How to Expose TrueNAS Apps Securely Without a Public IP Address

If you run a TrueNAS SCALE server at home, you know the pain of wanting to access your apps — Nextcloud, Immich, Plex, or Paperless — from outside your local network. The traditional approach involves opening ports on your router, messing with DDNS, and praying your ISP hasn't put you behind CGNAT. But there is a better way. This guide covers three proven methods to expose TrueNAS apps securely without a public IP address: Cloudflare Tunnels (Zero Trust), Tailscale VPN, and Nginx Proxy Manager with a free DuckDNS domain. Each method keeps your network closed, avoids port forwarding, and adds a security layer.

Prerequisites

Before diving in, make sure you have the following:

TrueNAS SCALE (version 24.04 Dragonfish or later recommended) with the Apps service enabled

A working internet connection on your TrueNAS server

For Cloudflare Tunnel: a registered domain name and a Cloudflare account

For Tailscale: a Tailscale account (free tier available) and an Auth Key

For Nginx Proxy Manager: optionally a free DuckDNS domain if you do not own a custom domain

Basic familiarity with the TrueNAS SCALE web UI

Note: All three methods avoid exposing your TrueNAS server directly to the internet. They rely on outbound connections only, which is the fundamental principle of zero-trust networking.

Method 1: Cloudflare Tunnel (Zero Trust)

Cloudflare Tunnel (powered by cloudflared) creates an encrypted tunnel from your TrueNAS server to Cloudflare's edge network. Users connect via your domain, and Cloudflare proxies traffic to your server — no open ports required.

How It Works

Instead of opening a firewall port, your TrueNAS server initiates an outbound connection to Cloudflare. All incoming traffic hits Cloudflare's edge, which then forwards it through the tunnel to your local server. This means your TrueNAS is never directly reachable from the internet.

Step-by-Step Setup

1. Set up Cloudflare Tunnel in the Cloudflare Dashboard

1. Log into your Cloudflare account and navigate to Networking > Tunnels.

2. Click Create a tunnel, give it a name, and choose a connector type.

3. After creation, Cloudflare provides a token. Save this token — you will need it to configure the cloudflared app on TrueNAS.

2. Install the Cloudflared App on TrueNAS SCALE

1. In the TrueNAS web UI, go to Apps > Discover Apps.

2. Search for Cloudflared in the community train.

3. Click Install and paste the token from the Cloudflare dashboard into the required Token field.

4. Configure any additional settings (like resource limits) and click Install.

5. Wait for the app status to show as Running.

3. Configure DNS and Public Hostnames

Back in the Cloudflare dashboard (under the tunnel you created), add public hostnames:

Subdomain: e.g., nextcloud

Domain: your registered domain (e.g., example.com)

Type: HTTP (or HTTPS if your app supports it)

URL: localhost or 192.168.x.x with the port your app runs on

For example, to expose Immich running on 192.168.1.100:30041, you would set:

code

Subdomain: immich
Domain: example.com
Type: HTTP
URL: 192.168.1.100:30041

After saving, your app is reachable at https://immich.example.com with a valid Cloudflare SSL certificate.

4. Optional: Add Access Policies

In the Cloudflare Zero Trust dashboard, you can create Access Policies that require authentication (e.g., Google login, email OTP) before anyone can reach your tunnel. This adds a second layer of security on top of your app's own authentication.

Important: The official TrueNAS documentation at apps.truenas.com recommends following Cloudflare documentation to register a domain and set up DNS. Use strong passwords and two-factor authentication (TOTP or passkeys) for your Cloudflare account.

Method 2: Tailscale VPN

Tailscale builds a secure WireGuard-based mesh VPN between your devices. It does not require opening any ports. Once installed on TrueNAS and your client devices, you can access apps using Tailscale-assigned IP addresses or MagicDNS names.

Why Tailscale?

