[SOLVED] Tailscale funnel something is already listening port 443

I did set up Tailscale to overcome CGNAT.

Tailscale is not set up on my OpenWRT router but on my LAN server at address 192.168.2.100, which runs Debian. Tailscale works and I can access my server when logged in, e.g. with my Android phone running Tailscale.

Now I am trying to set up “Funnel” for easy access to my server without the need to log in to my tailnet.

Problem:

When trying to set up the funnel using “tailscale funnel :8123” for my Immich server, I am getting the answer that something is already listening on port 443, which stops the funnel from being set up in Tailscale.

Can I find out on my OpenWRT router what is listening on port 443?

I already stopped NGINX, which somehow works with 443, but that did not help.
I also stopped the port forwarding for NGINX port 443 - no help.
So I stopped the DDNS service, because that is used for my NGINX - no help either.

Does anybody know how to identify the culprit listening on 443?

I assume "uhttpd" is correct... (on router)

netstat -atnupw | grep 443

Just to clarify: since you're behind CGNAT, any port forwarding rules on your OpenWrt router are irrelevant for external access — there's no public IP to forward from. However, they could still interfere locally if traffic is being redirected to a different machine before reaching your Debian server.

OK, I was running that command on Debian and it points to nginx, which I thought might be the culprit.
I did stop the NGINX container and also deactivated the port forwards for NGINX on the OWRT router, but this was not helping.
Do I need to restart the OWRT router when deactivating the port forward?

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 552615/nginx: maste

What should I do with that OWRT webserver you added the link to?

The output tells you exactly what's happening:

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 552615/nginx: master

There is a nginx process (PID 552615) running directly on your Debian host (not inside a container) that is binding port 443. Stopping the Docker container is not enough if nginx is also installed natively on the machine.

To fix it, on your Debian server run:

Check if nginx is installed natively

systemctl status nginx

If it's running, stop it and disable it

sudo systemctl stop nginx
sudo systemctl disable nginx

Then verify port 443 is free:
sudo ss -tlnp | grep 443

If nothing shows up, try Tailscale Funnel again:
tailscale funnel :8123


Regarding the OpenWrt uhttpd web server: that's unrelated to your issue. It only matters if something on the router itself is blocking port 443, which is not your case here. You don't need to restart the router either — disabling a port forward in OpenWrt takes effect immediately without reboot.

This is not installed natively; it runs in a Docker container.

boris@localhost:~$ sudo systemctl status nginx
Unit nginx.service could not be found.

boris@localhost:~$ sudo ss -tlnp | grep 443
LISTEN 0      511               0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=552643,fd=15),("nginx",pid=552642,fd=15),("nginx",pid=552641,fd=15),("nginx",pid=552640,fd=15),("nginx",pid=552615,fd=15))
LISTEN 0      4096              0.0.0.0:9443       0.0.0.0:*    users:(("docker-proxy",pid=2495,fd=8))                                                                                                        
LISTEN 0      511                  [::]:443           [::]:*    users:(("nginx",pid=552643,fd=16),("nginx",pid=552642,fd=16),("nginx",pid=552641,fd=16),("nginx",pid=552640,fd=16),("nginx",pid=552615,fd=16))
LISTEN 0      4096                 [::]:9443          [::]:*    users:(("docker-proxy",pid=2522,fd=8))                                                                                                        
LISTEN 0      50                      *:8443             *:*    users:(("java",pid=3479,fd=75))     

Can I not find out on the OpenWRT router what listens on 443?
Can port forwards not interfere?

The output confirms it: nginx is running inside Docker, but Docker is binding port 443 on your host network interface, which is exactly what blocks Tailscale Funnel.

You need to stop the Docker container that uses port 443. To find it:

docker ps | grep 443

Then stop it:

docker stop <container_name>

After that, verify port 443 is free:

sudo ss -tlnp | grep 443

If nothing shows up, Tailscale Funnel should work.


Regarding the OpenWrt router: port forwards on the router are irrelevant here. Since you are behind CGNAT there is no public IP anyway, and the conflict is happening locally on your Debian host between Docker and Tailscale. The router is not involved.

boris@localhost:~$ docker ps | grep 443
522e5daea3b0 portainer/portainer-ce:lts "/portainer" 3 months ago Up 23 hours 8000/tcp, 9000/tcp, 0.0.0.0:9443->9443/tcp, [::]:9443->9443/tcp portainer

That is confusing. Is it Portainer, or what? But this is not 443 but 9443.

Portainer only uses port 9443, not 443. The grep matched because 9443 contains "443".

To find the exact container binding port 443, run this instead:

docker ps --format "table {{.Names}}\t{{.Ports}}" | grep -w 443

Or to see all containers with their ports clearly:

docker ps --format "table {{.Names}}\t{{.Ports}}"

This will show you exactly which container is mapped to port 443 on the host.

Hmm

boris@localhost:~$ docker ps --format "table {{.Names}}\t{{.Ports}}" | grep -w 443
no answer here

boris@localhost:~$ docker ps --format "table {{.Names}}\t{{.Ports}}"
NAMES                           PORTS
immich_machine_learning         
zigbee2mqtt                     8080/tcp, 0.0.0.0:8081->8081/tcp, [::]:8081->8081/tcp
nginx-app-1                     
openhab1-openhab-1              
homeassistant                   
immich_server                   0.0.0.0:2283->2283/tcp, [::]:2283->2283/tcp
tailscaled                      
immich_postgres                 5432/tcp
immich_redis                    6379/tcp
eclipse-mosquitto-mosquitto-1   0.0.0.0:1883->1883/tcp, [::]:1883->1883/tcp, 0.0.0.0:9001->9001/tcp, [::]:9001->9001/tcp
glances-monitoring-1            
portainer                       8000/tcp, 9000/tcp, 0.0.0.0:9443->9443/tcp, [::]:9443->9443/tcp
seafile                         0.0.0.0:8099->80/tcp, [::]:8099->80/tcp
seafile-mysql                   3306/tcp
seafile-memcached               11211/tcp

For me it looks like my containers are not using 443.

Can it not be on the OWRT router? Would that even be recognized by Tailscale?

Look at "nginx-app-1" in your list — it shows no ports in the PORTS column. This usually means it is running in Docker host network mode, which means it uses the host's network interfaces directly without port mapping. That's why it doesn't show up in the ports list but still binds port 443.

Verify with:

docker inspect nginx-app-1 | grep -i networkmode

If it returns "host", that's your culprit. To confirm it's using port 443:

docker inspect nginx-app-1 | grep -i 443

To fix it, simply stop that container:

docker stop nginx-app-1

Then check port 443 is free:

sudo ss -tlnp | grep 443


Regarding installing Tailscale on the OpenWrt router instead: it would not help here. The conflict is on your Debian host between Docker and Tailscale Funnel. Moving Tailscale to the router would create a different setup entirely and would not solve the port 443 issue on the Debian machine.
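The two checks this answer and the earlier one rely on, as an added example that is not code from the thread: `listeners_on_port` filters `ss -tlnp` output for an exact port (a plain `grep 443` also matched 9443 and 8443 above), and `host_network_containers` lists containers in host network mode, which show an empty PORTS column in `docker ps`. The function names are chosen here, and the sample `ss` lines are constructed from the output posted earlier in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Exact-port matching on ss output and
# a host-network-mode container listing. Function names are chosen here.

# Print "local-address process pids" for each listener bound to exactly
# port $1. Reads `ss -tlnp` output from stdin, so the usual call is:
#   sudo ss -tlnp | listeners_on_port 443
listeners_on_port() {
  awk -v port="$1" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      split($6, q, "\"")                  # q[2]: first process name
      pids = ""; s = $6
      while (match(s, /pid=[0-9]+/)) {    # collect every pid=NNN
        pids = pids substr(s, RSTART + 4, RLENGTH - 4) " "
        s = substr(s, RSTART + RLENGTH)
      }
      sub(/ $/, "", pids)
      print $4, q[2], pids
    }'
}

# Succeed only when nothing listens on exactly port $1 (stdin as above).
port_is_free() {
  [ -z "$(listeners_on_port "$1")" ]
}

# Containers in host network mode do not appear in the PORTS column of
# `docker ps`; ask the daemon directly. Not invoked below (needs docker).
host_network_containers() {
  docker ps -q | xargs -r docker inspect \
    --format '{{.Name}} {{.HostConfig.NetworkMode}}' | awk '$2 == "host"'
}

# Constructed sample, shortened from the ss output earlier in this thread.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511         0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=552616,fd=15),("nginx",pid=552615,fd=15))
LISTEN 0      4096        0.0.0.0:9443   0.0.0.0:*  users:(("docker-proxy",pid=2495,fd=8))
LISTEN 0      511            [::]:443       [::]:*  users:(("nginx",pid=552616,fd=16),("nginx",pid=552615,fd=16))
LISTEN 0      50                *:8443         *:*  users:(("java",pid=3479,fd=75))'

# Reads like: 0.0.0.0:443 nginx 552616 552615
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 443
printf '%s\n' "$SAMPLE_SS" | port_is_free 443  || echo "443 is taken"
printf '%s\n' "$SAMPLE_SS" | port_is_free 8123 && echo "8123 is free"
```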

You are right!

OK, I tried all of that. I can see it is stopped, also reflected in Portainer, but when I try to start that funnel I still get the same error: “something listening on 443”.

This is the output I got:

boris@localhost:~$ docker inspect nginx-app-1 | grep -i networkmode
            "NetworkMode": "host",
boris@localhost:~$ docker inspect nginx-app-1 | grep -i 443
                "443/tcp": [
                        "HostPort": "443"
                "443/tcp": {},
boris@localhost:~$ docker stop nginx-app-1
nginx-app-1
boris@localhost:~$ sudo ss -tlnp | grep 443
[sudo] Passwort für boris: 
LISTEN 0      4096              0.0.0.0:9443       0.0.0.0:*    users:(("docker-proxy",pid=2495,fd=8)) 
LISTEN 0      4096                 [::]:9443          [::]:*    users:(("docker-proxy",pid=2522,fd=8)) 
LISTEN 0      50                      *:8443             *:*    users:(("java",pid=3479,fd=75))        
boris@localhost:~$ docker inspect nginx-app-1 | grep -i 443
                "443/tcp": [
                        "HostPort": "443"
                "443/tcp": {},
boris@localhost:~$ docker stop nginx-app-1
nginx-app-1
boris@localhost:~$ docker inspect nginx-app-1 | grep -i networkmode
            "NetworkMode": "host",

Good news! Your port 443 is actually free now. Look at the ss output after stopping nginx-app-1:

LISTEN 9443 (Portainer)
LISTEN 8443 (Java/OpenHAB)

Port 443 is gone. So now try Tailscale Funnel again:

tailscale funnel :8123

If you still get the same error, try restarting the Tailscale daemon first:

sudo systemctl restart tailscaled

Then try again:

tailscale funnel :8123

What error message do you get exactly?

GREAT, no error :slight_smile:

Thanks a lot!!! Good that we have people like you supporting here!

The output looks promising, now it generates an https code for accessing,
and I need to play around a bit with this funnel, but that is another story…
I also think I need to put it into the background with --bg so it survives a restart.

And OpenWRT is “not” the culprit!!

Glad it worked!

Yes, you are right about --bg. To make the funnel persistent across reboots:

tailscale funnel --bg :8123

This saves the funnel configuration permanently in Tailscale, so it survives restarts without any systemd service or cron job needed.

A few more tips for your setup:

  1. You can check your active funnel configuration anytime with:
    tailscale funnel status

  2. If you want to expose multiple services, you can define them by path:
    tailscale funnel --bg :8123 /immich
    tailscale funnel --bg :8080 /homeassistant

  3. Since nginx-app-1 was your reverse proxy, you now have two options going forward:

  • Keep using Tailscale Funnel and leave nginx stopped (simpler)
  • Reconfigure nginx to listen on a non-standard port (e.g. 8443) and let Tailscale Funnel forward to it, so you can keep using nginx as a reverse proxy for internal routing

And yes, OpenWrt was innocent all along!

Wait a sec :slight_smile:

That is exactly what I want to do, but I thought I would just use the ports as such.
Why use a path, and how does that path work? You wrote e.g. /immich?

I was even searching for the possibility to just open the server IP for all ports; is that possible?

And how do I set up Tailscale Funnel to forward to NGINX? Would that be a big story?

Great questions! Let me clarify all three points:

1. Path-based routing with Tailscale Funnel

The /immich and /homeassistant paths are URL prefixes — so when you visit https://yourdevice.ts.net/immich, Tailscale forwards that request to the local port you specified (e.g. :8123). However, this only works well if the backend app supports being served from a subpath, which many self-hosted apps (like Immich or Home Assistant) do NOT natively — they expect to run at /. So for most cases, using separate ports per service is simpler and more reliable.

2. Exposing all ports / the whole server IP

Tailscale Funnel is intentionally limited to HTTPS (port 443) only for public internet exposure — you cannot expose arbitrary ports publicly with Funnel. However, if you just need access within your own Tailscale network (not public internet), you don't need Funnel at all — Tailscale VPN already makes your server reachable on all ports from your other Tailscale devices directly via its Tailscale IP (e.g. 100.x.x.x). So for private access: just use the Tailscale IP + port directly. For public access: Funnel is limited to 443.

3. Tailscale Funnel → NGINX (not a big story at all!)

This is actually a clean setup. The idea is:

  • Tailscale Funnel listens on port 443 (public HTTPS)
  • It forwards to NGINX on a local port, e.g. 8080
  • NGINX acts as reverse proxy and routes to your apps by hostname or path

Step 1 — reconfigure NGINX to listen on port 8080 instead of 443:

server {
    listen 8080;
    ...
}

Step 2 — point Tailscale Funnel to NGINX:

tailscale funnel --bg :8080

Now all traffic from https://yourdevice.ts.net → Tailscale (443) → NGINX (8080) → your apps.

This gives you the best of both worlds: Tailscale handles the public TLS certificate, NGINX handles internal routing to multiple services.

Incredible! How quick you are :slight_smile:

And yes, this answers all my questions.

Thanks a lot again!

Happy to help! Enjoy your setup :blush:
