[SOLVED] Custom sub domain routing through Tailscale with SSL

I have a Synology NAS running several services in Docker and a VM that I currently access via clearnet, each with individual subdomains. Caddy is my reverse proxy.

I’d like to be able to set up my configuration so that everything is routed through Tailscale.

domain.com routes to my Home Assistant instance in VM,
synology.domain.com routes to my master Synology NAS,
jellyfin.domain.com routes to my Jellyfin instance in Docker, etc…

The same as it is now, just through Tailscale, but as a requirement, everything must be HTTPS.

So now I’m stuck; I’m not sure how to configure my Cloudflare to use my Tailscale IP and allow me to generate certificates via Let’s Encrypt in Caddy. I’m having a hard time finding information on something like this.

I have Tailscale installed on my Synology as well as on my router with subnet.

Could someone please explain to me if and how this could be possible?

I got it! Here are the steps I took:

  1. Configured the dns.providers.cloudflare module for Caddy to generate certs (GitHub: caddy-dns/cloudflare, “Caddy module: dns.providers.cloudflare”)
  2. Set the A record for all subdomains to my Tailscale IP
  3. Freed ports 80 & 443 on my Synology (GitHub gist: “Free ports 80 and 443 on Synology NAS”)

Sounds simple, but took me hours to figure out.
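An added example Caddyfile that ties steps 1 and 2 together (this is not the poster’s configuration). It assumes Caddy was built with the caddy-dns/cloudflare module, that a Cloudflare API token scoped to Zone:DNS:Edit for this zone is exported as CLOUDFLARE_API_TOKEN, and that the hostnames and upstream addresses are placeholders for your own.

```caddyfile
{
    # Contact address for the Let's Encrypt account (placeholder).
    email admin@domain.com
}

# Reusable TLS snippet: the DNS-01 challenge proves control of the zone by
# publishing a TXT record through the Cloudflare API, so Let's Encrypt never
# has to connect to the host. That is what lets the A records point at a
# tailnet-only 100.x.y.z address and still get public CA certificates.
(tailscale_tls) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

# Apex hostname -> Home Assistant in the VM (placeholder LAN address/port).
domain.com {
    import tailscale_tls
    reverse_proxy 192.168.1.50:8123
}

# NAS hostname -> DSM on the Synology itself, reachable once Caddy owns
# ports 80/443 (step 3).
synology.domain.com {
    import tailscale_tls
    reverse_proxy localhost:5000
}

# Jellyfin hostname -> the Jellyfin container on the Docker network.
jellyfin.domain.com {
    import tailscale_tls
    reverse_proxy jellyfin:8096
}
```

Because the A records are public DNS, the hostnames themselves are visible to anyone, but the 100.x addresses they resolve to are only routable by members of the tailnet, so reachability is governed by Tailscale (its ACLs and node keys) rather than by DNS. Keep the Cloudflare token zone-scoped and out of the Caddyfile itself, since anyone who obtains it can issue certificates for the whole zone.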

Hey there, can you say more about step #2?

I’m in a similar situation, the promise is things “just work” but I am wanting to set out and enforce routing. Was curious where you’re setting the A records (globally?) because there are so many DNS-at-home options on top of HOSTS files.

I found your thread looking to set static routes for my 100.100.0.0 network, have a pi-hole forwarding requests to the MagicDNS server already, set my pihole(s) to know the IP addresses of the tailscale machines outside of the lab. Problem is that sometimes my internal .local resolution may get iffy at times since using Tailscale, so I’ve just begun to reinforce things that I know/prefer don’t/won’t/shouldn’t/can’t change.

EDIT: This is what I’m going after, you too? Static Routes for Tailscale - Add To Your Configuration for Non-Tailscale Clients in Your Network/Lab/Basement

I don’t think your issue is related. But to answer your question, I set the A records in Cloudflare.

You did answer, but I think they are related - no? You want to ensure routing is direct between devices on your Tailscale network - same as me. Traceroute shows it’s working fine, the dynamic routes are built, but I think we are after the same thing. We want to have static routes to reinforce that 100.100.100.X is to go from 100.100.100.Y to 100.100.100.Z without hitting a public IP, that all traffic remains private. DNS helps build the dynamic routes, but I’m suggesting our solutions/needs are the same, we need routes to match the names fetched.