# Tailscale funnel

[TOC]

# Overview
Tailscale Funnel is a free way to publish a service running behind CGNAT (or any NAT) without port forwarding. Tailscale supplies the public DNS name (`<node>.<tailnet>.ts.net`), a Let's Encrypt certificate for that name, and the inbound relaying; the TLS connection is terminated by the Tailscale client on your node, so the relays only ever see encrypted traffic. The trade-off is that the service becomes reachable by anyone on the internet, not just by your tailnet, so the service's own login is the only access control.

# Steps

## Phase 1: Prepare the Proxmox LXC (Enable TUN)

1. SSH into your **Proxmox Host** (do not enter the container yet).
2. Open the configuration file for your LXC container (ID 101):
    ```bash
    nano /etc/pve/lxc/101.conf
    ```

3. Add the following two lines to the bottom of the file. Together they pass the host's `/dev/net/tun` into the container: the first allows the container's cgroup to open character device `10:200` (TUN), the second bind-mounts the device node into the container. This works for unprivileged containers too. (On Proxmox 6, which still uses cgroup v1, write `lxc.cgroup.devices.allow` instead of `lxc.cgroup2.devices.allow`.)
    ```text
    lxc.cgroup2.devices.allow: c 10:200 rwm
    lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
    ```

4. Save and exit (`Ctrl+X`, `Y`, `Enter`). Device entries only take effect on a full stop and start, so reboot the container from the host (`pct reboot` applies pending configuration changes; on a `pct` without that subcommand, use `pct shutdown 101 && pct start 101`):
    ```bash
    pct reboot 101
    ```
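The whole of Phase 1 as a script run on the Proxmox host, added here as an example (it is not part of the original guide): it appends the two lines only if they are missing, reboots the container, and checks that the device node is visible inside it with the expected major/minor numbers. Container ID 101, the `/etc/pve/lxc` config path and a cgroup v2 (Proxmox 7+) host are assumptions carried over from the steps above; set `CTID` to use another container.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: apply the TUN passthrough lines
# to an LXC config idempotently and verify the device inside the container.
# Assumptions: run as root on the Proxmox host, container ID 101 (override
# with CTID=...), Proxmox 7+ (cgroup v2), and the `pct` CLI on PATH.
set -eu

CTID="${CTID:-101}"
CONF="/etc/pve/lxc/${CTID}.conf"

# /dev/net/tun is character device major 10, minor 200. The first line lets
# the container's cgroup open it; the second bind-mounts the node into it.
TUN_ALLOW='lxc.cgroup2.devices.allow: c 10:200 rwm'
TUN_MOUNT='lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file'

# Append each line only if it is not already present (exact whole-line
# match), so re-running never duplicates entries.
add_tun_lines() {
    local conf="$1" line
    for line in "$TUN_ALLOW" "$TUN_MOUNT"; do
        grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
}

# Succeed only if both passthrough lines are present in the config.
tun_lines_present() {
    local conf="$1" line
    for line in "$TUN_ALLOW" "$TUN_MOUNT"; do
        grep -qxF -- "$line" "$conf" || return 1
    done
}

# Device entries take effect only on a full stop/start, so reboot the
# container, then confirm a character device node exists inside it.
# The ls line should show a "c" type and the numbers "10, 200".
apply_and_verify() {
    pct reboot "$CTID"
    pct exec "$CTID" -- ls -l /dev/net/tun
    pct exec "$CTID" -- test -c /dev/net/tun
}

# Only touch the host when explicitly asked, so the functions above can be
# sourced and checked without side effects.
if [ "${1:-}" = "--apply" ]; then
    add_tun_lines "$CONF"
    tun_lines_present "$CONF"
    apply_and_verify
fi
```

Run it as `./tun-passthrough.sh --apply`; the final `test -c` makes the script exit non-zero if the device did not appear, which is the usual symptom of a missed reboot or a cgroup v1 host.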


## Phase 2: Install and Authenticate Tailscale

1. Enter your LXC container's console:
    ```bash
    pct enter 101
    ```

2. Install Tailscale. The convenience script below is fetched from Tailscale and executed as root; if you would rather not pipe a remote script straight into a shell, download it first and read it, or install from Tailscale's package repository for your distribution:
    ```bash
    curl -fsSL https://tailscale.com/install.sh | sh
    ```

3. Start Tailscale:
    ```bash
    tailscale up
    ```

4. Open the login URL that `tailscale up` prints and approve the node in your Tailscale account. Once authenticated, the BookStack node appears under Machines in the admin console.


## Phase 3: Enable Funnel in your Tailscale Admin Console

Funnel is off by default at the tailnet level. A node can only open a Funnel if the tailnet policy grants it the `funnel` node attribute, and MagicDNS plus HTTPS certificates must be enabled so the node has a public name and can obtain a certificate for it.

1. Go to the [Tailscale Admin Console](https://login.tailscale.com/admin) in your web browser.
2. Go to the **DNS** tab and ensure both **MagicDNS** and **HTTPS Certificates** are enabled.
3. Go to the **Access Controls** tab. Find the `"nodeAttrs"` section of the policy (add it if it is missing) and grant the `funnel` attribute. Targeting `autogroup:member`, as below, lets any device owned by a tailnet member open a Funnel; for least privilege, narrow `target` to just the BookStack node (for example a tag you assign to it). The entry should look like this:
    ```json
    "nodeAttrs": [
        {
            "target": ["autogroup:member"],
            "attr":   ["funnel"]
        }
    ],
    ```

4. Save the Access Controls.

## Phase 4: Start the Tailscale Funnel

Back in your LXC container's terminal:

1. Determine the local port BookStack is listening on (typically `80` when served by Nginx/Apache without local TLS). Funnel forwards to whatever answers on that port, so any other vhost or admin tool reachable there becomes public as well.
2. Publish that port. Funnel listens on port 443 of your node's public `ts.net` name, terminates TLS on the node, and proxies to `http://127.0.0.1:80`. `--bg` stores the configuration so it persists after the command returns; without it the Funnel runs in the foreground and is torn down when you press `Ctrl+C`:
    ```bash
    tailscale funnel --bg 80
    ```

3. Check the status of your Funnel to get your new public web address:
    ```bash
    tailscale funnel status
    ```

> [!NOTE]
> The output includes your public URL, of the form `https://your-node.tailnet-name.ts.net`; the host part is the node's MagicDNS name.

> [!WARNING]
> Funnel adds no authentication of its own: anyone on the internet can now reach BookStack's login form and everything else that vhost serves. Leave BookStack's public-access setting off unless you intend to publish content anonymously, enable MFA for accounts, and keep the container patched. To withdraw the service again, run `tailscale funnel reset`.


## Phase 5: Update BookStack's Configuration

BookStack uses absolute URLs for CSS, images, and internal links. If you don't update BookStack to recognize its new public URL, the site will look broken and you won't be able to log in.

1. Navigate to your BookStack directory inside the container (usually `/var/www/bookstack` or `/opt/bookstack`).
2. Edit the `.env` configuration file:
    ```bash
    nano .env
    ```

3. Find the `APP_URL` variable and update it to exactly match your new Tailscale URL (make sure it starts with `https://` and has no trailing slash):
    ```text
    APP_URL=https://your-node.tailnet-name.ts.net
    ```

4. Save and exit, then clear BookStack's cached configuration so the new URL is picked up. Run these from the BookStack directory as the same user the web server runs as (often `www-data`); running them as root can leave root-owned cache files that the web server cannot write:
    ```bash
    php artisan config:clear
    php artisan cache:clear
    ```
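Phases 4 and 5 as one script, added here as an example and not taken from the original guide, BookStack or Tailscale: it opens the Funnel, derives the public name from `tailscale status --json` (its `Self.DNSName` field), checks that name is a bare `https://…ts.net` origin, writes it into `.env` as `APP_URL`, clears the caches and finally fetches the public login page over HTTPS. The BookStack path `/var/www/bookstack`, local port 80, and using `php` for the JSON parsing (it is always present on a BookStack host) are assumptions; override `BOOKSTACK_DIR` and `LOCAL_PORT` as needed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or from BookStack/Tailscale:
# open the Funnel, point BookStack's APP_URL at the public name, clear the
# caches and smoke-test the public login page.
# Assumptions: run as root inside the container, BookStack installed under
# $BOOKSTACK_DIR (default /var/www/bookstack), `tailscale`, `php` and `curl`
# on PATH, BookStack listening on local port $LOCAL_PORT (default 80).
set -eu

BOOKSTACK_DIR="${BOOKSTACK_DIR:-/var/www/bookstack}"
LOCAL_PORT="${LOCAL_PORT:-80}"

# The public Funnel name is the node's MagicDNS name. `tailscale status --json`
# reports it as Self.DNSName with a trailing dot, which is stripped here.
funnel_url() {
    tailscale status --json | php -r \
        'echo "https://", rtrim(json_decode(stream_get_contents(STDIN))->Self->DNSName, "."), "\n";'
}

# Read the effective APP_URL from a .env file: comments ignored, the last
# assignment wins, surrounding quotes removed.
read_app_url() {
    sed -n 's/^APP_URL=//p' "$1" | tail -n 1 | tr -d '"' | tr -d "'"
}

# Accept only what BookStack needs behind Funnel: https scheme, a *.ts.net
# host, and no path, trailing slash or whitespace.
validate_app_url() {
    local url="$1" host
    case "$url" in https://*) ;; *) return 1 ;; esac
    host="${url#https://}"
    case "$host" in
        */*|*[[:space:]]*) return 1 ;;
        *.ts.net) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace any existing APP_URL line (keeping a .bak copy) or append one.
set_app_url() {
    local envfile="$1" url="$2"
    if grep -q '^APP_URL=' "$envfile"; then
        sed -i.bak "s|^APP_URL=.*|APP_URL=${url}|" "$envfile"
    else
        printf 'APP_URL=%s\n' "$url" >> "$envfile"
    fi
}

# Only change the system when explicitly asked, so the functions above can
# be sourced for their checks alone.
if [ "${1:-}" = "--apply" ]; then
    # Publish the local port on https://<node>.<tailnet>.ts.net:443 and keep
    # the config (--bg). Everything that vhost serves is now internet-facing.
    tailscale funnel --bg "$LOCAL_PORT"
    tailscale funnel status

    url=$(funnel_url)
    validate_app_url "$url" || { echo "unexpected public name: $url" >&2; exit 1; }
    set_app_url "$BOOKSTACK_DIR/.env" "$url"
    (cd "$BOOKSTACK_DIR" && php artisan config:clear && php artisan cache:clear)

    # First certificate issuance can take a moment; rerun if this step fails.
    # -f makes curl exit non-zero on an HTTP error or an untrusted certificate.
    curl -fsS -o /dev/null -w "login page at $url: HTTP %{http_code}\n" "$url/login"
fi
```

Run it as `./publish-bookstack.sh --apply`. The final `curl` is the check worth keeping: a `200` with a certificate that curl trusts confirms both the Funnel and Let's Encrypt issuance, while a redirect loop or mixed-content errors at this point almost always mean `APP_URL` still differs from the public origin.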

> [!TIP]
> For a visual walkthrough of the container preparation steps, [Configuring Tailscale on an unprivileged Proxmox LXC](https://www.youtube.com/watch?v=JC63OGSzTQI) explains how the TUN device passthrough works under the hood.