Pi-hole and Tailscale Tailnet Subdomains

Hello guys,

The issue I am facing:
I am running Tailscale and a Traefik Proxy in my homelab (which is a Raspberry Pi). Also, I am running Pi-hole on it.
This took me quite a while, but now I've got these 3 Docker containers up and running, with Traefik using the Tailscale https-Cert for my tailnet, i.e. that one machine.

But there is one thing I need help with: subdomains and DNS. I would like to use subdomains for services on my Raspberry Pi and valid http-Certs, but I don’t know how Tailscale DNS (split DNS?) and my own DNS server Pi-hole need to play together to achieve this.

At the moment, the https-Cert for the one machine „raspi5“ = raspi5.taile0b43.ts.net is working fine. But I couldn’t get nextcloud.raspi5.taile0b43.ts.net working.
Please, what settings do I need in Tailscale („DNS / Nameservers“ ? „DNS / Search Domains“ ?) and in Pi-Hole („Local DNS Records“ ?) to make this work?

Thanks!
JAN

Details about my system:
Raspberry Pi 5 running latest OS (= Debian)
Docker
Pi-Hole:latest
Tailscale:latest
Traefik: latest

What I have changed since installing Pi-hole:
(Nothing)

You should not use nextcloud.raspi5.taile0b43.ts.net, use nextcloud.taile0b43.ts.net instead.
Tailscale only generates HTTPS certificates for device.tailnet.ts.net and not device.other-device.tailnet.ts.net.

My setup may help you:
elederberrypi(192.168.178.158) and blueberrypi(192.168.178.88) have tailscale installed, Tailscale itself is disabled in my home network.
Both use elederberrypi.my-tailnet.ts.net/blueberrypi.my-tailnet.ts.net tailscale https certificates.
I am also using https://elederberrypi.my-tailnet.ts.net to access them in my home network, due to the signed https certificate.
My local DNS-records:

Thanks for helping!
The way I understand it: you have got 2 separate devices each running Tailscale. Connecting to port :443 of each machine has a valid https-cert for the service running on that port.

I would like to do it differently: one device running Tailscale, multiple things running on it. And I think with a separate DNS server (Pi-hole) and a reverse proxy (Traefik doing the routing stuff) this would be possible, as I have seen videos on YouTube and read articles about subdomain.device.tailnet.ts.net, I just can't get it working myself.

You can theoretically use subdomain.device.tailnet.ts.net for DNS but not for HTTPS.

admin@blueberrypi:~ $ sudo tailscale cert subdomain.blueberrypi.tailnet-name.ts.net
500 Internal Server Error: invalid domain "subdomain.blueberrypi.tailnet-name.ts.net"; must be one of ["blueberrypi.tailnet-name.ts.net"]
admin@blueberrypi:~ $ sudo tailscale cert *.blueberrypi.tailnet-name.ts.net
500 Internal Server Error: invalid domain "*.blueberrypi.tailnet-name.ts.net"; must be one of ["blueberrypi.tailnet-name.ts.net"]
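The rule shown by the two rejected `tailscale cert` calls above, as an added example that is not part of this thread: a helper that checks a requested certificate name against the node's own MagicDNS name and, for a `service.device.tailnet.ts.net` request, works out the per-service node name (`service.tailnet.ts.net`) that a separate Tailscale machine or TSDProxy would get a certificate for. The error text is modelled on the output quoted above, and the node name is passed in as an argument (on a real node it would come from `tailscale status --json`); both are assumptions of this example, not Tailscale's own code.

```python
import re

TS_SUFFIX = ".ts.net"
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def split_magicdns(fqdn):
    """Split 'device.tailnet.ts.net' into (device, tailnet).

    Returns None for anything that is not exactly one device label and
    one tailnet label under .ts.net (so subdomains and wildcards fail here).
    """
    name = fqdn.lower().rstrip(".")
    if not name.endswith(TS_SUFFIX):
        return None
    labels = name[: -len(TS_SUFFIX)].split(".")
    if len(labels) != 2 or not all(LABEL.match(lbl) for lbl in labels):
        return None
    return labels[0], labels[1]


def check_cert_request(requested, node_fqdn):
    """Model the 'tailscale cert' restriction from the thread: the only
    issuable name is the node's own device.tailnet.ts.net.

    For a name one level below the device (nextcloud.raspi5.tailnet.ts.net)
    the result carries the node name a separate Tailscale machine for that
    service would use instead (nextcloud.tailnet.ts.net); a wildcard gets none.
    """
    parts = split_magicdns(node_fqdn)
    if parts is None:
        raise ValueError(f"{node_fqdn!r} is not a device.tailnet.ts.net name")
    device, tailnet = parts
    allowed = f"{device}.{tailnet}{TS_SUFFIX}"
    name = requested.lower().rstrip(".")
    if name == allowed:
        return {"ok": True, "name": allowed, "separate_node_name": None}
    # Error text constructed after the output quoted in the thread.
    reason = f'invalid domain "{requested}"; must be one of ["{allowed}"]'
    hint = None
    suffix = "." + allowed
    if name.endswith(suffix):
        label = name[: -len(suffix)]
        if LABEL.match(label):  # a real label, not '*' or 'a.b'
            hint = f"{label}.{tailnet}{TS_SUFFIX}"
    return {"ok": False, "reason": reason, "separate_node_name": hint}
```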

Hmm, that would mean I'd have to run multiple Tailscale containers as sidecars to the applications I'd like a separate https-Cert for (and pair them in a custom Docker bridge network)?
Since Tailscale only uses 70 MB of memory I could do that, and have each ts container as a separate machine on my tailnet?!

How exactly does it work? (Pi-hole vs Tailscale DNS settings?)

This! TSDProxy

TSD Proxy is a Tailscale client that watches the docker.sock and creates multiple Tailscale machines container-name.tailnet-name.ts.net for desired containers and bakes https into them.

It's not what I initially was looking for (i.e. subdomains), but it solves my need for https-Certs :blush:
without further Tailscale sidecar containers.
