Hardware components | ||||||
 |
| × | 1 | |||
 |
| × | 1 | |||
| × | 1 | ||||
Software apps and online services | ||||||
| ||||||
| ||||||
| ||||||
| ||||||
| ||||||
Securely Expose Your Weather Station Dashboards with Tailscale and Caddy
One Domain. Two Dashboards. Zero Exposed Internals.
Section 1: Introduction
Running a personal weather station is deeply satisfying — watching real-time data flow in from your own backyard sensors, logging history, and tracking micro-climate patterns unique to your location. But at some point, you want to share that data — with family, neighbors, or the broader weather community.
That's where things get tricky. Simply opening your home network to the internet exposes not just your weather dashboards, but potentially your weather software admin interfaces, your computers, and your entire internal network. That's a risk not worth taking.
If your ISP uses Carrier-Grade NAT (CGNAT), traditional port forwarding simply isn't an option — you share a public IP with hundreds of other customers. Tailscale Funnel bypasses this completely, making it the only practical solution for many home weather station operators.
This tutorial walks you through a clean, secure solution using two excellent tools:
• Tailscale — a zero-config VPN with a powerful feature called Funnel that safely exposes selected services to the public internet through Tailscale's own infrastructure — no domain registration, no open firewall ports, no dynamic DNS headaches. Works even behind CGNAT.
• Caddy — a modern, easy-to-configure reverse proxy that acts as a security gatekeeper, exposing only your public weather dashboards to the world, blocking everything else.
The result: both your weather dashboards are publicly accessible, your admin interfaces stay completely private, and your home network remains locked down.
My setup serves as the concrete example throughout this tutorial:
• A TP3000WC weather station broadcasting data via the Ecowitt protocol
• FOSHKplugin — standalone middleware on a Raspberry Pi receiving station data and forwarding to multiple destinations simultaneously
• WeeWX on the Raspberry Pi independently processing station data, generating a graphical HTML dashboard served via Apache
• CumulusMX on a Windows 11 PC (oscar-ii) receiving station data and serving a gauges dashboard
• Caddy running on oscar-ii, acting as the security gatekeeper between the public internet and both dashboards
• Tailscale providing both private admin access and public internet exposure via Funnel
Your hardware and weather software may differ — and that's perfectly fine. The Caddy and Tailscale configuration is the same regardless of what's generating your weather data.
Section 2: Architecture OverviewBefore diving into configuration, it helps to understand the full picture of how data flows through this setup.
Data Collection and DistributionThe TP3000WC weather station broadcasts Ecowitt protocol data to the Raspberry Pi, where FOSHKplugin acts as the central data hub:
TP3000WC Weather Station (192.168.12.199:45000)Foshkplugin, Tailscale Funnel, Caddy
The beauty of this architecture is its simplicity. Tailscale does double duty — handling both your private admin access and your public-facing Funnel. Caddy sits in the middle as a strict gatekeeper, ensuring the public sees only what you choose to share. Your admin interfaces, internal settings, and home network remain completely invisible to the outside world.
Section 3: PrerequisitesBefore following this tutorial, you'll need the following in place. Don't worry if you're not running the exact same hardware and software as my setup — the Tailscale and Caddy portions apply broadly to any WeeWX or CumulusMX installation.
Weather Software (at least one)• CumulusMX installed and running, with your weather station data flowing in
• WeeWX installed and running on a Raspberry Pi (or any Linux machine), with its HTML dashboard being generated and served via Apache
• Both, as in this tutorial — the more the merrier!
