Back again with another request for help.
I’m trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self-hosted services when I’m not at home. My (naive) assumption was that once my device was connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz URL and access things that way. That isn’t happening.
I’m running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.
I have set up Tailscale both on my server and phone, I’m able to connect to my server as an exit node, but I don’t seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can’t access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).
This is my compose file:
services:
  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      # containerboot splits TS_EXTRA_ARGS on whitespace, so separate flags with spaces, not commas
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1

# the named volume used above has to be declared at the top level for compose to accept it
volumes:
  ts-authkey-test:
I’m not sure what I should do - I’m seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that’s clearly if you’re running on bare metal. I’ve also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that’s way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).
Thanks for any help!
Glad I’m not the only one struggling with this. I was able to get nginx to give me the congratulations page via the Tailscale IP for the machine, but getting that routing to work with my own custom name is giving me a headache. I am probably adding an extra unnecessary layer by trying to use AdGuard Home as a DNS rewrite. If you crack it I’d love to hear how you achieved it.
My theoretical reasoning is: make AdGuard be the DNS server, tell Tailscale to use that, and then parse all rewrites and DNS for the Tailscale network through that endpoint (including the exit node, which is on the same machine).
Read this section on setting up forwarding on Linux. You’ll want to do this on the host that is running docker and it should carry down into the container itself.
https://tailscale.com/kb/1019/subnets?q=forwarding#connect-to-tailscale-as-a-subnet-router
Thanks, I did check that my machine had IP forwarding enabled, and it does. I also ran those lines to create the config file as well, but that didn’t change anything. And I do have the lines in my compose file to advertise routes.
If it’s enabled then this command should produce a 1 in the output:
cat /proc/sys/net/ipv4/ip_forward
Yes, it does (been checking with sysctl net.ipv4.ip_forward, but guess it’s the same thing). It seems like the issue may be that IPv6 may not be enabled within the container. It’s enabled on the host, but the docker logs say ipv6 forwarding is not enabled.
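The exchange above comes down to two sysctls: the IPv4 check the reply quotes, and the IPv6 forwarding key that the container logs complain about. The script below is an added example, not code from this thread or from Tailscale; it reads both values, tells you whether both are on, and prints the /etc/sysctl.d/99-tailscale.conf lines from the Tailscale subnet-router KB when they are not. PROC_ROOT is an assumed override so the checks can be run against a constructed directory tree instead of the real /proc. The compose sysctls stanza it prints is also an assumption added here: net.ipv4.ip_forward is per network namespace, so a container running in its own network namespace does not inherit the host setting; the thread itself does not establish that this is the OP's fix.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tailscale: check the two
# forwarding sysctls behind the "needs IP forwarding" warning
# (net.ipv4.ip_forward and net.ipv6.conf.all.forwarding) and print the fixes.
# PROC_ROOT is an assumed override (default: the real /proc) so the checks can
# be exercised against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-}"

forwarding_value() {
  # $1 is ipv4 or ipv6. Prints the sysctl's value (0 or 1), or "missing" when
  # the file is absent, which is what you get when IPv6 is disabled entirely.
  case "$1" in
    ipv4) f="$PROC_ROOT/proc/sys/net/ipv4/ip_forward" ;;
    ipv6) f="$PROC_ROOT/proc/sys/net/ipv6/conf/all/forwarding" ;;
    *) echo "usage: forwarding_value ipv4|ipv6" >&2; return 2 ;;
  esac
  if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

forwarding_ok() {
  # Succeeds only when both address families forward; the warning wants both.
  [ "$(forwarding_value ipv4)" = 1 ] && [ "$(forwarding_value ipv6)" = 1 ]
}

sysctl_snippet() {
  # Host-side fix from the Tailscale subnet-router KB: put these two lines in
  # /etc/sysctl.d/99-tailscale.conf and apply with
  # "sysctl -p /etc/sysctl.d/99-tailscale.conf".
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

compose_sysctls_snippet() {
  # Container-side equivalent (an assumption added here, not something the
  # thread established): net.ipv4.ip_forward is per network namespace, so a
  # container with its own network namespace needs the keys set through the
  # compose "sysctls:" key as well, not only on the host.
  printf '    sysctls:\n      - net.ipv4.ip_forward=1\n      - net.ipv6.conf.all.forwarding=1\n'
}

report() {
  echo "ipv4 forwarding: $(forwarding_value ipv4)"
  echo "ipv6 forwarding: $(forwarding_value ipv6)"
  if forwarding_ok; then
    echo "both forwarding sysctls are on"
  else
    echo "forwarding is not fully enabled; host fix (/etc/sysctl.d/99-tailscale.conf):"
    sysctl_snippet
    echo "container fix (add to the tailscale service in compose):"
    compose_sysctls_snippet
  fi
}

# Run "sh check-forwarding.sh report" on the Docker host, and again with
# "docker exec <tailscale-container> sh check-forwarding.sh report" after
# copying the script in, to see whether the container's namespace differs.
if [ "${1:-}" = "report" ]; then
  report
fi
```

Run it on the host first; if the host reports both values as 1 but the container reports 0 or "missing", the warning in the admin console is about the container's own network namespace, which is the case the compose stanza is for.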
This may sound crazy but do you have an AT&T router?
I have not been able to solve it myself yet unfortunately but having two routers has made it impossible for me to use Tailscale/Wireguard/ZeroTier etc. in much the same way as you’re describing.
The devices “see” each other but can’t connect no matter what configuration I follow, what firewall settings I tweak, nothing. I think there’s a pass through problem where UPnP is in conflict.
Sorry I don’t have an answer but I promise you’re not alone in your frustration.
Misery loves company! Mine is Verizon and there was a setting that was causing me trouble recently, but probably is unrelated to yours (was DNS rebind protection).
Is that because the AT&T router uses the same subnet as tailscale? I seem to remember seeing similar issues in the past?
Maybe? The port setups work fine on the home router (such as accessing Steam link/Sunshine from a TV) but because it’s behind the mandatory AT&T modem it causes some nasty configuration headaches for external access.
Not sure if this is related or not, but on Linux, when I have a machine on the same subnet as an advertised route that I have connected to Tailscale, I can’t access the local subnet at all. On Macs it’s fine, only Linux. I had to hunt down this little trick:
ip ro del table 52 <subnet>
There are other ways to solve it but I added this to the service that starts Tailscale.
You can read more about it here. https://github.com/tailscale/tailscale/issues/6231
That was an interesting rabbit hole. I’m not sure if it’s related or not, but maybe I’ll give it a shot once I get my head wrapped around what it really means (though by then they might have developed a fix… and I see how long that’s taken so far)
You don’t use the local ip address to access things when you’re remote - in Tailscale you can see that it gives you a remote IP to use to access things.
Yeah, I’ve tried the 100.x.x.x IP and their tailscale URLs, neither of which work.
Can’t really help you then sorry, it’s always just worked out of the box for me with all my services so I haven’t had to troubleshoot or mess around with it.
That’s what I was counting on! Guess I just have to look at it as a learning opportunity.
Do you have an exit node specified?
Yes, the machine that is running Docker/Tailscale is serving as an exit node and it hosts all the other services I want to access, which are also in containers.
Sorry for misformatted code.
services:
  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      # containerboot splits TS_EXTRA_ARGS on whitespace, so separate flags with spaces, not commas
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1

# the named volume used above has to be declared at the top level for compose to accept it
volumes:
  ts-authkey-test:
You’re not advertising 196.x.x.x routes to your tailnet?
No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I’m using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).
The firewall on your server may need masquerading set and IP forwarding set.