Back again with another request for help.

I’m trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self-hosted services when I’m not at home. My (naive) assumption was that once my device was connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz URL and access things that way. That isn’t happening.

I’m running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.

I have set up Tailscale both on my server and phone, I’m able to connect to my server as an exit node, but I don’t seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can’t access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).

This is my compose file:

  services:
    tailscale-authkey1:
      image: tailscale/tailscale:latest
      hostname: myhost
      environment:
        - TS_AUTHKEY=xx
        - TS_STATE_DIR=/var/lib/tailscale
        - TS_USERSPACE=false
        - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
        - TS_ROUTES=192.168.0.0/24
      volumes:
        - ts-authkey-test:/var/lib/tailscale
        - /dev/net/tun:/dev/net/tun
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      restart: unless-stopped
    nginx-authkey-test:
      image: nginx
      network_mode: service:tailscale-authkey1

  # the named volume used above must be declared at the top level or compose rejects the file
  volumes:
    ts-authkey-test:

I’m not sure what I should do - I’m seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that’s clearly if you’re running on bare metal. I’ve also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that’s way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).

Thanks for any help!
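The "enable IP forwarding" warning on the Machines tab is Tailscale's way of saying the kernel it is running against will not forward packets for the advertised routes. The two sysctls involved are net.ipv4.ip_forward and net.ipv6.conf.all.forwarding, and because a container has its own network namespace, the value on the host and the value seen inside the tailscale container can differ. The script below is an added example, not code from this thread or from Tailscale: it reads the keys straight from /proc/sys (the PROC_SYS variable is an assumption of the example, there so the same check can be pointed at a test fixture), reports which ones are not 1, and prints the /etc/sysctl.d drop-in that the subnet-router guide linked above describes for a bare-metal host.

```shell
#!/bin/sh
# Added example (not from the thread or from Tailscale): report whether the
# forwarding sysctls a Tailscale subnet router / exit node depends on are set.
# Assumption: values are read from /proc/sys; PROC_SYS overrides the root so
# the checker can be run against a fixture directory.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# The two keys the Tailscale subnet-router guide asks for.
FORWARDING_KEYS="net/ipv4/ip_forward net/ipv6/conf/all/forwarding"

# sysctl_is_one KEY -> 0 if the key reads "1", 1 if it reads anything else,
# 2 if the file does not exist or cannot be read.
sysctl_is_one() {
    f="$PROC_SYS/$1"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# check_forwarding -> 0 when every key is 1, 1 otherwise; prints one line per key.
check_forwarding() {
    rc=0
    for key in $FORWARDING_KEYS; do
        if sysctl_is_one "$key"; then
            echo "ok    $key = 1"
        else
            echo "FAIL  $key is not 1 (Tailscale shows the 'enable IP forwarding' warning)"
            rc=1
        fi
    done
    return $rc
}

# print_sysctl_conf -> the drop-in the Tailscale subnet-router guide gives for a
# bare-metal host. Write it to /etc/sysctl.d/99-tailscale.conf and apply it with
# 'sysctl -p /etc/sysctl.d/99-tailscale.conf'.
print_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

# Run the check only when the file is executed under this name, so the
# functions can also be sourced from another shell without side effects.
case "${0##*/}" in
    check-forwarding.sh) check_forwarding ;;
esac
```

Run it once on the host and once inside the container (for example `docker exec tailscale-authkey1 sh -c 'cat /proc/sys/net/ipv4/ip_forward'` reads the container's copy directly). If the host passes but the container does not, the compose `sysctls:` key (for example `- net.ipv4.ip_forward=1`) sets the value in that container's namespace; whether that clears the warning in this particular setup is not something the thread confirms, so treat it as the next thing to test rather than a known fix.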

  • dustyData@lemmy.world · 5 upvotes · 1 day ago

    I also tried tailscale in a docker container as a subnet handler and realized I was out of my depth. Net engineering is abstract and hard. There’s a reason there are pros making bank just doing that for big corps.

    Followed a way simpler setup. Now tailscale runs on the server bare metal and podman handles the routing automatically. I just use the MagicDNS address given by tailscale and everything just works as intended. All my services are available, and apps run no issue, no matter where I am as long as I’m connected to tailscale. I will make the setup more complex as I learn more and acquire the need for more features. But so far this has met all my expectations.

    • lankydryness@lemmy.world · 2 upvotes · 1 day ago

      I also do this. Just run Tailscale on bare metal and then I can access all my services the same as if I was on my LAN, essentially.

      • pirateMonkey@lemmy.world (OP) · 1 upvote · 1 day ago

        I may be (probably am) worrying too much about this, but doesn’t that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that’s from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services’ front ends but not the data they rely on since Tailscale itself doesn’t have that access.

        • lankydryness@lemmy.world · 1 upvote · 24 hours ago

          You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.

          I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.

          But your point does make sense to me.

    • pirateMonkey@lemmy.world (OP) · 1 upvote · 1 day ago

      It’s true, and I was wondering if that would be the route I have to go. Good to know it has been a positive experience.