I use Headscale, an open source implementation of the Tailscale control server. It doesn't have funnel functionality implemented out of the box, but I use a custom Traefik proxy manager Web UI in which I can expose ports on different Tailnet nodes.
In order to avoid exposing something unnecessarily in the certificate transparency logs, I use a single wildcard certificate, so all the subdomains are not listed anywhere automatically.
I use the same approach for services hosted in the internal subdomain, because I don't want everyone to know what exactly I'm running in my homelab.
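The single-wildcard-certificate setup described above, as an added example (not the poster's own configuration): a Traefik static config with an ACME DNS-01 resolver, plus one router that pins the wildcard on every host. Assumed names are `example.com`, the resolver name `le`, the Cloudflare DNS provider for the challenge and a `grafana` backend; any DNS provider Traefik supports works the same way.

```yaml
# traefik.yml (static configuration, assumed path)
entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  le:
    acme:
      email: "admin@example.com"        # assumed contact address
      storage: "/acme/acme.json"
      # Wildcards can only be issued via DNS-01; HTTP-01/TLS-ALPN cannot.
      dnsChallenge:
        provider: cloudflare             # reads CF_DNS_API_TOKEN from env
        resolvers:
          - "1.1.1.1:53"

---
# dynamic.yml (file provider, assumed path)
http:
  routers:
    grafana:
      rule: "Host(`grafana.example.com`)"
      entryPoints:
        - websecure
      service: grafana
      tls:
        certResolver: le
        # Without this `domains` block Traefik would request a certificate
        # for grafana.example.com itself, and that hostname would appear in
        # the certificate transparency logs. Pinning the wildcard means only
        # example.com and *.example.com are ever logged.
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"
  services:
    grafana:
      loadBalancer:
        servers:
          - url: "http://100.64.0.10:3000"   # assumed tailnet address
```

Every router that should stay out of the CT logs needs the same `tls.domains` block (or a shared default via the entry point's `http.tls` section); one router left at the default will still trigger a per-hostname certificate request for that name.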
Another approach I’ve seen is to route public access from Traefik/nginx through a single Cloudflare tunnel instead, and Tailscale/Headscale can be left for private network and server access.
The Traefik box can have the single Cloudflare tunnel, and Tailscale can hang out behind the scenes.
This way tailscale funnel doesn’t need to be public.
There is the self hosted Cloudflare alternative that’s escaping my mind right now too.