Helper scripts to install Tailscale-issued HTTPS certificates on:
- GL.iNet routers (nginx on port 443)
- GL-KVM devices (kvmd)
This lets you access your device securely using its Tailnet FQDN
(e.g. device-name.tailnet.ts.net) with a trusted certificate instead of the
default self-signed Cert.
⚠️ Important
- This is a manual process
- You must re-run the script about every 90 days to renew the cert OR Setup a cronjob or service etc...
- The certificate will only validate for the Tailnet hostname, not the LAN IP
- You must have HTTPS enabled in your tailnet admin settings
- You must be using an up to date tailscale version, this works on both routers and kvm thanks to Admon:
bash wget -q https://get.admon.me/tailscale -O update-tailscale.sh ; sh update-tailscale.sh
Each script:
- Detects the device’s Tailnet domain
- Runs
tailscale cert <domain>to generate / refresh cert files - Backs up the existing HTTPS certs
- Installs the Tailscale cert into the correct service
- Restarts the service safely
- Verifies the cert is actually being served
The scripts are:
- GL.iNET/OpenWrt safe
- Tested on real hardware
- Flint 3 (GL-BE9300)
- Slate 7 (GL-BE3600)
- Puli AX (GL-XE3000)
- Slate 7 Pro (GL-BE10000)
- Other GL.iNet routers using nginx for HTTPS should work
- Comet (GL-RM1)
- Comet Pro (GL-RM10)
- Other GLKVM devices using kvmd should work
Run the updater without cloning the repository:
wget -q https://raw.githubusercontent.com/techrelay/GL.iNet-Tailscale-Enable-SSL/main/tailscale-ssl-kvm.sh -O tailscale-ssl-kvm.sh ; sh tailscale-ssl-kvm.shRun the updater without cloning the repository:
wget -q https://raw.githubusercontent.com/techrelay/GL.iNet-Tailscale-Enable-SSL/main/tailscale-ssl-router.sh -O tailscale-ssl-router.sh ; sh tailscale-ssl-router.sh