Headscale behind pfSense + HAProxy + Tailscale package

Wanted to have this setup working
[Image: Untitled Diagram.drawio]

I can only connect to the Headscale control server on my LAN, which is basically pointless for most use cases. The HAProxy part seems to be working (can connect with certs to nginx if I start that on the same port, and can also access the web server that is started with Headscale containing the command you are supposed to run in Headscale to add the machine as a node). The problem is that I am not able to reach the server for login through the public IP. It does work if I open port 80, but not if only 443 is opened. Is this even something that should be possible with Headscale as it is now? In the Headscale config I changed only the listening port, so it should listen to all IPs at that port. Have already learned a lot in investigating this, but hoping for even more insight into networking. Any suggestions would really be appreciated.

I am not sure that Headscale will work with HAProxy; it's not something I have tested, as it has its own system for setting up certificates.

I did hope it would be as simple as running Headscale without certs on the homeserver and letting pfSense (Acme + HAProxy) deal with certs. Might do some packet capturing to see if I can get some more info.

I just needed to configure websockets in HAProxy for this to work. Similar to what was discussed in

https://forum.netgate.com/topic/158983/websockets-configuration-in-haproxy

I have a similar setup as you and also have a problem configuring haproxy on my pfsense to handle headscale socket. Have you solved this problem?

I got it working, but cannot remember the details. Moved over to another box and found that a site to site Wireguard setup was better suited for my needs. So I don’t have the configuration anymore. I just followed Tom’s guide on HAProxy and web socket information from the link, and then it worked.

Thanks. I got it working. Cloudflare proxy is the culprit. I have to turn Cloudflare proxy off for my headscale subdomain!

I would post how I made Haproxy support WebSocket that works with my Headscale, just in case others may have had the same difficulty figuring it out.

Frontend

Backend

@bthoven Thanks for posting this! Helped me a lot.