
Have you managed to get TLS working with a setup like this? I have a custom domain that isn't used, but I'd like to point it to a machine that's on Tailscale. Do you just put your Tailscale DNS on public DNS servers, or do you use an internal one? Do you use a reverse proxy to route port 80/443 to the port your app is running on?


You could just get a wildcard certificate with Let's Encrypt, via a DNS challenge.

E.g. lego supports many different DNS providers:

https://go-acme.github.io/lego/

And then internally inside of Tailscale you could have your own DNS server, which serves subdomains of your domain, and for all subdomains you can use the same wildcard certificate.

This also does not 'expose' your subdomains on Certificate Transparency logs.
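A concrete sketch of the setup described above, as an added example (not the commenter's own): lego issues the wildcard via the DNS-01 challenge, dnsmasq answers for the domain only inside the tailnet, and nginx terminates TLS for each service with that one certificate. The domain, proxy address, certificate path, DNS provider and its credential variable are all assumed; the `wildcard_covers` check enforces the one-label rule, since `*.example.com` does not cover `a.b.example.com` or the bare domain.

```shell
#!/bin/sh
# Constructed values for this example; substitute your own.
DOMAIN="example.com"       # your registered, otherwise unused domain
PROXY_IP="100.64.0.5"      # assumed tailnet address of the reverse-proxy host
EMAIL="admin@example.com"

# 1. Issue "*.example.com" once via the ACME DNS-01 challenge with lego.
#    Provider name and credential variable are assumed (Cloudflare shown);
#    any provider lego supports works the same way.
issue_wildcard() {
    CLOUDFLARE_DNS_API_TOKEN="$DNS_API_TOKEN" \
    lego --accept-tos --email "$EMAIL" --dns cloudflare \
         --domains "*.$DOMAIN" --domains "$DOMAIN" run
}

# 2. A wildcard covers exactly one label: "app.example.com" yes,
#    "a.b.example.com" and the bare "example.com" no. Returns 0 if covered.
wildcard_covers() {   # usage: wildcard_covers BASE HOST
    base="$1"; host="$2"
    label="${host%".$base"}"                 # strip the ".example.com" suffix
    [ "$label" != "$host" ] || return 1      # suffix absent: different domain
    [ -n "$label" ] || return 1              # nothing left: the bare domain
    case "$label" in *.*) return 1 ;; esac   # nested label: not covered
    return 0
}

# 3. Internal dnsmasq config: every name under the domain resolves to the
#    proxy, and queries for it are never forwarded to public resolvers.
dnsmasq_conf() {
    printf 'local=/%s/\n' "$DOMAIN"
    printf 'address=/%s/%s\n' "$DOMAIN" "$PROXY_IP"
}

# 4. One nginx vhost per service, all sharing the one wildcard cert.
#    lego writes "*" as "_" in its file names; the base path is assumed.
nginx_vhost() {   # usage: nginx_vhost SUBDOMAIN BACKEND_PORT
    wildcard_covers "$DOMAIN" "$1.$DOMAIN" || {
        echo "$1.$DOMAIN is not covered by *.$DOMAIN" >&2; return 1; }
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1.$DOMAIN;
    ssl_certificate     /etc/lego/certificates/_.$DOMAIN.crt;
    ssl_certificate_key /etc/lego/certificates/_.$DOMAIN.key;
    location / { proxy_pass http://127.0.0.1:$2; }
}
EOF
}
```

Point the tailnet's DNS at the dnsmasq host and the names stay internal; only `*.example.com` itself ever appears in CT logs.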


Cool thanks! I'll have to spend some more time looking into this. Do you have any recommendations for a DNS server to run inside Tailscale?


Depends. If you only want DNS and nothing more, then probably dnsmasq. That's basically one of the most used DNS/DHCP servers.

Otherwise you could use solutions like AdGuard Home or PiHole, which both have a web interface for configuration, and the ability to block ads and tracking domains.

Note that I don't use Tailscale myself, so I don't know if Tailscale 'needs' something else. But I use pure WireGuard, and all of the services mentioned above work with 'pure WireGuard'.


I can recommend PiHole; it has a DNS server and is easy to use with its web interface.


I once ran a DNS server from PiHole inside Tailscale. It worked pretty decently, but latency was the issue and it had reliability issues.


I run Nginx Proxy Manager, which gives out certs for each subdomain via Let's Encrypt + provider API.



