unRAID 7.0 - replace reverse proxy with tailscale integration?

Hello all, question if it is feasible to replace reverse proxy with tailscale to access/share containers remotely.

 

Currently following spaceinvader one's "Master Tailscale on Unraid Pt 2: Docker Integration & SWAG Reverse Proxy" to set up my machine and dockers.

So cloudflare dns points to tailscale IP (SWAG with tailscale IP) -> SWAG (for reverse proxy) -> containers (nextcloud, emby, calibre, etc)

 

Does it mean I can do away with SWAG entirely? After installing Tailscale in all the appropriate Docker containers:

tailscale machine addresses (ip/ts.net) -> individual containers

(cloudflare dns could be used to create a preferred domain name)

 

Are there any drawbacks with forgoing reverse proxy? Additionally, do I then have to use tailscale serve for these containers?

 

Thank you in advance for your assistance

 

Solved by bmartino1

  • Community Expert
  • Solution

The reason for tailscale is to use a tailscale VPN to connect to your reverse proxy with the use or need to port forward your SWAG to the public internet.

Yes, you don't need tailscale in that setup, but this would require you to port forward. Most ISPs have moved towards CGNAT. You would need a public IP that is not CGNAT to use your public IP as the "SWAG" reverse proxy.


Let's review:
 

Understanding Your Current Setup

You are using:

SWAG as a reverse proxy: To route traffic from a domain to specific containers (e.g., Nextcloud, Emby).

Tailscale: To create a secure, private VPN mesh network for remote access without opening ports on your router.

Cloudflare DNS: To map a domain name to the Tailscale IP.

 

Key Points to Consider:

Can You Replace SWAG with Tailscale?

Yes, you can eliminate SWAG if Tailscale meets all your needs. With Tailscale, you don't need to expose services directly to the internet, removing the need for a reverse proxy for secure access.

Using Tailscale IPs or Tailscale's built-in domain (e.g., container-name.ts.net) allows direct access to your containers.

 

Drawbacks of Forgoing SWAG

No Centralized Proxy: Without SWAG, each container must independently handle its own HTTPS (via Tailscale’s HTTPS serve feature or container-level SSL/TLS configuration).

Complexity for Custom Domains: While Cloudflare DNS can map a custom domain to a Tailscale IP, managing certificates for HTTPS on custom domains becomes more challenging.

Limited Features: SWAG offers advanced features like URL rewrites, subdomain routing, and security headers. Without it, you’d need to replicate this functionality manually.

 

When to Use Tailscale Serve

If you forgo SWAG, you can use Tailscale's "Serve" feature to map specific HTTP paths to your container services. For example:

tailscale serve --bg --set-path /nextcloud http://localhost:8080
tailscale serve --bg --set-path /emby http://localhost:8096

This method is simple and works for internal traffic but doesn’t natively support complex configurations like SWAG.

 

Port Forwarding vs. Tailscale

Tailscale removes the need for port forwarding by creating a private network accessible from anywhere.

If your ISP uses CGNAT (Carrier-Grade NAT), Tailscale is a more practical solution since CGNAT prevents direct access via a public IP.

 

Recommendation Based on Your Use Case

 

Use SWAG with Tailscale: If you value SWAG's advanced reverse proxy capabilities, you can keep SWAG behind Tailscale. This setup involves:

Cloudflare DNS -> Tailscale IP -> SWAG -> Containers.

SWAG still handles routing, HTTPS, and other features, but external traffic reaches it securely through Tailscale.

 

Replace SWAG with Tailscale: If your needs are simpler (direct container access), Tailscale can fully replace SWAG:

Cloudflare DNS -> Tailscale IP -> Containers.

Use Tailscale Serve or direct mapping of Tailscale IPs for container access.
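
A check for the "Cloudflare DNS -> Tailscale IP" layout discussed above, added here as an example and not part of the original posts: it flags DNS records that resolve outside Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48) or that are marked as proxied. The record layout mimics a Cloudflare DNS export; the hostnames and addresses are constructed.

```python
import ipaddress

def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Address ranges Tailscale assigns to tailnet nodes.
TAILNET = _nets("100.64.0.0/10", "fd7a:115c:a1e0::/48")
# Addresses that only work on the local network or host.
LAN = _nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
            "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")

def classify(addr):
    """Return 'tailnet', 'lan' or 'public' for one IP address string."""
    ip = ipaddress.ip_address(addr)
    # Tailnet is tested first: its IPv6 range sits inside fc00::/7.
    if any(ip in net for net in TAILNET):
        return "tailnet"
    if any(ip in net for net in LAN):
        return "lan"
    return "public"

def audit(records):
    """Return (name, finding) for records that break the tailnet-only model."""
    findings = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA"):
            continue  # only address records can be classified
        scope = classify(rec["content"])
        if scope == "public":
            findings.append((rec["name"], "resolves to a public address"))
        elif scope == "lan":
            findings.append((rec["name"], "LAN address, unreachable remotely"))
        elif rec.get("proxied"):
            # Cloudflare's edge is not a tailnet member, so it has no route.
            findings.append((rec["name"], "proxied record cannot reach a tailnet IP"))
    return findings

# Constructed sample records (hypothetical names, made-up addresses).
SAMPLE = [
    {"name": "nextcloud.example.com", "type": "A", "content": "100.101.102.103", "proxied": False},
    {"name": "emby.example.com", "type": "A", "content": "100.101.102.103", "proxied": True},
    {"name": "calibre.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "nas.example.com", "type": "A", "content": "192.168.1.20", "proxied": False},
    {"name": "swag.example.com", "type": "AAAA", "content": "fd7a:115c:a1e0::1234", "proxied": False},
    {"name": "www.example.com", "type": "CNAME", "content": "example.com", "proxied": True},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
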

  • Author

Thank you for the detailed explanation.

 

Yeah, my ISP uses CGNAT, so Tailscale has been the only reason I have been able to set up remote access at all. Regardless, it seems good practice to use tailscale to access and share the machine, due to tailscale as a VPN and control over individuals who can see or access them.

 

Based on your explanation, dockers such as nextcloud benefit from SWAG (reverse proxy) for the security headers etc, while others like emby, calibre don't really need them (or don't complain about them).

 

Custom domains are a nice benefit of the current setup, although the tailscale integration seems to allow us to choose a custom hostname + a relatively human understandable machine address (.ts.net or machine name).

 

For now, I'm leaning to keeping the tailscale swag combo, mainly as it is up and running. Will wait and see if there is any new information that suggests otherwise.
