#Home assistant tailscale Community Add-On Failure


arctic marlin
#

Hi all. I've installed Tailscale's addon in order to get external access to my Raspberry Pi hosting Home Assistant. For that reason I know I also need to enable and set up Funnel. This is the list of what I've done:

1) Installed the addon, and using this configuration:
```
accept_routes: true
advertise_exit_node: true
advertise_connector: true
log_level: trace
login_server: "https://controlplane.tailscale.com"
share_homeassistant: funnel
share_on_port: 443
snat_subnet_routes: true
stateful_filtering: false
tags:
  - tag:homeassistant
taildrop: true
userspace_networking: true
```


2) Logged in using the URL found in the logs, adding the machine
3) Disabled Key Expiry
4) Checked in the "Machine" tab of the Tailscale web dashboard if the funnel option is enabled, and it is indeed
5) Edited ACL file and added nodeAttr with "funnel" line (I don't know what I'm talking about, just followed what I've read)
6) Added in HA's configuration.yaml file:

```
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
```

7) Restarted HA and the addon.
8) Checked in the Tailscale addon's logs for "Available on the internet:" and it is. Log:
```
Available on the internet:
https://*****.ts.net/
|-- proxy http://127.0.0.1:8123
Press Ctrl+C to exit.
```


Here's my problem: I can't connect to ***.ts.net. What I see in the log is a network error (a timeout error): basically when I try to connect I can see the Home Assistant logo, but after a few seconds everything goes south. In the Tailscale log I read:
```
Drop TPC <STRINGS"> 80 no rules matchd
http: TLS handshake error from [fd7a:*****] EOF
```


I don't know if it's relevant, but my home network is a CGNAT.
Can someone pls tell me what I'm missing?
inland plover
#
> 5) Edited ACL file and added nodeAttr with "funnel" line (I don't know what I'm talking about, just followed what I've read)

Might be worth showing us your ACL file in its entirety. Redact any private information such as email addresses that are there if you have them, but there could be ACL issues involved.

You might also want to change `share_homeassistant: funnel` to `serve` so that it's not open to the entire internet.

arctic marlin
inland plover
#

> tags:
>   - tag:homeassistant

Is your home assistant instance using a tag? Can you see it in your admin console with "tag:homeassistant"?
If so, your nodeAttr isn't permitting funnel to be used by anything tagged as homeassistant. You'd need something like:

```
    "nodeAttrs": [
        {
            "target": ["tag:homeassistant"],
            "attr":   ["funnel"],
        },
    ],
```

to be able to use Funnel. 

That being said, I wouldn't advise using Funnel for this. I'd change the option for share_homeassistant (or the configuration option that sets it) to serve instead. Then I don't think you need the nodeAttr.
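An added example, not part of the thread and not Tailscale's own code: a small check of whether a policy file's `nodeAttrs` grant the `funnel` attribute to a given node. The sample policy, the function names and the owner address are constructed, and the matching model is a simplifying assumption (a tagged node is matched only by its tags or `*`; a user-owned node by its owner, its groups, `autogroup:member` or `*`).

```python
import json
import re

# Constructed sample policy in the relaxed JSON style the policy editor accepts
# (whole-line // comments and trailing commas).
SAMPLE_POLICY = """
{
    // constructed example: funnel granted to user-owned devices only
    "nodeAttrs": [
        {
            "target": ["autogroup:member"],
            "attr":   ["funnel"],
        },
    ],
}
"""


def load_hujson(text):
    """Parse relaxed JSON. Simplified: handles whole-line // comments and
    trailing commas only, which is enough for a typical policy file."""
    text = re.sub(r"^[ \t]*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def funnel_allowed(policy, node_tags=(), owner=None, groups=()):
    """Return True if any nodeAttrs entry grants "funnel" to this node.

    Assumed matching model (labelled in the lead-in): once a node carries
    tags it is no longer matched through its owner or autogroup:member.
    """
    if node_tags:
        identities = set(node_tags)
    else:
        identities = {owner, "autogroup:member", *groups}
    identities.add("*")
    for entry in policy.get("nodeAttrs", []):
        grants_funnel = "funnel" in entry.get("attr", [])
        if grants_funnel and identities & set(entry.get("target", [])):
            return True
    return False


if __name__ == "__main__":
    policy = load_hujson(SAMPLE_POLICY)
    print("tagged node:", funnel_allowed(policy, node_tags=["tag:homeassistant"]))
    print("user-owned node:", funnel_allowed(policy, owner="user@example.com"))
```

With `share_homeassistant: serve` the add-on shares Home Assistant inside the tailnet only, so this check matters only when Funnel is actually wanted.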
arctic marlin
#

I'm sorry, my friend. I forgot to mention I've reinstalled the addon, removing the tag:homeassistant. Here's the config:
```
accept_dns: true
accept_routes: true
advertise_exit_node: false
advertise_connector: true
advertise_routes:
  - local_subnets
  - 192.168.1.0/24
  - fd12:3456:abcd::/64
log_level: debug
login_server: https://controlplane.tailscale.com
share_homeassistant: funnel
share_on_port: "443"
snat_subnet_routes: true
ssh: false
stateful_filtering: false
tags: []
taildrive:
  addons: false
  addon_configs: false
  backup: false
  config: false
  media: false
  share: false
  ssl: false
taildrop: false
userspace_networking: false
dscp: 52
lets_encrypt_certfile: fullchain.pem
lets_encrypt_keyfile: privkey.pem
```

As u may notice, it's a bit different from the text I sent u before. That's because I've tried a different addon (tailscale with services) but I still get the same TCP error. In other terms: I get the same result (not connecting at all) from 2 different addons and their log is the same (the second addon is a fork of the first).
#

Log output has not changed, therefore even if I told u I tried 2 addons, I assure u the log output is the same!

inland plover
#

Humor me: change share_homeassistant, or however it's set, to serve, and see if it works.

arctic marlin
#

```
s6-rc: info: service forwarding successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
2025/10/23 20:48:13 INFO: Add-on is healthy
2025/10/23 20:49:01 Received error: PollNetMap: unexpected EOF
2025/10/23 20:49:01 control: controlhttp: forcing port 443 dial due to recent noise dial
2025/10/23 20:49:02 control: netmap: got new dial plan from control
2025/10/23 20:49:02 appc: handling domains: [] and wildcards: []
```

still not working

arctic marlin
inland plover
#

I'm going to ask you to post your entire configuration again, because I'm not entirely sure with the changes you've made under the hood while we were trying to troubleshoot your old configuration. It makes troubleshooting difficult when you're working on one set of assumptions and they change from underfoot.

arctic marlin
#

I can upload it again if u want