External access to Synology NAS with Let's Encrypt certificate and custom domain

Tailscale version: Windows 1.22.2 & Linux 1.16.2
Your operating system & version: Windows 10 Pro 21H2 & Synology DSM 7.0.1-42218 Update 3

I currently have a public, custom domain, example.com, tied to a Let’s Encrypt certificate on my Synology NAS and port forwarding set up to manage it externally.

I’m trying to move to a Tailscale setup to eliminate the port forwarding but would like to still be able to use my custom domain/name to access my NAS while connected to Tailscale.

My NAS is also a DNS server inside my home network where I have records for example.com and nas.example.com pointing to my NAS’s private IP address so all my access works and shows the valid certificate while on the local network both while I am connected to Tailscale and when I am not.

I am also able to query and access my NAS publicly, with a valid certificate, at either example.com or nas.example.com while I have port forwarding set up.
When I have port forwarding set up, everything continues to work normally whether connected to Tailscale or not (because of the port forwarding), but when I remove the port forwarding rules, I can no longer access example.com or nas.example.com from outside my local network.
However, I can access my NAS at the Tailscale IP and also the device name if I enable Magic DNS from outside my local network while connected to Tailscale.

Is there some way for me to map my domain name to my Tailscale IP while connected to Tailscale so I can still get to my NAS with a trusted certificate while outside my local network?

Tailscale currently doesn’t have a way to support a custom domain like example.com with MagicDNS, so focussing on extending the DNS server you’re currently running is probably best.

So you might:

  1. Install Tailscale on the DNS server, giving it a 100.x.y.z address.
  2. Add a second set of host entries, mapping to the 100.x.y.z Tailscale IP addresses.
  3. Distinguish, based on the source IP address (Tailscale range vs the LAN IP subnet), whether to respond with a Tailscale IP or a LAN IP.

One thing is quite relevant: once a Tailscale IP address has been assigned to a node, it doesn’t change unless the node is deleted or loses its filesystem and node key. So you can add A records to your DNS server and not need to constantly update them. You could also add CNAME records for *.example.com.beta.tailscale.net.
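As an added illustration of steps 2 and 3 (not from the original post), here is what the split-horizon setup looks like in BIND 9 syntax, which the Synology DNS Server package is built on and exposes as "views" in its UI. The LAN subnet 192.168.1.0/24, the addresses 192.168.1.10 and 100.101.102.103, and the file paths are constructed placeholders; 100.64.0.0/10 is the range Tailscale's 100.x.y.z addresses come from.

```conf
// named.conf fragment: two views of example.com selected by source IP.
// Constructed example; 192.168.1.0/24 and the IPs below are assumptions.
acl "lan"       { 192.168.1.0/24; };   // home LAN subnet (assumed)
acl "tailscale" { 100.64.0.0/10; };    // Tailscale's 100.x.y.z address range

options {
    listen-on { any; };                    // also answer on the NAS's Tailscale interface
    recursion yes;
    allow-query     { lan; tailscale; };   // no answers for arbitrary Internet clients
    allow-recursion { lan; tailscale; };   // and no open resolver
};

// Order matters: the first view whose match-clients fits the source IP answers.
view "tailnet" {
    match-clients { tailscale; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.tailnet";   // placeholder path
    };
};

view "lan" {
    match-clients { lan; localhost; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.lan";       // placeholder path
    };
};

// Contents of example.com.tailnet (100.101.102.103 stands in for the NAS's Tailscale IP):
// $TTL 300
// @    IN SOA  nas.example.com. hostmaster.example.com. ( 1 3600 600 86400 300 )
// @    IN NS   nas.example.com.
// @    IN A    100.101.102.103
// nas  IN A    100.101.102.103
//
// example.com.lan holds the same records with 192.168.1.10 (the NAS's LAN IP) instead,
// so the same Let's Encrypt certificate for example.com / nas.example.com stays valid
// whichever address the client is handed.
```

To check it, run `dig @100.101.102.103 nas.example.com` from a Tailscale-connected client outside the LAN and `dig @192.168.1.10 nas.example.com` from inside; the first should return the 100.x.y.z address and the second the 192.168 address. This assumes tailnet clients send example.com queries to the NAS's Tailscale address rather than to their default resolver.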
