dsmith44 Posted April 7, 2020 (edited)

Introduction

If you want to access your unraid server over tailscale, at this point you are better off using the plugin: Unraid Tailscale Plugin. I will continue to update this for those using tailscale to, for example, connect groups of docker containers on private networks into tailscale. Please use the plugin otherwise; use for direct access to unraid is considered deprecated, and support will not be provided by me.

This is the support thread for the deasmi/unraid-tailscale docker CA. If you have a feature request or bug report please also try and add an issue on github: https://github.com/deasmi/unraid-tailscale

If you find this useful please consider donating to my chosen charity, Cancer Research: https://www.justgiving.com/fundraising/unraid-tailscale Thank you to those that have already donated.

Latest version of tailscale included: please see the last page of posts for the update. This supports TLS certificates and Downloads, see below for instructions.

Please note I normally skip 1.xx.0 releases as there are often bug fix releases shortly afterwards. In any event I will wait at least two weeks after a 1.xx.0 release before updating latest, or normally even pushing a build.

What is this?

Quote:
> TailScale - Private networks made easy. Connect all your devices using WireGuard®, without the hassle. Tailscale makes it as easy as installing an app and signing in.

This container sets up tailscale for unraid. Tailscale is a managed point to point VPN using wireguard. It is intended to allow you to access services of your unraid server over tailscale; it does not, and is not intended to, provide a VPN gateway to your LAN. If you can contact unraid services over tailscale this is working as intended.

For clarity, I cannot provide support for use of --advertise-routes or other custom setups, and in all likelihood it will not behave as you expect.
Due to the way docker works, and arp works, and switches work, you will potentially have a nasty time. **If you want a tailscale gateway to your LAN use your firewall or a raspberry pi or anything else at all other than this container. We cannot support you at all if you are using --advertise-routes, please do not ask**

Communications are limited to services that listen on all interfaces on the host itself via standard bridge or host networking.

Installation and setup

Before you start it is a good idea to make sure you have already registered with Tailscale and installed tailscale onto another computer: https://login.tailscale.com/start

Then install this app on Unraid and start it up. There are no config changes needed for the default setup; however it will register as hostname unraid. If you want to change that, see 'Extra Parameters' in the container config and change to the hostname you would like before you start up. This can be changed later.

** IMPORTANT: When you first start this container you must check the log file for the logon URL and then enter it into a browser and logon to tailscale. I would then also advise setting the keys to not expire for your unraid host **

You need to look for the following in the log:

Quote:
> To authenticate, visit: https://login.tailscale.com/a/<LONGHEXNUMBER>

** Note that this will expose your whole server into your tailscale VPN network ** The container runs with docker host networking, and so it shares a network stack with the underlying host, so any services you can see on the LAN you'll be able to see on tailscale. Do not do this if you do not understand what that means.

Downloads

Starting with release 1.24.2-downloads you can now support automatic downloads with taildrop. If you have already installed tailscale you will need to add some extra parameters manually as shown below.
TLS Certificates

If you want to use TLS certificates as per https://tailscale.com/kb/1153/enabling-https/ you will need to connect to the console of the docker container and issue the tailscale cert command.

External Links

Ibracorp have a guide with video on how to set all this up, as well as some advanced topics like exit nodes: https://docs.ibracorp.io/tailscale/

Edited August 9 by dsmith44: Add Ibracorp guide
Octa Posted April 8, 2020

Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?
dsmith44 Posted April 8, 2020 (Author)

> 5 hours ago, Octa said:
> Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?

I have no idea I'm afraid. I would suggest a quick download of the client from https://tailscale.com to check.
Ragemachinest Posted April 17, 2020 (edited)

Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!

Update: I figured it out. I never did find anything in the logs. What I had to do was to go into Docker > click on the TailScale icon > go to Console > when the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Edited April 17, 2020 by Ragemachinest
Ragemachinest Posted April 17, 2020 (edited)

Adding on from my previous post, I wanted access to other machines in my home network that I can't install tailscale on (IP cameras, etc). To solve for this, I made sure the "Network Type" was set to "bridge". I went into the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):

    tailscale up --advertise-routes=192.168.1.0/24

After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and clicked "Enable subnet routes".

Back in the docker console I ran:

    vi /etc/sysctl.d/00-alpine.conf

I added a line:

    net.ipv4.ip_forward=1

then saved the file. I ran the command:

    echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter

I ran the command:

    iptables -t nat -A POSTROUTING -j MASQUERADE

I could then hit my internal IPs from an iPhone on LTE, e.g. http://192.168.1.145 let me hit my IP cam's web interface. I rebooted and the settings persisted, so it seems to be a permanent setup now.

Edited May 15, 2020 by Ragemachinest
dubbly Posted April 19, 2020

Why use this as opposed to just the basic wireguard install?
Ragemachinest Posted April 19, 2020 (edited)

> 6 hours ago, dubbly said:
> Why use this as opposed to just the basic wireguard install?

For my use case, it was the ease with which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

Edited April 19, 2020 by Ragemachinest
dubbly Posted April 19, 2020

> 12 hours ago, Ragemachinest said:
> For my use case, it was the ease with which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

I am curious. What causes a double NAT in your situation?
Ragemachinest Posted April 20, 2020

> 7 hours ago, dubbly said:
> I am curious. What causes a double NAT in your situation?

My ISP, which is a local WISP, has a single public IP for the whole service. The IP coming in to my network from the ISP is an assigned private/internal IP address. Because of that, I cannot get an inbound connection to my network because it's blocked by the ISP; I have no control over ports.
dsmith44 Posted May 9, 2020 (Author)

> On 4/17/2020 at 1:40 AM, Ragemachinest said:
> Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!
>
> Update: I figured it out. I never did find anything in the logs. What I had to do was to go into Docker > click on the TailScale icon > go to Console > when the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Apologies, I wasn't watching this topic for some reason. The log in question is the docker log; just click the log button on the far right of the docker screen in the tailscale row.
dsmith44 Posted May 9, 2020 (Author, edited)

> On 4/17/2020 at 8:11 AM, Ragemachinest said:
> Adding on from my previous post, I wanted access to other machines in my home network that I can't install tailscale on (IP cameras, etc). To solve for this, I went into the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):
>
>     tailscale up --advertise-routes=192.168.1.0/24
>
> After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and clicked "Enable subnet routes".
>
> Back in the docker console I ran:
>
>     vi /etc/sysctl.d/00-alpine.conf
>
> I added a line:
>
>     net.ipv4.ip_forward=1
>
> then saved the file. I ran the command:
>
>     echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter
>
> I ran the command:
>
>     iptables -t nat -A POSTROUTING -j MASQUERADE
>
> I could then hit my internal IPs from an iPhone on LTE, e.g. http://192.168.1.145 let me hit my IP cam's web interface. I rebooted and the settings persisted, so it seems to be a permanent setup now.

I had not intended this to be used for network access; to me tailscale is about point to point communications, so I run it everywhere. However that's just me. I'm glad you got it to work, and I might have a look at including an environment variable to enable network routing when I get a moment. This is a slightly kludgy solution using NAT on the outbound though, rather than setting up full network routability.

Edited May 9, 2020 by dsmith44
dsmith44 Posted May 9, 2020 (Author, edited)

> On 4/19/2020 at 1:22 AM, dubbly said:
> Why use this as opposed to just the basic wireguard install?

Tailscale is, in my view, scratching a slightly different itch. It is still wireguard, but it's wireguard plus NAT busting and zero management of many to many connections. I'm not just using this to connect to my unraid server, but also virtual servers. Unraid is joining my mesh here; this isn't providing access to my LAN remotely.

If you want a hub and spoke model I'd suggest still using out of the box wireguard; if you want genuine point to point this is much easier to set up.

Edited May 9, 2020 by dsmith44
Ragemachinest Posted May 10, 2020

I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start. The error in the log I see is:

    Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)

Is anyone else getting this?
dsmith44 Posted May 10, 2020 (Author, edited)

> 4 hours ago, Ragemachinest said:
> I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start. The error in the log I see is:
>
>     Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)
>
> Is anyone else getting this?

My apologies, I shouldn't have pushed this as I hadn't tested it myself, thinking it was just a simple point update. This is broken currently and I don't know why. The STUN process isn't working in 0.98 in this docker container. I am going to build using their official Dockerfile and test outside of Unraid. If it doesn't work there either I will submit a bug report; if it does then at least I can start narrowing down the cause.

For now please use deasmi/unraid-tailscale:0.97

Update: I have recreated the issue on a stand alone Ubuntu server and submitted an issue to tailscale: https://github.com/tailscale/tailscale/issues/368

Edited May 10, 2020 by dsmith44
Ragemachinest Posted May 11, 2020

> 19 hours ago, dsmith44 said:
> My apologies, I shouldn't have pushed this as I hadn't tested it myself, thinking it was just a simple point update. This is broken currently and I don't know why. The STUN process isn't working in 0.98 in this docker container. I am going to build using their official Dockerfile and test outside of Unraid. If it doesn't work there either I will submit a bug report; if it does then at least I can start narrowing down the cause.
>
> For now please use deasmi/unraid-tailscale:0.97
>
> Update: I have recreated the issue on a stand alone Ubuntu server and submitted an issue to tailscale: https://github.com/tailscale/tailscale/issues/368

Awesome! Thank you for the response and update!
dsmith44 Posted May 12, 2020 (Author)

Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98. :latest will contain this fix, 0.98.1 will contain this fix.
Ragemachinest Posted May 15, 2020

> On 5/12/2020 at 12:37 PM, dsmith44 said:
> Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98. :latest will contain this fix, 0.98.1 will contain this fix.

Can confirm that works for me now. Thanks!
fserb Posted May 16, 2020

Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP. I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

Help?
Ragemachinest Posted May 16, 2020 (edited)

> 6 hours ago, fserb said:
> Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...
>
> Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".
>
> My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP. I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.
>
> Help?

I was running into this issue last night and just as a test I decided to switch the Tailscale docker to "bridge", and that solved my connectivity issues. So far I can access both bridge and host, and because I'm forwarding, all of my internal IPs as well.

Edited May 16, 2020 by Ragemachinest
dsmith44 Posted May 16, 2020 (Author)

> 9 hours ago, fserb said:
> Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...
>
> Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".
>
> My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP. I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.
>
> Help?

I will do some testing and perhaps change the definition to prefer bridge networking instead. My docker networking is a bit rusty, so time for some reading I think.
fserb Posted May 19, 2020

> On 5/16/2020 at 3:13 AM, Ragemachinest said:
> I was running into this issue last night and just as a test I decided to switch the Tailscale docker to "bridge", and that solved my connectivity issues. So far I can access both bridge and host, and because I'm forwarding, all of my internal IPs as well.

Just setting the docker to bridge didn't work for me. I can ping the host, but not even access other services on the unraid (even the ones that did work with "host", like ssh). I'm guessing yours works as a side-effect of the IP forwarding you set up?
fserb Posted May 19, 2020

I'm pretty sure there's an issue with Tailscale's iptables rules and Unraid's docker iptables. I've also tried using tailscale tip of tree, but no success there either. Someone who understands Unraid iptables better would have an easier time with this.

dsmith, I have a suggestion for your docker-entrypoint.sh. Replace the bottom lines with:

    # bring the node up once the daemon has had time to start,
    # then hand PID 1 over to tailscaled itself
    (sleep 10; tailscale up) &
    exec tailscaled --state=/state/tailscaled.state

It's much nicer than your current while loop.
fserb Posted May 20, 2020

I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.

It took us a while to figure, because there's another problem on this Dockerfile. `RUN git checkout -b v0.98` doesn't do what you think it does; either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98`. The way it is you are just creating a new branch called v0.98 on top of master.
dsmith44 Posted May 23, 2020 (Author)

> On 5/20/2020 at 4:35 AM, fserb said:
> I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.
>
> It took us a while to figure, because there's another problem on this Dockerfile. `RUN git checkout -b v0.98` doesn't do what you think it does; either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98`. The way it is you are just creating a new branch called v0.98 on top of master.

Fixed, bit embarrassing that one... thanks.
dsmith44 Posted May 23, 2020 (Author)

Re: host vs bridge mode

Having thought this through I feel host is the correct mode for this to operate in. Host means the networking is part of the base host networking, so if the host can see the port tailscale will be able to as well. However that relies on the mapped ports listening on all addresses, which if I check my unraid server they do.

    root@unraid:~# ss -ltu
    Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
    ..
    tcp   LISTEN 0      128    *:8200              *:*
    ..

However the only IP address that you'll be able to access through tailscale will be the tailscale IP address itself; trying to use a LAN address, a docker bridge network address or any other address is going to fail as we aren't doing subnet forwarding.

I am not currently keen on even trying to add subnet forwarding to this container as it was never my intention to create a VPN gateway, just to allow access to Unraid services from tailscale. I am also not sure if this is even necessarily possible without additional steps outside of the container itself; if I look in the Apps list OpenVPN server is available as a plugin but not as a container. So building a plugin is likely a better route for someone to look at, but not something I'm going to get into.

I would suggest using the built in wireshark support if you want to get a VPN connection to the whole network.
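As an added example, not from this thread or the deasmi/unraid-tailscale project: a small POSIX shell check that reads `ss -ltun` output and classifies each listener by its bind address, so you can predict which unraid services the host-networked container will answer for on the tailscale IP (wildcard binds) and which it will not (LAN-address or loopback binds, since nothing is forwarded). The `ss` output embedded below is constructed for the example; on a real host pipe `ss -ltun` into `classify_listeners`.

```shell
#!/bin/sh
# Added example: classify listeners from `ss -ltun` output by bind address.
# With the container in host networking mode, only sockets bound to every
# address (*, 0.0.0.0, [::]) answer on the host's tailscale IP; sockets bound
# to a LAN address or to loopback will not, because no subnet forwarding is
# done. Input is read on stdin; output is "<netid> <port> <class>" per line.
classify_listeners() {
  awk '
    $1 == "Netid" { next }                 # skip the ss header row
    {
      la = $5                              # "Local Address:Port" column
      port = la; sub(/.*:/, "", port)      # text after the last colon
      addr = la; sub(/:[^:]*$/, "", addr)  # everything before it
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
        cls = "wildcard"                   # reachable on the tailscale IP
      else if (addr ~ /^127\./ || addr == "[::1]")
        cls = "loopback"                   # host-local only
      else
        cls = "bound:" addr                # pinned to one interface address
      printf "%s %s %s\n", $1, port, cls
    }'
}

# Only the ports a tailscale peer should be able to reach, as netid/port.
reachable_ports() {
  classify_listeners | awk '$3 == "wildcard" { print $1 "/" $2 }'
}

# Constructed sample of `ss -ltun` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    *:8200               *:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.10:8080    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      128    [::]:80              [::]:*
udp   UNCONN 0      0      0.0.0.0:41641        0.0.0.0:*'

echo "== all listeners =="
printf '%s\n' "$SAMPLE_SS" | classify_listeners
echo "== reachable over tailscale =="
printf '%s\n' "$SAMPLE_SS" | reachable_ports
```

Anything reported as `bound:<LAN address>` or `loopback` is exactly the case the post above describes: the service exists on the host, but a connection to the tailscale IP on that port will fail.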