Expose the Web UI over Tailnet

Running Tailscale Serve Persistently on Proxmox

To securely expose the Proxmox Web UI over your Tailnet, use the tailscale serve command with the --bg flag:

sudo tailscale serve --bg https+insecure://localhost:8006

Key Points:

  • The --bg flag runs Tailscale Serve in the background persistently until you explicitly stop it.

  • The Serve process automatically resumes after system shutdowns, reboots, or Tailscale daemon restarts- no manual restarts needed.

  • The https+insecure:// prefix tells Tailscale Serve to connect to the local HTTPS backend (Proxmox Web UI) while ignoring its self-signed certificate.

  • You can check the currently running proxy with:

    tailscale serve status

  • To stop the shared proxy at any time, run:

    tailscale serve off

(Optional) Ensuring Reliable Startup After Reboot

There is a known timing issue where the Tailscale daemon (tailscaled) may signal readiness before the Tailscale IP address is fully assigned, causing issues with dependent services starting too early.

To fix this, create a systemd override to delay tailscaled readiness until the network is fully ready:

sudo systemctl edit tailscaled

Add this to the override file:

[Service]
ExecStartPost=timeout 60s bash -c 'until tailscale status --peers=false; do sleep 1; done'

Save and exit the editor, then reload and restart the daemon:

sudo systemctl daemon-reload
sudo systemctl restart tailscaled

(Optional) Systemd Service for Tailscale Serve

If you want to fully automate and guarantee the Tailscale Serve proxy starts after the daemon and network are ready, create a systemd service:

  1. Create /etc/systemd/system/tailscale-serve-proxmox.service with:

[Unit]
Description=Tailscale Serve Proxy for Proxmox Web UI
After=network.target tailscaled.service
Requires=tailscaled.service

[Service]
Type=simple
ExecStart=/usr/bin/tailscale serve --bg https+insecure://localhost:8006
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

  1. Enable and start it:

sudo systemctl daemon-reload
sudo systemctl enable tailscale-serve-proxmox.service
sudo systemctl start tailscale-serve-proxmox.service

Summary

  • tailscale serve --bg runs persistently and automatically resumes after reboots or daemon restarts.

  • Using https+insecure:// allows proxying to Proxmox’s self-signed HTTPS UI without certificate errors.

  • Systemd override on tailscaled ensures it signals readiness only when fully connected to the network.

  • Optionally, a systemd service can manage the Serve proxy for guaranteed correct startup order and restart on failure.

PreviousSecure Remote Access with TailScale + Hardened SSHNextRemote Unlock of LUKS-Encrypted Root Disk via SSH

Last updated