port (Traefik v2/v3 label; the v1 label traefik.port is ignored)
      - "traefik.http.services.teslamate.loadbalancer.server.port=4000"
      - "traefik.http.routers.teslamate.rule=Host(`${TS_HOSTNAME}.${TS_TAILNET_NAME}`)"
      - "traefik.http.routers.teslamate.entrypoints=websecure"
      - "traefik.http.routers.teslamate.tls=true"
      - "traefik.http.routers.teslamate.tls.certresolver=myresolver"
      - "traefik.http.routers.teslamate-ws.rule=Host(`${TS_HOSTNAME}.${TS_TAILNET_NAME}`) && Path(`/live/websocket`)"
      - "traefik.http.routers.teslamate-ws.entrypoints=websecure"
      - "traefik.http.routers.teslamate-ws.tls=true"

Step 5: Environment Variable Configuration

Add to the .env file:

# Tailscale configuration
TS_HOSTNAME=mytesla                  # Your device name
TS_AUTHKEY=tskey-auth-XXXXX-YYYYY    # Key obtained from step 2
TS_TAILNET_NAME=your-name.ts.net     # Your Tailnet domain

Get Tailnet Domain

You can find your Tailnet domain on the DNS page of the Tailscale console.
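The .env file now holds the auth key, so it is worth checking before the first start. The following pre-flight check is an added example, not part of the original guide; the function names `env_value` and `check_ts_env` are hypothetical, and the `.ts.net` suffix test assumes your Tailnet domain has the same form as the sample value above.

```shell
# Added example, not from the original guide.
# Usage: check_ts_env .env   (prints one line per problem, returns the problem count)

# Print KEY's value from an env file; like Compose, treat " # ..." as a comment.
env_value() {
  sed -n "s/^$1=//p" "$2" | head -n 1 |
    sed 's/[[:space:]]\{1,\}#.*$//; s/[[:space:]]*$//'
}

check_ts_env() {
  file=$1
  problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }

  # The auth key can enrol new nodes, so only the owner should read the file.
  perms=$(ls -ld "$file" | cut -c5-10)
  [ "$perms" = "------" ] || fail "$file is accessible to group/others (chmod 600)"

  key=$(env_value TS_AUTHKEY "$file")
  case $key in
    ""|*XXXXX*) fail "TS_AUTHKEY is empty or still the placeholder" ;;
    tskey-auth-*) ;;
    *) fail "TS_AUTHKEY does not start with tskey-auth-" ;;
  esac

  # TS_HOSTNAME is joined with the tailnet name in Host() rules: one DNS label.
  host=$(env_value TS_HOSTNAME "$file")
  echo "$host" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' ||
    fail "TS_HOSTNAME '$host' is not a lowercase DNS label"

  # Assumption: tailnet names end in .ts.net, as in the guide's sample value.
  tailnet=$(env_value TS_TAILNET_NAME "$file")
  case $tailnet in
    *.ts.net) ;;
    *) fail "TS_TAILNET_NAME '$tailnet' does not end in .ts.net" ;;
  esac

  return "$problems"
}
```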

Step 6: Update Tailscale Node Key Expire Setting

Find your node on the Machines page of the Tailscale console and select "Disable key expiry" in its settings; otherwise the node key will expire and the services will become inaccessible.

Step 7: Start Services

# Start services
docker-compose up -d tailscale traefik teslamateapi

# View logs
docker-compose logs -f tailscale

# Check Tailscale status
docker exec tailscale tailscale status

Verify Configuration

1. Check Tailscale Connection

# View device status
docker exec tailscale tailscale status

# Example output:
# 100.64.0.1 mytesla linux -
# 100.64.0.2 your-laptop macOS -

Browser Access

After confirming the Tailscale connection is working, you can open https://mytesla.your-name.ts.net in your browser from any device connected to your Tailnet to access the services.
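To script the status check instead of reading the output by eye, the following added example (not part of the original guide) parses `tailscale status` output and confirms the node is listed with an address in Tailscale's 100.64.0.0/10 range. The function names are hypothetical, and treating the word "offline" in the trailing columns as the offline marker is an assumption about the CLI output.

```shell
# Added example, not from the original guide. Reads `tailscale status` on stdin:
#   docker exec tailscale tailscale status | tailnet_ip_of mytesla
# Prints the node's address if it is listed and online; returns 1 otherwise.

# Tailscale assigns node addresses from 100.64.0.0/10:
# first octet 100, second octet 64..127.
in_tailnet_range() {
  case $1 in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

tailnet_ip_of() {
  want=$1
  found=""
  while read -r ip name rest; do
    case $ip in "#"*|"") continue ;; esac
    [ "$name" = "$want" ] || continue
    # Ignore a matching name that is not on a tailnet address.
    in_tailnet_range "$ip" || continue
    case $rest in
      *offline*) echo "node $want is listed but offline" >&2; return 1 ;;
    esac
    found=$ip
    break
  done
  [ -n "$found" ] && echo "$found"
}
```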

2. Test HTTPS Access

First, set up Tailscale on another device:

  • Install the Tailscale client on your other device
  • Connect to your Tailnet
  • Then test API access from that device:

# Access from any device with Tailscale installed
curl https://mytesla.your-name.ts.net/api/ping

# Should return
{"message": "pong"}

API Verification

The /api/ping endpoint is specifically for verifying that the TeslaMateAPI service is accessible and working correctly. A successful response of {"message": "pong"} indicates the service is functioning properly.

3. Configure in Mytesla

  1. Visit https://mytesla.cc
  2. Go to Settings → TeslaMate
  3. Enter API address: https://mytesla.your-name.ts.net
  4. Click test connection
  5. You can also manually verify by visiting https://mytesla.your-name.ts.net/api/ping in your browser - it should return {"message": "pong"}