Headscale behind pfSense + HAProxy + Tailscale package

Wanted to have this setup working
Untitled Diagram.drawio

I can only connect to the Headscale control server on my LAN, which is basically pointless for most use cases. The HAProxy part seems to be working (can connect with certs to nginx if i start that on the same port, and can also access the web server that is started with Headscale containing the command you are suppose to run in Headscale to add the machine as a node). The problem is that I am not able to reach the server for login through the public IP. It does work if I open port 80, but not if only 443 is opened. Is this even something that should be possible with Headscale as it is now? In the Headscale config I changed only the listening port, so it should listen to all IPs at that port. Have already learned a lot in investigating this, but hoping for even more insight to networking. Any suggestions would really be appreciated.

I am not sure that Headscale will work with HAProxy, not something I have tested as it has it’s own system for setting up certificates.

I did hope it would be as simple as running Headscale without certs on the homeserver and letting pfSense (Acme + HAProxy) deal with certs. Might do some packet capturing to see if I can get some more info.

I just needed to configure websockets i HAProxy for this to work. Similar to what was disscussed in

https://forum.netgate.com/topic/158983/websockets-configuration-in-haproxy

1 Like