As the title suggest, I want to basically disable the public TCP port and allow plex or other apps to only connect using Tailscale.

Like, I don't want to allow server-public-ip:32400, but instead I wanna do tailscale-server-name:32400.

If I have the port opened in TCP for all sources it works, doesn't work when I remove the ingress rule.

The server pings fine (MagicDNS enabled)

Pinging oracle.hidden-name.ts.net [tailscale-ip] with 32 bytes of data:
Reply from tailscale-ip: bytes=32 time=36ms TTL=64
Reply from tailscale-ip: bytes=32 time=36ms TTL=64
Reply from tailscale-ip: bytes=32 time=38ms TTL=64
Reply from tailscale-ip: bytes=32 time=37ms TTL=64

Ping statistics for tailscale-ip:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 36ms, Maximum = 38ms, Average = 36ms

CodePudding user response：

If I have the port opened in TCP for all sources it works, doesn't work when I remove the ingress rule.

That likely means the apps connecting to plex are still using the LAN IP address, not the Tailscale IP address. Using MagicDNS might help, the Plex app can be told to go to plex.example.com.beta.tailscale.net.

CodePudding user response：

Figured it out. It won't work with only machine name as it won't resolve HTTP/S, will work with Tailscale IP or the ts.net domain.