Tailscale Funnel Enables Port Forwarding with Mullvad VPN
Mullvad VPN has long been a favorite among privacy enthusiasts for its no-logs policy, anonymous payments, and robust encryption. However, one notable limitation has frustrated users: the absence of port forwarding support. This feature, essential for hosting services like game servers, remote desktops, or personal web applications, is unavailable on Mullvad’s servers. Enter Tailscale Funnel, an innovative feature from the Tailscale team that bridges this gap, allowing secure port forwarding even when connected through Mullvad.
Tailscale itself is a zero-config VPN built on WireGuard, creating a secure mesh network—or “tailnet”—across devices. It simplifies connectivity without relying on traditional VPN servers, using public key cryptography for authentication and end-to-end encryption. Recently, Tailscale introduced Funnel, which exposes TCP services from your tailnet to the public internet via automatically generated HTTPS endpoints. This means you can make internal services accessible worldwide without opening firewall ports on your router or exposing your IP address.
The magic happens when combining Tailscale with Mullvad. By running Tailscale over your Mullvad VPN connection, your device joins the tailnet while maintaining Mullvad’s privacy protections. Funnel then punches through to the internet, providing inbound access to your services without compromising security. This setup is particularly appealing for users who prioritize anonymity, as Mullvad hides your real IP, and Tailscale handles the secure exposure.
How Tailscale Funnel Works
At its core, Funnel acts as a reverse proxy. When activated on a Tailscale-connected machine, it listens for incoming HTTPS connections on a unique Tailscale-provided domain, such as https://your-service.ts.net. These requests are forwarded over the encrypted tailnet to your local service, which could be running on any TCP port. Tailscale manages TLS certificates automatically using Let’s Encrypt, ensuring end-to-end encryption without manual configuration.
Key technical details include:
- Protocol Support: Currently limited to TCP services over HTTPS. UDP is not supported, which rules out some real-time applications like certain VoIP setups.
- Access Control: Tailscale’s Access Control Lists (ACLs) govern who can reach the funneled service. By default, it’s public, but you can restrict it to specific tailnet users or OAuth providers.
- Performance: Relay servers (DERP) handle NAT traversal, minimizing latency. Direct peer-to-peer connections are preferred when possible.
- Exit Nodes: For advanced setups, Tailscale exit nodes can route traffic through Mullvad, further obscuring origins.
This integration shines in scenarios where Mullvad’s port forwarding absence is a blocker. For instance, developers testing webhooks, gamers hosting private servers, or homelab enthusiasts sharing dashboards can now do so securely.
Step-by-Step Setup Guide
Setting up Tailscale Funnel with Mullvad is straightforward, requiring minimal command-line interaction. Here’s a complete walkthrough for Linux, with notes for other platforms.
- Connect to Mullvad: Launch your Mullvad VPN client and establish a connection. Verify your public IP has changed using a site like whatismyipaddress.com.
- Install Tailscale: Download and install Tailscale from the official repository. For Debian/Ubuntu:
  curl -fsSL https://tailscale.com/install.sh | sh
  Authenticate with:
  sudo tailscale up --authkey=your-auth-key
  (generate keys at tailscale.com).
- Verify Tailnet Connectivity: Run tailscale status to confirm your device is online. Test internal connectivity with tailscale ping other-device.
- Enable Funnel: The Tailscale CLI now includes funnel commands. Start by enabling the feature in your tailnet admin console (login.tailscale.com) under the “Funnel” section, and make sure your policy file allows it for your machine.
- Funnel a Service: Suppose you have a web server on port 8080. Run:
  sudo tailscale funnel 8080
  Tailscale assigns a public URL like https://randomstring.ts.net. Access it from any browser; traffic routes securely to your local port.
- Customize and Secure: Edit your tailnet policy (ACL JSON) to limit access:
  "funnels": [
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["your-machine:8080"]
    }
  ]
  For HTTPS-to-HTTP forwarding, Funnel terminates TLS and proxies cleanly.
On Windows or macOS, use the Tailscale GUI or equivalent CLI commands. Mobile support is experimental but functional for outbound funnels.
Security and Privacy Considerations
Funnel maintains Tailscale’s strong security model. All traffic is WireGuard-encrypted within the tailnet, and public exposure uses short-lived certificates with HSTS preloading. Mullvad adds a layer by masking your origin IP from Tailscale’s coordination servers—though Tailscale sees your Mullvad exit IP, it doesn’t log it persistently.
Potential risks include:
- Public Exposure: Default funnels are internet-accessible; always apply ACLs.
- Rate Limiting: Tailscale imposes fair-use limits on relay bandwidth.
- Mullvad WireGuard Quirks: Ensure MTU is set correctly (e.g., tailscale up --mtu=1280) to avoid fragmentation.
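A defender’s check for the “Public Exposure” risk above, covering the services published in the setup steps: this is an added example, not code from the article or from Tailscale. It assumes the node’s serve configuration is available as JSON in the shape of Tailscale’s ipn.ServeConfig (keys “TCP”, “Web”, “AllowFunnel”, with “Proxy” handlers), which is what tailscale serve status --json is assumed to print; the sample config and hostnames are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample config (assumed ipn.ServeConfig JSON shape):
# port 443 is funneled to a loopback backend, port 8443 is tailnet-only,
# and port 10000 is funneled to a LAN host rather than loopback.
SAMPLE_SERVE_CONFIG = json.dumps({
    "TCP": {"443": {"HTTPS": True}, "8443": {"HTTPS": True},
            "10000": {"HTTPS": True}},
    "Web": {
        "myhost.tail1234.ts.net:443": {
            "Handlers": {"/": {"Proxy": "http://127.0.0.1:8080"}}},
        "myhost.tail1234.ts.net:8443": {
            "Handlers": {"/": {"Proxy": "http://127.0.0.1:3000"}}},
        "myhost.tail1234.ts.net:10000": {
            "Handlers": {"/": {"Proxy": "http://192.168.1.20:80"}}},
    },
    "AllowFunnel": {"myhost.tail1234.ts.net:443": True,
                    "myhost.tail1234.ts.net:10000": True},
})

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def funnel_exposures(serve_config_json):
    """List (public host:port, path, backend, warning) for every Funnel endpoint.

    Anything returned here is reachable from the whole internet, not just
    the tailnet, so each entry should be deliberate and backed by a loopback
    service; a warning marks entries that forward to another machine."""
    cfg = json.loads(serve_config_json)
    allowed = {k for k, v in cfg.get("AllowFunnel", {}).items() if v}
    findings = []
    for hostport in sorted(allowed):
        handlers = cfg.get("Web", {}).get(hostport, {}).get("Handlers", {})
        if not handlers:
            findings.append((hostport, "", "", "funnel allowed but no handler"))
            continue
        for path, handler in sorted(handlers.items()):
            backend = handler.get("Proxy") or handler.get("Path", "")
            host = urlparse(backend).hostname if "://" in backend else None
            warning = "public funnel proxies to a non-loopback host" \
                if host and host not in LOOPBACK else ""
            findings.append((hostport, path, backend, warning))
    return findings


def tailnet_only(serve_config_json):
    """Host:ports served on the tailnet but not exposed through Funnel."""
    cfg = json.loads(serve_config_json)
    allowed = {k for k, v in cfg.get("AllowFunnel", {}).items() if v}
    return sorted(set(cfg.get("Web", {})) - allowed)
```

Run it against the real output of the serve status command to see at a glance which ports the public internet can reach on your node before trusting the ACL alone.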
Compared to traditional port forwarding, this method avoids router NAT issues and UPnP vulnerabilities. It’s also resilient to CGNAT, common with Mullvad.
Real-World Applications and Limitations
Users report success with Jellyfin media servers, Nextcloud instances, and SSH tunneling. One example from the Tailscale community involved funneling a Minecraft server: players connect via the HTTPS domain, with Tailscale handling TCP proxying seamlessly.
Limitations persist: No UDP, no custom domains (yet), and funnels require Tailscale v1.48+. Mullvad’s kill switch ensures no leaks if Tailscale drops.
In summary, Tailscale Funnel transforms Mullvad from a privacy fortress into a versatile hosting platform. This combination empowers users to expose services without sacrificing anonymity or security, marking a significant advancement for decentralized networking.
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.
What are your thoughts on this? I’d love to hear about your own experiences in the comments below.