🛠️

Run Docker Apps Privately with Tailscale Instead of Opening Router Ports

A practical self-hosting resource for exposing Docker apps inside a private Tailnet instead of opening router ports, reverse proxies, and public subdomains by default.

Original
Jun 1, 2026
Status & Access
Current access and latest update details.
Access
Free
Updated
Jul 13, 2026, 09:02 PM

LinkLoot AI review

Tool has value, start small

AI take: 73/100
Private access to Docker web apps through Tailnet; check auth key, Serve/Funnel, and port exposure.

My take: For self-hosted tools, the approach is practical: the checked smoke fixture uses a Tailscale sidecar, no published host ports, and an auth key from the environment instead of inside the compose text. The boundary is real use in your own Tailnet, where the auth key, DNS, Serve/Funnel, and each individual app template still need careful checks.

facet
Private-access pattern checked, account use still open
facet
Clear value for private self-hosting access
facet
Better than public dashboards if Funnel stays off
facet
Simple pattern, but Docker and Tailscale knowledge needed
facet
Actively maintained, without release versions
Direct value

Helps you reach Docker web apps privately through your Tailnet without exposing the router or individual containers publicly.

Check first

Do not copy-paste blindly: keep the auth key short-lived, disable reuse, and confirm Tailnet join with a test service.

What you get
  • Practical for homelabs: services stay behind Tailscale while access is controlled more deliberately through sidecar/Serve.
  • The concrete value is less port-forwarding risk and a cleaner trial path for internal tools like dashboards, admin UIs, or small apps.
What to watch
  • Check Serve instead of Funnel and avoid publishing Docker ports on 0.0.0.0, otherwise the private-access benefit disappears.
  • Before real services, read the Compose file, volumes, env vars, and service template; secrets do not belong hardcoded in YAML.
  • Do not start with real tokens, private repos, or production data.

Automated AI review. Decision aid, not a safety guarantee. · 2026-06-08 17:20:27 UTC

What this is

ScaleTail is a collection of ready-to-run Docker Compose stacks that attach common self-hosted apps to a Tailscale tailnet through a sidecar container. The useful idea is simple: make private tools reachable from your own devices without turning every dashboard, password vault, document archive, or admin panel into a public web service.

Best use case

Use this when you run services such as Vaultwarden, Paperless-ngx, Jellyfin, Immich, Pi-hole, AdGuard Home, Home Assistant, Open WebUI, Portainer, or Uptime Kuma and want remote access without a new router port, reverse-proxy rule, or public DNS entry for every app.

Workflow

  1. Create a reusable Tailscale auth key in the Tailscale admin console.
  2. Pick the ScaleTail template matching your service.
  3. Review the Docker Compose file before running it, especially volumes, environment variables, and exposed ports.
  4. Bind the app container to the Tailscale sidecar network stack with the template's network_mode: service: pattern.
  5. Start the stack with Docker Compose and confirm the service appears in your Tailnet.
  6. Use Tailscale Serve for private Tailnet access. Only use Funnel when the service is intentionally public.

Security notes

  • ScaleTail reduces accidental public exposure, but it does not replace Docker hardening, backups, patching, or least-privilege access controls.
  • Treat every template as code: inspect the image source, tags, volume mounts, environment variables, and update policy before production use.
  • Keep admin panels, password managers, document stores, and local AI interfaces private unless you have a strong reason to expose them publicly.
  • Do not confuse Tailscale Serve with Funnel: Serve is private to the Tailnet, while Funnel publishes a service to the public internet.

Quick decision table

NeedUse ScaleTail?Caveat
Private remote access to homelab appsYesRequires Tailscale and Docker Compose
Public webhook endpointMaybeFunnel can be public; harden it carefully
Full site publishingNoUse a normal deployment and security model
Multi-service homelab on one hostYesStill plan backups, updates, and separation

Source check

The Tarnkappe article explains the privacy angle, the Serve/Funnel distinction, and why ScaleTail fits self-hosted Docker services that should not be exposed publicly by default. The ScaleTail GitHub repository confirms that the project provides Docker Compose sidecar configurations for connecting self-hosted apps to a Tailnet. Tailscale's own Docker documentation provides the official baseline for running Tailscale with containers.

Discussion

Sign in to join the discussion and vote on comments.

No comments yet. Start the discussion.
Keep exploring

More from this topic

More in Tools & Apps