Hardware• A PC or server running your weather software — Windows, Linux, or macOS all work. This tutorial uses a Windows 11 PC (oscar-ii) for CumulusMX and Caddy
• A Raspberry Pi (optional) running WeeWX, FOSHKplugin, and Apache if you want to expose a second dashboard
• Your weather station already configured and sending data
Tailscale• A free Tailscale account — sign up at tailscale.com if you don't have one
• Tailscale installed on your weather station PC (oscar-ii in this tutorial)
• Funnel enabled on your Tailscale account — this is a one-time step in the Tailscale admin console
• Note your Tailscale hostname — it will look like machinename.tailXXXX.ts.net
Caddy• Caddy installed on the same machine as your primary weather software
• This tutorial covers installation on Windows 11 — Caddy also runs on Linux, macOS, and Raspberry Pi
• Download Caddy from caddyserver.com
caddyfile -- put in same folder as Caddy.exe
Networking• Your weather software machine and Raspberry Pi on the same local network
• Know the local IP address of your Raspberry Pi (e.g., 192.168.12.15 in this tutorial)
• No port forwarding or firewall changes required — Tailscale Funnel handles all of that
What You Do NOT Need• A registered domain name
• A static public IP address
• Dynamic DNS service
• Opening any ports on your router or firewall
• A publicly routable IP address — Tailscale Funnel works even behind CGNAT (Carrier-Grade NAT), which affects many home internet connections, mobile broadband, and rural ISP customers who cannot use traditional port forwarding at all
Section 3.5: Understanding FOSHKpluginFOSHKplugin is a powerful standalone middleware application that runs on the Raspberry Pi. It is the central data hub of this setup — receiving data from the weather station and simultaneously forwarding it to multiple destinations.
In this setup, FOSHKplugin is installed at /opt/FOSHKplugin/ and configured via /opt/FOSHKplugin/foshkplugin.conf.
FOSHKplugin Configuration192.168.12.15:8000
The key FOSHKplugin configuration sections in foshkplugin.conf are shown below. Replace IP addresses and credentials with your own values:
FOSHKplugin Auto-start
FOSHKplugin runs as a systemd service and starts automatically on boot. To check its status:
sudo systemctl status foshkplugin
You should see: Active: active (running)
Section 4: Installing and Configuring TailscaleTailscale is the foundation of this setup — it provides both your private admin access and public-facing Funnel. Installation is remarkably straightforward.
Step 1: Create a Tailscale Account
If you don't already have one, sign up for a free account at tailscale.com. The free tier is generous and more than sufficient for a home weather station setup.
Step 2: Install Tailscale on Your Weather Station PC
On Windows 11 (oscar-ii):
1. Download the Tailscale installer from tailscale.com/download
2. Run the installer and follow the prompts
3. When prompted, log in with your Tailscale account
4. Tailscale will appear in your system tray when running
On Raspberry Pi:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Follow the authentication link provided to connect the Pi to your Tailscale network.
Step 3: Verify Your Tailscale HostnameOnce installed, your machine gets a permanent Tailscale hostname in the format: machinename.tailXXXX.ts.net
In this tutorial, oscar-ii's Tailscale hostname is: oscar-ii.tailb986d2.ts.net
To find yours, click the Tailscale system tray icon or visit the Tailscale admin console at login.tailscale.com/admin under Machines.
Step 4: Verify Private Admin AccessCumulusMX binds to your Tailscale IP address automatically at startup. You can confirm your Tailscale IP from the CumulusMX console output when it starts:
Cumulus running at: http://localhost:8998/
http://100.110.13.52:8998/ <-- Tailscale IP
http://192.168.12.187:8998/ <-- Local network IP
From any device connected to your Tailscale network, open a browser and navigate to your Tailscale IP:
You should see your CumulusMX admin interface. The public internet cannot reach this address — it is only accessible to devices on your Tailscale network.
Note: If you prefer using the ts.net hostname instead of the IP address, ensure MagicDNS is enabled in your Tailscale admin console at login.tailscale.com/admin under DNS.
Step 5: Enable Tailscale FunnelFunnel is the feature that allows selected traffic to reach your machine from the public internet — still through Tailscale's secure infrastructure, with no open ports required. It works even if your ISP uses CGNAT.
Enable Funnel in the Tailscale admin console:
5. Go to login.tailscale.com/admin
6. Navigate to DNS and ensure MagicDNS is enabled
7. Navigate to Access Controls and add Funnel permissions for your machine
Then enable Funnel on oscar-ii via Command Prompt (run as Administrator):
tailscale funnel --bg 443
Verify Funnel is active:
tailscale funnel status
You should see oscar-ii listed as actively funneling port 443.
What You've Accomplished• Tailscale is installed on oscar-ii and your Raspberry Pi
• Private admin access is working via your Tailscale IP
• Tailscale Funnel is enabled and listening for public traffic on port 443
• Your home network remains completely closed — no open firewall ports
Section 5: Installing and Configuring CaddyCaddy is the security gatekeeper of this setup. It sits between Tailscale Funnel and your weather dashboards, deciding exactly what the public internet is allowed to see. Everything not explicitly permitted is blocked.
