Jens Willmer


Securely Expose Local Ports with Tailscale Funnel

When developing applications that need to interact with external services such as OAuth providers or webhooks, it’s often necessary to expose your local environment to the internet. Tailscale Funnel provides a quick, secure, and hassle-free method to do this, allowing any port on your local machine to be accessible over the internet with minimal configuration. This guide will walk you through setting up Tailscale Funnel to expose your application’s port, making it ideal for developers who need a temporary public endpoint for testing.

What is Tailscale Funnel?

Tailscale Funnel allows you to expose a local service running on your machine to the internet via HTTPS, leveraging Tailscale’s secure VPN. This feature is especially useful for scenarios where you need a public endpoint, such as testing OAuth callbacks, receiving webhooks, or sharing a development environment temporarily.

Key Benefits of Tailscale Funnel

  • Quick Setup: The process is straightforward and quick, making it perfect for rapid testing and debugging.
  • Secure and Easily Disabled: Public access can be enabled or disabled with a single command, ensuring your local environment remains secure when not in use.
  • Automatic HTTPS and MagicDNS: Tailscale handles HTTPS provisioning and DNS management, simplifying the setup.

Prerequisites

To use Tailscale Funnel, you need the following:

  1. Tailscale account: Sign up at Tailscale.
  2. Tailscale client: Installed and running on your development machine.
  3. An application running locally: Your application should be running on a specific port (e.g., localhost:5000).

Step-by-Step Guide to Set Up Tailscale Funnel

1. Install and Configure Tailscale

Make sure Tailscale is installed and configured on your machine:

  1. Download and install the Tailscale client from Tailscale Downloads.
  2. Log in to your Tailscale account using the Tailscale client.
  3. Authorize your device in the Tailscale admin console.

2. Provision a Certificate for Your Device

To ensure your service is accessible over HTTPS, you need to provision a certificate for your device using Tailscale:

  1. Open the DNS page in the Tailscale admin console.
  2. Enable MagicDNS if it is not already enabled for your tailnet.
  3. Under HTTPS Certificates, select Enable HTTPS.
  4. To obtain a certificate on your machine, run the following command in the terminal, replacing <domain> with your device's full MagicDNS name:
tailscale cert <domain>

This step is crucial as it enables secure connections to your public endpoint through HTTPS.

3. Configure Access Controls

To enable Funnel, you need to adjust your Tailscale network’s access control list (ACL) settings:

  1. Open the Tailscale admin console and go to Access Controls.
  2. Modify your ACL configuration to include the Funnel attribute:
{
  "nodeAttrs": [
    // Adds the "funnel" attribute to all devices in your network
    { "target": ["autogroup:member"], "attr": ["funnel"] }
  ],
  "acls": [
    // Allow all connections.
    { "action": "accept", "src": ["*"], "dst": ["*:*"] },
  ]
}
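
The policy above gives the funnel attribute to every member's devices. As an added example (not code from the original post or from Tailscale), this Python script parses a policy file and reports which targets receive the attribute, comparing the policy from this step with a constructed, narrower one. The tag name tag:funnel-dev and the function names are assumptions made for illustration.

```python
import json
import re

# Strings are matched first so "//" or "," inside a string is left alone.
_COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')
BROAD_TARGETS = {"*", "autogroup:member"}  # targets covering every user's devices

def _keep_strings(match):
    token = match.group(0)
    return token if token.startswith('"') else ""

def load_policy(text):
    """Parse a HuJSON policy file: JSON plus comments and trailing commas."""
    text = _COMMENTS.sub(_keep_strings, text)
    return json.loads(_TRAILING.sub(_keep_strings, text))

def funnel_targets(policy):
    """Return {target: is_broad} for each nodeAttrs entry granting "funnel"."""
    found = {}
    for entry in policy.get("nodeAttrs", []):
        if "funnel" in entry.get("attr", []):
            for target in entry.get("target", []):
                found[target] = target in BROAD_TARGETS
    return found

# The policy shown in step 3 of this page.
PAGE_POLICY = """
{
  "nodeAttrs": [
    // Adds the "funnel" attribute to all devices in your network
    { "target": ["autogroup:member"], "attr": ["funnel"] }
  ],
  "acls": [
    { "action": "accept", "src": ["*"], "dst": ["*:*"] },
  ]
}
"""
# Constructed alternative: only devices with a hypothetical tag may use Funnel.
SCOPED_POLICY = """
{
  "tagOwners": { "tag:funnel-dev": ["autogroup:admin"] },
  "nodeAttrs": [{ "target": ["tag:funnel-dev"], "attr": ["funnel"] }],
}
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, funnel_targets(load_policy(text)))
```

A value of True marks a target that lets any member's device open a public endpoint; the scoped policy limits that to devices an admin has tagged.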

4. Enable Tailscale Funnel for Your Application

Now, enable Funnel to expose your application:

tailscale funnel <port>

This command will make your application accessible via a public URL over HTTPS.

5. Obtain and Test Your Public URL

Once Funnel is enabled, Tailscale generates a public URL for your service. It will be in the format:

https://<device-name>.ts.net:<port>

For instance, if your device name is my-laptop and your application is running on port 5000, the URL will be:

https://my-laptop.ts.net:5000

6. Use the URL for External Integrations

With your application now accessible online, you can:

  • Test OAuth callbacks: Configure your OAuth provider’s redirect URI to your Tailscale Funnel URL (e.g., https://my-laptop.ts.net:5000/callback).
  • Receive webhooks: Set the Funnel URL as the endpoint for services needing to send data to your application.
  • Collaborate easily: Share your development environment securely for team testing or demonstrations.

7. Disable Funnel When Done

After testing, you can easily disable Funnel to secure your environment:

  1. Open your terminal or command prompt.
  2. Run the command to disable Funnel and clear its configuration on this device:
tailscale funnel reset

Nice to Know: Using Tailscale Funnel to Share Files

In addition to exposing your local development environment, Tailscale Funnel can be used to share files quickly over the internet. This is particularly useful when you need to send files directly from your device without using an external file-sharing service. Here’s how to use Funnel for file sharing:

tailscale funnel /tmp/public

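This command will activate file sharing mode for /tmp/public, and Tailscale will automatically generate a public URL for you. Anyone who has that URL can read the files in the directory, so point Funnel at a dedicated folder that holds only what you intend to share.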