No port forwarding required on your router

Works through NAT, firewalls, and CGNAT

Free for personal use (up to 100 devices)

Encrypted peer-to-peer connections

Available as an official app in the TrueNAS catalog

Step-by-Step Setup

1. Create a Tailscale Auth Key

1. Log into your Tailscale admin console.

2. Go to Settings > Keys > Generate auth key.

3. Set an expiry (or leave it reusable) and copy the key.

2. Install the Tailscale App on TrueNAS SCALE

1. In TrueNAS, navigate to Apps > Discover Apps.

2. Search for Tailscale and click Install.

3. Paste the Auth Key into the required field.

4. Configure optional settings:

- Advertise as Exit Node — if enabled, all traffic from your client devices can route through your TrueNAS server (useful for accessing your home network remotely)

5. Click Install and wait for the app to show Running.

3. Connect Client Devices

1. Install Tailscale on your laptop, phone, or other devices (available for Windows, macOS, Linux, iOS, Android).

2. Log into the same Tailscale account on all devices.

3. Once connected, run tailscale status on any device to see the list of machines.

4. Access Your Apps

Each device in your Tailscale network gets a unique IP address (typically 100.x.x.x). To access a TrueNAS app:

Use the Tailscale IP of your TrueNAS server followed by the app's port number.

Or enable MagicDNS in the Tailscale admin console to use hostnames like truenas.tailnet-name.ts.net instead of IP addresses.

For example, if TrueNAS has the Tailscale IP 100.64.0.1 and your Nextcloud app is on port 30041, you access it at http://100.64.0.1:30041.

Tip: According to the TrueNAS Community Forums, Tailscale is considered the safest way to handle remote access — it avoids exposing apps to the public internet entirely.

Method 3: Nginx Proxy Manager with DuckDNS

If you prefer a traditional reverse proxy but still do not have a public IP, combine Nginx Proxy Manager (NPM) with DuckDNS — a free dynamic DNS service. This method is popular in the TrueNAS community and works well even if your ISP changes your IP address.

Step-by-Step Setup

1. Install Nginx Proxy Manager in TrueNAS SCALE

1. Go to Apps > Discover Apps and search for nginx-proxy-manager.

2. Click Install and accept the default settings or customize as needed.

3. Wait for the app to show Running.

4. Access the NPM admin UI at http://<your-truenas-ip>:81. Default credentials are admin@example.com / changeme.

2. Set Up DuckDNS

1. Go to DuckDNS.org and sign in with a supported provider (GitHub, Google, etc.).

2. Create a subdomain (e.g., mynas.duckdns.org).

3. Note your token — you will use it to update the DNS record.

3. Configure DuckDNS Update on TrueNAS

You can update DuckDNS using a cron job or a simple script. One common approach is to set up a container or script that periodically calls:

code

https://www.duckdns.org/update?domains=mynas&token=YOUR_TOKEN&ip=

This tells DuckDNS to point your domain to your router's current public IP.

4. Configure Nginx Proxy Manager

1. In the NPM admin UI, go to SSL Certificates > Add SSL Certificate > Let's Encrypt.

2. Enter your DuckDNS domain (e.g., mynas.duckdns.org) and your email.

3. Ensure port 80 is open for the Let's Encrypt verification (this may be the only port you forward).

5. Add Proxy Hosts

For each app you want to expose:

1. Go to Hosts > Proxy Hosts > Add Proxy Host.

2. Domain Names: enter your subdomain (e.g., immich.mynas.duckdns.org).

3. Scheme: http

4. Forward Hostname / IP: your TrueNAS local IP (e.g., 192.168.1.100)

5. Forward Port: the port your app is running on (e.g., 30041 for Immich)

6. Enable Block Common Exploits and Websockets Support (if needed).

7. Under the SSL tab, select the Let's Encrypt certificate you generated and enable Force SSL.

Now your app is accessible at https://immich.mynas.duckdns.org with a valid SSL certificate.

