Setting Up Tailscale Funnel for Home Assistant

Setting Up Tailscale Funnel

Tailscale Funnel lets you expose your Home Assistant instance to the internet through Tailscale's secure network. It's free for personal use and gives you a public HTTPS URL without port forwarding.

What you get

• Free remote access: No monthly subscription required
• Secure HTTPS URL: A dedicated https://your-hostname.tail-scale.ts.net address
• No port forwarding: Works behind NAT and firewalls
• End-to-end encryption: Traffic is encrypted through Tailscale's network

Prerequisites

• Home Assistant OS, Supervised, or Container installation
• A Tailscale account (free at tailscale.com)
• Basic comfort with terminal/SSH access

Step-by-step setup

1. Install the Tailscale add-on in Home Assistant

1. In Home Assistant, go to Settings → Add-ons → Add-on Store
2. Search for Tailscale and click on it
3. Click Install and wait for installation to complete
4. Don't start it yet — we need to configure it first

2. Create a Tailscale auth key

1. Log into your Tailscale admin console at login.tailscale.com/admin
2. Go to Settings → Keys
3. Click Generate auth key
4. Enable Reusable and Pre-approved (optional but recommended)
5. Copy the key — you'll need it in the next step

3. Configure the Tailscale add-on

1. In Home Assistant, go to the Tailscale add-on page
2. Click the Configuration tab
3. Enter your auth key in the auth_key field
4. Add the following to enable Funnel:

funnel: true
proxy: true
proxy_and_funnel_port: 443

5. Save the configuration

4. Start Tailscale and enable Funnel

1. Go to the Info tab of the Tailscale add-on
2. Click Start
3. Check the logs to confirm it connected successfully
4. In the Tailscale admin console, find your Home Assistant device
5. Click the ... menu → Edit route settings
6. Enable Funnel for this device

5. Get your public URL

Your Funnel URL follows this pattern:

https://[machine-name].[tailnet-name].ts.net

For example: https://homeassistant.tail1234.ts.net

You can find your exact URL in:

• The Tailscale admin console under your device
• The Tailscale add-on logs in Home Assistant

6. Test your connection

1. On your phone, turn off WiFi
2. Open your Funnel URL in a browser
3. You should see your Home Assistant login page
4. Log in to verify everything works

Using your Tailscale URL with Staykey

Once Funnel is working, use your Tailscale URL when connecting Home Assistant to Staykey:

• URL format: https://your-hostname.your-tailnet.ts.net
• Don't include a port number
• Generate a Long-Lived Access Token in Home Assistant for Staykey to use

Troubleshooting

Funnel not working:

• Verify Funnel is enabled in both the add-on config AND the Tailscale admin console
• Check that proxy: true is set in the add-on configuration
• Restart the Tailscale add-on after config changes

"Bad gateway" or connection errors:

• Ensure Home Assistant is running and accessible locally
• Check the Tailscale add-on logs for errors
• Verify the proxy_and_funnel_port matches your setup (443 is standard)

URL not resolving:

• DNS propagation can take a few minutes after enabling Funnel
• Try accessing from a different network or device
• Check your Tailscale subscription allows Funnel (free tier includes it)

Authentication issues:

• If using a new auth key, you may need to re-approve the device in the admin console
• Check that the auth key hasn't expired

Alternatives

If you prefer a simpler setup and don't mind a monthly fee, Nabu Casa is easier to configure and supports Home Assistant development.