Step 1: Download and Install Caddy on Windows 118. Go to caddyserver.com/download
9. Select Windows and amd64 architecture
10. Download the Caddy executable — it will arrive with a version-specific filename such as: caddy_2.9.1_windows_amd64.exe
11. Create a dedicated folder: C:\Caddy\
12. Move the downloaded file into C:\Caddy\
13. Rename it to caddy.exe — open Command Prompt in C:\Caddy\ and run:
rename caddy_2.9.1_windows_amd64.exe caddy.exe
Note: Substitute the actual filename you downloaded in the rename command above.
Step 2: Create Your CaddyfileThe Caddyfile is Caddy's configuration file. Create a new file called Caddyfile (no extension) in C:\Caddy\ with the following content:
This configuration uses a block-list approach — all CumulusMX public pages (gauges, charts, reports) pass through freely, while known sensitive API and admin endpoints are explicitly blocked with a 403 Forbidden response.
Request Path
Result
/gauges.htm
Allowed — proxied to CumulusMX
/api/settings*
403 Forbidden
/api/station*
403 Forbidden
/login*
403 Forbidden
/api/edit*
403 Forbidden
Any other public page
Allowed — proxied to CumulusMX
Note: Replace localhost:8998 with your CumulusMX IP and port if Caddy is running on a different machine.
Step 3: Start CaddyOpen Command Prompt as Administrator, navigate to your Caddy folder and test the configuration:
cd C:\caddy
caddy validate
A clean response looks like: Valid configuration
Then start Caddy manually to verify it works:
caddy run
Step 4: Install Caddy as a Windows ServiceOnce you've verified Caddy works, install it as a Windows service so it starts automatically with Windows. Open Command Prompt as Administrator:
cd C:\caddy
caddy service install
caddy service start
Verify the service is running:
sc query caddy
You should see: STATE: 4 RUNNING
What You've Accomplished• Caddy is installed and running on oscar-ii
• Your Caddyfile blocks all sensitive CumulusMX admin paths
• Caddy is configured as a Windows service, starting automatically
• HTTPS is handled automatically by Caddy — no certificate management needed
• CumulusMX admin interface is protected — only accessible via Tailscale
Section 6: CumulusMX Internet SettingsCumulusMX needs to be configured to serve its web files locally so that Caddy can proxy them. This is done through the Internet Settings tab in the CumulusMX setup wizard.
Configure Local Copy14. Open CumulusMX in your browser at http://100.110.13.52:8998 (your Tailscale IP) --Use your URL; this is my URL
15. Navigate to Settings > Internet Settings
16. Under Web Hosting Site > Local Copy, check Enable local file copy of standard files
17. Set Local copy destination folder path to: C:\CumulusMX\webfiles\
18. Leave Upload unchecked — Caddy serves files locally, no FTP needed
19. Click Save Settings
With this configuration, CumulusMX writes all its web files to C:\CumulusMX\webfiles\ and Caddy serves them directly from that location. No external hosting or FTP required.
CumulusMX Auto-startTo ensure CumulusMX starts automatically when oscar-ii boots:
20. Open Task Manager (Ctrl+Shift+Esc)
21. Click the Startup apps tab
22. Click Add and browse to C:\CumulusMX\CumulusMX.exe
23. CumulusMX will now start automatically when Windows boots
Note: CumulusMX must be running for the Caddy reverse proxy to work. If CumulusMX is not started, visitors will see a 502 error on the gauges page.
Section 7: Putting It All TogetherWith Tailscale, Caddy, and CumulusMX all configured, it's time to verify the complete setup works correctly.
Step 1: Verify Your Public Weather DashboardTo properly test public access, you need to verify from outside your home network. The most reliable way is to use your mobile phone as a hotspot and connect a laptop or tablet to it — this puts you on your cellular carrier's network, completely separate from your home network and Tailscale.
Test Method
Reliable?
Phone hotspot (laptop connects to it)
Yes — truly external
Phone browser on cellular
Yes — truly external
Home network device
No — local access, false positive
Tailscale-connected device
No — private access, false positive
Connect your laptop to your phone's hotspot, then navigate to your CumulusMX gauges page:
https://oscar-ii.tailb986d2.ts.net/gauges.htm --Use your Domain for Tailscale
You should see your CumulusMX gauges page with live weather data, served securely over HTTPS.
