Fix local IP Access for Tailscale enabled Containers when subnet routing is used


Hey there,

thought I'd post my solution for this problem here, because I've been rather annoyed with it over the past few days and finally found a good solution.

This issue affects you if you have a tailscale subnet router on the same network your containers are using.

If so, if you use tailscale in your containers, you won't be able to actually reach your containers' local IPs anymore once they are online.

Also explained (including the solution) in this tailscale KB article: https://tailscale.com/kb/1023/troubleshooting#lan-traffic-prioritization-with-overlapping-subnet-routes

Anyway, getting the fix applied to a docker container isn't the easiest unless we patch the tailscale container hook. Which is what I'm doing here.

If you have a need for this fix, you can find the patch here:

tailscale_container_hook.patch

diff --git a/tailscale_container_hook b/usr/local/share/docker/tailscale_container_hook
index 817e22e..7a70a18 100755
--- a/tailscale_container_hook
+++ b/tailscale_container_hook
@@ -82,12 +82,16 @@ elif [ ! -f /usr/bin/tailscale ] || [ ! -f /usr/bin/tailscaled ]; then
    echo "Installing additional packages: $(echo "${PACKAGES_TROUBLESHOOTING}" | sed 's/[[:blank:]]*$//' | sed 's/ /, /g')"
  fi
 
+  if [ "${TAILSCALE_LOCAL_ROUTE}" = "true" ]; then
+    INSTALL_IPROUTE2="iproute2 "
+  fi
+
  echo "Installing packages..."
  echo "Please wait..."
  if [ ! -z "${PACKAGES_UPDATE}" ]; then
    UPDATE_LOG=$(${PACKAGES_UPDATE} 2>&1)
  fi
-  INSTALL_LOG=$(${PACKAGES_INSTALL} jq wget ca-certificates ${INSTALL_IPTABLES}${PACKAGES_TROUBLESHOOTING} 2>&1)
+  INSTALL_LOG=$(${PACKAGES_INSTALL} jq wget ca-certificates ${INSTALL_IPTABLES}${INSTALL_IPROUTE2}${PACKAGES_TROUBLESHOOTING} 2>&1)
  INSTALL_RESULT=$?
 
  if [ "${INSTALL_RESULT}" -eq 0 ]; then
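Review bot: the package name in `INSTALL_IPROUTE2="iproute2 "` is hard-coded for whatever package manager sits behind `${PACKAGES_INSTALL}`, and the assignment appears to live inside the `elif [ ! -f /usr/bin/tailscale ] || [ ! -f /usr/bin/tailscaled ]` branch, so a container that already has both binaries never gets `ip` installed. Suggest adding the package only when `command -v ip` fails, mapping the name per package manager, and initialising `INSTALL_IPROUTE2` to an empty string first so a value inherited from the container environment cannot end up in the install command.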
@@ -351,6 +355,17 @@ if [ ! -z "${TAILSCALE_ADVERTISE_ROUTES}" ]; then
  fi
fi
 
+if [ "${TAILSCALE_LOCAL_ROUTE}" = "true" ]; then
+  if ! [ -x "$(command -v ip)" ]; then
+    echo 'ERROR: ip command is not available.'
+  else
+    DEFAULT_INT=$(ip route list default | awk '{ for(i=1;i<=NF;i++) if($i=="dev") print $(i+1); }')
+    LOCAL_SUBNET=$(ip r | grep -v default | grep "$default_interface" | awk '{ print $1 }')
+    echo "Fixing Routing to local subnet $LOCAL_SUBNET"
+    ip rule add to "$LOCAL_SUBNET" priority 2500 lookup main
+  fi
+fi
+
if [ ! -z "${TAILSCALE_SERVE_PORT}" ]; then
  if [ ! -z "${TAILSCALE_SERVE_PATH}" ]; then
    TAILSCALE_SERVE_PATH="=${TAILSCALE_SERVE_PATH}"
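Review bot: on the `LOCAL_SUBNET=` line the grep uses `$default_interface`, but the line above assigns `DEFAULT_INT`, so the pattern is empty and every non-default route matches. With more than one such route, `LOCAL_SUBNET` holds several lines and `ip rule add to "$LOCAL_SUBNET"` receives an invalid prefix. Suggest matching on `"dev ${DEFAULT_INT} "` (or comparing the field in awk), looping over the results, and skipping the add when the rule already exists. The missing-`ip` branch only echoes an error; returning a non-zero status or logging to stderr would make the failure easier to spot.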

Go to the /usr/local/share/docker/ directory and apply the patch via

git apply /dir/with/tailscale_container_hook.patch


You'll then need to add the "TAILSCALE_LOCAL_ROUTE" variable to your docker container you want the fix applied in like this:
[image.png]

Next time you restart the container (or fully apply the variable), the fix will be applied.

I've currently only tested it in debian/ubuntu containers to fully work. (arch based containers should also be fine)

The fix relies on iproute2 being available, and while I try to install it automatically via the patch, I don't know if the package is called the same in apk based installs.

So if it's not, you'll see an error in your Container logs: "ERROR: ip command is not available."

If so, tell me and I'll try to fix it.

Other than that, this won't survive an Unraid reboot. You'll need to put this into a userscript or the like and apply it at boot.

Edited by Feyo
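The routing fix described in the post above, as an added example that is not part of the original post or of the Unraid hook: it parses `ip route` output, finds the interface of the default route, and prints one `ip rule add ... priority 2500 lookup main` command per subnet on that interface. The function names and the sample route table are constructed for illustration; nothing is executed against the live routing table.

```shell
#!/bin/sh
# Added example: plan the LAN-priority rules from `ip route` output.
# A rule with a lower priority number is evaluated before Tailscale's own
# rules, so traffic to the local subnet stays in the main routing table.

# Constructed sample of `ip route` output from inside a container.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1'

# Read a route table on stdin, print the interface of the first default route.
default_iface() {
  awk '$1 == "default" {
         for (i = 1; i < NF; i++)
           if ($i == "dev") { print $(i + 1); exit }
       }'
}

# Read a route table on stdin, print each subnet (CIDR) routed via interface $1.
local_subnets() {
  awk -v dev="$1" '$1 != "default" && index($1, "/") > 0 {
         for (i = 1; i < NF; i++)
           if ($i == "dev" && $(i + 1) == dev) print $1
       }'
}

# Print (do not run) one rule command per local subnet in route table $1.
# Returns 1 when the table has no default route to anchor on.
plan_rules() {
  routes=$1
  dev=$(printf '%s\n' "$routes" | default_iface)
  if [ -z "$dev" ]; then
    echo "no default route found" >&2
    return 1
  fi
  printf '%s\n' "$routes" | local_subnets "$dev" | while read -r net; do
    echo "ip rule add to $net priority 2500 lookup main"
  done
}

# Show the plan for the constructed sample.
plan_rules "$SAMPLE_ROUTES"
```

To use it on a real container, pass `"$(ip route)"` instead of the sample, review the printed commands, and check `ip rule show` first so the same rule is not added twice.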

  • 4 weeks later...

Hi, I tried it and I get an error: corrupt patch at line 25 when trying to apply the patch.

Any idea why?

  • 2 weeks later...

Now getting a corrupt patch at line 40...

  • Author

Line 40 is the end of the file, so it sounds like some issue with an empty line or something maybe?

I uploaded the file directly from my Unraid installation to this comment here. If that doesn't work, there must be something else broken.

tailscale_container_hook.patch
