Tailscale lets you connect your devices over the internet as if they were on the same local network. Its MagicDNS feature gives each device a stable hostname so you can reach them with something like foo.yourtailnet.ts.net instead of an IP address. It’s convenient and private.
I use Container Manager on my Synology NAS to self-host services. Tailscale can be installed as a client directly into DSM, but any self-hosted service needs to be exposed on distinct ports since they share the same Tailscale interface. While there is nothing technically wrong with this, remembering foo.yourtailnet.ts.net:61209 is not particularly elegant.
You can use the Docker sidecar pattern to run a Tailscale interface alongside your primary service. Here is a YAML configuration I figured out for self-hosting Glances:
version: "3.9"
services:
glances-tailscaled:
image: tailscale/tailscale:latest
restart: unless-stopped
environment:
- TS_AUTHKEY=tskey-auth-REDACTED
- TS_HOSTNAME=glances # Hostname will be something like glances.yourtailnet.ts.net
- TS_EXTRA_ARGS=--advertise-tags=tag:app # Recommended so you can write rules in your Tailscale ACL for this target
- TS_SIMPLE_SERVE_CONFIG=http://127.0.0.1:61208 # Traffic is routed to this address
- TS_ACCEPT_DNS=false
- TS_USERSPACE=true # Must run in userspace on DSM, otherwise the tunnel will never be created
- TS_STATE_DIR=/var/lib/tailscale
volumes:
- glances_tailscale_state:/var/lib/tailscale
glances:
image: nicolargo/glances:latest
restart: unless-stopped
network_mode: "service:glances-tailscaled" # Bind to the Tailscale interface
depends_on:
- glances-tailscaled
environment:
- GLANCES_OPT=-w
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
volumes:
glances_tailscale_state:
This approach uses configuration to avoid custom scripting and maximises compatibility with any docker image. Minimal maintenance.
Written by Tate Johnson on 8 Mar 2026. Subscribe to my blog's RSS feed.