{
  "@context": [
    "https://www.w3.org/ns/credentials/v2"
  ],
  "type": [
    "VerifiableCredential",
    "BlogPostCredential"
  ],
  "id": "urn:uuid:4902b91b-24db-4ae3-b185-25fffd551bd1",
  "issuer": "did:webvh:QmTVQnV3qGxWzWmnmWJAy1zkYswgbUmE95K5qodmAizVfr:mjendza.net",
  "validFrom": "2026-04-04T21:03:44Z",
  "credentialSubject": {
    "title": "Tailscale: A Developer's Secret Weapon",
    "author": "Mateusz Jendza",
    "body": "## TL;DR\n\nNeed to expose a local HTTPS endpoint to the internet or your private network? Tailscale does it in minutes. One command, no complex configuration, free for up to 3 users and 100 devices. It is a game changer for my developer setup.\n\n```bash\ntailscale serve --service=svc:my-service --https=3000 http://localhost:3000\n```\n\nThat's it. Your local service is now accessible over HTTPS in your private Tailscale network with a valid certificate.\n\n## The Problem\n\nAs developers, we constantly hit the same wall: **\"I need to expose my local service\"**. Here are real scenarios I deal with regularly:\n\n1. **MCP Servers** - Extending Home Assistant with MCP - HTTPS is required to register the server with AI assistants like Claude\n2. **Copilot Studio with MCP Server** - Copilot Studio's MCP Server integration also requires a publicly reachable HTTPS endpoint, even during development\n3. **SaaS Callbacks** - Microsoft Entra Verified ID requires a publicly reachable callback URL\n4. **Webhooks** - Testing Stripe, GitHub, or any webhook integration\n5. **Homelab** - Exposing services from your home network without opening ports on your router\n6. **Smart Home** - Accessing Home Assistant or other home automation platforms from outside your LAN\n\nThe traditional approach? Port forwarding, dynamic DNS, self-signed certificates, reverse proxies... Hours of configuration for something that should be simple.\n\n## Enter Tailscale\n\n[Tailscale](https://tailscale.com/) builds a private mesh network (based on WireGuard) across all your devices. 
Every device gets a stable IP and DNS name, and all traffic is encrypted end-to-end.\n\nBut the feature that changed everything for me is **Tailscale Serve**.\n\n### Expose a Local Service in One Command\n\n```bash\ntailscale serve --service=svc:my-name-of-service --https=443 http://localhost:3000\n```\n\nWhat this does:\n- Takes your local `http://localhost:3000` service\n- Exposes it as HTTPS on default port 443\n- Provides a valid TLS certificate (automatically managed by Tailscale)\n- Makes it accessible to all devices in your Tailscale network (tailnet)\n- Gives it a name (`svc:my-name-of-service`) so you can manage multiple services\n\nNo certificate generation. No nginx config. No DNS records. **Minutes, not hours.**\n\n### Real-World Example: Home Assistant MCP Server for Claude\n\nHome Assistant has a built-in [MCP server integration](https://www.home-assistant.io/integrations/mcp_server/) that exposes your smart home to AI assistants like Claude. The problem? Claude needs to reach it over HTTPS, and your Home Assistant runs on your local network.\n\nThe easiest path: install the [Tailscale add-on for Home Assistant](https://github.com/hassio-addons/app-tailscale) (available directly from the add-on store), and your Home Assistant instance joins your tailnet. If you prefer a video walkthrough, [this YouTube guide](https://www.youtube.com/watch?v=vDxmtRByXDY) covers the full setup.\n\nThen, to expose the MCP server, switch the Tailscale add-on configuration to 'serve'.\n\nDone. Claude can now connect to your Home Assistant MCP server over a secure HTTPS connection through your tailnet. 
