# Tailscale funnel

[TOC]

## Overview

Tailscale Funnel is an excellent, free way to bypass CGNAT and expose a local service to the public internet. It handles the reverse proxying, TLS certificate provisioning (via Let's Encrypt), and public DNS routing for you.

## Steps

### Phase 1: Prepare the Proxmox LXC (Enable TUN)

1. SSH into your Proxmox host (do not enter the container yet).
2. Open the configuration file for your LXC container (ID 101):

   ```
   nano /etc/pve/lxc/101.conf
   ```

3. Add the following two lines to the bottom of the file. This passes the `tun` device from the host to the container (if you are on an older Proxmox 6 setup, use `cgroup` instead of `cgroup2`):

   ```
   lxc.cgroup2.devices.allow: c 10:200 rwm
   lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
   ```

4. Save and exit (`Ctrl+X`, `Y`, `Enter`), then restart the container to apply the changes:

   ```
   pct reboot 101
   ```

### Phase 2: Install and Authenticate Tailscale

1. Enter your LXC container's console:

   ```
   pct enter 101
   ```

2. Install Tailscale using their automated script:

   ```
   curl -fsSL https://tailscale.com/install.sh | sh
   ```

3. Start Tailscale:

   ```
   tailscale up
   ```

4. Click the link provided in the terminal to authenticate the BookStack node to your Tailscale account.

### Phase 3: Enable Funnel in your Tailscale Admin Console

Tailscale disables public Funnels by default for security. You must authorize it in your Tailnet settings.

1. Go to the Tailscale Admin Console in your web browser.
2. Go to the DNS tab and ensure both MagicDNS and HTTPS Certificates are enabled.
3. Go to the Access Controls tab.
4. Scroll down to the `"nodeAttrs"` section (or add it if it's missing) and grant the `funnel` attribute to your devices. It should look like this:

   ```json
   "nodeAttrs": [
     {
       "target": ["autogroup:member"],
       "attr": ["funnel"]
     }
   ],
   ```

5. Save the Access Controls.

### Phase 4: Start the Tailscale Funnel

Back in your LXC container's terminal:

1. Determine the local port BookStack is running on (typically `80` if served via Nginx/Apache without local SSL).
2. Route public internet traffic to that local port, running the process in the background (`--bg`):

   ```
   tailscale funnel --bg 80
   ```

3. Check the status of your Funnel to get your new public web address:

   ```
   tailscale funnel status
   ```

> [!NOTE]
> You will see an output with a URL like: `https://your-node.tailnet-name.ts.net`.

### Phase 5: Update BookStack's Configuration

BookStack uses absolute URLs for CSS, images, and internal links. If you don't update BookStack to recognize its new public URL, the site will look broken and you won't be able to log in.

1. Navigate to your BookStack directory inside the container (usually `/var/www/bookstack` or `/opt/bookstack`).
2. Edit the `.env` configuration file:

   ```
   nano .env
   ```

3. Find the `APP_URL` variable and update it to exactly match your new Tailscale URL (make sure it starts with `https://` and has no trailing slash):

   ```
   APP_URL=https://your-node.tailnet-name.ts.net
   ```

4. Save and exit, then clear BookStack's cache to force the changes:

   ```
   php artisan config:clear
   php artisan cache:clear
   ```

> [!TIP]
> For a visual walkthrough of the container preparation steps, "Configuring Tailscale on an unprivileged Proxmox LXC" explains how the TUN device passthrough works under the hood.
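
The Phase 5 rules for `APP_URL` (exact match with the Funnel URL, `https://` scheme, no trailing slash) can be checked before clearing the cache. The script below is an added example, not part of the original guide or of BookStack or Tailscale; the function name `check_app_url` is hypothetical, and it assumes `APP_URL` is set on a single uncommented line of `.env`.

```shell
#!/bin/sh
# Added example: check a BookStack .env against the Funnel URL (Phase 5 rules).
# Usage: check_app_url ENV_FILE FUNNEL_URL
# Returns 0 when APP_URL is defined exactly once and equals FUNNEL_URL,
# 1 when a rule is violated, 2 when the file cannot be read.

check_app_url() {
    cau_file=$1
    cau_expected=$2

    [ -r "$cau_file" ] || { echo "FAIL: cannot read $cau_file"; return 2; }

    # Count uncommented APP_URL assignments; zero or several is ambiguous.
    cau_count=$(grep -c '^[[:space:]]*APP_URL=' "$cau_file" || true)
    if [ "$cau_count" -ne 1 ]; then
        echo "FAIL: expected exactly one APP_URL line, found $cau_count"
        return 1
    fi

    # Extract the value; drop a trailing CR, trailing blanks and surrounding quotes.
    cau_value=$(sed -n 's/^[[:space:]]*APP_URL=//p' "$cau_file" | tr -d '\r' |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")

    case $cau_value in
        https://*) ;;
        *) echo "FAIL: APP_URL must start with https:// (got '$cau_value')"; return 1 ;;
    esac
    case $cau_value in
        */) echo "FAIL: APP_URL must not end with a slash"; return 1 ;;
    esac
    if [ "$cau_value" != "$cau_expected" ]; then
        echo "FAIL: APP_URL '$cau_value' does not match Funnel URL '$cau_expected'"
        return 1
    fi
    echo "OK: APP_URL matches $cau_expected"
}

# When run as a script with two arguments, perform the check directly.
if [ "$#" -eq 2 ]; then
    check_app_url "$1" "$2"
fi
```

Run it from the BookStack directory with `.env` as the first argument and the URL reported by `tailscale funnel status` as the second.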