[Plugin] Tailscale


8 hours ago, Karmaa said:

Hello! I use Tailscale to access the WebGUI remotely on my unraid server. I access it by just connecting to the Tailscale server and typing in the address for my server that Tailscale shows to me. When I boot in the GUI OS mode this works fine and the dashboard comes up and I can manage my unraid server. When I boot in normal OS mode I am unable to connect to the GUI via tailscale. Tailscale shows that the server is connected and the port 80 is in use so I believe it’s running and everything, I just can't connect to it. Any idea why? I have tailscale0 set in my addition interface thing btw. I am also able to ping the server just fine.

tailscale0 is from the Docker container, not from the plugin.

 

Do you have the plugin installed? If so, please provide diagnostics from within the plugin settings.

Link to comment
On 3/25/2023 at 10:51 AM, EDACerton said:

I can't access the WebGUI after logging in to Tailscale

  • This is usually caused by enabling the "Use Tailscale Subnets" feature. This feature isn't needed for most installs.

  • Usually, if this happens the WebGUI is still accessible via the Tailscale IP/name. Try connecting via that address, then disable "Use Tailscale Subnets".

I ran into this issue recently, thanks for having this post pinned at the top of the thread. Also thanks for all your work on providing this plugin! I'd like to understand why this problem occurs. While I don't need the subnets feature I would like to utilize them. Is there a way to get it to work?

Link to comment
8 hours ago, Gex2501 said:

I ran into this issue recently, thanks for having this post pinned at the top of the thread. Also thanks for all your work on providing this plugin! I'd like to understand why this problem occurs. While I don't need the subnets feature I would like to utilize them. Is there a way to get it to work?

The way that "Use Tailscale Subnets" causes problems has to do with how other Tailscale devices are set up.

 

One important thing to understand -- "Use Tailscale Subnets" has nothing to do with setting your Unraid server up as a subnet router. If you want to advertise routes from your Unraid instance, go for it -- that works just fine (and lots of people do it).

 

"Use Tailscale Subnets" is relevant when *other* devices on your network are a subnet router (for instance, folks who use things like pfSense/opnsense/etc. for their firewall/router sometimes like to install Tailscale there and use it as the subnet router). In cases like this, you can run into some asymmetric routing issues because now you'll actually have two routes to your local network (directly connected and via the Tailscale subnet router)... and Tailscale will try to force the traffic to go over the subnet router*.

 

However, the router isn't expecting that traffic, and the client isn't expecting for the traffic to come back that way either, so this can result in various (and weird) connection issues.

 

In practice, there are very few scenarios which would require "Use Tailscale Subnets" to work. Without "Use Tailscale Subnets", you can still:

  • Configure Unraid as a subnet router on Tailscale to make other devices on your network accessible via Tailscale.
  • Connect to Unraid via its local IP from another device via a subnet router (e.g., connecting to 192.168.1.10 from your laptop, with Tailscale installed as a subnet router on your firewall).

What you cannot do is:

  • Connect from Unraid to a device in a remote subnet (e.g., if you had a subnet router running at your friends house, and you wanted to transfer files from Unraid to a device there via the subnet router).

* This seems like a bad thing, but is actually a good feature that just has unfortunate implications in this scenario. Tailscale behaves this way because many private networks share IPs, and by forcing all traffic over the subnet router, it guarantees that when you enter (for example) 192.168.1.10 it connects to your server and not some device on another network that just happens to use 192.168.1.0/24.

Link to comment
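Added example, not part of the original thread or the plugin's code: a small Python check for the situation described in the post above, where a subnet route accepted from another Tailscale device overlaps a network the server is already directly connected to. It assumes the Linux Tailscale client places accepted routes in routing table 52; the sample `ip route` output, the interface names and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ip -4 route show table main` on the server.
MAIN_TABLE = """\
default via 192.168.1.1 dev br0 metric 1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10 metric 1
"""

# Constructed sample: `ip -4 route show table 52` after accepting routes
# (assumption: table 52 is where the Linux client installs them).
TS_TABLE = """\
100.100.100.100 dev tailscale1
100.101.102.103 dev tailscale1
192.168.1.0/24 dev tailscale1
10.8.0.0/24 dev tailscale1
"""


def parse_routes(text):
    """Yield (network, device, directly_connected) for each prefix route."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # "default" and other non-prefix route types
        dev = None
        if "dev" in fields[:-1]:
            dev = fields[fields.index("dev") + 1]
        # The kernel adds these routes itself for every configured address.
        connected = "proto kernel" in line and "scope link" in line
        yield net, dev, connected


def find_conflicts(main_text, ts_text):
    """Return (tailscale_route, local_network, local_device) for every
    accepted route that overlaps a directly connected network."""
    local = [(n, d) for n, d, c in parse_routes(main_text) if c]
    conflicts = []
    for ts_net, _dev, _connected in parse_routes(ts_text):
        for lan_net, lan_dev in local:
            if ts_net.overlaps(lan_net):
                conflicts.append((str(ts_net), str(lan_net), lan_dev))
    return conflicts


if __name__ == "__main__":
    for ts_net, lan_net, lan_dev in find_conflicts(MAIN_TABLE, TS_TABLE):
        print(f"accepted route {ts_net} overlaps {lan_net} on {lan_dev}: "
              "local traffic may be sent via the subnet router")
```

A non-empty result means the server now has two paths to its own LAN, which is the asymmetric-routing condition the post describes; remote-only subnets such as the sample 10.8.0.0/24 are not flagged.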
17 hours ago, EDACerton said:

"Use Tailscale Subnets" is relevant when *other* devices on your network are a subnet router (for instance, folks who use things like pfSense/opnsense/etc. for their firewall/router sometimes like to install Tailscale there and use it as the subnet router). In cases like this, you can run into some asymmetric routing issues because now you'll actually have two routes to your local network (directly connected and via the Tailscale subnet router)... and Tailscale will try to force the traffic to go over the subnet router*.

This is almost exactly what I have going on. I have a pi running tailscale, on the same LAN as Unraid, advertising the subnet. What I find interesting is I also have an Ubuntu VM, running on Unraid, exposed to the LAN directly, using the --accept-routes and it's working just fine... Seems weird. 🤷‍♂️

 

UPDATE: So strike that, I actually can't ping or access the VM from its LAN ip. So same issue I guess. I've just never actually tried to do that.

Edited by Gex2501
Info update
Link to comment
On 6/13/2024 at 10:53 AM, blitzio said:

 

Ok understand thanks. I actually already followed all the instructions in that doc and followed all the steps for my network (using Unifi). My other ports for other services are forwarding just fine but for some reason 41641 and 3478 just won't punch through.

 

I'll try asking around on the Unifi and Tailscale subreddits but it's been almost 2 months and so far no one has been able to help or figure this out. Will keep trying and hope this gets sorted one day.

 

I have a follow-up and update on this issue. I am currently in direct contact with Tailscale customer support, who have been incredibly patient and have walked me through this.

 

They asked me to check on the following, and I'm wondering if the Unraid plugin has this capability or setting somewhere, as I'm a bit lost on finding or editing that "tailscaled" config.

 

Quote

the only thing that should be preventing a direct connection to the Unraid machine is that tailscaled isn’t listening on port 41641 based on its logs, because it looks like ‘Computer 1’ and ‘iphone-14-pro’ might be taking over that port when they are online and on that same network as both show 101.xxx.xxx.xxx:41641 as an endpoint that was discovered to reach those devices at some point.

Since randomizeClientPort hasn’t been enabled in your ACL, tailscaled must have PORT=0 set causing it to choose a random port when it starts rather than sticking to the typical default port, 41641. On your Unraid machine, does the /etc/default/tailscaled file exist? If so you should be able to edit that file to configure tailscaled on that machine. If a line already exists setting the PORT environment variable you will want to make sure it’s set to PORT=41641 to ensure it’s listening on the port you’ve forwarded on the UDM.

 

If /etc/default/tailscaled doesn’t exist, do you know if tailscale on your Unraid machine is started at boot using systemd (to check, you can run systemctl status tailscaled.service), or if Unraid uses something else to manage starting its services? Wherever tailscaled is called to start it at boot, the --port=41641 argument can be added to that command to achieve the same effect if editing the environment variables in /etc/default/tailscaled isn’t possible.

 

Could anyone guide me on how I can edit this and set the port directly on my Unraid machine as per the instructions above? It might be the way to finally get it to make a direct connection which I have been struggling with for a while now. Thanks!

Link to comment

I am struggling to update this plugin.

The main "plugin" page shows no updates.

If you go to "Apps," search for the tailscale plugin, and open its page, it shows that there is a newer version. And in the "Action" dropdown, there is even an "Upgrade" button. But after I "Upgrade," nothing changes. It's still the old version, but it says that there is a newer one.

How do I fix this?

See some screenshots...

Screenshot 2024-07-04 at 20.13.07.png

Screenshot 2024-07-04 at 20.12.57.png

Screenshot 2024-07-04 at 20.12.46.png

Screenshot 2024-07-04 at 20.12.31.png

Screenshot 2024-07-04 at 20.12.11.png

Screenshot 2024-07-04 at 20.08.07.png

Link to comment

Tailscale literally suddenly stopped working. I was on my server GUI, started an array rebuild and then pressed F5 and suddenly I can't access it via tailscale magic DNS hostname. Direct IP still works.

 

When I go to Tailscale plugin I get this:

 

image.thumb.png.1e50685bede7a8774f58fc2c839879ad.png

 

However nothing happens when I click "Reauthenticate" and in my Tailscale dashboard my server is set to never expire.

 

What's going on?

Link to comment
On 7/2/2024 at 11:54 PM, blitzio said:

 

I have a follow-up and update on this issue. I am currently in direct contact with Tailscale customer support, who have been incredibly patient and have walked me through this.

 

They asked me to check on the following, and I'm wondering if the Unraid plugin has this capability or setting somewhere, as I'm a bit lost on finding or editing that "tailscaled" config.

 

 

Could anyone guide me on how I can edit this and set the port directly on my Unraid machine as per the instructions above? It might be the way to finally get it to make a direct connection which I have been struggling with for a while now. Thanks!

If you switch to the "Advanced" view in the Tailscale settings, there's an option for Wireguard Port:

 

WireguardPort.png.f4769bd2f737f389b6ecbf4094391e5e.png

Link to comment
20 hours ago, mkevac said:

I am struggling to update this plugin.

The main "plugin" page shows no updates.

If you go to "Apps," search for the tailscale plugin, and open its page, it shows that there is a newer version. And in the "Action" dropdown, there is even an "Upgrade" button. But after I "Upgrade," nothing changes. It's still the old version, but it says that there is a newer one.

How do I fix this?

See some screenshots...

You seem to be stuck on a very old version of the plugin, and for some reason Unraid is "stuck" trying to install that version.

 

I would try going to "Plugins" -> "Install Plugin", and use this for the URL:

 

https://raw.githubusercontent.com/dkaser/unraid-tailscale/main/plugin/tailscale.plg

 

If that doesn't work, I would do the following:

  1. Open the CLI.
  2. Run the following command:
     
    rm /boot/config/plugins/tailscale.plg

     

  3. Reboot the server.
  4. Reinstall the plugin.

This will retain your Tailscale state, but will make Unraid "forget" about the plugin completely, which will hopefully clear out whatever is causing that old version to be cached.

Link to comment
12 hours ago, cinereus said:

Tailscale literally suddenly stopped working. I was on my server GUI, started an array rebuild and then pressed F5 and suddenly I can't access it via tailscale magic DNS hostname. Direct IP still works.

 

When I go to Tailscale plugin I get this:

 

image.thumb.png.1e50685bede7a8774f58fc2c839879ad.png

 

However nothing happens when I click "Reauthenticate" and in my Tailscale dashboard my server is set to never expire.

 

What's going on?

Please post diagnostics from inside the Tailscale settings.

Link to comment
Posted (edited)

Hi

I have spent a few weeks with an issue getting tailscale to work with my docker containers using the plugin. The docker containers on my unraid server run on a vlan behind an opnsense firewall. I can access the admin interface of unraid from inside and outside my network using the tailscale ip of the server. I can't access any of the docker containers from inside my network using the tailscale ip and the port of the service, which work fine with the vlan ip they are given by opnsense. I have the unraid tailscale ip as an exit node and also set --advertise-routes=10.1.20.0/24 which is the vlan for the docker containers. Any help would be much appreciated. Thanks

 

Edited by Goonie
Link to comment
1 hour ago, Goonie said:

Hi

I have spent a few weeks with an issue getting tailscale to work with my docker containers using the plugin. The docker containers on my unraid server run on a vlan behind an opnsense firewall. I can access the admin interface of unraid from inside and outside my network using the tailscale ip of the server. I can't access any of the docker containers from inside my network using the tailscale ip and the port of the service, which work fine with the vlan ip they are given by opnsense. I have the unraid tailscale ip as an exit node and also set --advertise-routes=10.1.20.0/24 which is the vlan for the docker containers. Any help would be much appreciated. Thanks

 

Please provide diagnostics from inside the plugin settings. 
 

Does the Unraid server itself have an IP on 10.1.20.0/24?

Link to comment
15 hours ago, EDACerton said:

You seem to be stuck on a very old version of the plugin, and for some reason Unraid is "stuck" trying to install that version.

 

I thought I needed to remove the plugin and reinstall it. But because this server is not near me, and the only way I have access to it is through Tailscale, I needed a plan B.

I installed Cloudflare Tunnel, and after making sure that it worked, I removed the plugin and tried to reinstall it. It failed.

See the screenshot for the reason 🙂

 

This server is in Russia...

 

 

Screenshot 2024-07-06 at 08.54.20.png

Link to comment
8 hours ago, EDACerton said:

Please provide diagnostics from inside the plugin settings. 
 

Does the Unraid server itself have an IP on 10.1.20.0/24?

Thanks, do you want a portion of the diagnostic file or the full file? The unraid server has two nics: one for the admin interface local network, and the second interface is for the vlans, 1 vlan for the docker containers and the other vlan for the vms once I get this all working.

Link to comment
31 minutes ago, cinereus said:

Do you want normal diagnostics or Tailscale log?

 

Here's diagnostics:

 

Currently server has no internet access and can't ping anything either due to tailscale.

fs-diagnostics-20240706-1426.zip 269.7 kB · 0 downloads

 

 

33 minutes ago, Goonie said:

Thanks, do you want a portion of the diagnostic file or the full file? The unraid server has two nics: one for the admin interface local network, and the second interface is for the vlans, 1 vlan for the docker containers and the other vlan for the vms once I get this all working.

Go into the plugin settings, there is a diagnostics button there. Post the complete file that it downloads. (This includes the normal system diagnostics plus additional data for Tailscale.)

Link to comment
24 minutes ago, EDACerton said:

 

Go into the plugin settings, there is a diagnostics button there. Post the complete file that it downloads. (This includes the normal system diagnostics plus additional data for Tailscale.)

here:

 

(I have fixed the internet access issue as just needed to change gateway but tailscale still shows that error) and my other machines can't use the tailscale hostname to access server.

tailscale-diag.zip

Link to comment

Okay I fixed it. The reason the button wasn't working was because no internet access. It should open a popup to tailscale dash but didn't and no error message.

 

Please consider this a bug report for that.

 

I also had expiry disabled so don't know why it expired. Another bug report for that please.

 

However, I still get this issue

 

image.png.3a838c10c24e12ccae82a8d114c06b01.png

 

It's not obvious where to approve this.

Link to comment
Posted (edited)
11 hours ago, cinereus said:

Okay I fixed it. The reason the button wasn't working was because no internet access. It should open a popup to tailscale dash but didn't and no error message.

 

Please consider this a bug report for that.

 

I also had expiry disabled so don't know why it expired. Another bug report for that please.

 

However, I still get this issue

 

image.png.3a838c10c24e12ccae82a8d114c06b01.png

 

It's not obvious where to approve this.

You have to approve it in the Tailscale admin console.

 

https://login.tailscale.com/

 

The expiration piece was probably just related to the server being unable to contact Tailscale; that seems to confuse the Tailscale client in some cases. Unfortunately, there's not much that I can do to resolve that part with the plugin -- I can only report back what the client tells me. :(

Edited by EDACerton
Link to comment
Posted (edited)
11 hours ago, Goonie said:

Thanks. I think I misunderstood your original post, but looking at it again with the diagnostics I think I understand better now.

 

Using TailscaleAddress:Port only works for containers that are running on the Unraid server's IP (bridge networking). In your case, you are using ipvlan networking for your containers so that they get independent IPs.

 

For containers that have their own IPs, there are generally two approaches to connecting via Tailscale:

  1. Subnet routing, which you already have configured; or
  2. Running a Tailscale container to provide the networking for the service (which results in the container having its own Tailscale IP as well, it wouldn't share the host Tailscale IP).

If the local IPs are working for you via Tailscale, then you've already done what you need to connect remotely.

 

One other thing which has nothing to do with Tailscale -- I noticed that two of your Docker networks are ipvlan, but there's one macvlan network in the logs:

Unraid1 rc.docker: created network macvlan eth0 with subnets: 10.x.1.0/24; 

If this is deliberate, ignore me :), but I figured I'd mention it since macvlan has a history of causing issues, and that might have been something that you meant to either remove/switch and forgot.

Edited by EDACerton
Link to comment
On 7/5/2024 at 10:55 PM, EDACerton said:

If you switch to the "Advanced" view in the Tailscale settings, there's an option for Wireguard Port:

 

WireguardPort.png.f4769bd2f737f389b6ecbf4094391e5e.png

Thanks EDACerton, when I checked my advanced settings it seems my Wireguard Port was already set to the correct one and despite that and even restarting with my port forwarded, I still can't get a direct connection.

 

Before checking this, the Tailscale support suggested to modify scripts which is beyond my current knowledge and capability and I'm not sure this is even necessary given that the advanced setting above already has the correct port set.

 

This was what they said:

Quote

I took a look at the install script for the Unraid plugin and it looks like the scripts that are used by Unraid to start tailscaled automatically on boot are stored in /boot/config/plugins/tailscale/. With this different setup I doubt that an equivalent to /etc/default/tailscaled exists somewhere to configure tailscaled by environment variables, so you will probably have to modify the scripts (looks like it would mainly be restart.sh) in /boot/config/plugins/tailscale/ wherever they call tailscaled to include the --port=41641 argument to ensure that port is used by tailscaled whenever it’s started after a restart. After making those changes you’ll likely want to restart the tailscale plugin or run the (now modified) /usr/local/emhttp/plugins/tailscale/restart.sh script to restart the existing instance of tailscaled running on your Unraid system.

 

Still a bit lost and followed up/shared this info with the Tailscale support team, I wonder what else we can explore to get to the bottom of this.

Link to comment
57 minutes ago, blitzio said:

Thanks EDACerton, when I checked my advanced settings it seems my Wireguard Port was already set to the correct one and despite that and even restarting with my port forwarded, I still can't get a direct connection.

 

Before checking this, the Tailscale support suggested to modify scripts which is beyond my current knowledge and capability and I'm not sure this is even necessary given that the advanced setting above already has the correct port set.

 

This was what they said:

 

Still a bit lost and followed up/shared this info with the Tailscale support team, I wonder what else we can explore to get to the bottom of this.

Can you post diagnostics from inside the Tailscale settings?

Link to comment
