Ryan Malesevich

amateur runner, data engineer, technology enthusiast, and friend to all dogs

Configure Tailscale and Caddy for your Homelab on TrueNAS

18 July 2026

This post assumes that you have:

Tailscale has been installed on my Homelab since day one. It was only used when connecting from my primary computer through SMB when I was not physically connected to my network. Caddy has always been used as my reverse proxy, but everything was routed through a custom domain name. I put on precautions, but the fact of the matter is that I made my services accessible to the public internet and I am not an expert. With the news of recent foundational models becoming better at finding software vulnerabilities1, I’ve grown more uncomfortable. Finally, I decided to utilize the protections of my Tailnet and move access to the applications on my Homelab through Tailscale.

Setting this up isn’t too complicated. It requires configuring a few settings on the Tailscale Admin Console, configuring Tailscale on your TrueNAS to generate SSL certificates, and then configuring Caddy to act as a reverse proxy through the Tailnet.

Configure the Tailscale Admin Console

Access the DNS on the Tailscale Admin Console and do the following:

  • Make note of your Tailnet DNS name (tailXXXXX.ts.net)
  • Enable MagicDNS
  • Enable HTTPS

Configure Tailscale on your TrueNAS

With MagicDNS enabled, you will be able to access each of your machines through its SERVERNAME as a subdomain of your DNS. Make note of the address for future steps. It will look like SERVERNAME.tailXXXXX.ts.net.

Under normal operation Caddy will handle the SSL certifications if you’re using your own domain. However, with Tailscale we will need to configure the Tailscale application to handle the certificate creation and re-issues and then within Caddy we’ll point to the certificate files. I chose to create a folder that is mounted to both my Tailscale and Caddy applications. It doesn’t really matter where you physically store it on your TrueNAS, but it made more sense for me to create a certs directory in my Caddy Application Data mount.

Create the folder first.

mkdir /mnt/SSDPool/Application_Data/Caddy/certs

Update the Tailscale application by adding a Host Path volume that mounts to the /certs folder and is pointed to the folder created in the previous step.

You’ll create the certification files first manually. Once it’s working, we’ll set it up to run as a daily cron job because Tailscale will not handle the expiration automatically. Open the Shell linked to the Tailscale container and run this command:

cd certs
tailscale cert SERVERNAME.tailXXXX.ts.net

If you see that it generated a Public cert and Private key, then it was successful. This certification will last 90 days.

Configure a Cron Job through the TrueNAS UI through System > Advanced Settings. Add a Cron Job. Give it a Description that you’ll remember, set a time, and set the ‘Run As User’ to root. The TrueNAS Apps are actually run through Docker, but they are given unique names handled by TrueNAS. Regular users are also not allowed to run docker commands, so this is why you need to use root or manually run the commands with sudo. Note the nested docker command as it first looks for the Tailscale Docker name to identify the right container. Replace the SERVERNAME and Tailnet address:

docker exec $(docker ps --format '{{.Names}}' | grep -i tailscale) tailscale cert --cert-file=/certs/SERVERNAME.tailXXXXX.ts.net.crt --key-file=/certs/SERVERNAME.tailXXXXX.ts.net.key supersol.tail3942a.ts.net

The job can run daily as it will only renew the certification if it is close to expiration.

Configure Caddy

Now we’re ready to set up Caddy. First make sure that the certs folder is mapped as a volume in your Caddy container. For consistency, I mapped the certs folder to /certs on the Caddy container.

Now for each application you’re running, you can add an entry into the Caddyfile. You can have multiple applications in a Caddyfile. With Tailscale, you’ll be setting up the entry with an external port that will be used with the MagicDNS address that will route to the internal address with the internal port. You won’t be able to use the same ports as they are essentially all running on your network. I chose to start at 8443 for my reverse proxy ports and am adding one per application. The internal port is dependent on the application and your Docker setup. Here is an example entry:

# APPLICATIONNAME
SERVERNAME.tailXXXXX.ts.net:YYYY {
        tls /certs/SERVERNAME.tailXXXXX.ts.net.crt /certs/SERVERNAME.tailXXXXX.ts.net.key
        reverse_proxy localhost:ZZZZ
}

Sub out the following:

  • APPLICATIONAME to add a comment
  • SERVERNAME for the name of your TrueNAS server
  • XXXXX for the Tailnet ID
  • YYYY for the port you will access the application through the MagicDNS
  • ZZZZ for the port the container is accessible through Docker

Reload the Caddy application or reload the Caddyfile through this command that would be run with your user when SSH’d into the server:

sudo docker exec $(sudo docker ps --format '{{.Names}}' | grep -i caddy) caddy reload --config /etc/caddy/Caddyfile

Now access SERVERNAME.tailXXXXX.ts.net:YYYY through the web. So long as the device you’re connected to is on your Tailnet, it should work. You can test outside access by disconnecting from the Tailnet and the application won’t load. You may need to configure the application to recognize that as the new base address.

  1. It’s entirely possible the claims from Anthropic are hyperbolic, but the fact is read release notes for recent applications and they are full of bug fixes.