Tailscale Funnel Security

Funnel exposes services to the public internet. Use with caution.

Enabling

Docker:

labels:
  tsdproxy.port.1: "443/https:80/http, tailscale_funnel"

Lists:

public-service:
  ports:
    443/https:
      targets:
        - http://localhost:8080
      tailscale:
        funnel: true

"nodeAttrs": [{
  "target": ["autogroup:member", "tag:server"],
  "attr": ["funnel"]
}]

Caution

Funnel bypasses Tailscale authentication. Ensure your backend has its own auth.

Last updated on April 30, 2026