
[Plugin] Tailscale



5 hours ago, EDACerton said:

I just pushed an update to the plugin that automatically applies the workaround.

 

Still have issue with MagicDns node names, in Unraid also in Ubuntu clients, but only in one working MagicDns. 

Using headscale as server. 

Link to comment

I am having networking issues, which have occurred after updating the Tailscale plugin earlier this week.

Unraid is my home server, IPv4 192.168.1.1

Docker is running within this server, for which I have not directly configured any network / DNS settings, but it had worked without issue.

Running containers have port mapping so as to be accessed via the local network, which I expect to use the above 192.168.1.1 address. I also use the Nginx Proxy Manager (NPM) container as a front-facing reverse proxy for incoming connections to LetsEncrypt SSL certs.

 

I cannot complete the creation of a new NPM Host. The direct log file contains:

 

[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #26: sab.redswitch.co.uk
[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:07 AM] [Global   ] › ⬤  debug     CMD: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:10 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_26.conf
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -t -g "error_log off;"
[5/17/2024] [9:30:10 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -s reload
[5/17/2024] [9:30:10 AM] [Express  ] › ⚠  warning   Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

 

I have attached the Tailscale plugin diagnostics as well as the letsencrypt-log file (obtained from within the NPM container).

 

If I open Unraid's console:

  1. "nslookup tower" (the Unraid hostname), it returns the Tailscale FQDN
  2. I cannot find any other hostname that resolves to the 192.168.1.1 LAN IPv4 address I am expecting
  3. "ping tower" hits 127.0.0.1
  4. "ping tower.local" returns "Name or service not known"

 

 

Can I ask for some help please?

 

 

 

npm_letsencrypt-log.txt Tower-tailscale-diag-20240517-093835.zip

Link to comment
3 hours ago, explosionhole said:

I am having networking issues, which have occurred after updating the Tailscale plugin earlier this week.

Unraid is my home server, IPv4 192.168.1.1

Docker is running within this server, for which I have not directly configured any network / DNS settings, but it had worked without issue.

Running containers have port mapping so as to be accessed via the local network, which I expect to use the above 192.168.1.1 address. I also use the Nginx Proxy Manager (NPM) container as a front-facing reverse proxy for incoming connections to LetsEncrypt SSL certs.

 

I cannot complete the creation of a new NPM Host. The direct log file contains:

 

[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #26: sab.redswitch.co.uk
[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:07 AM] [Global   ] › ⬤  debug     CMD: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:10 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_26.conf
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -t -g "error_log off;"
[5/17/2024] [9:30:10 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -s reload
[5/17/2024] [9:30:10 AM] [Express  ] › ⚠  warning   Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

 

I have attached the Tailscale plugin diagnostics as well as the letsencrypt-log file (obtained from within the NPM container).

 

If I open Unraid's console:

  1. "nslookup tower" (the Unraid hostname), it returns the Tailscale FQDN
  2. I cannot find any other hostname that resolves to the 192.168.1.1 LAN IPv4 address I am expecting
  3. "ping tower" hits 127.0.0.1
  4. "ping tower.local" returns "Name or service not known"

 

 

Can I ask for some help please?

 

 

 

npm_letsencrypt-log.txt 18.43 kB · 0 downloads Tower-tailscale-diag-20240517-093835.zip 187.74 kB · 0 downloads

Have you installed the latest update to the plugin?

Link to comment
On 3/25/2023 at 6:51 PM, EDACerton said:

Common Issues

  • I can't access the WebGUI after logging in to Tailscale

    • This is usually caused by enabling the "Use Tailscale Subnets" feature. This feature isn't needed for most installs.

 

I just experienced this.
 

I rebooted the first time since installing Tailscale and was not able to access my Unraid locally. 

Just by coincidence I saw the node up in Tailscale and successfully tried the Tailscale IP.

 

Current state: Enabling Use Tailscale Subnets disables access to Unraid on the local ip immediately.

So I can't have both now... I had both before the first reboot after installing the Tailscale plugin.

 

There should be some way to fix this?
Also... I would suggest to add a warning to the Use Tailscale Subnets which says breaks local access on reboot until this is fixed.

 

I believe not everyone is able to troubleshoot this and many users don't have a Monitor hooked up - leaving them with an unreachable and unusable Unraid instance after installing Tailscale and enabling the Use Tailscale Subnets feature. 

 

 

Link to comment
Posted (edited)
On 5/18/2024 at 5:40 AM, ma83 said:

 

I just experienced this.
 

I rebooted the first time since installing Tailscale and was not able to access my Unraid locally. 

Just by coincidence I saw the node up in Tailscale and successfully tried the Tailscale IP.

 

Current state: Enabling Use Tailscale Subnets disables access to Unraid on the local ip immediately.

So I can't have both now... I had both before the first reboot after installing the Tailscale plugin.

 

There should be some way to fix this?
Also... I would suggest to add a warning to the Use Tailscale Subnets which says breaks local access on reboot until this is fixed.

 

I believe not everyone is able to troubleshoot this and many users don't have a Monitor hooked up - leaving them with an unreachable and unusable Unraid instance after installing Tailscale and enabling the Use Tailscale Subnets feature. 

 

 

Use Tailscale Subnets shouldn't break connectivity on reboot; however, how it behaves is highly dependent on the configuration of your tailnet.

 

This setting is intended only for folks that understand what it does, and as such I've already applied several warnings regarding its use:

  • The setting is only displayed when you switch to the "Advanced" mode.
  • Immediately above the setting is a bold warning which states "These should generally be left off unless specifically needed."
  • The quoted warning in this thread.
Edited by EDACerton
Link to comment
On 5/17/2024 at 9:46 AM, explosionhole said:

I am having networking issues, which have occurred after updating the Tailscale plugin earlier this week.

Unraid is my home server, IPv4 192.168.1.1

Docker is running within this server, for which I have not directly configured any network / DNS settings, but it had worked without issue.

Running containers have port mapping so as to be accessed via the local network, which I expect to use the above 192.168.1.1 address. I also use the Nginx Proxy Manager (NPM) container as a front-facing reverse proxy for incoming connections to LetsEncrypt SSL certs.

 

I cannot complete the creation of a new NPM Host. The direct log file contains:

 

[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #26: sab.redswitch.co.uk
[5/17/2024] [9:30:07 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:07 AM] [Global   ] › ⬤  debug     CMD: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-26" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "sab.redswitch.co.uk" 
[5/17/2024] [9:30:10 AM] [Nginx    ] › ⬤  debug     Deleting file: /data/nginx/temp/letsencrypt_26.conf
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -t -g "error_log off;"
[5/17/2024] [9:30:10 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[5/17/2024] [9:30:10 AM] [Global   ] › ⬤  debug     CMD: /usr/sbin/nginx -s reload
[5/17/2024] [9:30:10 AM] [Express  ] › ⚠  warning   Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

 

I have attached the Tailscale plugin diagnostics as well as the letsencrypt-log file (obtained from within the NPM container).

 

If I open Unraid's console:

  1. "nslookup tower" (the Unraid hostname), it returns the Tailscale FQDN
  2. I cannot find any other hostname that resolves to the 192.168.1.1 LAN IPv4 address I am expecting
  3. "ping tower" hits 127.0.0.1
  4. "ping tower.local" returns "Name or service not known"

 

 

Can I ask for some help please?

 

 

 

npm_letsencrypt-log.txt 18.43 kB · 0 downloads Tower-tailscale-diag-20240517-093835.zip 187.74 kB · 0 downloads

 

16 hours ago, EDACerton said:

Please post plugin diagnostics.

 

Thanks @EDACerton - I had provided these files when I made the original post on Friday 09:46, but I will attach another downloaded file made just as I reply to this message.

Tower-tailscale-diag-20240520-084545.zip

Link to comment
Posted (edited)

How to have update restart plugin?

I have a few Unraid servers all running Tailscale for remote access. In most cases I can access the Unraid server using a local IP if Tailscale is not running. However, I have two machines that I can only access via Tailscale.

The problem comes when the plug-in is updated and does not restart. At this point I lose access to the server and there is no way to get it back unless I restart the server (have user hold power button until powered-off).

Is there a way to have the plug-in restarted after updates?

EDIT: It appears the UP Flags needed to be updated. I tried to restart the container and it failed. The log had the change required for the container's UP Flag variable. With changes applied the container started. There appears to be no issue here after all.

Edited by jchaven
Link to comment
On 5/21/2024 at 10:36 AM, jchaven said:

How to have update restart plugin?

I have a few Unraid servers all running Tailscale for remote access. In most cases I can access the Unraid server using a local IP if Tailscale is not running. However, I have two machines that I can only access via Tailscale.

The problem comes when the plug-in is updated and does not restart. At this point I lose access to the server and there is no way to get it back unless I restart the server (have user hold power button until powered-off).

Is there a way to have the plug-in restarted after updates?

EDIT: It appears the UP Flags needed to be updated. I tried to restart the container and it failed. The log had the change required for the container's UP Flag variable. With changes applied the container started. There appears to be no issue here after all.

This sounds like you're using the Tailscale container, not the Tailscale plugin.

Link to comment
On 5/20/2024 at 7:52 AM, Pulteney said:

So I used CLI to set a Mullvad exit node. How does that work exactly. Is all internet traffic to and from my Unraid box sent through Mullvad with this enabled?

In theory, yes -- although this isn't something that I've expressly tested (on my to-do list).

Link to comment
On 5/20/2024 at 3:46 AM, explosionhole said:

 

 

Thanks @EDACerton - I had provided these files when I made the original post on Friday 09:46, but I will attach another downloaded file made just as I reply to this message.

Tower-tailscale-diag-20240520-084545.zip 206.32 kB · 0 downloads

Looking at this... if you had installed 2024.05.11, that would have likely caused issues with your Docker networking. The later versions correct this issue.

 

As for the Let's Encrypt errors, that doesn't seem to be Tailscale related. Let's Encrypt can't resolve the DNS address that you're trying to generate a certificate for:

DNS problem: NXDOMAIN looking up A for sab.redswitch.co.uk

 

Link to comment
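An added example, not from the thread and not NPM or certbot code: it reads the Domain/Type/Detail entries that certbot records for failed challenges and reports which side each failure is on, which is how an NXDOMAIN result is told apart from a problem on the Unraid host. The log excerpt is constructed (example.test names, 203.0.113.x addresses), and the function names and verdict labels are assumptions.

```shell
#!/bin/sh
# Constructed sample in the layout certbot uses when the CA rejects a challenge.
# Names and addresses are placeholders, not values from the thread.
sample_log() {
cat <<'EOF'
2024-05-17 09:30:10,101:DEBUG:acme.client:Storing nonce
  Domain: sab.example.test
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for sab.example.test - check that a DNS record exists for this domain
  Domain: nas.example.test
  Type:   connection
  Detail: 203.0.113.10: Fetching http://nas.example.test/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
  Domain: wiki.example.test
  Type:   unauthorized
  Detail: 203.0.113.10: Invalid response from http://wiki.example.test/.well-known/acme-challenge/TOKEN: 404
EOF
}

# triage_acme: log on stdin -> one "domain<TAB>type<TAB>verdict" line per failure.
#   public-dns          the CA's resolvers found no record (NXDOMAIN); the fix is
#                       at the public DNS provider, not in local or tailnet DNS
#   public-dns-other    another DNS-side error (SERVFAIL, CAA, ...)
#   inbound-port-80     the name resolves but the CA could not connect
#   web-server-response something answered, but not with the challenge token
triage_acme() {
    awk '
        $1 == "Domain:" { domain = $2; next }
        $1 == "Type:"   { kind = $2; next }
        $1 == "Detail:" && domain != "" {
            if (kind == "dns" && $0 ~ /NXDOMAIN/) verdict = "public-dns"
            else if (kind == "dns")               verdict = "public-dns-other"
            else if (kind == "connection")        verdict = "inbound-port-80"
            else if (kind == "unauthorized")      verdict = "web-server-response"
            else                                  verdict = "unclassified"
            printf "%s\t%s\t%s\n", domain, kind, verdict
            domain = ""; kind = ""
        }
    '
}

# fault_for DOMAIN: print only the verdict for one domain (log on stdin).
fault_for() {
    triage_acme | awk -F '\t' -v d="$1" '$1 == d { print $3 }'
}

# Stand-alone run over the constructed sample.
sample_log | triage_acme
```

Against a real log, pipe the file in instead of the sample: `triage_acme < /tmp/letsencrypt-log/letsencrypt.log`.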
Posted (edited)

Got this set up, with LAN access and all.

But Splashtop does not connect; I had no issues using the Docker version in the past.

Just an update: I got it to run with the following.

Open a terminal and run this, no sudo root needed.

tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node --reset

Change your local IP range if needed.

Edited by Goldmaster
correct command needed
Link to comment
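An added example, not part of Goldmaster's post or of the plugin: it derives the `--advertise-routes` value from a host's own LAN address and prefix length instead of copying 192.168.1.0/24, and checks whether a given address is covered by a route. The function names, the RFC 1918 guard and the 192.168.10.37 sample address are assumptions; nothing here runs `tailscale`, the command is only printed for review.

```shell
#!/bin/sh
# Dotted quad -> 32-bit integer; rejects malformed or out-of-range octets.
ip_to_int() (
    IFS=.; set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# lan_cidr ADDRESS PREFIXLEN -> network/prefix with the host bits cleared.
lan_cidr() (
    ip=$(ip_to_int "$1") || exit 1
    case $2 in ''|*[!0-9]*|0?*|???*) exit 1 ;; esac
    [ "$2" -le 32 ] || exit 1
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    net=$(( ip & mask ))
    echo "$(int_to_ip "$net")/$2"
)

# route_covers CIDR ADDRESS -> status 0 if ADDRESS lies inside CIDR.
route_covers() (
    net=${1%/*}; len=${1#*/}
    [ "$net" != "$1" ] || exit 2            # no "/" in the route
    want=$(lan_cidr "$net" "$len") || exit 2
    have=$(lan_cidr "$2" "$len") || exit 2
    [ "$want" = "$have" ]
)

# Assumed guard: only private (RFC 1918) LAN ranges are ever advertised.
is_private() {
    route_covers 10.0.0.0/8 "$1" || route_covers 172.16.0.0/12 "$1" ||
        route_covers 192.168.0.0/16 "$1"
}

# advertise_cmd ADDRESS PREFIXLEN -> the command from the post with the
# subnet filled in for this host. Printed, never executed.
advertise_cmd() (
    is_private "$1" || { echo "refusing: $1 is not an RFC 1918 address" >&2; exit 1; }
    cidr=$(lan_cidr "$1" "$2") || exit 1
    echo "tailscale up --advertise-routes=$cidr --advertise-exit-node --reset"
)

# Constructed input: a host at 192.168.10.37/24.
advertise_cmd 192.168.10.37 24
route_covers 192.168.1.0/24 192.168.10.5 ||
    echo "192.168.1.0/24 does not cover 192.168.10.5"
```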

 I’m running Unraid 6.12.10 with the Tailscale plugin and I have never been able to access the Unraid GUI remotely.

 

I can’t even ping the Tailscale IP of the Unraid box from any of my other tailnet devices remotely, though the server shows up as connected on the Tailscale admin page.

 

I have attached the diagnostics file in case anyone can help me figure this out.

Tower-tailscale-diag-20240531-170248.zip

Link to comment

I have Tailscale installed as a plugin. I've read that to enable direct connections, I need to forward port UDP/41641 to the IP of my Unraid box. Problem is that I have dual WAN, WAN1 being a CGNAT 5G connection and WAN2 being a fiber connection which I can port forward with. That being said, WAN1 is the default WAN, which I could change but I don't want to for "reasons". I already have the Unraid box IP configured to go out WAN2 in my pfSense router, but that does not seem to force the Tailscale connection out WAN2; it seems to use WAN1. Since the plugin has no console, I don't have any way to check this, but the 5G connection has a monthly transfer limit and then becomes slow for the rest of the month, so I know I'm hitting this limit every now and then because the Tailscale connection becomes unreasonably slow late in the month on high usage months.

Link to comment

Hi all. I'd be happy if someone could point me in the right direction: I have installed the Tailscale plugin and I can access my Immich docker with ease. But for the life of me I can't connect to Jellyfin using the Tailscale IP and port. I am advertising a subnet (I hope, as I am not an IT pro who always knows what he is doing). Subnet advertising was not necessary for Immich though.

Taruga-tailscale-diag-20240602-085645.zip

Link to comment
On 6/1/2024 at 8:31 AM, nerbonne said:

I have Tailscale installed as a plugin. I've read that to enable direct connections, I need to forward port UDP/41641 to the IP of my Unraid box. Problem is that I have dual WAN, WAN1 being a CGNAT 5G connection and WAN2 being a fiber connection which I can port forward with. That being said, WAN1 is the default WAN, which I could change but I don't want to for "reasons". I already have the Unraid box IP configured to go out WAN2 in my pfSense router, but that does not seem to force the Tailscale connection out WAN2; it seems to use WAN1. Since the plugin has no console, I don't have any way to check this, but the 5G connection has a monthly transfer limit and then becomes slow for the rest of the month, so I know I'm hitting this limit every now and then because the Tailscale connection becomes unreasonably slow late in the month on high usage months.

This doesn't seem like something that I can fix in the plugin. I can't think of any reason why Tailscale would use a different route than what the rest of the Unraid instance would.

 

My recommendation would be to make a post in somewhere like r/Tailscale, there might be someone there who has tried a similar setup.

Link to comment
On 5/31/2024 at 5:09 PM, nemo868 said:

 I’m running Unraid 6.12.10 with the Tailscale plugin and I have never been able to access the Unraid GUI remotely.

 

I can’t even ping the Tailscale IP of the Unraid box from any of my other tailnet devices remotely, though the server shows up as connected on the Tailscale admin page.

 

I have attached the diagnostics file in case anyone can help me figure this out.

Tower-tailscale-diag-20240531-170248.zip 123.91 kB · 0 downloads

Are you able to connect from home-desktop-pc? I can see some MDNS traffic in the logs that seems to be OK.

 

I also see some weird "no associated peer node" messages in the logs. That makes me think that something either on the server or the clients isn't connected correctly. I would try either logging off/logging on to the clients, or erase the Tailscale plugin configuration (there's a button in the settings) and then try connecting the server again.

Link to comment
8 hours ago, nassauer said:

Hi all. I'd be happy if someone could point me in the right direction: I have installed the Tailscale plugin and I can access my Immich docker with ease. But for the life of me I can't connect to Jellyfin using the Tailscale IP and port. I am advertising a subnet (I hope, as I am not an IT pro who always knows what he is doing). Subnet advertising was not necessary for Immich though.

Taruga-tailscale-diag-20240602-085645.zip 142.1 kB · 1 download

I see that your Jellyfin container is configured to use host networking; is there a reason for that?

Link to comment
2 hours ago, EDACerton said:

I see that your Jellyfin container is configured to use host networking; is there a reason for that?

No, there wasn't. I just ran the docker as it was. Switching to "Bridge" fixed the issue! Thank you very very much.

Link to comment
Posted (edited)
4 hours ago, EDACerton said:

Are you able to connect from home-desktop-pc? I can see some MDNS traffic in the logs that seems to be OK.

 

I also see some weird "no associated peer node" messages in the logs. That makes me think that something either on the server or the clients isn't connected correctly. I would try either logging off/logging on to the clients, or erase the Tailscale plugin configuration (there's a button in the settings) and then try connecting the server again.

I erased the Tailscale plugin configuration and reconnected with a new Tailscale IP. I also logged out and in on the clients but nothing has changed.

 

I can connect to the Unraid server (and the Linux and Windows VMs it hosts) from all my tailnet devices on the LAN, but remotely I cannot connect to the Unraid server or any of its VMs.

All the other tailnet devices (3 Windows PCs and an iPhone) have no issues connecting to each other either locally or remotely.

 

Edited by nemo868
Link to comment

 

Hello! I, like many others here, found this plugin after suddenly finding out that my Tailscale docker was no longer working properly at a very poor time. Thank you so much for creating this and putting it out there! 

 

After reading Goldmaster's post a few above this one with the terminal command, I was able to get the plugin to act as an exit node and can connect to the tailnet when on cellular/off-network by accessing the IP listed in the app.

However, I cannot access the webGUIs for my various services using the internal LAN IP (192.168.10.x), which I was able to do when using the container. This was extremely useful in the past as all of my bookmarks could remain the same. Is there a way to address this, and am I approaching the configuration in the wrong way? Or is there a different approach to how I should be utilizing Tailscale and update all of my bookmarks?

 

To that last question, should I have Tailscale on for ALL of my devices, all of the time, and set up hostnames for each exit node (i.e. Tower in place of 192.168.10.x) and update my bookmarks accordingly? Admittedly, I do not have a full grasp on how Tailscale would work, but my initial sense would be that there would be conflicts with other devices on networks that may not have Tailscale installed that I'd have to resolve, if all of my devices were connected all the time. Have to sort through this thought, appreciate any insight on the meat of this question though. 


Thank you! 

Link to comment
