Tailscale Services GA: App-aware connectivity with more control

Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ by ⁨new_otters_raft@piefed.ca⁩ to ⁨selfhosted@lemmy.world⁩

This should be excellent for selfhosters that have all their services in one VM. I haven’t tried this myself, but I think this means you can:
- you can create memorable links instead of memorizing port numbers: jellyfin.foo-bar.ts.net
- share one service from a machine instead of all of them in a more intuitive way

If you’re new to Tailscale Services, it lets you publish internal resources like databases, APIs, and web servers as named services in your tailnet, using stable MagicDNS names. Rather than connecting to individual machines, teams connect to logical services that automatically route traffic to healthy, available backends across your infrastructure. This decoupling makes migrations, scaling, and high availability far easier, without reconfiguring clients, rewriting access policies, or standing up load balancers. Our documentation has details on use cases, requirements, and implementation.

source

Comments

Sort:hotnew top

avidamoeba@lemmy.ca ⁨2⁩ ⁨days⁩ ago
While this is great, especially for smaller self-hosters, as a setup gets more and more dependent on Tailscale, one should think about self-hosting Headscale, and therefore not being over-reliant on services not offered by it. I’m in that boat and I haven’t done the Headscale migration yet.

source
- irmadlad@lemmy.world ⁨2⁩ ⁨days⁩ ago
  What is it about Tailscale that is giving you heartburn? I am over reliant on my ISP. Without them, selfhosting would be rather bland.
  
  source
  - avidamoeba@lemmy.ca ⁨2⁩ ⁨days⁩ ago
    Ownership, size and profit growth strategy. My ISP is a massively profitable regulated oligopoly. They aren’t providing a free service today that they’ll have to monetize down the line to compensate for the time operating on VC funding. Tailscale, awesome as it is today, is in my view guaranteed to enshittify over time as they start getting pressed to grow profit. That’s not too much of a problem for me since the clients I use are open source and there’s an alternative open source server. If I used features unavailable in Headscale or were in over my head and unable to self-host Headscale, I might be in a bad time some time down the line.
    
    source
    -> View More Comments
- Archer@lemmy.world ⁨2⁩ ⁨days⁩ ago
  Yeah it’s gonna hurt a lot when they enshittify
  
  source
- MatSeFi@lemmy.liebeleu.de ⁨2⁩ ⁨days⁩ ago
  did it one 8-Months ago or so…just works… like black magic. Fire and forget VPN (But SSO is a must in my opinion otherwise key exchange is too tideous ) I did it about 8 months ago… it just works like black magic. It’s a “fire and forget” VPN, but SSO is a must in my opinion; otherwise, key exchange is too tedious.
  
  source
  - avidamoeba@lemmy.ca ⁨2⁩ ⁨days⁩ ago
    You’re talking about Headscale right?
    
    source
    -> View More Comments
- prenatal_confusion@feddit.org ⁨2⁩ ⁨days⁩ ago
  I switched to pangolin and I am amazed how well it works.
  
  source
  - WingedObsidian@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
    Love pangolin
    
    source
    -> View More Comments
avidamoeba@lemmy.ca ⁨2⁩ ⁨days⁩ ago
you can create memorable links instead of memorizing port numbers: jellyfin.foo-bar.ts.net

BTW, I’m doing something similar with standard DNS records that point to an internal Tailscale IP. I can go to immich.mydomain.com which only works if Tailscale is active. Let’s Encrypt works too.
source
- TheBlackLounge@lemmy.zip ⁨1⁩ ⁨day⁩ ago
  Immich needs this, right? I remember it not working on a tailscale funnel path.
  
  source
  - avidamoeba@lemmy.ca ⁨1⁩ ⁨day⁩ ago
    I haven’t tried funnel but it works using an internal Talscale IP/host and port. E.g. the-immich-host:1234 if the-immich-host is a Tailscale machine.
    
    source
    -> View More Comments
- blanka@lemmy.dbzer0.com ⁨2⁩ ⁨days⁩ ago
  I do this too. Can recommend.
  
  source
- GraveyardOrbit@lemmy.zip ⁨2⁩ ⁨days⁩ ago
  [deleted]
  source
  - avidamoeba@lemmy.ca ⁨1⁩ ⁨day⁩ ago
    Works outside. I’m setting a standard DNS record on a standard DNS provider to an internal TS IP. The record works everywhere but the IP is only accessible when TS is on. Whether I’m on the local net or outside.
    
    source
irmadlad@lemmy.world ⁨2⁩ ⁨days⁩ ago
Neat. What would be a good application for App-aware connectivity?

source
Decronym@lemmy.decronym.xyz ⁨2⁩ ⁨days⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

SSL Secure Sockets Layer, for transparent encryption

SSO Single Sign-On

VPN Virtual Private Network

[Thread #106 for this comm, first seen 20th Feb 2026, 18:40] [FAQ] [Full list] [Contact] [Source code]

source
picnic@lemmy.world ⁨1⁩ ⁨day⁩ ago
Some time ago, I had a sales call with tailscale for a business as a consultant.

If enterprise features are needes, theyre 2x more costly per user than a few other sase providers.

While I love wg and been using that for a long time, I have hard time believing they’ll get clients with posted prices. There was some wiggle room, but still.

Personally I’ll use tailscale at home as a backup connection as long as its good.

source

Fewer Letters	More Letters
SSL	Secure Sockets Layer, for transparent encryption
SSO	Single Sign-On
VPN	Virtual Private Network