Tailscale Forwarder
Connect to Railway services that are not publicly accessible
Deploy and Host Tailscale Forwarder on Railway
Tailscale Forwarder is a TCP proxy that allows you to connect through a Tailscale machine to the configured target address and port pair. This enables secure access to Railway services that are not accessible from the internet, effectively creating a private network tunnel for your infrastructure.
About Hosting Tailscale Forwarder
Hosting Tailscale Forwarder gives you access to a secure TCP proxy service that bridges your Tailscale network with Railway's private services. The forwarder provides secure network tunneling, flexible port mapping configuration, and seamless integration with Railway's private domains. It excels at creating secure connections to databases and services that should remain locked down from public internet access, while supporting multiple concurrent connection mappings. Tailscale Forwarder deployments benefit from Railway's automatic scaling, environment variable management, and integration with Tailscale's mesh networking capabilities. Railway provides comprehensive logging and secure container networking to support your proxy operations.
Common Use Cases
- Database Security: Locking down access to your Railway databases (PostgreSQL, Redis, ClickHouse) to only those who are on your Tailscale network, preventing unauthorized internet access.
- Private Service Access: Connecting to internal web services, APIs, and applications hosted on Railway through a secure Tailscale tunnel without exposing them to the public internet.
- Multi-Service Proxy: Creating a single secure gateway to access multiple Railway services through one Tailscale machine, solving the limitation of running only one Tailscale subnet router per account.
- Development and Testing: Providing secure access to staging databases and development services for team members without requiring complex VPN configurations or firewall rules.
Dependencies for Tailscale Forwarder Hosting
Tailscale Account
- With MagicDNS enabled and a reusable auth key
Target Railway Services
- Any Railway services you want to proxy through Tailscale
Deployment Dependencies
- Official Tailscale container image with TCP forwarding capabilities
- Railway service with private domain access
- Tailscale mesh network configuration
Implementation Details
Authentication Setup
- Generate a Tailscale auth key with Reusable enabled
- Enable MagicDNS for your Tailscale account for hostname resolution
Connection Mapping Configuration
Connection mappings use the format: <source port>:<target host>:<target port>
Examples:
CONNECTION_MAPPING_01=5432:${{Postgres.RAILWAY_PRIVATE_DOMAIN}}:${{Postgres.PGPORT}}
CONNECTION_MAPPING_02=6379:${{Redis.RAILWAY_PRIVATE_DOMAIN}}:${{Redis.REDISPORT}}
Multiple mappings can be configured by incrementing the number after the CONNECTION_MAPPING_ prefix.
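A pre-deployment check for the mapping values described above, as an added example rather than code from the Tailscale Forwarder project. It assumes the source-port, target-host, target-port layout shown in the examples; the names ParseMappings and Mapping and the sample hostname are hypothetical. It rejects malformed values, ports outside 1-65535 (which is also how a reference left unexpanded shows up) and two mappings that claim the same source port.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one validated CONNECTION_MAPPING_[n] entry.
type Mapping struct {
	Name, TargetHost       string
	SourcePort, TargetPort uint16
}

// ParseMappings returns the valid mappings plus one problem per rejected line.
func ParseMappings(env []string) (ok []Mapping, problems []string) {
	seen := map[uint64]string{} // source port -> variable that claimed it
	for _, kv := range env {
		name, val, _ := strings.Cut(kv, "=")
		if !strings.HasPrefix(name, "CONNECTION_MAPPING_") {
			continue
		}
		// Split on the first and last colon so the host part stays intact.
		first, last := strings.Index(val, ":"), strings.LastIndex(val, ":")
		if last-first < 2 {
			problems = append(problems, name+": want <source port>:<target host>:<target port>")
			continue
		}
		src, errSrc := strconv.ParseUint(val[:first], 10, 16) // 16 bits: rejects > 65535
		dst, errDst := strconv.ParseUint(val[last+1:], 10, 16)
		switch prev, dup := seen[src]; {
		case errSrc != nil || errDst != nil || src == 0 || dst == 0:
			problems = append(problems, fmt.Sprintf("%s: bad port in %q", name, val))
		case dup:
			problems = append(problems, fmt.Sprintf("%s: source port %d already used by %s", name, src, prev))
		default:
			seen[src] = name
			ok = append(ok, Mapping{name, val[first+1 : last], uint16(src), uint16(dst)})
		}
	}
	return ok, problems
}

func main() { // constructed sample values; the hostname is a placeholder
	fmt.Println(ParseMappings([]string{
		"CONNECTION_MAPPING_01=5432:db.internal.example:5432",
		"CONNECTION_MAPPING_02=6379:${{Redis.RAILWAY_PRIVATE_DOMAIN}}:${{Redis.REDISPORT}}",
	}))
}
```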
Machine Hostname
The Tailscale machine hostname follows the format: <project name>-<environment name>-<service name>
This hostname is used to connect to your proxied services from any device on your Tailscale network.
Environment Variables
Environment Variable | Required | Default Value | Description |
---|---|---|---|
TS_AUTHKEY | Yes | - | Tailscale auth key. |
TS_HOSTNAME | Yes | ${{RAILWAY_PROJECT_NAME}}-${{RAILWAY_ENVIRONMENT_NAME}}-${{RAILWAY_SERVICE_NAME}} | Hostname to use for the Tailscale machine. |
CONNECTION_MAPPING_[n] | Yes | - | Connection mapping for a service. |
Example Configurations
For all examples, assume the Tailscale Forwarder machine is named my-project-production-tailscale-forwarder.
Redis Configuration
Set the connection mapping:
CONNECTION_MAPPING_01=6379:${{Redis.RAILWAY_PRIVATE_DOMAIN}}:${{Redis.REDISPORT}}
Connect to Redis with:
redis://default:<password>@my-project-production-tailscale-forwarder:6379
ClickHouse Configuration
Set the connection mapping:
CONNECTION_MAPPING_01=8123:${{ClickHouse.RAILWAY_PRIVATE_DOMAIN}}:${{ClickHouse.PORT}}
Connect to ClickHouse with:
http://clickhouse:<password>@my-project-production-tailscale-forwarder:8123/railway
Web Server Configuration
Set the connection mapping:
CONNECTION_MAPPING_01=80:${{Web Server.RAILWAY_PRIVATE_DOMAIN}}:${{Web Server.PORT}}
Connect to the web server with:
http://my-project-production-tailscale-forwarder:80
PostgreSQL Configuration
Set the connection mapping:
CONNECTION_MAPPING_01=5432:${{Postgres.RAILWAY_PRIVATE_DOMAIN}}:${{Postgres.PGPORT}}
Connect to PostgreSQL with:
postgresql://postgres:<password>@my-project-production-tailscale-forwarder:5432/railway
Multiple Services Configuration
Set multiple connection mappings:
CONNECTION_MAPPING_01=5432:${{Postgres.RAILWAY_PRIVATE_DOMAIN}}:${{Postgres.PGPORT}}
CONNECTION_MAPPING_02=6379:${{Redis.RAILWAY_PRIVATE_DOMAIN}}:${{Redis.REDISPORT}}
CONNECTION_MAPPING_03=8123:${{ClickHouse.RAILWAY_PRIVATE_DOMAIN}}:${{ClickHouse.PORT}}
CONNECTION_MAPPING_04=80:${{Web Server.RAILWAY_PRIVATE_DOMAIN}}:${{Web Server.PORT}}
Connect to each service using the my-project-production-tailscale-forwarder hostname with the appropriate source port from the connection mapping.
Why Deploy Tailscale Forwarder on Railway?
Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically scale it.
By deploying Tailscale Forwarder on Railway, you get secure network access to your private services with minimal setup. Railway handles the container orchestration, environment variable management, and automatic deployments, letting you focus on building secure, private network architectures for your applications.
Template Content
Tailscale Forwarder
ghcr.io/brody192/tailscale-forwarder:latest
TS_AUTHKEY
Your Tailscale Auth Key
CONNECTION_MAPPING_01
The connection mapping for the initial service; add more by incrementing the index.