No port forwarding, no public exposure - just your devices on a private mesh network.\n\n> 💡 Side note:\n> In addition, your Home Assistant instance is now accessible from anywhere you have Tailscale installed - perfect for remote access to your smart home.\n\n### Real-World Example: Entra Verified ID Callbacks\n\nWhen developing with Microsoft Entra Verified ID, the service needs to call back to your application during credential issuance and presentation. During development, your app runs on localhost - but Microsoft's cloud needs to reach it.\n\nWith Tailscale Serve + Funnel (which exposes your service to the public internet):\n\n```bash\ntailscale funnel --https=443 http://localhost:5000\n```\n\nNow your Entra Verified ID callback URL points to your Tailscale Funnel address, and Microsoft's service can reach your local development machine directly.\n\n## Pricing That Makes Sense\n\nTailscale's **free plan** includes:\n- **3 users**\n- **100 devices**\n- All core features including Tailscale Serve\n\nFor a solo developer or small team, this is more than enough. No credit card required to start.\n\n## Alternative: Cloudflare Tunnel\n\nIf you need a **public-facing** endpoint with a **custom domain**, [Cloudflare Tunnel](https://www.cloudflare.com/products/tunnel/) is an alternative.\n\n### Key Differences\n\n| Feature | Tailscale Serve | Cloudflare Tunnel |\n|---------|----------------|-------------------|\n| Network type | Private (tailnet) | Public internet |\n| Custom domain | Not required | Required |\n| TLS certificates | Automatic | Automatic |\n| Setup complexity | One command | Moderate (domain + tunnel config) |\n| Best for | Dev environments, homelabs | Production, public services |\n| Pricing | Free (3 users, 100 devices) | Free (custom domain required) |\n\n### Cloudflare Tunnel Setup\n\nCloudflare Tunnel requires a custom domain, but domains are cheap. 
I use [Spaceship](https://www.spaceship.com/) where you can register a `.xyz` domain with a minimum of 9 digits for **$0.67** - and the renewal price is the same! No surprise price jumps.\n\nCloudflare Tunnel can be installed as:\n- **Windows Service** - runs in the background, survives reboots\n- **Docker container** - perfect for homelab setups\n\nThe tunnel will be **public by default**, which is great for production services but something to be aware of from a security perspective. You can add Cloudflare Access policies to restrict who can reach your tunnel.\n\n### When to Use Which?\n\n- **Tailscale** - Development, testing, homelabs, private access, quick iterations. You want speed and simplicity.\n- **Cloudflare Tunnel** - Public-facing services, custom domains, production workloads, CDN benefits.\n\nI use both. Tailscale for my daily development workflow and Cloudflare Tunnel for services I want to expose publicly.\n\n## Why It's a Game Changer\n\nBefore Tailscale, exposing a local service meant:\n1. Configure your router (port forwarding)\n2. Set up dynamic DNS\n3. Generate and manage TLS certificates\n4. Configure a reverse proxy\n5. Deal with firewall rules\n6. Pray nothing breaks after a router reboot\n\nWith Tailscale:\n1. Install Tailscale\n2. Run one command\n3. Done\n\nThe simplicity is the point. **It takes minutes, not hours.** And when you're deep in a development flow, those saved hours add up fast.\n\n## Summary\n\nStop fighting with networking. Use the right tool and get back to building.",
    "datePublished": "2026-04-04",
    "url": "/post/dev-env-proxy",
    "description": "How Tailscale changed my dev workflow - expose HTTPS APIs, callbacks, and homelabs in minutes",
    "tags": [
      "Development",
      "Networking",
      "Tools",
      "Tailscale",
      "Cloudflare"
    ]
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-jcs-2022",
    "verificationMethod": "did:key:z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2#z6MksoqpqENZmzzA4nhCPkfcbWtRHVegGV38Yqu2arRc5Er2",
    "created": "2026-04-04T21:03:44Z",
    "proofPurpose": "assertionMethod",
    "proofValue": "z4weNp4sFgWEdr3mWyZ94NX2NL3XScdCRfdSQZF8QCV2h3p3Z5Ur2EuAqrhyjHuKd5p8yjEf39DUJjFugC5eWRyc8"
  }
}