Accessing my ODK central on my homeserver while using Tailscale

jking · November 25, 2025, 3:46pm

1. What is the issue? Please be detailed.

I installed ODK central in my homeserver using the guide for DigitalOcean. My homeserver is an old laptop with Debian and some services installed through docker. I just want to use my homeserver as a test environment for learning purposes.

I do not have a public IP, I was planning to use Tailscale for now, and I’m using DuckDNS.

The issue is that I cannot access ODK server using the domain I configured. In my browser, I get the error “PR_END_OF_FILE_ERROR“ and it says the connection is not secure. I can access other services using the corresponding ports and the DuckDNS domain. In the .env file I set up the bare minimum, just the domain and email, everything else was left untouched.

2. What steps can we take to reproduce this issue?

Install Debian in a server, docker and then get a Tailscale docker container there. Then install ODK central using the DigitalOcean guide. For the domain use DuckDNS with the Tailscale server IP configured there. When ODK central is up try to access it with the DuckDNS domain.

3. What have you tried to fix the issue?

I also tried using the MagicDNS provided by tailscale but it does not work.

4. Upload any forms or screenshots you can share publicly below.

Nothing

jking · December 1, 2025, 11:55am

Hello. I just want to say that I didn’t try to make ODK work with Tailscale anymore.

I created an AWS account and deployed an EC2 instance for free. I’m using that instance as a proxy.

I used these articles for my setup:

https://steezeburger.com/2024/02/rathole-tunnel-for-palworld-server/

This is enough for learning and testing purposes.

Jihed · February 11, 2026, 8:31pm

For anyone landing here looking for a solution, here is what worked for me.

Basically, there are two options to access any self-hosted service remotely with Tailscale.

First option is to use Tailscale funnel. However, with funnel the service will be accessible for anyone on the internet, even if they do not have access to your private Tailscale network (known as tailnet), or they don’t even use Tailscale at all. Moreover, funnel can only use the DNS name of your tailnet’s domain (tailnet-name.ts.net). There are a number of other limitations and requirements which come with using this (otherwise amazing) feature of Tailscale that you’ll need to check them out yourself.

Second option is to either use Tailscale serve or Tailscale services. Both features allow remote access to any selfhosted service. But unlike Tailscale funnel, access to the service will be only restricted to the machines and users authorized in your private tailnet. Now Tailscale serve and services are pretty similar. However, with Tailscale serve DNS names are restricted to your tailnet's domain name (device-name.tailnet-name.ts.net). While Tailscale services let you share internal resources (like databases or web servers) as named services in your tailnet (e.g., odk-serve.tailnet-name.ts.net). However, notice that using the services feature will require more configuration than using the serve command. Tailscale’s documentation includes very detailed explanations and examples of how to use serve and services.

Either case, whether you decide to use Tailscale funnel, serve, or services you’ll need to change some settings in the ODK central’s .env file.

If you decided to use Tailscale funnel: 1) change he DOMAIN line so that after the = is the domain name that Tailscale configured for your device. As an example, DOMAIN=myhost.tailnet-name.ts.net. 2) change the ssl type to SSL_TYPE=upstream. 3) change the HTTP_PORT=80 to a higher port; for instance, HTTP_PORT=8082. Then after running your ODK central stack with docker or podman, run this command in your CLI: sudo tailscale funnel 8082. If everything goes well, Tailscale will confirm your command and will return the hostname that it configured for your device. To ensure that ODK server is remotely accessible on the internet, you can visit myhost.tailnet-name.ts.net on a device that’s not part of your tailnet or with tailscale turned off.

If you want to use Tailscale serve and restrict remote access to your ODK server within your private tailnet, just follow the same previous steps for Tailscale funnel. However, this time you will need to run sudo tailscale serve $HTTP_PORT.

Notice that if you want services shared with Tailscale funnel or serve to keep running in the background, you’ll need to use the --bg flag.

If you want to use Tailscale services, you’ll first need to define a service for your ODK server in your tailnet’s admin dashboard. This is easy to do and is well laid out in Tailscale’s documention. Let’s say you opted to name the service odk-server. Then you’ll need to change he DOMAIN line to DOMAIN=odk-server.tailnet-name.ts.net. After that, change the ssl type to SSL_TYPE=upstream and change the HTTP_PORT=80 to a higher port (e.g., HTTP_PORT=8082). Finally, run sudo tailscale serve --service=svc:odk-server --https=443 127.0.0.1:$HTTP_PORT. Unlike Tailscale funnel and serve, services shared with Tailscale services will automatically continue running in the background until you drain the host and remove the service’s configuration.

I hope this could be useful to someone!