docs: add Tailscale guide for secure access to Dokploy applications

- Introduced a new guide on using Tailscale to securely access Dokploy applications and servers through a private network.
- Updated meta.json to include the new Tailscale guide in the documentation structure.
- The guide covers setup, configuration, and security benefits of using Tailscale, emphasizing zero-config VPN features and private service access.

apps/docs/content/docs/core/guides/tailscale.mdx

@@ -0,0 +1,256 @@
+---
+title: Tailscale
+description: Learn how to use Tailscale to securely access your Dokploy applications and servers through a private network without opening ports.
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+Tailscale creates a secure, private network that connects your devices and servers using WireGuard. This allows you to access your Dokploy applications and servers securely without opening ports on your firewall or exposing services to the public internet.
+
+**Tailscale is particularly useful for preventing unauthorized access to your services.** By keeping your Dokploy instance and applications on a private network, only devices that are explicitly added to your Tailscale network can access them. This means your services remain completely private and invisible to the public internet, significantly reducing the attack surface and preventing unauthorized users from discovering or accessing your infrastructure.
+
+## What is Tailscale?
+
+Tailscale is a zero-config VPN that creates a mesh network between your devices and servers. It uses the WireGuard protocol to establish encrypted connections, making it easy to access your infrastructure securely from anywhere.
+
+### Benefits
+
+- **Zero-Config VPN**: Automatic key management and network setup
+- **No Port Forwarding**: Access services without opening firewall ports
+- **Secure by Default**: All traffic is encrypted end-to-end
+- **Private Services**: Keep your services completely private and prevent unauthorized access
+- **Easy Access**: Connect from any device with Tailscale installed
+- **Private IPs**: Each device gets a private IP address (100.x.x.x)
+- **Free Tier Available**: Up to 100 devices for personal use
+- **ACLs**: Fine-grained access control lists for security
+
+## Prerequisites
+
+Before setting up Tailscale with Dokploy, ensure you have:
+
+- A Tailscale account (free tier works)
+- Dokploy installed and running
+- Access to your server via SSH or console
+- Tailscale installed on your client devices (optional, for accessing services)
+
+<Callout type="info">
+  Tailscale works great for accessing Dokploy's admin interface and your applications from anywhere, without exposing them to the public internet. This keeps your services private and prevents unauthorized users from discovering or accessing them.
+</Callout>
+
+## Tailscale Setup
+
+This guide will walk you through setting up Tailscale to securely access your Dokploy server and applications through a private network.
+
+### Step 1: Prerequisites
+
+Before starting, ensure you have:
+
+1. **Dokploy installed and running** - Follow the [installation guide](/docs/core/installation) if needed
+2. **A Tailscale account** - Create one at [tailscale.com](https://login.tailscale.com/login) (free tier works)
+
+### Step 2: Get Docker Network Subnet
+
+First, we need to identify the Docker network subnet that Dokploy uses. This will be advertised to the Tailscale network to allow access to your containers.
+
+Run the following command on your Dokploy server:
+
+```bash
+docker network inspect dokploy-network | grep Subnet
+```
+
+You should see output like this:
+
+```
+"Subnet": "10.254.0.0/24",
+```
+
+Copy the subnet value (e.g., `10.254.0.0/24`) - you'll need it in the next step.
+
+### Step 3: Configure Tailscale Server
+
+Now we'll set up Tailscale on your Dokploy server with subnet routing enabled.
+
+#### 3.1: Create Server in Tailscale Admin
+
+1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/machines/new-linux)
+2. Click **Add a device** → **Linux**
+3. Scroll down and click **Generate install script**
+
+You'll see a script like this:
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --auth-key=tskey-auth-something-random
+```
+
+#### 3.2: Modify the Install Command
+
+We need to modify this command to:
+- Enable SSH access with the `--ssh` flag
+- Advertise the Docker subnet with `--advertise-routes` flag
+
+Replace `subnet-of-docker` with the subnet you copied in Step 2:
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh && sudo tailscale up --ssh --advertise-routes=10.254.0.0/24 --auth-key=tskey-auth-something-random
+```
+
+<Callout type="warn">
+  Replace `10.254.0.0/24` with your actual Docker network subnet from Step 2.
+</Callout>
+
+#### 3.3: Run the Command
+
