I spent a decent chunk of my weekend doing some consolidation of systems and reworked my VPN usage a bit.

Earlier this year I found Tailscale and have fallen in love with how easy it is to use across my devices. I’d also been using Mullvad VPN for a few years now, and have been very happy with that. One downside to using both of these is that, on Macs at least, I can’t have multiple VPNs going at once. To use Tailscale, I’d have to shut off Mullvad, turn on Tailscale, and then remember to turn Mullvad back on.

Tailscale now allows you to connect a Mullvad account so that you can use it as an exit node. The downside is that you can only do this with a new Mullvad account through Tailscale. You can’t use an existing Mullvad account. Since my annual Mullvad subscription was nearing its end, I switched to paying for it through Tailscale.

I self-host several applications on a Mac Mini, including FreshRSS. I wanted to open FreshRSS up so that I could access my feeds in Reeder when out of the house. I had set up a Cloudflare tunnel for this, and until this week it was working just fine. On Friday I noticed the tunnel was down, and after an hour or so of troubleshooting with no results, I got fed up and turned to Tailscale. I don’t really need these apps to be available to the internet; I just need them available to me. Tailscale creates a mesh VPN wherever I am, so this seemed the best way forward.

What I ended up doing was setting up a new Docker container for FreshRSS and a Tailscale container to be the network route for FreshRSS. I don’t need to use Tailscale’s serve or funnel services for this; my new FreshRSS instance lives as a subdomain of my Tailscale domain, for example freshrss.mytailscale.net. It took several hours of tweaking the Docker Compose file to get things working the way I wanted, but it’s now up and I can access my feeds anywhere I have internet access.

And because I now have Mullvad set up as an exit node, all my regular internet traffic is sent through that. I also have Tailscale set up to use my NextDNS account for ad blocking at the DNS level. Nice little privacy + security win for me.

For anyone else looking to implement this, here’s the docker compose file I used along with an environment config file. I based this all off the tutorial by Tailscale here.

Before you set all this up below, you have to set up an OAuth client in Tailscale settings so that you can set the client secret in TS_AUTHKEY below.
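
The sidecar layout described above, sketched as an added example (this is not the author's compose file, which is not reproduced here). The service names, the `tailscale.env` file name, the host paths and the `tag:container` tag are assumptions; the tag has to exist in your tailnet policy and the OAuth client must be allowed to assign it.

```yaml
# Added example, not the author's file. Names marked "assumed" are placeholders.
services:
  ts-freshrss:                      # assumed service name for the Tailscale sidecar
    image: tailscale/tailscale:latest
    hostname: freshrss              # machine name the node registers with on the tailnet
    env_file:
      - ./tailscale.env             # assumed file; contains TS_AUTHKEY=<OAuth client secret>
    environment:
      # Keys minted from an OAuth client must carry a tag; "tag:container" is assumed.
      - TS_EXTRA_ARGS=--advertise-tags=tag:container
      # Persist node state so a restart does not register a new device.
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false          # kernel networking, needs /dev/net/tun and net_admin
    volumes:
      - ./ts-freshrss/state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
    restart: unless-stopped

  freshrss:
    image: freshrss/freshrss:latest
    depends_on:
      - ts-freshrss
    # Share the sidecar's network namespace: FreshRSS has no network of its own.
    network_mode: service:ts-freshrss
    # Deliberately no "ports:" mapping. Nothing is published on the host or LAN,
    # so the web UI is reachable only over the tailnet interface.
    volumes:
      - ./freshrss/data:/var/www/FreshRSS/data
      - ./freshrss/extensions:/var/www/FreshRSS/extensions
    restart: unless-stopped
```

Keep the env file holding the client secret out of version control and readable only by the account that runs Docker; who can reach the node is then decided by the tailnet access rules written against the tag.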

The TS_SERVE_CONFIG env file is here: