December 12, 2025

For background, I have configured almost all docker containers with a custom br0 network using the same subnet as my unraid server (192.168.1.x), and each has its own hardcoded IP address in this subnet, as I use unifi equipment and macvlan so I can get stats, allocate access from vlans etc etc.

I just saw Space Invader One's youtube on connecting individual containers to a VPN and thought that is a good way to go. So I configured all that, changed the containers to use wg0, and wiped out the IP address. All working fine. I repeated for my other required containers; all also working fine.

Then I went out and had to access one remotely for some 'admin', so I did my usual thing: fired up tailscale on my iphone, went to the unraid logon, logged in, went to dockers, then clicked on the container and clicked webui, and nothing. I tried a few direct links also; they don't work either. Then I tried the tailscale-IP-address/port, same issue.

Seems I am missing something here when mixing wireguard and tailscale.

For reference, unraid is the latest release, using the built in tailscale. Also, the tailscale IP address can't do it either, so there is some sort of routing issue inbound from tailscale and into the docker network when using the wireguard connection to the VPN.

Any ideas?
December 12, 2025 (Author)

Some networking info for reference. Note, I created two wg tunnels out to two destinations (wg0 and wg1).
December 12, 2025 (Author)

And here is an example of a container updated like this. Do I have to enable an advertised route to the docker network for this to work or something?
December 14, 2025 (Author)

I thought this may be related to another issue introduced by 7.2 with access to dockers not being allowed from a vlan. After more testing however, this is not the case. I can access another container that is NOT configured to route via wireguard from a VLAN.

So where I am at now:

- remote iphone running tailscale can access 192.168.1.7 (unraid IP host) and get GUI, but can't access 192.168.1.7:6789 (nzbget docker routing via wg0).
- remote iphone running a wireguard client connecting to my router can access 192.168.1.7 (unraid IP host) and get GUI, but can't access 192.168.1.7:6789 (nzbget docker routing via wg0).

I am just concentrating on one container now, as if I fix one, then the same fix will work on each.

I came across the case below and thought that may be it: adding the LAN subnet to the LAN_NETWORK key of the container. My router wireguard network is 192.168.200.0, so I made this change:

192.168.1.0/24,192.168.200.0/24

but it still did not work. I am not sure what I should put in there for a tailscale test.

Not sure if @SpaceInvaderOne reads these posts, but I imagine he needs/wants to access these containers remotely, and I wonder how he does that?

Edited December 14, 2025 by vw-kombi
December 17, 2025 (Author)

Anyone with any ideas? I feel it is a routing issue back from the containers configured to use the vpn tunnel. But I don't have the skills to know for sure.

It is a pity, as @SpaceInvaderOne showed exactly this config in his latest video, and I'd like to use it for sonarr/radarr, but I need remote access to those. I can live without the nzbget/qbittorrent remote access, as they are the most in need of this vpn tunnel anyway.
December 20, 2025 (Author) Solution

AI (specifically copilot, but I guess they all know) knew about this issue. It said there is no tailscale route back. It said to add this after I gave it all my ip and naming info:

ip route add 100.64.0.0/10 dev tailscale1

And it worked, so I have added that to my startup. Hope this helps someone else!

Transcript - Why LAN → container works, but Tailscale → container fails

✅ LAN traffic

LAN devices send packets to 192.168.1.x → Unraid → wg1 container. The container replies back to 192.168.1.x via Unraid → LAN. Everything works.

❌ Tailscale traffic

Your iPhone sends packets from 100.x.x.x → Tailscale → Unraid → wg1 container. The container replies… but:

• It has no route back to the 100.x.x.x subnet
• So it sends the reply out the WireGuard VPN tunnel, not back to Unraid
• Your iPhone never sees the reply

This is why it looks like the container is unreachable, even though Unraid and LAN can reach it fine.

The fix: Add a return route on Unraid for the Tailscale subnet

You want Unraid to tell the container: "If you ever need to reply to a 100.x.x.x address, send it back through the Tailscale interface."

Your Tailscale subnet is always inside: 100.64.0.0/10
Your Tailscale interface is: tailscale1

✅ Run this on Unraid:

ip route add 100.64.0.0/10 dev tailscale1

This immediately fixes the return-path problem.

Edited December 20, 2025 by vw-kombi
January 22

@vw-kombi Do you know if it always is "ip route add 100.64.0.0/10 dev tailscale1"? Adding "ip route add 100.64.0.0/10 dev tailscale1" will only allow communication out to the fairphone, right? So is "ip route add 100.0.0.0/10 dev tailscale1" not the way to go? So that all devices can connect to the dockers?

I do have the following tailscale devices:

- fairphone 100.64.x.x
- Framework 100.94.x.x
- Proxmox 100.78.x.x
- UbuntuVM 100.97.x.x

I have posted the same issue at https://forums.unraid.net/topic/196689-cant-acces-docker-with-tailscale-addres-trough-imported-wireguard-setup/#comment-1603519
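The return route from the marked solution and the "does /10 cover all my devices" question in the reply above, worked through as an added example that nobody in the thread posted. It is a POSIX sh snippet of the kind that would go in an Unraid startup script: it adds the route only when it is not already in the routing table, and it carries a small helper that checks whether an address falls inside 100.64.0.0/10 (first octet 100, second octet 64 through 127). The interface name tailscale1 and the subnet 100.64.0.0/10 are taken from the thread; the `TS_IF` variable, the function names and the route-table text used to exercise the helpers offline are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tailscale plugin.
# Assumes the interface (tailscale1) and subnet (100.64.0.0/10) given in the
# solution post; override the interface with TS_IF=... if yours differs.

TS_IF="${TS_IF:-tailscale1}"
TS_NET="100.64.0.0/10"

# in_cgnat_range A.B.C.D
# Succeeds when the address lies inside 100.64.0.0/10, i.e. the range
# 100.64.0.0 - 100.127.255.255 (first octet 100, second octet 64..127).
# Every Tailscale node address is assigned from this block, so one /10
# route covers all of them; a narrower /16 per device is not needed.
in_cgnat_range() {
    addr="$1"
    o1=${addr%%.*}
    rest=${addr#*.}
    o2=${rest%%.*}
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# route_present "<output of ip route show>"
# Succeeds when a route for $TS_NET via $TS_IF is already in the table.
# Taking the table text as an argument lets the check run without root.
route_present() {
    printf '%s\n' "$1" | grep -Eq "^${TS_NET} .*dev ${TS_IF}( |$)"
}

# ensure_route
# Idempotent: reads the live routing table and only adds the return route
# when it is missing, so re-running the startup script never errors with
# "RTNETLINK answers: File exists".
ensure_route() {
    table="$(ip route show 2>/dev/null)" || table=""
    if route_present "$table"; then
        echo "route $TS_NET dev $TS_IF already present"
    else
        ip route add "$TS_NET" dev "$TS_IF" && echo "added route $TS_NET dev $TS_IF"
    fi
}

# Only touch the live routing table when invoked as:  sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_route
fi
```

Run with the `apply` argument (as root, since `ip route add` needs it) from the startup script; without it the file only defines the helpers, which is what allows the address and route checks to be exercised on any machine.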
January 22

This solved it for me too. Would be nice to get an option in the tailscale plugin or a fix for this.