How to Set Up Nextcloud AIO on Home Server with a VPS Relay via Tailscale?

Hi Nextcloud community,

I’m running Nextcloud AIO on my home server, and I want to use a VPS as a relay/reverse proxy so I can access Nextcloud through a domain without exposing my home IP or opening ports on my local network.

My Setup

  • Home Server: Running Nextcloud AIO in a Docker container.
  • VPS (Oracle Cloud): I want to use it as a relay to receive traffic and forward it to the Home Server.
  • Connection Between VPS and Home Server: I have Tailscale configured to create a private VPN between them.

What I Need to Know

  1. How should I configure Nextcloud AIO to work properly with Tailscale?
  • Should I add the Tailscale domain or my domain?
  • Do I need to modify anything in Apache/Nginx inside Nextcloud AIO?
  2. How do I configure the VPS as a reverse proxy?
  • Should I use Caddy or Nginx to forward requests from https://my-domain.com to the Tailscale IP of my Home Server?
  • Should I configure SSL on the VPS, or in local network?
  3. Are there any known issues when using a VPS as a relay for Nextcloud AIO?
  • Will webhooks, Collabora, and other Nextcloud services work properly through this relay?

I’d appreciate any guidance or detailed steps on how to set this up correctly.
Thanks in advance!

Hi Locos!

Here is what I would do:

  1. I would not modify the AIO installation besides configuration (preference). That means, I would install tailscale on the host system, and then listen to the tailscale interface with the docker container. You also wonder about tailscale domain, but you need to imagine if you are on the public internet, how do you access the service? You probably want to use your own domain, but if you want it behind a proxy, then tailscale domain is probably fine. I have written the rest with the assumption that you want it to be publicly exposed, not behind a VPN network.
  2. The VPS (your proxy) will also need tailscale installed, and you would need to expect my-domain.com to be directed to your server tailscale IP. If you use Caddy or Nginx, that comes down to preference, but Caddy is lightweight and easy to use, so I would use that for this.
    When it comes to terminating SSL, you would want to protect the connection between the Client and the next hop (which in your case will be the Proxy VPS server). So make sure that your reverse proxy expects and listens on HTTPS. Remember, you are protecting the client by using HTTPS. Tailscale is already encrypted, because it is built on top of Wireguard.
  3. The various services will continue to work as before, as long as the correct container receives the traffic as before. You are just adding a few extra hops in between. If there are other ports, you will need to manually forward these too.

While I have not made a guide directly for setting up a reverse proxy like this, I have made guides on how you can forward connections and even make remote network interfaces on an external VPS to protect your home IP. You can take a look at that if it is of interest for later.

okay thanks, I installed nextcloud aio to work with tailscale, so when I enter from tailscale domain works perfectly but on the vps when I try to redirect with nginx proxy manager it returns “502 Bad Gateway”. So I’m trying to fix that.

Bad gateway indicates that something is going wrong in the step where you are trying to forward the connection from the proxy to the server hosting the instance.

Maybe you can share your configuration and how things are set up, and I can help you take a look if you still need help?

yes, this is my configuration in nginx


if I put in scheme http, page load but return “Client sent an HTTP request to an HTTPS server.”

or if I use Caddy

drive.domain.com {
    reverse_proxy https://nextcloud.tailc2d778.ts.net
}

the page goes blank

Since your tailscale network is already behind closed doors, you do not need to worry that someone is doing “man in the middle” attacks, or snoops on the traffic. Your requirements may be different, but to the looks of it, I do not see why you need to use SSL between nextcloud and the front facing server :slight_smile:

That will allow you to send a http (not https) connection to the backend.

I recommend looking at what you have set APACHE_PORT to, and that you are pointing your reverse proxy to that port :slight_smile: (Do not point it to 443, that requires a valid cert…)

Someone has a writeup here on how to enable communication to the AIO setup with a sidecar container.

Here is also a set of things that can help you debug the connection between the server and the reverse proxy:
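As an added example (not part of this thread, and not the poster's configuration), here is a Caddyfile for the VPS that matches the advice given above in both replies: Caddy terminates HTTPS for the public domain on the VPS, and forwards plain HTTP across the tailnet to the home server's Tailscale IP on the port AIO's Apache listens on (APACHE_PORT). The domain drive.example.com, the Tailscale IP 100.64.0.2 and the port 11000 are assumed placeholders; substitute your own values.

```caddyfile
# VPS Caddyfile (added example, not from the thread).
# Caddy obtains a certificate for the public name automatically and
# terminates TLS here, so the client-facing hop is HTTPS.
drive.example.com {
    # Forward plain HTTP across the Tailscale link. The tailnet is already
    # WireGuard-encrypted, and AIO's Apache serves plain HTTP on APACHE_PORT
    # when it sits behind a reverse proxy, so no second TLS layer and no
    # certificate on the home side is needed (pointing at 443 would require one).
    # 100.64.0.2 is an assumed Tailscale IP of the home server;
    # 11000 is an assumed value of APACHE_PORT.
    reverse_proxy http://100.64.0.2:11000
}
```

Two checks worth doing once this is in place: first, that the AIO container is actually reachable on the Tailscale interface from the VPS (the first reply's point about binding to that interface; AIO's APACHE_IP_BINDING setting controls the bind address), which is the hop a 502 points at; second, that Nextcloud is told to trust the VPS as a proxy, so that it records the real client IP from the X-Forwarded-For header Caddy sends rather than the VPS's Tailscale address. Without that, Nextcloud's brute-force protection and its logs see every visitor as the same IP, the proxy.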