How to set up Tailscale Funnel to securely access Home Assistant from anywhere for free

It’s unnecessary if you don’t mind using the Tailscale app to establish the remote-access connection.

If you don’t want to use the app, and don’t mind exposing your Home Assistant system to the Internet, then Tailscale’s Funnel feature is an alternative way of providing remote-access (refer to parhelion’s instructions).

I don’t mind if using the app is more secure.

I have two machines set up and connected in tailscale admin page (my pc on lan & my android via mobile data) but neither can connect to HA via tailscale with provided addresses. Both connect fine with local login and wifi.

What am I doing wrong?

I suggest creating a new topic to discuss the problem in order to keep the discussion separate from this one (which is about using Tailscale’s Funnel feature).


Hi there,

I used DuckDNS in the past and wanted to switch to tailscale. I thought it would be a good idea to remove the DuckDNS app first and install tailscale then. But somehow it did not work this way. In the machines section of tailscale, the green funnel logo did not come up. And yes, I checked the funnel box and saved the configuration of the app before I started the app. I added the code snippet to Tailscale's access control JSON file within the curly brackets.

	// Added for Homeassistant 20.04.2026
	"nodeAttrs": [
		{
			"target": ["autogroup:member"],
			"attr":   ["funnel"],
		},
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "[email protected]",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}

I noted some existing code in the http section of my configuration.yaml when I added the necessary snippet for tailscale. I think it was for DuckDNS but I am not sure what to do with it.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  cors_allowed_origins:
  - https://google.com
  - https://home-assistant.io
  ip_ban_enabled: true
  login_attempts_threshold: 5

The ssl_certificate and the ssl_key do exist in the ssl folder.

Is there a way to subsequently enable the funnel function?
Do I have to delete the old http entries and their associated files?

Thank you in advance for your assistance.

I managed to solve it myself.

  • Stopped the tailscale app in HA
  • Removed the machine from my tailscale account
  • Removed all DuckDNS related stuff from HA
    see: Switch from DuckDNS to Nabu Casa
  • Restarted the tailscale app in HA
  • Machine came up with funnel activated in my tailscale account

The rest was a piece of cake.

This is a fantastic guide, clear and detailed. Thank you! I can't wait to try it.

I have been using DuckDNS for about a year, and it has mostly worked fine, until recently, when it started acting strange. Even before, I have never been able to use my local address in the Companion App because the certificate was not recognized. Now, locally the DuckDNS address stopped being recognized.

Following guides on the web and chats with AI, I tried adding NGINX and forwarding ports (443 and 80) without success. I can still access HA locally, and now I'm at a point where I can only use DuckDNS without SSL. So I'm looking for better options, and Tailscale Funnel seems to be it.

Just to clarify, after creating a backup (which I do every day, but still), I should:

1-remove NGINX from HA
2-remove DuckDNS from HA
3-follow the guide above
4-change the local address in the Companion app to http://homeassistant.local:8123 (right?)
5-change the remote address in the Companion App to the Tailscale address (right?)

In the past, I had problems with IPV6 so I had completely removed that from Home Assistant. I don't remember if it was linked to DuckDNS specifically. Is it a problem to use only IPV4?

Thanks!

#4 - This, to be clear, would be the "Internal connection URL" field. And I would just use http://<your-local-ipv4>:8123 instead, for when you are on your home wifi & not on Tailscale VPN.

#5 - This would be the "Home Assistant URL" field, using https://<device_name>.<your-tailnet-name>.ts.net for when you are not on your home wifi.

I use IPV4 only also.

Also, for me, in the end, I chose not to use funnel - only because I don't even want to expose https://<my_ha_device_name>.<my-tailnet-name>.ts.net to the wild wild internet... just as what people have discussed earlier in this thread. But I digress.


Thanks for confirming my understanding makes sense. I appreciate it!

Also, I forgot to mention that I should remove port forwarding from my router.

I understand the issues discussed regarding security. Using funnel brings me back to the same level as HTTPS with DuckDNS, essentially, I'm ok with that, and using VPNs on every phone in the family is a great way to kill any approval factor I might currently have 🙂

Hi everyone, I set up the Tailscale app with funnels on my HA. The remote connection works using a URL like: https://homeassistant.tailxyz.ts.net, the problem is that it often doesn’t work, I can’t reach it, neither from my PC browser nor using the HA app on my Android smartphone. Why? Are you having these problems too? Is there a more reliable solution (still free?)

Back again.

I configured the Tailscale funnel this morning. After several reboots, approving the subnet and Exit node in the Machines tab of the Tailscale admin page, more reboots, I finally saw the TLS certificate appear with a 3-month validity. Yet another reboot let me connect to HA using the Tailscale domain name. But only locally! When using, say, data from my mobile phone, I cannot connect, even when explicitly writing https:// before the domain.

I have not opened any ports in my router, should I?

I have added 127.0.0.1 in the trusted proxies as requested. I had been told before to also have my local IP, I left that there, is it a good idea?

Anything else to do in order to make it work?

EDIT : it started working all by itself. I guess what it needed was time. I leave this here for anyone who'd wonder what's going on with their setup.
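
The two configuration questions raised in this thread (leftover DuckDNS `ssl_certificate`/`ssl_key` entries in the `http:` section, and keeping a LAN address in `trusted_proxies` next to 127.0.0.1) can be checked with a small script. This is an added example, not code from any poster or from the Tailscale app; it assumes the app reaches Home Assistant over plain HTTP from 127.0.0.1, and the sample config, the 192.168.1.10 entry and the finding labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: the http: block from the thread plus a LAN proxy entry.
SAMPLE = """\
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.1.10
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
"""

def parse_http_section(text):
    """Read the http: block (scalars and flat lists only, not full YAML)."""
    http, in_http, key = {}, False, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.strip().startswith("#"):
            continue
        if not line[0].isspace():          # top-level key starts or ends the block
            in_http = line.strip() == "http:"
            continue
        if not in_http:
            continue
        item = line.strip()
        if item.startswith("- ") and isinstance(http.get(key), list):
            http[key].append(item[2:].strip())
        else:
            key, _, value = item.partition(":")
            http[key] = value.strip() or []
    return http

def audit(http):
    """Return findings for an http: block meant to sit behind a local proxy."""
    findings = []
    if http.get("ssl_certificate") or http.get("ssl_key"):
        findings.append("tls-leftover: HA still terminates TLS itself")
    if str(http.get("use_x_forwarded_for", "")).lower() != "true":
        findings.append("xff-off: use_x_forwarded_for is not true")
    proxies = http.get("trusted_proxies") or []
    proxies = [proxies] if isinstance(proxies, str) else proxies
    if "127.0.0.1" not in proxies:
        findings.append("no-loopback: 127.0.0.1 is not a trusted proxy")
    for p in proxies:
        try:
            loopback = ipaddress.ip_network(p, strict=False).is_loopback
        except ValueError:
            loopback = False
        if not loopback:  # this host may set X-Forwarded-For, which ip_ban then trusts
            findings.append(f"wide-trust: {p} is trusted but not loopback")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_http_section(SAMPLE)):
        print(finding)
```

Every address listed in `trusted_proxies` is allowed to supply the client IP that `ip_ban_enabled` and `login_attempts_threshold` act on, which is why the script flags anything beyond loopback.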