Run Docker Apps Privately with Tailscale Instead of Opening Router Ports

A practical self-hosting resource for exposing Docker apps inside a private Tailnet instead of opening router ports, reverse proxies, and public subdomains by default.

Original: Jun 1, 2026
Access: Free
Updated: Jun 1, 2026, 09:54 AM

LinkLoot AI review

Start code only in isolation

Score: 67/100
Code execution prepared for isolation

Reviewed loot: Run Docker Apps Privately with Tailscale Instead of Opening Router Ports

My take: ScaleTail: Private Docker Services over Tailscale has practical evidence: install, dependency checks, and the relevant sandbox steps ran in isolation.

User decision: Verify first

Check first: try this loot isolated or with test data and read the open points below.

The value is practically supported because installation and relevant sandbox steps produced usable results.

Judges how careful a user should be when trying it: permissions, network use, dependencies, and hard warnings.
Reasons to use it
  • Easy to try: Judges whether a normal user can repeat the first setup with reasonable effort.
  • Sources, external URL, and visible link/site signals were reviewed.
  • Install surface, scripts, dependencies, and suspicious patterns were checked statically.
  • Optional page snapshot. For code repositories this is context, not security proof.
Reasons to be careful
  • The runner found 2 place(s) that can start programs, use install scripts, or run code dynamically. For this loot: try it in a test environment first, do not use real tokens/cookies, then...
  • 5 spots mention credentials, browser sessions, root/admin mode, proxies, or similar access-sensitive behavior. This fits the tool category, but it means testing should happen with throwaw...
  • The review could not extract a clear current deal price from the target page. Verify the live price before following the deal.
  • The open GitHub issues are mostly about documentation, UX/configuration, bugs/crashes, or setup. This is a public user signal, not representative customer feedback.

What this is

ScaleTail is a collection of ready-to-run Docker Compose stacks that attach common self-hosted apps to a Tailscale tailnet through a sidecar container. The useful idea is simple: make private tools reachable from your own devices without turning every dashboard, password vault, document archive, or admin panel into a public web service.

Best use case

Use this when you run services such as Vaultwarden, Paperless-ngx, Jellyfin, Immich, Pi-hole, AdGuard Home, Home Assistant, Open WebUI, Portainer, or Uptime Kuma and want remote access without a new router port, reverse-proxy rule, or public DNS entry for every app.

Workflow

  1. Create a reusable Tailscale auth key in the Tailscale admin console.
  2. Pick the ScaleTail template matching your service.
  3. Review the Docker Compose file before running it, especially volumes, environment variables, and exposed ports.
  4. Bind the app container to the Tailscale sidecar's network stack with the template's network_mode: service:<sidecar> pattern.
  5. Start the stack with Docker Compose and confirm the service appears in your Tailnet.
  6. Use Tailscale Serve for private Tailnet access. Only use Funnel when the service is intentionally public.
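
The review in steps 3 and 4 can be scripted. The following is an added example, not code from ScaleTail or Tailscale: it audits the JSON that `docker compose config --format json --no-interpolate` prints for a stack. The service names, images, finding labels, and the sidecar name "tailscale" are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `docker compose config --format json
# --no-interpolate`; services and images are hypothetical, not a ScaleTail template.
SAMPLE = json.loads("""
{"services": {
  "tailscale": {"image": "tailscale/tailscale:latest",
    "environment": {"TS_AUTHKEY": "tskey-auth-CONSTRUCTED-PLACEHOLDER"},
    "volumes": [{"type": "bind", "source": "./ts-state", "target": "/var/lib/tailscale"}]},
  "app": {"image": "example/app:1.2.3", "network_mode": "service:tailscale",
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/var/run/docker.sock"}]},
  "helper": {"image": "example/helper",
    "ports": [{"target": 8080, "published": "8080", "protocol": "tcp"}]}
}}
""")

def audit(config, sidecar="tailscale"):
    """Return (service, finding) pairs for the review points in steps 3 and 4."""
    findings = []
    for name, svc in config.get("services", {}).items():
        # Tags / update policy: no tag or :latest means the image can change silently.
        image = svc.get("image", "")
        last = image.rsplit("/", 1)[-1]
        tag = last.rsplit(":", 1)[1] if ":" in last else ""
        if "@sha256:" not in image and tag in ("", "latest"):
            findings.append((name, "unpinned-image"))
        # Exposed ports: anything published beyond loopback bypasses the tailnet.
        for port in svc.get("ports", []):
            host_ip = port.get("host_ip", "") if isinstance(port, dict) else ""
            if host_ip not in ("127.0.0.1", "::1"):
                findings.append((name, "published-port"))
        # Step 4: every non-sidecar service should share the sidecar's network stack.
        if name != sidecar and svc.get("network_mode") != f"service:{sidecar}":
            findings.append((name, "not-on-sidecar"))
        # Environment: a literal auth key in the file ends up in git and backups.
        env = svc.get("environment") or {}
        if isinstance(env, dict) and str(env.get("TS_AUTHKEY", "")).startswith("tskey-"):
            findings.append((name, "inline-authkey"))
        # Volumes: the Docker socket grants control of the host's Docker daemon.
        for vol in svc.get("volumes", []):
            src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
            if src.endswith("docker.sock"):
                findings.append((name, "docker-socket"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```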

Security notes

  • ScaleTail reduces accidental public exposure, but it does not replace Docker hardening, backups, patching, or least-privilege access controls.
  • Treat every template as code: inspect the image source, tags, volume mounts, environment variables, and update policy before production use.
  • Keep admin panels, password managers, document stores, and local AI interfaces private unless you have a strong reason to expose them publicly.
  • Do not confuse Tailscale Serve with Funnel: Serve is private to the Tailnet, while Funnel publishes a service to the public internet.

Quick decision table

| Need | Use ScaleTail? | Caveat |
|---|---|---|
| Private remote access to homelab apps | Yes | Requires Tailscale and Docker Compose |
| Public webhook endpoint | Maybe | Funnel can be public; harden it carefully |
| Full site publishing | No | Use a normal deployment and security model |
| Multi-service homelab on one host | Yes | Still plan backups, updates, and separation |

Source check

The Tarnkappe article explains the privacy angle, the Serve/Funnel distinction, and why ScaleTail fits self-hosted Docker services that should not be exposed publicly by default. The ScaleTail GitHub repository confirms that the project provides Docker Compose sidecar configurations for connecting self-hosted apps to a Tailnet. Tailscale's own Docker documentation provides the official baseline for running Tailscale with containers.
