[Plugin] Tailscale


On 7/24/2024 at 10:06 AM, abstrakONE said:

I've been using Unraid for several months now on 2 of my machines and it’s been working great. I've recently started using Tailscale and its Unraid Plugin and wanted to start using it with my Docker containers I have running on my Unraid servers. Is there a good resource explaining how to go about using Tailscale with Docker containers so I can offer them up as Tailscale "Machines"? Can this be done using the standard Unraid interface for docker? I’d like to be able to specify the hostname for the machine for my tailnet and use tailnet serve to do the reverse proxy. How do I do this?

This can be done using the Unraid interface for Docker, but it's not a setting that can be "selected" per se.

  1. Create a Tailscale Docker container for the container you want to provide as a Tailscale "machine".
  2. Configure the network for the container that you are trying to connect to Tailscale:
    1. Switch to advanced view for the container settings.
    2. Set the "Network Type" to "None".
    3. Set "Extra Parameters" to "--network container:nameofyourtailscalecontainer"

If you want more support for that, please post over on the support thread for the Docker container:

 

Link to comment
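
The sidecar arrangement from the steps above, written as a Docker Compose file; this is an added example, not part of the original post or the plugin. The service names, hostname, appdata path and app image are placeholders, and `network_mode: service:tailscale` is the Compose counterpart of the `--network container:...` extra parameter.

```yaml
# Added example: one Tailscale sidecar per application container.
# All names, paths and the app image are placeholders (assumptions).
services:
  tailscale:
    image: tailscale/tailscale:latest
    hostname: myapp-ts                  # container hostname (placeholder)
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}        # pass in from the environment; do not store in the file
      - TS_HOSTNAME=myapp               # machine name that appears in the tailnet (placeholder)
      - TS_STATE_DIR=/var/lib/tailscale # persist node identity across restarts
      - TS_USERSPACE=false              # use the kernel TUN device mapped below
    volumes:
      - /mnt/user/appdata/tailscale-myapp:/var/lib/tailscale   # assumed appdata path
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

  app:
    image: example/app:latest           # placeholder for the real application image
    # Share the sidecar's network namespace instead of getting its own network.
    # Equivalent to "Network Type: None" plus
    # "--network container:nameofyourtailscalecontainer" in the Unraid template.
    network_mode: service:tailscale
    depends_on:
      - tailscale
    restart: unless-stopped
    # Deliberately no "ports:" section: the app listens inside the sidecar's
    # namespace and is reached through the sidecar's Tailscale address.
```

Because the app service publishes no ports, it is not exposed on the host's LAN address; it is reached at the sidecar's Tailscale IP or machine name, subject to the tailnet's access rules.
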
21 hours ago, cinereus said:

I have this issue again but the button popup isn't working at all now.

 

I can click the reauthenticate button 100 times but nothing happens and in the meantime lots of things on my server are broken.

 


 

How else can I reauthenticate other than by this broken button?

Running:

tailscale up --force-reauth

from the CLI will allow you to reauthenticate. I have a request in with Tailscale to improve the reauthentication behavior via the web interface, but I'm not sure when that will be worked on.

  • Like 1
Link to comment

I'm hoping to route my iPhone traffic through my home network, allowing me to connect to my local network's instance of Jellyfin, connect to my Unraid tower GUI, and otherwise appear to be on my home network even when I'm using my mobile LTE provider. I have set up Tailscale Plugin on my Unraid tower as an exit node, and set up Tailscale on my iPhone. Using ipleak, my iPhone shows my home network even when I'm on LTE, thus I believe I am connected. However I am unable to access Unraid GUI or Jellyfin on my iPhone when on LTE. I have set NetBIOS to "no" as well. I have no doubt this is just a setting I'm missing, but any thoughts as to what might be tripping me up here?

Link to comment
On 7/28/2024 at 2:38 PM, --Kyle-- said:

I'm hoping to route my iPhone traffic through my home network, allowing me to connect to my local network's instance of Jellyfin, connect to my Unraid tower GUI, and otherwise appear to be on my home network even when I'm using my mobile LTE provider. I have set up Tailscale Plugin on my Unraid tower as an exit node, and set up Tailscale on my iPhone. Using ipleak, my iPhone shows my home network even when I'm on LTE, thus I believe I am connected. However I am unable to access Unraid GUI or Jellyfin on my iPhone when on LTE. I have set NetBIOS to "no" as well. I have no doubt this is just a setting I'm missing, but any thoughts as to what might be tripping me up here?

Please provide diagnostics from inside the plugin settings.

 

You can also try restarting the plugin (there's a button inside the Tailscale settings), that fixes some issues too.

Link to comment

Just wanted to say, great plugin.

I have one small problem, I advertised subnets, to be able to access from unraid my pihole and router that are on a different subnet.

I can access router remotely, but can't access pihole. I entered ip correctly, 192.168.0.1/32 for router, and 192.168.0.50/32 for pihole.

Where did I make a mistake? 

 

 


Link to comment
3 hours ago, caras said:

Just wanted to say, great plugin.

I have one small problem, I advertised subnets, to be able to access from unraid my pihole and router that are on a different subnet.

I can access router remotely, but can't access pihole. I entered ip correctly, 192.168.0.1/32 for router, and 192.168.0.50/32 for pihole.

Where did I make a mistake?

The advertised routes look fine.

 

Based on your statement about the router/pihole being on a different subnet, I'd probably look at the rules on the router/firewall... the traffic might be getting blocked there.

  • Like 1
Link to comment

I just checked, Pihole is the only one unreachable. My unraid server is 192.168.0.25, and when I am accessing webui via desktop pc, I can access everything, all dockers, including pi on 192.168.0.50. When I do that on the phone, and phone is on wifi, I can access everything on 192.168.0.25, all docker apps, but not pihole on 192.168.0.50. So I guess it has nothing to do with tailscale itself.

Link to comment
11 hours ago, EDACerton said:

The advertised routes look fine.

 

Based on your statement about the router/pihole being on a different subnet, I'd probably look at the rules on the router/firewall... the traffic might be getting blocked there.

I checked a little bit more, whatever is on br0 (pihole, filebrowser) is not accessible with tailscale and subnets.

Solution for me was to enable host access to custom networks in docker settings. Now, I can access everything.

 

One question, is this maybe some kind of security risk?

Edited by caras
Found the solution meanwhile
Link to comment
9 hours ago, caras said:

I checked a little bit more, whatever is on br0 (pihole, filebrowser) is not accessible with tailscale and subnets.

Solution for me was to enable host access to custom networks in docker settings. Now, I can access everything.

 

One question, is this maybe some kind of security risk?

You found the solution that I was going to give you :)

 

Technically, any network access is a security risk, but I wouldn't be concerned about the docker setting :D

  • Like 1
Link to comment
7 hours ago, EDACerton said:

You found the solution that I was going to give you :)

 

Technically, any network access is a security risk, but I wouldn't be concerned about the docker setting :D

Thank you so much for your help. Your plugin is a lifesaver. 

Link to comment

First off, thanks for the awesome plugin!

Second, I'm so sorry if this was already covered somewhere back on page 20 or whatever. :)

I read the last 3-4 pages and didn't see anything...

Anyway, here's the issue:
TS is up and running, and I can access my unraid GUI and shares remotely.  However, this is only the case if I disable my Windows firewall on my client machine.  I thought TS was supposed to pierce firewalls and such? 
I use Malwarebytes Windows Firewall Control (awesome free software, btw), which allows me to quickly toggle states on and off.  If I toggle it off (or even lower the profile from 'medium' to 'low' filtering), I can connect without issue.  If I go back to my default 'medium' filtering state, it blocks TS completely, and I get a Windows "unable to connect"-type error. 
I've already given TS express permission for both inbound and outbound traffic, so I'm not sure why it's not working.  Any ideas?

Link to comment
40 minutes ago, Elmojo said:

First off, thanks for the awesome plugin!

Second, I'm so sorry if this was already covered somewhere back on page 20 or whatever. :)

I read the last 3-4 pages and didn't see anything...

Anyway, here's the issue:
TS is up and running, and I can access my unraid GUI and shares remotely.  However, this is only the case if I disable my Windows firewall on my client machine.  I thought TS was supposed to pierce firewalls and such? 
I use Malwarebytes Windows Firewall Control (awesome free software, btw), which allows me to quickly toggle states on and off.  If I toggle it off (or even lower the profile from 'medium' to 'low' filtering), I can connect without issue.  If I go back to my default 'medium' filtering state, it blocks TS completely, and I get a Windows "unable to connect"-type error. 
I've already given TS express permission for both inbound and outbound traffic, so I'm not sure why it's not working.  Any ideas?

This is a problem on your Windows machine, not something that the plugin can fix. 
 

Tailscale does allow connections to traverse NAT, but it can still be blocked by a firewall, especially on the client. You’ll have to look at the Windows Firewall configuration/logs to see why the client is preventing Tailscale communication.

  • Thanks 1
Link to comment

Recently, Tailscale stopped working for me after I could use it for some months. I just can't connect to the unraid dashboard via Tailscale anymore.

Using the latest version Tailscale 1.70.0-t0e0a21241-g26f80df92

Unraid 6.12.11

 

I'm not aware of any changes I made, but it came to my mind that it's maybe related to my ISP change. With the new ISP, I seem not to get a public IPv4 address (on the modem, the IPv4 is different from the one at a website like https://browserleaks.com/ip). Is this not supported by Tailscale?


After I found out that I couldn't connect anymore, I looked at the Unraid settings again. Tailscale plug-in shows this warning on the "Viewbing Button": Cannot access this device’s Tailscale IP. Make sure you are connected to your tailnet, and that your policy file allows access.

I used the feature "Erase Tailscale Configuration" and logged in again. All settings are standard.

 


 

On the admin console at login.tailscale.com the unraid server shows as online. But still, I can't open with my phone or WinPC the unraid admin page (with connected Tailscale).  I tried using the direct ip and machine name. It didn't work.

 


I have also created a Tailscale diagnostic log. Is it safe to post it publicly?

 

 

  

 

Edited by bluecat
Link to comment
6 hours ago, bluecat said:

Recently, Tailscale stopped working for me after I could use it for some months. I just can't connect to the unraid dashboard via Tailscale anymore.

Using the latest version Tailscale 1.70.0-t0e0a21241-g26f80df92

Unraid 6.12.11

 

I'm not aware of any changes I made, but it came to my mind that it's maybe related to my ISP change. With the new ISP, I seem not to get a public IPv4 address (on the modem, the IPv4 is different from the one at a website like https://browserleaks.com/ip). Is this not supported by Tailscale?


After I found out that I couldn't connect anymore, I looked at the Unraid settings again. Tailscale plug-in shows this warning on the "Viewbing Button": Cannot access this device’s Tailscale IP. Make sure you are connected to your tailnet, and that your policy file allows access.

I used the feature "Erase Tailscale Configuration" and logged in again. All settings are standard.

 

On the admin console at login.tailscale.com the unraid server shows as online. But still, I can't open with my phone or WinPC the unraid admin page (with connected Tailscale).  I tried using the direct ip and machine name. It didn't work.

 


I have also created a Tailscale diagnostic log. Is it safe to post it publicly?

Your diagnostics look fine. The WebGUI appears to be listening on the correct port:

tcp        0      0 100.120.140.x:80       0.0.0.0:*               LISTEN  

 

The plugin tests for a connection on the Tailscale IP as well, which is successful:

2024/08/05 18:36:18 rc.tailscale: Starting tailscaled: /usr/local/sbin/tailscaled -statedir /boot/config/plugins/tailscale/state -tun tailscale1 
2024/08/05 18:36:18 tailscale-watcher.php: Starting tailscale-watcher
2024/08/05 18:36:33 tailscale-watcher.php: Tailscale IP detected, applying configuration
2024/08/05 18:36:33 tailscale-watcher.php: /usr/local/sbin/tailscale set --accept-routes=false
2024/08/05 18:36:33 tailscale-watcher.php: /usr/local/sbin/tailscale set --accept-dns=false
2024/08/05 18:36:33 tailscale-watcher.php: /usr/local/sbin/tailscale set --stateful-filtering=false
2024/08/05 18:36:33 tailscale-watcher.php: Restarting Unraid services
2024/08/05 18:36:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80
2024/08/05 18:37:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80
2024/08/05 18:38:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80
2024/08/05 18:39:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80
2024/08/05 18:40:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80
2024/08/05 18:41:48 tailscale-watcher.php: WebGUI listening on 100.120.140.x:80

Based on the error message you're describing, I would check to see if there's something weird happening with your management device. Also, make sure that you're using the new Tailscale IP for the Unraid server; it will change after running "Erase Configuration".

 

You could also try adding the Tailscale hello server to your tailnet, then try to access it from your phone/laptop just to make certain that everything there is working properly:

 

https://tailscale.com/kb/1073/hello

  • Thanks 1
Link to comment

First of all, thanks for the deployment of the plugin, so far it has been working great.

 

I have a question regarding the port that the plugin is using. I know that the tailscale default port is 41641, however, it seems that the plugin is using a random port. Tailscale documentation states that the default port can be changed in /etc/default/tailscaled but there is no such file in the unraid server, does any one of you guys know how to set a custom port for the tailscale plugin to use??

Link to comment
8 minutes ago, DaveCR said:

First of all, thanks for the deployment of the plugin, so far it has been working great.

 

I have a question regarding the port that the plugin is using. I know that the tailscale default port is 41641, however, it seems that the plugin is using a random port. Tailscale documentation states that the default port can be changed in /etc/default/tailscaled but there is no such file in the unraid server, does any one of you guys know how to set a custom port for the tailscale plugin to use??

Switch to advanced mode in the plugin settings, there's an option there to assign a port number.

  • Like 1
Link to comment
13 hours ago, DaveCR said:

First of all, thanks for the deployment of the plugin, so far it has been working great.

 

I have a question regarding the port that the plugin is using. I know that the tailscale default port is 41641, however, it seems that the plugin is using a random port. Tailscale documentation states that the default port can be changed in /etc/default/tailscaled but there is no such file in the unraid server, does any one of you guys know how to set a custom port for the tailscale plugin to use??

Thank you for your quick support and looking at the diagnostic log. I rebooted everything and suddenly, it's working again. Very weird. I will monitor and see if it will stay stable. Thank you again!

Link to comment
On 7/9/2024 at 8:00 PM, EDACerton said:

I'd check to make certain that /var/log isn't full.

The dashboard shows a 5% utilization on logs. I do not see these glyphs anywhere else except the tailscale log. Any ideas?


Edited by sdballer
Link to comment

Hey @EDACerton,

 

I am having issues with switching from the docker -> plugin.

  1. I feel like I have tried everything in this thread but I still cannot see my server in File Explorer (Network Tab)
  2. I cannot add via 'Add Network Location' (\\servername\sharename or tailscaleIP\sharename)
  3. I can view the Unraid web GUI and I can access my dockers via Tailscale IP:docker ID

I included the diag zip here.  Please let me know what else you may need to assist in resolving my issue :) 

RamJam-tailscale-diag-20240812-185801.zip

Link to comment
On 8/10/2024 at 7:05 PM, sdballer said:

The dashboard shows a 5% utilization on logs. I do not see these glyphs anywhere else except the tailscale log. Any ideas?

 

I'm not sure what to make of that... there could be something weird happening with how the Tailscale logs get redirected to the log file. Can you generate a diagnostic pack from inside the plugin settings for me?

Link to comment
