submitted 2 days ago by [email protected] to c/[email protected]

Back again with another request for help.

I'm trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self hosted services when I'm not at home. My (naive) assumption was that once my device was connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz url and access things that way. That isn't happening.

I'm running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.

I have set up Tailscale both on my server and phone, I'm able to connect to my server as an exit node, but I don't seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can't access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).

This is my compose file:

  services:
    tailscale-authkey1:
      image: tailscale/tailscale:latest
      hostname: myhost
      environment:
        - TS_AUTHKEY=xx
        - TS_STATE_DIR=/var/lib/tailscale
        - TS_USERSPACE=false
        - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
        - TS_ROUTES=192.168.0.0/24
      volumes:
        - ts-authkey-test:/var/lib/tailscale
        - /dev/net/tun:/dev/net/tun
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      restart: unless-stopped
    nginx-authkey-test:
      image: nginx
      network_mode: service:tailscale-authkey1

I'm not sure what I should do - I'm seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that's clearly if you're running on bare metal. I've also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that's way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).

Thanks for any help!

top 35 comments
[-] [email protected] 2 points 13 hours ago

Hey, if you're just looking for a reverse proxy my recommendation is Caddy. Give it port 443 and 80 and it'll reverse proxy you to wherever you want depending on the subdomain/port

[-] [email protected] 5 points 1 day ago

I also tried tailscale in a docker container as a subnet handler and realized I was out of my depth. Net engineering is abstract and hard. There's a reason there are pros making bank just doing that for big corps.

Followed a way simpler setup. Now tailscale runs on the server bare metal and podman handles the routing automatically. I just use the magicDNS address given by tailscale and everything just works as intended. All my services are available, and apps run no issue, no matter where I am as long as I'm connected to tailscale. I will make the setup more complex as I learn more and acquire the need for more features. But so far this has met all my expectations.

[-] [email protected] 2 points 1 day ago

I also do this. Just run Tailscale on bare metal and then I can access all my services the same as if I was on my LAN, essentially.

[-] [email protected] 1 points 1 day ago

I may be (probably am) worrying too much about this, but doesn't that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that's from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services' front ends but not the data they rely on since Tailscale itself doesn't have that access.

[-] [email protected] 1 points 23 hours ago

You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.

I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.

But your point does make sense to me.

[-] [email protected] 1 points 1 day ago

It's true, and I was wondering if that would be the route I have to go. Good to know it has been a positive experience.

[-] [email protected] 1 points 1 day ago

Sorry if this has been answered but are you running this in docker on a VM or LXC?

[-] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Proxmox does say docker isn't officially supported in LXC. That being said I'm running 10 docker containers with no issues on an LXC. I have recently had some weird database not connecting issues and other strange new docker containers not working in an LXC for some reason. If you can I would try the same setup but in a VM and see what happens.

I recently was trying to get authentik setup via docker and it just wouldn't work. I gave up and spun up a VM, ran the same docker compose file and it worked right away.

Hopefully this helps?

[-] [email protected] 13 points 2 days ago

Read this section on setting up forwarding on Linux. You’ll want to do this on the host that is running docker and it should carry down into the container itself.

https://tailscale.com/kb/1019/subnets?q=forwarding#connect-to-tailscale-as-a-subnet-router

[-] [email protected] 2 points 1 day ago

Thanks, I did check that my machine had IP forwarding enabled, and it does. I also ran those lines to create the config file as well, but that didn't change anything. And I do have the lines in my compose file to advertise routes.

[-] [email protected] 2 points 1 day ago

If it's enabled, then this command should produce a 1 in the output:

cat /proc/sys/net/ipv4/ip_forward

[-] [email protected] 1 points 1 day ago

Yes, it does (been checking with sysctl net.ipv4.ip_forward, but guess it's the same thing). It seems like the issue may be that IPv6 may not be enabled within the container. It's enabled on the host, but the docker logs say ipv6 forwarding is not enabled.

[-] [email protected] 1 points 1 day ago

Did you end up enabling ipv6 as well? Did that help?

[-] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Yes, I believe I made the stupid mistake of not restarting after enabling. Once I did that the warning went away and I was able to enable subnets, but I'm still not able to see my local services (where I try to access via the IP of the host given by Tailscale or the magicDNS address). So, progress!

ETA: I also had removed the advertise exit nodes line and restarted the container with the --reset flag. After the warning went away I re-added the exit node option and I get the warning that it is misconfigured again.

[-] [email protected] 2 points 1 day ago

You don’t use the local ip address to access things when you’re remote - in Tailscale you can see that it gives you a remote IP to use to access things.

[-] [email protected] 4 points 1 day ago

Yeah, I've tried the 100.x.x.x IP and their tailscale URLs, neither of which work.

[-] [email protected] -1 points 1 day ago

Can’t really help you then sorry, it’s always just worked out of the box for me with all my services so I haven’t had to troubleshoot or mess around with it.

[-] [email protected] 3 points 1 day ago

That's what I was counting on! Guess I just have to look at it as a learning opportunity.

[-] [email protected] -2 points 1 day ago

Do you have an exit node specified?

[-] [email protected] 2 points 1 day ago

Yes, the machine that is running Docker/Tailscale is serving as an exit node and it hosts all the other services I want to access, which are also in containers.

[-] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Glad I'm not the only one struggling with this. I was able to get nginx to give me the congratulations page via the Tailscale IP for the machine, but getting that routing to work with my own custom name is giving me a headache. I am probably adding an extra unnecessary layer by trying to use AdGuard Home as a DNS rewrite. If you crack it I'd love to hear how you achieved it.

[-] [email protected] 2 points 1 day ago

My theoretical reasoning is: make AdGuard the DNS server, tell Tailscale to use that, and then parse all rewrites and DNS for the Tailscale network through that endpoint (including the exit node, which is on the same machine).

[-] [email protected] 2 points 1 day ago

I routed the dns of the vm to the tailscale adguard and it worked.

[-] [email protected] 2 points 2 days ago

Sorry for misformatted code.

  services:
    tailscale-authkey1:
      image: tailscale/tailscale:latest
      hostname: myhost
      environment:
        - TS_AUTHKEY=xx
        - TS_STATE_DIR=/var/lib/tailscale
        - TS_USERSPACE=false
        - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
        - TS_ROUTES=192.168.0.0/24
      volumes:
        - ts-authkey-test:/var/lib/tailscale
        - /dev/net/tun:/dev/net/tun
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      restart: unless-stopped
    nginx-authkey-test:
      image: nginx
      network_mode: service:tailscale-authkey1
  # The named volume used above has to be declared at the top level as well,
  # otherwise compose rejects the file with an "undefined volume" error.
  volumes:
    ts-authkey-test:

[-] [email protected] 1 points 1 day ago* (last edited 1 day ago)

try adding the sysctls parameters to your docker container too
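The forwarding check from the earlier replies and the sysctls suggestion above, as an added example (not any commenter's code): a small POSIX sh script that checks net.ipv4.ip_forward and net.ipv6.conf.all.forwarding both on the host and inside the container's own network namespace, since those values are per namespace and the host reading 1 does not carry into the container. It assumes the container is named tailscale-authkey1 as in the posted compose file, and by default runs against a constructed fake /proc tree so it can be tried without Docker.

```shell
#!/bin/sh
# Added example for this thread, not any commenter's code.
# net.ipv4.ip_forward and net.ipv6.conf.all.forwarding are per network
# namespace: the host showing 1 says nothing about the namespace Tailscale
# runs in, which is what the "misconfigured" warning is looking at.
# Assumed container name: tailscale-authkey1 (from the posted compose file).

KEYS="/proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding"

# forwarding_missing RUNNER
#   RUNNER is a command prefix that runs "cat" in the target namespace:
#   "" for the host, "docker exec <container>" for a container.
#   Prints each sysctl path whose value is not 1; prints nothing if all are on.
forwarding_missing() {
    runner=$1
    for key in $KEYS; do
        val=$($runner cat "$key" 2>/dev/null)
        [ "$val" = "1" ] || printf '%s\n' "$key"
    done
}

# report LABEL RUNNER: human-readable verdict, exit status 0 only if all are on.
report() {
    missing=$(forwarding_missing "$2")
    if [ -z "$missing" ]; then
        printf '%s: forwarding enabled\n' "$1"
        return 0
    fi
    printf '%s: forwarding NOT fully enabled, keys not set to 1:\n' "$1"
    printf '  %s\n' $missing
    printf '  (for a container, set these under "sysctls:" in compose)\n'
    return 1
}

# Constructed demo: a fake /proc tree with IPv4 forwarding on and IPv6 off,
# the exact state hit in this thread, so the checks run without Docker.
FAKE=$(mktemp -d)
mkdir -p "$FAKE/proc/sys/net/ipv4" "$FAKE/proc/sys/net/ipv6/conf/all"
echo 1 > "$FAKE/proc/sys/net/ipv4/ip_forward"
echo 0 > "$FAKE/proc/sys/net/ipv6/conf/all/forwarding"
fake_ns() { shift; cat "$FAKE$1"; }   # acts like "cat" inside the fake namespace

if [ "${1:-}" = "--live" ]; then      # ./check.sh --live : real host + container
    report "host" ""
    report "container tailscale-authkey1" "docker exec tailscale-authkey1"
else                                  # default: demo on the fake namespace
    report "fake ns (before fix)" fake_ns || echo 1 > "$FAKE/proc/sys/net/ipv6/conf/all/forwarding"
    report "fake ns (after fix)" fake_ns
fi
```

Run it with --live on the Docker host to compare the two namespaces; a key listed only for the container is the one to add under sysctls: in the compose file.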

[-] [email protected] 0 points 1 day ago

You're not advertising 196.x.x.x routes to your tailnet?

[-] [email protected] 2 points 1 day ago

No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I'm using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).

[-] [email protected] 3 points 1 day ago

The firewall on your server may need masquerading set and IP forwarding set.

[-] [email protected] 1 points 1 day ago

This may sound crazy but do you have an AT&T router?

I have not been able to solve it myself yet unfortunately but having two routers has made it impossible for me to use Tailscale/Wireguard/ZeroTier etc. in much the same way as you’re describing.

The devices “see” each other but can’t connect no matter what configuration I follow, what firewall settings I tweak, nothing. I think there’s a pass through problem where UPnP is in conflict.

Sorry I don’t have an answer but I promise you’re not alone in your frustration.

[-] [email protected] 2 points 1 day ago

Misery loves company! Mine is Verizon and there was a setting that was causing me trouble recently, but probably is unrelated to yours (was DNS rebind protection).

[-] [email protected] 2 points 1 day ago

Is that because the AT&T router uses the same subnet as tailscale? I seem to remember seeing similar issues in the past?

[-] [email protected] 1 points 1 day ago

Maybe? The port setups work fine on the home router (such as accessing Steam link/Sunshine from a TV) but because it’s behind the mandatory AT&T modem it causes some nasty configuration headaches for external access.

[-] [email protected] 1 points 1 day ago

Not sure if this is related or not but on Linux when I have a machine on the same subnet as an advertised route that I have connected to Tailscale, I can’t access the local subnet at all. On Macs it’s fine, only Linux. I had to hunt down this little trick:

ip ro del table 52 <subnet>

There are other ways to solve it but I added this to the service that starts Tailscale.

You can read more about it here. https://github.com/tailscale/tailscale/issues/6231

[-] [email protected] 1 points 1 day ago

That was an interesting rabbit hole. I'm not sure if it's related or not, but maybe I'll give it a shot once I get my head wrapped around what it really means (though by then they might have developed a fix... and I see how long that's taken so far)

this post was submitted on 19 Sep 2025
35 points (100.0% liked)