+Execute the modified command on your Dokploy server terminal.
+
+#### 3.4: Approve Subnet Routes
+
+After running the command, you need to approve the subnet routes in Tailscale:
+
+1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/machines/)
+2. Find your server and approve the advertised routes
+
+#### 3.5: Verify Server Connection
+
+Verify that your server is connected to Tailscale:
+
+```bash
+sudo tailscale status
+```
+
+You should see your server listed. Get the server's Tailscale IP address:
+
+```bash
+sudo tailscale ip -4
+```
+
+This will return something like:
+```
+100.100.100.100
+```
+
+Copy this IPv4 address - you'll use it to access your server and Dokploy.
+
+### Step 4: Configure Client Devices
+
+Now you'll set up client devices (your computer, phone, etc.) to connect to the Tailscale network.
+
+#### 4.1: Add Client Device
+
+1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/machines)
+2. Click **Add a device** → **Client device**
+3. Select your device type:
+   - Windows
+   - macOS
+   - Linux
+   - Android
+   - iPhone & iPad
+   - Synology
+
+#### 4.2: Install Tailscale on Client
+
+**For macOS:**
+- Download the native app from [tailscale.com/download/macos](https://tailscale.com/download/macos)
+- Install and authenticate with your Tailscale account
+
+**For other platforms:**
+- Visit [tailscale.com/download](https://tailscale.com/download) for your specific platform
+- Follow the installation instructions
+
+
+
+Login to your Tailscale account and you should see both your server and client device connected to the network it will also display in the tailscale dashboard.
+
+### Step 5: Access Dokploy via Tailscale
+
+Now you can access Dokploy and your applications through the Tailscale network.
+
+#### Access Dokploy Dashboard
+
+1. Use your server's Tailscale IP address (from Step 3.5):
+   ```
+   http://100.100.100.100:3000
+   ```
+   Replace `100.100.100.100` with your actual Tailscale IP.
+
+2. Or use the Tailscale hostname (if MagicDNS is enabled):
+   ```
+   http://your-server-name.tailscale.ts.net:3000
+   ```
+
+#### Access via SSH
+
+You can also SSH into your server using the Tailscale IP:
+
+```bash
+ssh root@100.100.100.100
+```
+
+Replace `100.100.100.100` with your server's Tailscale IP address.
+
+<Callout type="info">
+  With this setup, you can access Dokploy and your applications without any port forwarding or exposing services to the public internet. Only devices in your Tailscale network can access these services, ensuring they remain private and protected from unauthorized access.
+</Callout>
+
+## Configuring Applications
+
+### Accessing Applications via Tailscale
+
+Once Tailscale is set up, you can access your Dokploy applications through the Tailscale network:
+
+1. **Using Tailscale IP**: Access applications directly using your server's Tailscale IP and the port configured in Dokploy
+2. **Using Tailscale DNS**: Use your server's Tailscale hostname (e.g., `your-server.tailscale.ts.net`)
+
+### Example: Accessing an Application
+
+If you have an application running on port `8080`:
+
+1. Get your server's Tailscale IP:
+   ```bash
+   sudo tailscale ip -4
+   ```
+
+2. Access your application your application/compose should expose the port:
+   ```
+   http://YOUR_TAILSCALE_IP:8080
+   ```
+
+You can access from your client device or any device in the Tailscale network.
+
+## Advanced Configuration
+
+### Enabling MagicDNS
+
+MagicDNS provides automatic DNS resolution for devices in your Tailscale network:
+
+1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/dns)
+2. Enable **MagicDNS**
+3. Optionally add custom DNS names for your devices
+
+With MagicDNS enabled, you can access your server using its hostname.
+
+For example, to access the Dokploy dashboard (which runs on port 3000):
+
+```
+http://your-server-name.tailscale.ts.net:3000
+```
+
+### Using Custom Domains with MagicDNS
+
+If you want to use a custom domain for your Dokploy server, you'll need to find the Full Domain assigned by Tailscale:
+
+1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/machines/)
+2. Navigate to **Machines** and search for your server
+3. Scroll down to find the **Full Domain** field
+4. The Full Domain will look something like: `ubuntu-2gb-ash-4.tail1ff529.ts.net`
+
+Once you have the Full Domain, you can use it to access your Dokploy server:
+
+```
+http://ubuntu-2gb-ash-4.tail1ff529.ts.net:3000
+```
+
+<Callout type="info">
+  Replace `ubuntu-2gb-ash-4.tail1ff529.ts.net` with your actual server's Full Domain from the Tailscale admin console.
+</Callout>
+
+

apps/docs/content/docs/core/meta.json

@@ -49,6 +49,7 @@
 	"remote-servers/validate",
 	"---Guides---",
 	"guides/cloudflare-tunnels",
+	"guides/tailscale",
 	"guides/ec2-instructions",
 	"---Advanced---",
 	"cluster"