Use Tailscale
Hello, please help. I use Proxmox LXC -> Docker -> Portainer. How can I configure OpenCloud with Tailscale and use Tailscale MagicDNS?
```yaml
version: "3.8"
services:
  opencloud:
    image: opencloudeu/opencloud-rolling:latest
    container_name: opencloud
    restart: unless-stopped
    volumes:
      - opencloud_config:/etc/opencloud
      - opencloud_data:/var/lib/opencloud
    ports:
      - "9200:9200"
    entrypoint: ["/bin/sh"]
    command: ["-c", "opencloud init || true; opencloud server"]
    env_file:
      - stack.env
volumes:
  opencloud_config:
  opencloud_data:
```

stack.env:

```
OC_INSECURE=true
PROXY_HTTP_ADDR=0.0.0.0:9200
OC_URL=https://localhost:9200
IDM_ADMIN_PASSWORD=XXXXX
```
```
root@opencloud:~# tailscale serve https+insecure://localhost:9200
Available within your tailnet:

https://opencloud.XXXXX.XX.net/
|-- proxy https+insecure://localhost:9200
```
OC_URL=https://localhost:9200 is wrong. You have set that to localhost, but it needs to be set to the public domain where you are accessing OpenCloud.
Also make sure that OpenCloud can access its public URL from inside the container.
Hello @micbar, yes, you are right. But the "main magic" is 'tailscale serve' for it. For example, I want to use access by local IP address and Tailscale domain. How must I configure the env (only a sample: Frigate, Immich work the same)? I can change OC_URL=https://192.168.1.45:9200, but Tailscale MagicDNS (tailscale serve https+insecure://localhost:9200) does not work correctly (screenshot above). Thanks for the help.
I cannot use an 'other' domain for the server:

```
tailscale serve https+insecure://192.168.1.45:9200
error: failed apply web serve: only localhost or 127.0.0.1 proxies are currently supported
try `tailscale serve --help` for usage info
```
@daimonkor
As a workaround, use your host's Tailscale IP instead of localhost, e.g.:

```
OC_URL: "https://100.x.x.x:9200"
```

Also, tailscale serve can only bind to localhost or 127.0.0.1; other IP addresses are not supported.
I’ve been trying for a significant amount of time to get it working with Tailscale domains, but so far I’ve had no luck.
In the issues linked below, people suggest that replacing certificates, adding the domain to /etc/hosts or using other workarounds can help.
I've tried many of those options without success, getting either a config.json or an Access denied error.
https://github.com/orgs/opencloud-eu/discussions/363#discussioncomment-12646437
https://github.com/orgs/opencloud-eu/discussions/1757
The only officially supported method is to use a publicly accessible domain.
> The only officially supported method is to use a publicly accessible domain.

Let me explain. OpenCloud uses OpenID Connect for SSO. A user is identified by subject@issuer, which means user@domain.
In order to do that, you need a fixed domain which is the same across all clients / devices.
TL;DR: For me it worked using opencloud-compose with only the following 4 changes to the .env.example:

```
INSECURE=false
COMPOSE_FILE=docker-compose.yml:external-proxy/opencloud.yml
OC_DOMAIN="lxc-hostname.mysterious-squirrel.ts.net"
INITIAL_ADMIN_PASSWORD="********"
```

Then open https://lxc-hostname.mysterious-squirrel.ts.net in the browser (no port needed).
long version:
Tailscale can provide you with a unique FQDN for your device as well as a valid HTTPS certificate.
To get this up and running you need to make sure you have HTTPS enabled for MagicDNS in your Tailscale admin console; the HTTPS setting is at the end of the DNS page: https://login.tailscale.com/admin/dns
Afterwards you need to tell OpenCloud your Tailscale MagicDNS name for the device running OpenCloud. It should be something like lxc-hostname.mysterious-squirrel.ts.net
After that, all that is needed is:

```
tailscale serve --https=443 127.0.0.1:9200
```

Tailscale does all the background work then:
-> sets up a hidden reverse proxy in the client
-> gets a Let's Encrypt HTTPS cert for your personal *.ts.net name
-> sets up routing and port forwarding to your "serve" target

Beware of the caveats of this setup though:
- Docker in LXC is generally a performance nightmare according to extensive tests done by the Proxmox community
- all operations done in the OpenCloud UI are routed through the Tailscale interface/reverse proxy twice
- I have not found documentation of Tailscale's internal reverse proxy, so it may have attributes set that interfere with long-running uploads
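As an added example (not from this thread, nor from OpenCloud or Tailscale), here is a POSIX shell check that catches, before the stack is started, the two mistakes discussed in micbar's and flimmy's posts above: OC_URL or OC_DOMAIN pointing at localhost or a LAN/tailnet IP instead of the fixed name the OIDC issuer needs, and a name that does not match the MagicDNS name Tailscale reports for the host. The function name, the sample env files and the tailnet name are made up for the demo; the only real commands referenced are `tailscale status --json` (whose `Self.DNSName` carries the FQDN with a trailing dot) in the comments.

```shell
#!/bin/sh
# Added example: validate an OpenCloud env file against the Tailscale MagicDNS name.
# Usage: check_oc_url ENV_FILE TAILSCALE_FQDN
#   TAILSCALE_FQDN is what `tailscale status --json | jq -r .Self.DNSName` prints,
#   e.g. lxc-hostname.mysterious-squirrel.ts.net. (trailing dot is tolerated).
# Returns 0 when consistent, 1 otherwise; reasons go to stderr.
check_oc_url() {
  envfile=$1
  fqdn=$(printf '%s' "$2" | sed 's/\.$//')   # strip the DNS trailing dot
  rc=0

  # OC_URL is used by the single-container image, OC_DOMAIN by opencloud-compose.
  url=$(sed -n 's/^OC_URL=//p' "$envfile" | tr -d '"' | tail -n1)
  domain=$(sed -n 's/^OC_DOMAIN=//p' "$envfile" | tr -d '"' | tail -n1)

  if [ -n "$url" ]; then
    case "$url" in
      https://*) ;;
      *) echo "OC_URL must use https://, got: $url" >&2; rc=1 ;;
    esac
    host=${url#*://}; host=${host%%/*}; host=${host%%:*}   # scheme://host[:port][/...]
  elif [ -n "$domain" ]; then
    host=$domain
  else
    echo "neither OC_URL nor OC_DOMAIN is set in $envfile" >&2
    return 1
  fi

  # Loopback, RFC1918 LAN ranges and the 100.x tailnet IP are not stable names:
  # the OIDC issuer (subject@issuer) would differ per device and break SSO.
  case "$host" in
    localhost|127.*|10.*|192.168.*|172.1[6-9].*|172.2?.*|172.3[01].*|100.*)
      echo "host '$host' is an IP/loopback, not a fixed public name" >&2
      rc=1 ;;
  esac

  if [ "$host" != "$fqdn" ]; then
    echo "host '$host' does not match Tailscale MagicDNS name '$fqdn'" >&2
    rc=1
  fi
  return $rc
}

# Demo on constructed input (not real files from the thread).
demo_fqdn="lxc-hostname.mysterious-squirrel.ts.net."
bad_env=$(mktemp); good_env=$(mktemp)
printf 'OC_INSECURE=true\nPROXY_HTTP_ADDR=0.0.0.0:9200\nOC_URL=https://localhost:9200\n' > "$bad_env"
printf 'INSECURE=false\nOC_DOMAIN="lxc-hostname.mysterious-squirrel.ts.net"\n' > "$good_env"
if check_oc_url "$bad_env" "$demo_fqdn"; then echo "bad env: PASS (unexpected)"; else echo "bad env: FAIL (expected)"; fi
if check_oc_url "$good_env" "$demo_fqdn"; then echo "good env: PASS (expected)"; else echo "good env: FAIL (unexpected)"; fi
rm -f "$bad_env" "$good_env"
```

Run it on the host that runs `tailscale serve`, passing the real env file and the DNS name from `tailscale status --json`; a non-zero exit means the OIDC issuer in the browser and in the container will not agree, which is the root of the "Access denied"/config.json symptoms reported above.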
@flimmy thanks for sharing a working example. I guess I messed up with https://.
For compose it's a must; for .env it is not, which is why I received the config.json error!
However, a new issue has appeared.
Now, when signing in, I'm getting this:
Unexpected HTTP response: 500. Please check your connection and try again.
The logs indicate invalid credentials, but I'm sure they are valid...
Is there something with LDAP?
```json
{"level":"error","service":"idm","bind_dn":"uid=idp,ou=sysusers,o=libregraph-idm","op":"bind","remote_addr":"127.0.0.1:35476","time":"2025-11-26T16:53:48Z","line":"github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50","message":"invalid credentials"}
{"level":"error","service":"idp","error":"ldap identifier backend logon connect error: LDAP Result Code 49 \"Invalid Credentials\": ","time":"2025-11-26T16:53:48Z","line":"github.com/opencloud-eu/opencloud/pkg/log/logrus_wrapper.go:50","message":"identifier failed to logon with backend"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"50fb21e3f654/sZDTx78vFc-000353","traceid":"6bedfe5be1816787d2c5fc84cccd3fb3","remote-addr":"100.111.159.67","method":"POST","status":500,"path":"/signin/v1/identifier/_/logon","duration":24.888158,"bytes":44,"time":"2025-11-26T16:53:48Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"storage-system","host.name":"50fb21e3f654","pkg":"rgrpc","traceid":"bbcdb2833e49efa22949f4259b95eba4","time":"2025-11-26T16:54:09Z","line":"github.com/opencloud-eu/reva/[email protected]/internal/grpc/services/authprovider/authprovider.go:146","message":"user idp:\"internal\" opaque_id:\"8d154903-abcf-483c-8d0a-791c9638aee4\" type:USER_TYPE_SERVICE authenticated"}
{"level":"info","service":"storage-system","host.name":"50fb21e3f654","pkg":"rgrpc","traceid":"ed0abffa2d2eef6e251e2b3bf90616c8","time":"2025-11-26T16:55:09Z","line":"github.com/opencloud-eu/reva/[email protected]/internal/grpc/services/authprovider/authprovider.go:146","message":"user idp:\"internal\" opaque_id:\"8d154903-abcf-483c-8d0a-791c9638aee4\" type:USER_TYPE_SERVICE authenticated"}
{"level":"info","service":"storage-system","host.name":"50fb21e3f654","pkg":"rgrpc","traceid":"27b8b2bc9c5af2a461940359592bf193","time":"2025-11-26T16:56:09Z","line":"github.com/opencloud-eu/reva/[email protected]/internal/grpc/services/authprovider/authprovider.go:146","message":"user idp:\"internal\" opaque_id:\"8d154903-abcf-483c-8d0a-791c9638aee4\" type:USER_TYPE_SERVICE authenticated"}
```
Addendum: opencloud init --force-overwrite didn't help.
Addendum 2: Pruning and recreating everything from scratch for the second/third time worked like a charm! Thanks!
Thanks, it works, but the second plan is not resolved (using the local IP for site access).
> use Local IP to site access

@daimonkor what do you mean by that?
It must be possible to visit http://localhost:9200.
What I'm really trying to overcome is using services via tailscale serve (advertising a local service to another TS domain).
It gives me a 401 Unauthorized (logs below). Must be something related to CSP and Keycloak..

> docker in lxc is generally a performance-nightmare

@flimmy I made it work as a bare executable on a bare LXC with my TrueNAS (unable to do it with Docker and the host TS domain).
I know the issue is resolved; just sharing my experience.
Browser logs:
```
Content-Security-Policy: The page's settings blocked a JavaScript eval (script-src) from being executed because it violates the following directive: "script-src 'self' 'unsafe-inline' https://keycloak.opencloud.test/" (Missing 'unsafe-eval')
POST https://oc-test.tailXXX.ts.net/api/v0/settings/roles-list [HTTP/2 401 10103ms]
GET https://oc-test.tailXXX.ts.net/graph/v1.0/me?$expand=memberOf [HTTP/2 401 20096ms]
```
Hello, I mean a LAN IP like 192.168.1.45. Thanks, it works with Tailscale MagicDNS (Tailscale domain).