Step 2: Verify Admin Interfaces Are BlockedThis is the critical security check. From the same device on cellular, try accessing the admin interface:
https://oscar-ii.tailb986d2.ts.net/api/settings
https://oscar-ii.tailb986d2.ts.net/login
Both should return: 403 Forbidden
If you see the CumulusMX admin interface from a public connection, stop and review your Caddyfile configuration before proceeding.
Step 3: Verify Private Admin Access Still WorksSwitch back to a device on your Tailscale network and confirm private admin access is unaffected:
http://100.110.13.52:8998 (CumulusMX admin)
http://192.168.12.15/weewx/ (WeeWX dashboard)
Both should load normally — your private access via Tailscale is completely unchanged.
Troubleshooting Common IssuesSymptom
Likely Cause
Fix
403 on /gauges.htm
CumulusMX not running
Start CumulusMX, check port 8998
Certificate error
Funnel not active
Run: tailscale funnel status
Caddy not starting
Service not installed
Re-run: caddy service install
Admin interface exposed
Caddyfile misconfigured
Review @blocked paths
502 error on gauges
CumulusMX stopped
Restart CumulusMX
Dashboards offline after reboot
CumulusMX not in startup
Add to Task Manager Startup
Section 8: Complete Auto-Start ReferenceHere is the complete picture of how every component starts automatically when their respective machines boot:
Raspberry Pi — systemd servicesComponent
Auto-start Method
Verify Command
FOSHKplugin
systemd (enabled)
sudo systemctl status foshkplugin
WeeWX
systemd (enabled)
sudo systemctl status weewx
Apache2
systemd (enabled)
sudo systemctl status apache2
oscar-ii Windows 11Component
Auto-start Method
Notes
Caddy
Windows Service
caddy service install
Tailscale Funnel
Persistent (--bg flag)
tailscale funnel --bg 443
CumulusMX
Task Manager Startup
Add CumulusMX.exe to Startup apps
Section 9: Conclusion and Next StepsCongratulations! You've built a secure, elegant solution for sharing your personal weather station data with the world — without exposing a single internal setting or admin interface to the public internet.
What You Built• Tailscale Funnel replaced the need for domain registration, static IP addresses, dynamic DNS, port forwarding, and firewall configuration — and works even behind CGNAT
• Caddy replaced complex web server configuration with a handful of clean, readable lines — and handles HTTPS certificates automatically
• Your CumulusMX gauges dashboard is now publicly accessible from a single secure URL
• Your admin interfaces remain completely invisible to the public internet
• Everything survives a reboot automatically
Sharing Your Weather DataNow that your dashboard is public, consider sharing it with the wider weather community:
• Weather Underground — add your public dashboard URL to your PWS profile
• CWOP (Citizens Weather Observer Program) — register your station at wxqa.com if you haven't already (station ID format: FWxxxx)
• Wxforum.net — an excellent community for personal weather station enthusiasts and a great place to get help: wxforum.net
• Reddit — r/homeautomation and r/raspberry_pi communities appreciate setups like this one
Next Steps and Further CustomizationExpand your FOSHKplugin destinations:
FOSHKplugin can forward your data to many additional destinations simultaneously — OpenWeather, PWS Weather, Weather Observations Website (WOW), AWEKAS, and more. Each destination is simply a new [Forward-N] block in foshkplugin.conf.
Explore WeeWX skins:
The default WeeWX Seasons skin is functional but many beautiful alternatives exist — Belchertown (modern, responsive), Weather34 (feature-rich), and others. Each can be served publicly through the same Caddy configuration.
Secure your Raspberry Pi with Tailscale:
Installing Tailscale on your Raspberry Pi gives you secure remote SSH access from anywhere with no open SSH port required:
ssh pi@raspberrypi.tailXXXX.ts.net
Monitor your setup:
Consider setting up UptimeRobot (free) to ping your public dashboard URL and notify you by email if it goes offline.
Community and ResourcesResource
URL
Wxforum.net community
WeeWX documentation
FOSHKplugin documentation
https://foshkplugin.phantasoft.de
Tailscale documentation
Caddy documentation
CWOP registration
CumulusMX forum
https://cumulus.hosiene.co.uk/index.php
Clear skies and steady barometers!
Comments