
Using wireguard on some containers to access VPN - this stops tailscale from accessing the container

For background, I have configured almost all docker containers with a custom br0 network using the same subnet as my unraid server (192.168.1.x), and each has its own hardcoded IP address in this subnet, as I use unifi equipment and macvlan so I can get stats, allocate access from vlans, etc.

I just saw SpaceInvaderOne's YouTube video on connecting individual containers to a VPN - and thought that is a good way to go.

So I configured all that, and changed the containers to use wg0, and wiped out the IP address - all working fine.

I repeated for my other required containers - all also working fine.

Then I went out, and had to access one remotely for some 'admin' so I did my usual thing - fired up tailscale on my iphone, went to the unraid logon, logged in, went to dockers, then clicked on the container, and clicked webui - and nothing. I tried a few direct links also - they don't work either. Then I tried the tailscale-IP-address/port - same issue.

Seems I am missing something here when mixing wireguard and tailscale.

For reference, unraid is the latest release, using the built-in tailscale. Also - the tailscale IP address can't do it either - so there is some sort of routing issue inbound from tailscale and into the docker network when using the wireguard connection to the VPN.

Any ideas?

Solved by vw-kombi

  • Author

Some networking info for reference. Note, I created two wg tunnels out to two destinations (wg0 and wg1).


  • Author

And here is an example of a container updated like this.

Do I have to enable an advertised route to the docker network for this to work or something?

  • Author

I thought this may be related to another issue introduced by 7.2 with access to dockers not being allowed from a vlan.

After more testing however, this is not the case. I can access another container that is NOT configured to route via wireguard from a VLAN.

So where I am at now -

remote iphone running tailscale can access 192.168.1.7 (unraid IP host) and get GUI, but can't access 192.168.1.7:6789 (nzbget docker routing via wg0).

remote iphone running a wireguard client connecting to my router can access 192.168.1.7 (unraid IP host) and get GUI, but can't access 192.168.1.7:6789 (nzbget docker routing via wg0).

I am just concentrating on one container now - as if I fix one, then the same fix will work on each.

I came across this case below - and thought that may be it - adding the LAN subnet to the LAN_NETWORK key of the container, and my router wireguard network is 192.168.200.0 so I made this change -

192.168.1.0/24,192.168.200.0/24

but it still did not work. I am not sure what I should put in there for a tailscale test.

Not sure if @SpaceInvaderOne reads these posts, but I imagine he needs/wants to access these containers remotely, and I wonder how he does that?

Edited by vw-kombi

  • Author

Anyone with any ideas? I feel it is a routing issue back from the containers configured to use the vpn tunnel.

But I don't have the skills to know for sure.

It is a pity - as @SpaceInvaderOne showed exactly this config in his latest video, and I'd like to use it for sonarr/radarr - but I need remote access to those.

I can live without the nzbget/qbittorrent remote access - as they are the most in need of this vpn tunnel anyway.

  • Author
  • Solution

AI (specifically copilot but I guess they all know) - knew about this issue.

It said there is no tailscale router back.

It said to add this after I gave it all my ip and naming info - ip route add 100.64.0.0/10 dev tailscale1

And it worked - so I have added that to my startup.

Hope this helps someone else!

Transcript -

Why LAN → container works, but Tailscale → container fails
LAN traffic
LAN devices send packets to 192.168.1.x → Unraid → wg1 container
The container replies back to 192.168.1.x via Unraid → LAN
Everything works.
Tailscale traffic
Your iPhone sends packets from 100.x.x.x → Tailscale → Unraid → wg1 container
The container replies… but:
• It has no route back to the 100.x.x.x subnet
• So it sends the reply out the WireGuard VPN tunnel, not back to Unraid
• Your iPhone never sees the reply
This is why it looks like the container is unreachable, even though Unraid and LAN can reach it fine.

The fix: Add a return route on Unraid for the Tailscale subnet
You want Unraid to tell the container: “If you ever need to reply to a 100.x.x.x address, send it back through the Tailscale interface.”
Your Tailscale subnet is always inside: 100.64.0.0/10
Your Tailscale interface is: tailscale1

Run this on Unraid: ip route add 100.64.0.0/10 dev tailscale1
This immediately fixes the return‑path problem.

Edited by vw-kombi
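The thread's fix is a single `ip route add`, which is lost on reboot and fails with "File exists" if run twice. Here is an idempotent version for a startup script (added here as an example; it is not code from the thread or from Unraid), assuming the same `100.64.0.0/10` Tailscale range and `tailscale1` interface as above, and the standard `ip route show` output format (hypothetical sample table is constructed for testing):

```shell
#!/bin/sh
# Added example: make the Tailscale return route survive restarts and repeats.
# Assumes Tailscale's CGNAT range (100.64.0.0/10) and the interface name
# tailscale1 used in the thread above.
TS_SUBNET="100.64.0.0/10"
TS_IFACE="tailscale1"

# route_present TABLE_TEXT: exit 0 if TABLE_TEXT (output of `ip route show`)
# already has a line "<subnet> dev <iface> ...", else exit 1.
route_present() {
    printf '%s\n' "$1" | awk -v net="$TS_SUBNET" -v dev="$TS_IFACE" \
        '$1 == net && $2 == "dev" && $3 == dev { found = 1 } END { exit !found }'
}

# ts_route_plan TABLE_TEXT: print the command still needed, or nothing if the
# route is already present. Pure function, so it can be checked without root.
ts_route_plan() {
    if route_present "$1"; then
        :
    else
        echo "ip route add $TS_SUBNET dev $TS_IFACE"
    fi
}

# apply_ts_return_route: read the live table and add the route only if missing.
# Refuses to act when the Tailscale interface is not up yet (e.g. the plugin
# has not started), so a startup script can simply retry later.
apply_ts_return_route() {
    ip link show "$TS_IFACE" >/dev/null 2>&1 || {
        echo "$TS_IFACE not present yet; nothing done" >&2
        return 1
    }
    cmd="$(ts_route_plan "$(ip route show)")"
    if [ -z "$cmd" ]; then
        echo "return route for $TS_SUBNET via $TS_IFACE already present"
    else
        $cmd && echo "added return route: $cmd"
    fi
}

# Only touch the routing table when explicitly asked: `sh thisscript.sh apply`
[ "${1:-}" = "apply" ] && apply_ts_return_route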

  • 1 month later...

@vw-kombi Do know if it always is "ip route add 100.64.0.0/10 dev tailscale1" ?

Adding "ip route add 100.64.0.0/10 dev tailscale1" will only allow communication out to the fairphone right?
So is ip route add 100.0.0.0/10 dev tailscale1" not the way to go? So that all devices can connect to the dockers?

I do have the following tailscale devices:

fairphone 100.64.x.x.
Framework 100.94.x.x

Proxmox 100.78.X.x

UbuntuVM 100.97.x.X

I have posted the same issue at https://forums.unraid.net/topic/196689-cant-acces-docker-with-tailscale-addres-trough-imported-wireguard-setup/#comment-1603519

This solved it for me to, Would me nice to get a option in tailscale plugin or fix for this.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.