[Plugin] Tailscale


Posted (edited)
22 hours ago, Stavros said:

Hello! I, like many others here, found this plugin after suddenly finding out that my Tailscale docker was no longer working properly at a very poor time. Thank you so much for creating this and putting it out there! 

 

After reading Goldmaster's post a few above this one with the terminal command, I was able to get the plugin to act as an exit node and can connect to the tailnet when on cellular/off-network by accessing the IP listed in the app....

 

You have to enable the subnet via console and approve them on the tailscale.com admin page, similarly to how you did the exit node.

 

For example:

tailscale set --advertise-exit-node --advertise-routes=192.168.1.0/24 --stateful-filtering

 

FYI: adding --stateful-filtering to your docker container will fix a recent update, though the docker is discontinued starting next month unless a new developer takes over.

 

Edited by sdballer
Link to comment
23 minutes ago, sdballer said:

 

You have to enable the subnet via console and approve them on the tailscale.com admin page, similarly to how you did the exit node.

 

For example:

tailscale set --advertise-exit-node --advertise-routes=192.168.1.0/24 --stateful-filtering

 

FYI: adding --stateful-filtering to your docker container will fix a recent update, though the docker is discontinued starting next month unless a new developer takes over.

 

Thank you, it is now working! I had done the approval, but just realized that I originally did it for 192.168.1.0 but never went back and approved for 192.168.10.x and in my console that approval was sitting there waiting. Did so and it’s back to working as it was before! Excellent!

 

I prefer the plugin as my array doesn’t have to be up for Tailscale to work, so gladly keeping this implementation. 

Link to comment
On 6/2/2024 at 12:58 PM, sdballer said:

@EDACerton

Is there any way to enable dark mode on the default tailscale tab? Also, what about the iframe dimensions?

Dark mode: no, the page inside the iframe is actually provided by Tailscale itself, any change there would have to be added via github.com/tailscale/tailscale.

 

Why are you asking about the iframe dimensions?

Link to comment
Posted (edited)
7 hours ago, EDACerton said:

Dark mode: no, the page inside the iframe is actually provided by Tailscale itself, any change there would have to be added via github.com/tailscale/tailscale.

 

Why are you asking about the iframe dimensions?

 

It doesn't look integrated.

For example if my iframe was just a few pixels taller, the scroll bars would disappear, in addition, the dark mode would match my unraid theme. I already have dark mode enabled on tailscale.com, so it does not transition back to the plugin.

 

If you could inject these css changes I don't see why it wouldn't be possible.

Screenshot 2024-06-04 175354.png

Edited by sdballer
Link to comment
Posted (edited)

I'm stumped, but I'll admit that I don't fully understand what I'm doing when it comes to Tailscale or networking in general.

I've installed the plug-in and connected it to Tailscale.
Then I ran the following command in a terminal:
tailscale set --advertise-exit-node --advertise-routes=192.168.2.0/24 --stateful-filtering
and then approved the changes on the Admin Console.

I have successfully connected to the Unraid GUI using my local IP address and the Tailscale IP from two different devices that are not on the same local network (my Android phone using mobile network and a win10 laptop using a different internet connection). However...

On the phone, I can access my bridged Docker containers using the local IP address, but not the Tailscale IP.
On the laptop, I can't access the Docker containers at all. I can only access the Unraid GUI.

I'd be happy if they both acted like my phone.

Can anyone explain this? The only settings that I remember changing were for the server, so I don't know how two different devices on the same tailnet have different behavior with a 3rd device.

Edit: Well, nevermind. I think I just figured it out literally minutes after posting, but after having stewed on it for days. I just found the setting on the laptop to "Allow local network access" under Exit nodes.  Enabled that for my Unraid server and now I can connect to my Dockers. I guess this was automatic on the Android app?

Edited by runningslow
Update. Solved my own problem.
Link to comment
On 6/4/2024 at 1:24 PM, sdballer said:

 

It doesn't look integrated.

For example if my iframe was just a few pixels taller, the scroll bars would disappear, in addition, the dark mode would match my unraid theme. I already have dark mode enabled on tailscale.com, so it does not transition back to the plugin.

 

If you could inject these css changes I don't see why it wouldn't be possible.

Screenshot 2024-06-04 175354.png

I can look at the settings for the iframe, but I can't make any promises there. Changes to benefit one screen resolution can have side effects for other resolutions.

 

I'm not going to try to inject HTML/CSS changes into the built-in interface to add a dark mode setting. That's generally bad/last-resort practice and sets the plugin up for problems later on as Tailscale makes changes to the interface. If you want dark mode support in the Tailscale web client, please submit a PR to Tailscale to add the feature upstream.

Link to comment

I have been running NGINX Proxy Manager (NPM) for a few months now with my personal registered domain for different docker apps (immich.<mydomain>.com, overseer.<mydomain>.com, jellyfin.<mydomain>.com, etc...). My domain is registered at namecheap.

 

I have lately stumbled across tailscale (and this Plugin) while searching to improve security and use a VPN.

I have installed this great plugin and got it working to access the unraid webui server from different remote devices.

I can also access the apps on the VPN using tower:<port number> (for example immich at tower:8080)

 

I am now trying to combine the two so I (and others that I let) can access the apps using <app>.mydomain.com.

I saw the below video but don't know how to do it for NPM and the Tailscale plugin.

In the example in the video it seems there is a dedicated server ??? for the reverse proxy (Caddy) but if I do this for the unraid server doesn't it expose the whole server to all allowed users?

 

Does anyone have a step-by-step tutorial for achieving this in unRAID with NPM and Tailscale plugin? If it is possible...

 

 

 

Link to comment

So what causes this notification? Been trying to get tailscale to work but sometimes it's fine and sometimes it starts to give that "error". Maybe that is the cause why I can not get the streaming to work on jellyfin

Tailscale Health    Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight

 

Commands i used when i installed the tailscale
tailscale set --advertise-exit-node --advertise-routes=192.xxx.xx.x/xx,192.xxx.xxx.x/xx
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Link to comment
11 hours ago, ralop said:

So what causes this notification? Been trying to get tailscale to work but sometimes it's fine and sometimes it starts to give that "error". Maybe that is the cause why I can not get the streaming to work on jellyfin

Tailscale Health    Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight

 

Commands i used when i installed the tailscale
tailscale set --advertise-exit-node --advertise-routes=192.xxx.xx.x/xx,192.xxx.xxx.x/xx
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

I'm not sure why you would be running the sysctl commands, those aren't required with the plugin (it does all of that automatically).

 

For the DNS issue -- unless you have a reason that your Unraid server needs to be able to resolve *.ts.net names, set "Use Tailscale DNS Settings" to "No" in the advanced settings for the plugin.

Link to comment
23 hours ago, theone said:

I have been running NGINX Proxy Manager (NPM) for a few months now with my personal registered domain for different docker apps (immich.<mydomain>.com, overseer.<mydomain>.com, jellyfin.<mydomain>.com, etc...). My domain is registered at namecheap.

 

I have lately stumbled across tailscale (and this Plugin) while searching to improve security and use a VPN.

I have installed this great plugin and got it working to access the unraid webui server from different remote devices.

I can also access the apps on the VPN using tower:<port number> (for example immich at tower:8080)

 

I am now trying to combine the two so I (and others that I let) can access the apps using <app>.mydomain.com.

I saw the below video but don't know how to do it for NPM and the Tailscale plugin.

In the example in the video it seems there is a dedicated server ??? for the reverse proxy (Caddy) but if I do this for the unraid server doesn't it expose the whole server to all allowed users?

 

Does anyone have a step-by-step tutorial for achieving this in unRAID with NPM and Tailscale plugin? If it is possible...

 

 

 

There are a couple of solutions if you want to limit access via Tailscale:

  1. Use Tailscale ACLs. While the free plan provides limited control with ACLs, it does include "autogroup:shared", which you can use to limit access. For example, something like this:
     
    {
      "acls": [
        // Allow all connections for users joined to the tailnet.
        { "action": "accept", "src": ["autogroup:member"], "dst": ["*:*"] },
    
        // Only allow shared-in users to access the Unraid server on ports x,y,z
        { "action": "accept", "src": ["autogroup:shared"], "dst": ["my.unraid.tailscale.ip:x,y,z"] },
      ]
    }

     

  2. You can create a second Tailscale node using a Docker container, then "sidecar" it to the containers that you want to share. (Note: don't do this today, the existing Docker container is being discontinued... I plan to add a template for the Tailscale official docker container for this use case, but that won't be up for another day or so.)

Link to comment
On 6/9/2024 at 5:52 PM, theone said:

I have been running NGINX Proxy Manager (NPM) for a few months now with my personal registered domain for different docker apps (immich.<mydomain>.com, overseer.<mydomain>.com, jellyfin.<mydomain>.com, etc...). My domain is registered at namecheap.

 

I have lately stumbled across tailscale (and this Plugin) while searching to improve security and use a VPN.

I have installed this great plugin and got it working to access the unraid webui server from different remote devices.

I can also access the apps on the VPN using tower:<port number> (for example immich at tower:8080)

 

I am now trying to combine the two so I (and others that I let) can access the apps using <app>.mydomain.com.

I saw the below video but don't know how to do it for NPM and the Tailscale plugin.

In the example in the video it seems there is a dedicated server ??? for the reverse proxy (Caddy) but if I do this for the unraid server doesn't it expose the whole server to all allowed users?

 

Does anyone have a step-by-step tutorial for achieving this in unRAID with NPM and Tailscale plugin? If it is possible...

 

 

 

I accomplished very similar with Traefik, I simply set up a wildcard DNS record on my domain to my unraid machine's tailscale IP then set up traefik like normal, you will need to change the unraid UI to not use port 80 so you can open port 80 and 443 to NPM.

Link to comment
On 5/12/2024 at 9:25 PM, blitzio said:

On a separate note, I wanted to ask if anyone else is having issues using an Exit Node getting low speeds and having your clients connect via relay instead of a direct connection? I keep getting a relay despite following the docs to forward the specified ports.

 

https://tailscale.com/kb/1082/firewall-ports

 

I ask because I have a relatively well-spec'd unraid server with gigabit fiber as my exit node and want to get fast speeds, but I keep connecting as a relay and only get 20mbps download/upload speeds.

Just following up on my previous post. I still haven't figured it out and was hoping if anyone else has any idea how to fix this. I can't seem to properly forward my ports for Tailscale.

 

Is there a setting in the plugin to do this or at least check? My firewall ports are already forwarded but I still can't get a direct connection. 

Link to comment
2 hours ago, blitzio said:

Just following up on my previous post. I still haven't figured it out and was hoping if anyone else has any idea how to fix this. I can't seem to properly forward my ports for Tailscale.

 

Is there a setting in the plugin to do this or at least check? My firewall ports are already forwarded but I still can't get a direct connection. 

There isn't anything that the plugin can do to fix network mapping.

 

One thing to check -- some firewalls require additional configuration to make things play nicely. Look at https://tailscale.com/kb/1181/firewalls to see if there might be more that you need to do.

Link to comment
13 hours ago, ggfools said:

I accomplished very similar with Traefik, I simply set up a wildcard DNS record on my domain to my unraid machine's tailscale IP then set up traefik like normal, you will need to change the unraid UI to not use port 80 so you can open port 80 and 443 to NPM.

This is exactly how I run my containers 😀

Link to comment
5 hours ago, EDACerton said:

There isn't anything that the plugin can do to fix network mapping.

 

One thing to check -- some firewalls require additional configuration to make things play nicely. Look at https://tailscale.com/kb/1181/firewalls to see if there might be more that you need to do.

 

Ok understand thanks. I actually already followed all the instructions in that doc and followed all the steps for my network (using Unifi). My other ports for other services are forwarding just fine but for some reason 41641 and 3478 just won't punch through.

 

I'll try asking around on the Unifi and Tailscale subreddits but it's been almost 2 months and so far no one has been able to help or figure this out. Will keep trying and hope this gets sorted one day.

Link to comment

hey,

first of all, thanks for answering me in the German section @EDACerton

I hope you can help me.

Me and a friend of mine share a tailscale "knot".

unfortunately we can't get the docker or SMB shares of the other to work. i have to admit, i'm still a noob when it comes to networking.


The first test looks like this: My cell phone in the mobile network with the Tailscale VPN tries to log on to unraid.

Browser: Tailscaleadress:8400 (I used 8400 as http port for unraid)
and get to the login page. But if I then try tailscaleadress:8096, for example, I can't get to my jellyfin.

test two:
Tailscale on an external PC, this tries to access a Docker of mine with an extra IP. Unfortunately without success.


My guess is that I/we have a problem with the routing
Unfortunately, I am currently a bit out of my depth

 

Link to comment

Very nice plugin.....

 

Can you put on your todo list for sometime to have the admin page follow the ui theme/css settings.  White background is nearly impossible for me to read.  Am sure others would appreciate it also.

 

Thanks

Myk

Link to comment
On 6/10/2024 at 9:05 PM, EDACerton said:

I'm not sure why you would be running the sysctl commands, those aren't required with the plugin (it does all of that automatically).

 

For the DNS issue -- unless you have a reason that your Unraid server needs to be able to resolve *.ts.net names, set "Use Tailscale DNS Settings" to "No" in the advanced settings for the plugin.

Because i could not get exit node come up in the setting of the admin panel, i re-installed everything and used ibracorbs guide. Until i used the tailscale set --advertise-exit-node line it would not come up

Link to comment

hey @EDACerton, small suggestion in the "help" tab for the plugin. When I ran the script, I got an error that my hostname couldn't be uppercase. Since casing matters for receiving the cert, but not for using the domain, you could consider revising the script slightly:

 

FQDN=$(hostname | tr '[:upper:]' '[:lower:]').${LOCAL_TLD%%[[:cntrl:]]}

 

This worked for me, and I didn't notice any adverse effects.

 

Also, I believe I have it configured on my other server to run monthly - you could add a suggestion to configure that with the User Scripts plugin if it's needed (I assume it's still using LE here? I didn't check). 

 

Thanks!

 

edit: Also, I found it in here by chance, but for anyone trying to access the unRAID web UI over your tailnet via HTTPS, once you've completed the HTTPS setup from the Tailscale plugin's help page, go to Settings > Management Access and enable "Use SSL/TLS". Note that you'll need to use https if connecting from the IP as well, and some browsers may have a fit with that. 

Edited by noahkiss
adding HTTPS info
Link to comment
14 hours ago, noahkiss said:

hey @EDACerton, small suggestion in the "help" tab for the plugin. When I ran the script, I got an error that my hostname couldn't be uppercase. Since casing matters for receiving the cert, but not for using the domain, you could consider revising the script slightly:

 

FQDN=$(hostname | tr '[:upper:]' '[:lower:]').${LOCAL_TLD%%[[:cntrl:]]}

 

This worked for me, and I didn't notice any adverse effects.

 

Also, I believe I have it configured on my other server to run monthly - you could add a suggestion to configure that with the User Scripts plugin if it's needed (I assume it's still using LE here? I didn't check). 

 

Thanks!

 

edit: Also, I found it in here by chance, but for anyone trying to access the unRAID web UI over your tailnet via HTTPS, once you've completed the HTTPS setup from the Tailscale plugin's help page, go to Settings > Management Access and enable "Use SSL/TLS". Note that you'll need to use https if connecting from the IP as well, and some browsers may have a fit with that. 

Thanks for this! I'll get it added into an upcoming update. I might try to add some extra logic as well to detect if the certificate has renewed, this would let the check be run more frequently. (This is to avoid a scenario where running monthly misses the certificate renewal window, or if it gets missed for some other reason like your server being restarted for updates at the exact wrong moment, Tailscale down for a few minutes, etc.)

 

I've been meaning to look at automating the SSL configuration for the WebGUI, but I'd been hesitant to do so early on since that potentially requires changing system settings too (domain name must be the Tailnet name, enabling SSL, etc.).  I'll have to give that some more thought now that the plugin is a little more mature.

  • Upvote 1
Link to comment
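
An added example, not code from this thread or from the plugin: the lowercase FQDN from noahkiss's line combined with the "has the certificate renewed?" check EDACerton describes, so the job can run daily instead of monthly. The function names, the example.ts.net tailnet name, the caller-supplied file paths and the use of `tailscale cert` with `openssl x509 -checkend` are assumptions.

```shell
#!/bin/sh
# Added example; not the plugin's help-page script.
LC_ALL=C; export LC_ALL   # byte-wise tr and [a-z] ranges, independent of locale

# build_fqdn HOST TLD -> lowercase "host.tld".
# Unlike ${LOCAL_TLD%%[[:cntrl:]]}, which drops one trailing control character,
# this removes control characters (such as a stray CR) anywhere in the name.
build_fqdn() {
    printf '%s.%s' "$1" "$2" | tr -d '[:cntrl:]' | tr '[:upper:]' '[:lower:]'
}

# is_valid_ts_name NAME -> 0 only for a lowercase DNS name ending in .ts.net.
is_valid_ts_name() {
    case "$1" in
        ""|.*|-*|*..*|*[!a-z0-9.-]*) return 1 ;;
        *.ts.net) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_expires_within FILE DAYS -> 0 if FILE is missing, unreadable,
# unparsable, or expires within DAYS; 1 if it is still good for that long.
cert_expires_within() {
    [ -r "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# renew_if_needed CERT KEY FQDN DAYS
# Returns 2 for a rejected name, 1 if the request fails, 0 otherwise.
# Example call (paths are placeholders):
#   renew_if_needed /path/to/cert.pem /path/to/key.pem \
#       "$(build_fqdn "$(hostname)" "$LOCAL_TLD")" 30
renew_if_needed() {
    if ! is_valid_ts_name "$3"; then
        echo "refusing to request a certificate for '$3'" >&2
        return 2
    fi
    if cert_expires_within "$1" "$4"; then
        tailscale cert --cert-file "$1" --key-file "$2" "$3" || return 1
        chmod 600 "$2"    # the private key should not be world-readable
    fi
    return 0
}

# Constructed input: mixed-case hostname, tailnet name with a trailing CR.
cr=$(printf '\r')
echo "would request: $(build_fqdn "Tower" "example.ts.net$cr")"
```

Scheduled daily, this only contacts Tailscale when the certificate on disk is missing or inside the threshold, which covers the missed-renewal-window case described above.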
41 minutes ago, EDACerton said:

I've been meaning to look at automating the SSL configuration for the WebGUI, but I'd been hesitant to do so early on since that potentially requires changing system settings too (domain name must be the Tailnet name, enabling SSL, etc.).  I'll have to give that some more thought now that the plugin is a little more mature.

 

For sure something to think about - Following your current help page, the only part I missed was enabling TLS/SSL in the management options - I think the best option would just be to update the help page for now. I have been on a big tailscale-first kick, and even I get tripped up sometimes, so for newer users, a one-click option may just lead to more support required in this forum :)

 

One option could be to add a link to the help tab from the main settings page - I didn't even realize the help tab had the info I needed until I googled enabling HTTPS for the server (because who looks at help pages, right?). 

 

As great as Tailscale is, my most frequent use is accessing on my phone, but it kills my iPhone's battery if I leave it always-on, and the "switch it on when a request goes to your.ts.net" has been wonky for me, so I personally hesitate at pushing users into it too easily who haven't already struggled through at least some of the learning required to understand the way Tailscale works and the potential drawbacks... I think that's where your help docs are a perfect in-between - not fully automated, but all of the requisite info is in the same place.

 

Apologies for the stream of consciousness. And thanks for the plugin!

Edited by noahkiss
fixing markdown
Link to comment

I’m a noob for Tailscale so I’m wondering if someone can give me a TLDR on why I would want to install this if I’m using the built-in WireGuard server successfully for remote VPN access to my Unraid server and home network. Just not clear what I gain in using Tailscale. Thank you!

Link to comment

@misterwiggles For a more correct & complete answer, view this:

 

https://tailscale.com/compare/wireguard

 

Essentially Tailscale is WireGuard, batteries-included. Instead of configuring WireGuard on every device you want to connect, you can just install the Tailscale app. There are trade-offs, of course, but generally Tailscale saves time & can minimize headaches. 

 

If you are happy with your WG setup and you don't need to fiddle with it, you won't gain anything by switching to Tailscale. On the other hand, if in the future you get annoyed when you need to add WG to a new device and try to remember all of the config options, or your networking changes and you need to update settings, or maybe you're rotating your keys, and you think to yourself, "man, this is an inconvenience!" - just remember that Tailscale is waiting for you...

  • Thanks 1
  • Upvote 1
Link to comment

Hello! I use Tailscale to access the WebGUI remotely on my unraid server. I access it by just connecting to the Tailscale server and typing in the address for my server that Tailscale shows to me. When I boot in the GUI OS mode this works fine and the dashboard comes up and I can manage my unraid server. When I boot in normal OS mode I am unable to connect to the GUI via tailscale. Tailscale shows that the server is connected and the port 80 is in use so I believe it’s running and everything I just can't connect to it. Any idea why? I have tailscale0 set in my addition interface thing btw. I am also able to ping the server just fine.

Link to comment
