TL;DR

Need to expose a local HTTPS endpoint to the internet or your private network? Tailscale does it in minutes. One command, no complex configuration, free for up to 3 users and 100 devices. It is a game changer for my developer setup.

tailscale serve --service=svc:my-service --https=3000 http://localhost:3000

That’s it. Your local service is now accessible over HTTPS in your private Tailscale network with a valid certificate.

The Problem

As developers, we constantly hit the same wall: “I need to expose my local service”. Here are real scenarios I deal with regularly:

  1. MCP Servers - Extending Home Assistant with MCP - HTTPS is required to register the server with AI assistants like Claude
  2. Copilot Studio with MCP Server - Copilot Studio’s MCP Server integration also requires a publicly reachable HTTPS endpoint even during development
  3. SaaS Callbacks - Microsoft Entra Verified ID requires a publicly reachable callback URL
  4. Webhooks - Testing Stripe, GitHub, or any webhook integration
  5. Homelab - Exposing services from your home network without opening ports on your router
  6. Smart Home - Accessing Home Assistant or other home automation platforms from outside your LAN

The traditional approach? Port forwarding, dynamic DNS, self-signed certificates, reverse proxies… Hours of configuration for something that should be simple.

Enter Tailscale

Tailscale builds a private mesh network (based on WireGuard) across all your devices. Every device gets a stable IP and DNS name, and all traffic is encrypted end-to-end.

But the feature that changed everything for me is Tailscale Serve.

Expose a Local Service in One Command

tailscale serve --service=svc:my-name-of-service --https=443 http://localhost:3000

What this does:

  • Takes your local http://localhost:3000 service
  • Exposes it as HTTPS on default port 443
  • Provides a valid TLS certificate (automatically managed by Tailscale)
  • Makes it accessible to all devices in your Tailscale network (tailnet)
  • Gives it a name (svc:my-name-of-service) so you can manage multiple services

No certificate generation. No nginx config. No DNS records. Minutes, not hours.

Real-World Example: Home Assistant MCP Server for Claude

Home Assistant has a built-in MCP server integration that exposes your smart home to AI assistants like Claude. The problem? Claude needs to reach it over HTTPS, and your Home Assistant runs on your local network.

The easiest path: install the Tailscale add-on for Home Assistant (available directly from the add-on store), and your Home Assistant instance joins your tailnet. If you prefer a video walkthrough, this YouTube guide covers the full setup.

Then expose the MCP server by switching the configuration to ‘serve’ in the Tailscale config.

Done. Claude can now connect to your Home Assistant MCP server over a secure HTTPS connection through your tailnet. No port forwarding, no public exposure - just your devices on a private mesh network.

💡 Side note: In addition, your Home Assistant instance is now accessible from anywhere you have Tailscale installed - perfect for remote access to your smart home.

Real-World Example: Entra Verified ID Callbacks

When developing with Microsoft Entra Verified ID, the service needs to call back to your application during credential issuance and presentation. During development, your app runs on localhost - but Microsoft’s cloud needs to reach it.

With Tailscale Serve + Funnel (which exposes your service to the public internet):

tailscale funnel --https=443 http://localhost:5000

Now your Entra Verified ID callback URL points to your Tailscale Funnel address, and Microsoft’s service can reach your local development machine directly.
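Serve keeps an endpoint inside the tailnet while Funnel publishes it to the internet, so it is worth checking which local backends ended up on which side. The following is an added example, not code from the original post or from Tailscale: it classifies the JSON printed by `tailscale serve status --json`, with the key names (`Web`, `Handlers`, `Proxy`, `AllowFunnel`) assumed from that output and the sample hostnames and ports constructed.

```python
import json

# Constructed sample in the shape printed by `tailscale serve status --json`.
# Key names are an assumption; the hostname and ports are made up.
# Only node-level endpoints are covered, not named services (svc:...).
SAMPLE_STATUS = """
{
  "TCP": {"443": {"HTTPS": true}, "3000": {"HTTPS": true}},
  "Web": {
    "devbox.example-tailnet.ts.net:443": {
      "Handlers": {"/": {"Proxy": "http://127.0.0.1:5000"}}
    },
    "devbox.example-tailnet.ts.net:3000": {
      "Handlers": {"/": {"Proxy": "http://127.0.0.1:3000"}}
    }
  },
  "AllowFunnel": {"devbox.example-tailnet.ts.net:443": true}
}
"""


def classify_exposure(status_json):
    """Return one row per handler: (host:port, mount path, backend, scope)."""
    # An empty string or a JSON null both mean "nothing is being served".
    cfg = (json.loads(status_json) if status_json.strip() else None) or {}
    funnel = cfg.get("AllowFunnel") or {}
    rows = []
    for host_port, web in sorted((cfg.get("Web") or {}).items()):
        # Funnel is enabled per host:port; everything else stays tailnet-only.
        scope = "public" if funnel.get(host_port) else "tailnet"
        for path, handler in sorted((web.get("Handlers") or {}).items()):
            backend = handler.get("Proxy") or handler.get("Path") or "(inline text)"
            rows.append((host_port, path, backend, scope))
    return rows


def public_backends(status_json):
    """Local backends reachable from the public internet through Funnel."""
    return [row[2] for row in classify_exposure(status_json) if row[3] == "public"]


if __name__ == "__main__":
    for host_port, path, backend, scope in classify_exposure(SAMPLE_STATUS):
        print(f"{scope:8} https://{host_port}{path} -> {backend}")
```

Feed it the real output of `tailscale serve status --json` to review a machine; anything listed by `public_backends` needs its own authentication, because the tailnet no longer restricts who can reach it.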

Pricing That Makes Sense

Tailscale’s free plan includes:

  • 3 users
  • 100 devices
  • All core features including Tailscale Serve

For a solo developer or small team, this is more than enough. No credit card required to start.

Alternative: Cloudflare Tunnel

If you need a public-facing endpoint with a custom domain, Cloudflare Tunnel is an alternative.

Key Differences

| Feature | Tailscale Serve | Cloudflare Tunnel |
|---|---|---|
| Network type | Private (tailnet) | Public internet |
| Custom domain | Not required | Required |
| TLS certificates | Automatic | Automatic |
| Setup complexity | One command | Moderate (domain + tunnel config) |
| Best for | Dev environments, homelabs | Production, public services |
| Pricing | Free (3 users, 100 devices) | Free (custom domain required) |

Cloudflare Tunnel Setup

Cloudflare Tunnel requires a custom domain, but domains are cheap. I use Spaceship where you can register a .xyz domain with minimum 9 digits for $0.67 - and the renewal price is the same! No surprise price jumps.

Cloudflare Tunnel can be installed as:

  • Windows Service - runs in the background, survives reboots
  • Docker container - perfect for homelab setups

The tunnel will be public by default, which is great for production services but something to be aware of from a security perspective. You can add Cloudflare Access policies to restrict who can reach your tunnel.

When to Use Which?

  • Tailscale - Development, testing, homelabs, private access, quick iterations. You want speed and simplicity.
  • Cloudflare Tunnel - Public-facing services, custom domains, production workloads, CDN benefits.

I use both. Tailscale for my daily development workflow and Cloudflare Tunnel for services I want to expose publicly.

Why It’s a Game Changer

Before Tailscale, exposing a local service meant:

  1. Configure your router (port forwarding)
  2. Set up dynamic DNS
  3. Generate and manage TLS certificates
  4. Configure a reverse proxy
  5. Deal with firewall rules
  6. Pray nothing breaks after a router reboot

With Tailscale:

  1. Install Tailscale
  2. Run one command
  3. Done

The simplicity is the point. It takes minutes, not hours. And when you’re deep in a development flow, those saved hours add up fast.

Summary

Stop fighting with networking. Use the right tool and get back to building.