[Plugin] Tailscale


On 4/5/2024 at 3:02 PM, dopeytree said:

This plugin seems to be averaging around 42% cpu which seems a bit on the high side. 

It's a newish 13-600H with aes chip built in etc. 

 

I run tailscale on my pfsense router but added this plugin as a backup.

 

What do others see cpu wise?

Tailscale CPU load is usually traffic-dependent; how much are you sending via Tailscale?

 

Otherwise, diagnostics would be helpful to see if there's something else going on.

Link to comment

I must be overlooking something simple but I’d like to access my server while on the go via IP Address when I’m using the VPN.  While Tailscale does connect, I cannot access any of the local services running on my server via IP.  Where do I configure local access?  

Link to comment

Hello!


I used the script on the help tab to get an HTTPS cert working for my webgui. All good.

Now I'm trying to copy the cert over to some docker containers to get HTTPS on more of my services, following the steps on the help tab. I'm new to this kinda thing, so bear with me, but once copied over, how do I get the certs working? The instructions end and that's where I (a newbie) get lost.

 

Thanks in advance!

 

 


Link to comment
10 hours ago, marklevark said:

Hello!


I used the script on the help tab to get an HTTPS cert working for my webgui. All good.

Now I'm trying to copy the cert over to some docker containers to get HTTPS on more of my services, following the steps on the help tab. I'm new to this kinda thing, so bear with me, but once copied over, how do I get the certs working? The instructions end and that's where I (a newbie) get lost.

 

Thanks in advance!

 

 


This isn’t something that I can really help with, you’d have to refer to the documentation for the containers to see how to replace the certificate that each uses. 

Link to comment
On 4/7/2024 at 3:31 PM, 01111000 said:

I must be overlooking something simple but I’d like to access my server while on the go via IP Address when I’m using the VPN.  While Tailscale does connect, I cannot access any of the local services running on my server via IP.  Where do I configure local access?  

Are you trying to use the Tailscale IP or the LAN IP?

Link to comment

Hi, is there a way to set a delay for starting this plugin?

 

Context:

My case is kind of special. I don't use a physical router but run OpenWRT on Unraid as a VM. Each time I reboot Unraid, it reboots itself first, and then starts an OpenWRT router at 192.168.1.1. This setup may be kind of awkward, but it is very popular in the Chinese community. Many Chinese users have a demand for router-based plugins, which require running a router on an x86 system, and if they own a NAS, why not run a router as a VM on that NAS? Although I doubt there are many Tailscale users in the Chinese community.

 

However, a more complex system has more chances to fail. In my case, I always lose connection to my Unraid server via Tailscale after I reboot it. I need to manually restart the Tailscale plugin after the Unraid server finishes rebooting, and then I can connect to it via Tailscale again. I suspect this is because the Tailscale plugin starts before the OpenWRT VM when Unraid reboots. The plugin is required to send some info to the Tailscale server when it starts up, in order to let the Tailnet find this Unraid device. However, since the OpenWRT VM boots later than the Tailscale plugin, there is no Internet connection available to send that info. And then, for some reason, the plugin won't try sending the info to the Tailscale server again, even after the OpenWRT VM has finished booting.

 

A possible easy workaround is to add an option to let the user set a delay for starting the plugin when the server reboots. It would be even better if we could fix why the plugin won't retry sending the info to the Tailscale server, but I don't know how much effort is needed to fix that. Or perhaps stopping sending the info is intended behavior to avoid consuming system resources.

 

I also attached my diagnosis info below, in case my inference is totally wrong.

 

Thanks!

 

Edited by Secluded
Removed diagnosis file since issue resolved.
Link to comment
18 minutes ago, Secluded said:

A possible easy workaround is to add an option to let the user set a delay to start the plugin

This will not work with plugins but with docker containers (I believe there is one for Tailscale) in the Advanced View in the docker tab you can

  • drag-and-drop containers to change their startup order (they start in order from top to bottom)
  • Set a delay after starting a container before starting the next one in the order

I am not sure when VMs start up compared to docker containers but Tailscale as a docker container could be set to be the last one to start with a delay after the container before it.

Link to comment
18 hours ago, 01111000 said:

LAN IP

You mean your computer was running another VPN besides Tailscale? And you can connect to your service via LAN IP if you turn that VPN off? That may be because your VPN software has a built-in firewall to prevent leaking your true IP, which is very common for many commercial VPNs. Some of them are set to pass through the LAN IP (192.168.x.x) by default, but some may need you to set it up yourself. Your case may be the latter one.

Link to comment
4 minutes ago, Hoopster said:

This will not work with plugins but with docker containers (I believe there is one for Tailscale) in the Advanced View in the docker tab you can

  • drag-and-drop containers to change their startup order (they start in order from top to bottom)
  • Set a delay after starting a container before starting the next one in the order

I am not sure when VMs start up compared to docker containers but Tailscale as a docker container could be set to be the last one to start with a delay after the container before it.

Hi Hoopster, thank you for the advice! ☺️ Yeah, using a docker version seems a feasible way.

 

While I still would like to let the plugin developer know this problem, and to see if this can be fixed from the developer side.

 

I will try switching to the docker version if this won't be fixed for the plugin version.

Link to comment
6 hours ago, Secluded said:

Hi Hoopster, thank you for the advice! ☺️ Yeah, using a docker version seems a feasible way.

 

While I still would like to let the plugin developer know this problem, and to see if this can be fixed from the developer side.

 

I will try switching to the docker version if this won't be fixed for the plugin version.

Adding a "delay start" isn't something that I plan to add to the plugin settings.

 

Reason: using arbitrary delay values to solve race conditions is generally bad and should be avoided.

Secondary reason: the User Scripts plugin can do what you're trying to accomplish, and since this is technically not a Tailscale problem I'd rather not start trying to build fixes into the plugin for other plugins/containers.

 

Ideally, you'd want to build something smart that would run "At startup of array" which would:

  1. Wait for the container you want to be started (hint), then
  2. Restart Tailscale using the script at /usr/local/emhttp/plugins/tailscale/restart.sh

Alternately, you could just build a simple wait by doing this in an "at startup of array" script (change the 60 seconds as needed):

 

sleep 60
/usr/local/emhttp/plugins/tailscale/restart.sh

 

Link to comment
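Added example, not part of the original posts or the plugin's own code: the "wait for the dependency, then restart" approach from the post above, written as a User Scripts "At startup of array" script with a bounded poll instead of a fixed sleep. The gateway address 192.168.1.1 is taken from the earlier post; the timeout, interval and the `wait_for` / `gateway_up` helper names are assumptions.

```bash
#!/bin/bash
# Added example for a User Scripts "At startup of array" job: poll until the
# upstream router answers, then restart the Tailscale plugin once.
# Assumptions: router VM answers ping at 192.168.1.1 (address from the post
# above); TIMEOUT and INTERVAL are illustrative values.

GATEWAY="${GATEWAY:-192.168.1.1}"
TIMEOUT="${TIMEOUT:-300}"    # stop waiting after this many seconds
INTERVAL="${INTERVAL:-5}"    # seconds between probes
RESTART_SCRIPT=/usr/local/emhttp/plugins/tailscale/restart.sh

# wait_for TIMEOUT INTERVAL CMD [ARGS...]
# Re-runs CMD until it succeeds. Returns 0 on success, 1 once TIMEOUT seconds
# have passed without a successful probe.
wait_for() {
    _wf_deadline=$(( $(date +%s) + $1 ))
    _wf_interval=$2
    shift 2
    until "$@" >/dev/null 2>&1; do
        if [ "$(date +%s)" -ge "$_wf_deadline" ]; then
            return 1
        fi
        sleep "$_wf_interval"
    done
    return 0
}

# Probe: one ICMP echo to the router, waiting at most 2 seconds for the reply.
gateway_up() {
    ping -c 1 -W 2 "$GATEWAY"
}

main() {
    if wait_for "$TIMEOUT" "$INTERVAL" gateway_up; then
        logger -t tailscale-wait "gateway $GATEWAY reachable, restarting Tailscale"
        "$RESTART_SCRIPT"
    else
        logger -t tailscale-wait "gateway $GATEWAY unreachable after ${TIMEOUT}s, not restarting"
        return 1
    fi
}

# Run only on a host where the plugin's restart script is installed.
if [ -x "$RESTART_SCRIPT" ]; then
    main
fi
```

A ping reply from the router only shows that the VM is up; replace `gateway_up` with a probe of whatever the restart actually depends on if that is not enough.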
On 4/8/2024 at 10:12 PM, 01111000 said:

LAN IP

Did you configure a subnet router for that network? By default, if you're trying to remotely connect to a Tailscale device, you have to use the Tailscale IP, not the local IP. If you configure a subnet router, however, you can use the local IP remotely as well.

Link to comment
2 hours ago, EDACerton said:

Adding a "delay start" isn't something that I plan to add to the plugin settings.

 

Reason: using arbitrary delay values to solve race conditions is generally bad and should be avoided.

Secondary reason: the User Scripts plugin can do what you're trying to accomplish, and since this is technically not a Tailscale problem I'd rather not start trying to build fixes into the plugin for other plugins/containers.

 

Ideally, you'd want to build something smart that would run "At startup of array" which would:

  1. Wait for the container you want to be started (hint), then
  2. Restart Tailscale using the script at /usr/local/emhttp/plugins/tailscale/restart.sh

Alternately, you could just build a simple wait by doing this in an "at startup of array" script (change the 60 seconds as needed):

 

sleep 60
/usr/local/emhttp/plugins/tailscale/restart.sh

 

Hi EDACerton, thanks for your suggestion! I will give the User Scripts a try.

Link to comment
On 3/14/2024 at 6:57 PM, CrispyFrizzles said:

I am losing my mind with this. I was running the docker img which stopped working a bit ago. I then saw that there was no longer support for it and that it was recommended to install the plugin, which I've done (and uninstalled the img). Now, despite advertising my unraid server as an exit-node as well as adding my subnet routes, I cannot access my local network from any other device running tailscale.

 

I've tried uninstalling and reinstalling the plugin several times now as well as reconfiguring each time, still nothing. 

 

For what it's worth, here's how I configured in command line: tailscale up --accept-dns=false --advertise-exit-node --advertise-routes=10.10.30.0/24 --accept-routes=true

 

--------UPDATE FIXED--------

Alright, I went for broke and fixed it. In case anyone else has a similar issue, here's what I did:

  • Erased the plugin via the plugin's settings
  • Deleted the plugin
  • Rebooted Unraid (this honestly may have been the real fix as I did not do this after deleting the docker img I had originally been using due to the sheer inconvenience of rebooting)
  • Reinstalled the plugin, connected to my tailscale account and disabled key expiry via the tailscale admin panel
  • CLI:
    • tailscale set --advertise-exit-node
      • accepted the exit node via admin panel
    • tailscale set --exit-node-allow-lan-access
      • at this point I tested it, still couldn't connect with local IP, however Tailscale IP worked to access Unraid GUI.
    • tailscale set --advertise-routes=10.10.30.0/24 (my subnet)
      • enabled the subnet route via the admin panel. 
    • Boom. It works.

I imagine you could probably do it all in one shot by typing

tailscale set --advertise-exit-node --exit-node-allow-lan-access --advertise-routes=[your subnet]

 

Hopefully this will prove of use to someone else!

 

Logged in just to say that this worked - you legend,  thank you!

Link to comment

I posted a while back about setting up the Tailscale plugin to be able to access Vaultwarden without opening any ports on my router.

 

I am wondering if anyone is using Vaultwarden with Tailscale on unRaid and, if so, would you mind sharing your setup instructions?

 

Thank you for any help you can provide.

 

-JM2005

Edited by JM2005
Link to comment
On 4/10/2024 at 4:32 AM, EDACerton said:

Did you configure a subnet router for that network? By default, if you're trying to remotely connect to a Tailscale device, you have to use the Tailscale IP, not the local IP. If you configure a subnet router, however, you can use the local IP remotely as well.

I have the same issue; for some reason the LAN IP option is not working, even with subnets enabled.

What can be wrong? I entered 3 commands from the config option on the Tailscale website, but no luck getting it running with the local IP.

Could this be because I have another Tailscale instance on another Unraid PC, but configured in Docker? Exit node is set to the PC which I currently use.

Lol, when I randomly unticked "Use Tailscale subnets" in the Tailscale Windows app, it started working.

Edited by J05u
miracle
Link to comment
1 hour ago, Abomy said:

Hey yes none of it works

In your Tailscale plugin GUI, does your unraid server show any error in the top right? For a while mine said something like "We can't find your Tailscale IP". I ended up erasing the config, deleting the plugin, rebooting, reinstalling and then it worked. Doesn't take long to reconfigure so worth a shot? 

Link to comment
Just now, thegrapeescape177 said:

In your Tailscale plugin GUI, does your unraid server show any error in the top right? For a while mine said something like "We can't find your Tailscale IP". I ended up erasing the config, deleting the plugin, rebooting, reinstalling and then it worked. Doesn't take long to reconfigure so worth a shot? 

Might need to try it out, how do you erase the config?

Link to comment

I set up Tailscale to push routes, and I can ping physical computers and virtual machines, but not any docker containers?  I imagine that's largely because the dockers don't have MAC addresses due to being on ipvlan?  How can I make it so I can ping/access the web GUI of docker containers?

 

.99 is a VM on the unraid server running tailscale.

.6 is another unraid server on the same physical network.

.11 is a nextcloud docker on the unraid server running tailscale.

 

Is it because my br0 docker network is the same network as my physical network? (See third screenshot)

 


Edited by ISOT
Link to comment
27 minutes ago, ISOT said:

I set up Tailscale to push routes, and I can ping physical computers and virtual machines, but not any docker containers?  I imagine that's largely because the dockers don't have MAC addresses due to being on ipvlan?  How can I make it so I can ping/access the web GUI of docker containers?

 

.99 is a VM on the unraid server running tailscale.

.6 is another unraid server on the same physical network.

.11 is a nextcloud docker on the unraid server running tailscale.

 

Is it because my br0 docker network is the same network as my physical network? (See third screenshot)

 

Ok disregard.  Enabled "Host has access to custom networks" in docker config, working now.  8 year unraid user, feel dumb now.

Link to comment