Note: If your router supports it, you can avoid port forwarding entirely by using only a local DuckDNS record pointing to your TrueNAS server's local IP, then use Tailscale to connect from outside. This is a hybrid approach recommended by community members.

Comparing the Three Methods

|---|---|---|---|

| Public IP required | No | No | Partial (or use Tailscale hybrid) |

| Port forwarding | No | No | Minimal (port 80 for SSL) |

Security Best Practices

Regardless of which method you choose, follow these recommendations from the TrueNAS documentation:

Use strong passwords and 2FA — preferably TOTP or passkeys — for all accounts (TrueNAS, Cloudflare, Tailscale).

Keep TrueNAS updated — the latest security patches are critical. TrueNAS 24.04 (Dragonfish) introduced the Credentials > Groups > Privileges screen for defining limited administrative roles.

Limit app exposure — only expose apps that need to be public. Keep administrative interfaces (TrueNAS web UI) on the local network.

Enable HTTPS — always serve apps over encrypted connections.

Monitor access logs — Cloudflare provides analytics, and Tailscale shows connected devices.

Use private SMB datasets — if sharing files, the TrueNAS documentation recommends selecting Private SMB Datasets and Shares to restrict access.

Troubleshooting

Cloudflare Tunnel not connecting

Ensure the token is correctly pasted in the Cloudflared app configuration.

Check that the Cloudflared app status is Running in TrueNAS.

Verify DNS records in Cloudflare are pointing to the tunnel (not your public IP).

Tailscale devices not visible

Confirm all devices are logged into the same Tailscale account.

Check that the Tailscale app is Running on TrueNAS.

In the Tailscale admin console, verify that your TrueNAS machine appears under Machines.

Nginx Proxy Manager SSL errors

Ensure port 80 is reachable from the internet for Let's Encrypt verification.

Verify that your DuckDNS domain resolves to the correct IP.

Check NPM logs under Logs > Audit Log for detailed error messages.

Conclusion

Exposing TrueNAS apps securely without a public IP address is not only possible — it is actually the recommended approach for modern homelabs. Cloudflare Tunnel provides a zero-trust gateway with built-in authentication, perfect for sharing apps with friends and family. Tailscale offers a dead-simple VPN that requires zero configuration on your router, ideal for personal remote access. And Nginx Proxy Manager with DuckDNS delivers a classic reverse proxy experience with free SSL certificates.

Whichever method you choose, you eliminate the risk of opening ports to your home network. Your TrueNAS server remains hidden, your apps stay accessible, and you sleep better knowing your homelab is secure.

Final recommendation: Start with Tailscale if you only need personal access. Graduate to Cloudflare Tunnel if you want to share apps publicly without a VPN. Use Nginx Proxy Manager if you prefer fine-grained control over reverse proxy rules and SSL management.

How to Expose TrueNAS Apps Securely Without a Public IP Address

How to Expose TrueNAS Apps Securely Without a Public IP Address

Prerequisites

Method 1: Cloudflare Tunnel (Zero Trust)

How It Works

Step-by-Step Setup

Method 2: Tailscale VPN

Why Tailscale?

Step-by-Step Setup

Method 3: Nginx Proxy Manager with DuckDNS

Step-by-Step Setup

Comparing the Three Methods

Security Best Practices

Troubleshooting

Conclusion

Related Articles

Nginx Reverse Proxy Mistakes That Break Applications (And How to Fix Them)

OpenClaw Agent Stuck: Root Causes and Fixes for Homelab Users

OpenClaw No Output / Empty Response Fix: A Homelab Practitioner's Guide to Debugging Silent Agent Failures

Why OpenClaw Is Not Responding: Full Fix Guide (2026)

More in Cybersecurity

TrueNAS vs Unraid vs Proxmox in 2026 – Which Homelab OS Is Best for You?

TrueNAS Apps Not Working? The Complete 2026 Fix Guide