[Support] Tailscale Support Thread



This is the support thread for deasmi/unraid-tailscale docker CA.

Latest version of tailscale included: 1.8.0

TailScale - Private networks made easy

Connect all your devices using WireGuard®, without the hassle.
Tailscale makes it as easy as installing an app and signing in.

This container sets up tailscale for unraid. Tailscale is a managed point to point VPN using wireguard.

It is intended to allow you to access services of your unraid server over tailscale, it does not, and is not intended to, provide a VPN gateway to your LAN.

Communications are limited to services that listen on all interfaces on the host itself via standard bridge or host networking.

It will register as hostname unraid, if you want to change that see 'Extra Parameters' in the container config and change to the hostname you would like.

** IMPORTANT: When you first start this container you must check the log file for the logon URL, then enter it into a browser and log on to Tailscale. I would then also advise setting the keys to not expire for your unraid host **

You need to look for the following in the log

Quote

To authenticate, visit:

https://login.tailscale.com/a/<LONGHEXNUMBER>

** Note that this will expose your whole server into your tailscale VPN network **

Do not do this if you do not understand what that means.

Edited by dsmith44
Update version

Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!

Update:

I figured it out.  I never did find anything in the logs. What I had to do was to go in to Docker > click on the TailScale icon > go to Console > When the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Edited by Ragemachinest

Adding on from my previous post, I wanted to access other machines in my home network that I can't install tailscale on (IP cameras, etc). To solve for this, I made sure the "Network Type" was set to "bridge". I went in to the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):

tailscale up --advertise-routes=192.168.1.0/24

After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and click "Enable subnet routes"

Back in the docker console I ran: vi /etc/sysctl.d/00-alpine.conf

I added a line: net.ipv4.ip_forward=1 then saved the file.

I ran the command: echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter

I ran the command: iptables -t nat -A POSTROUTING -j MASQUERADE

I could then hit my internal IPs from an iPhone on LTE, e.g. http://192.168.1.145 let me hit my IP cam's web interface.

I rebooted and the settings persisted, so it seems to be a permanent setup now.

Edited by Ragemachinest
6 hours ago, dubbly said:

Why use this as opposed to just the basic wireguard install?

For my use case, it was ease of which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

Edited by Ragemachinest
12 hours ago, Ragemachinest said:

For my use case, it was ease of which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

I am curious. What causes a double NAT in your situation?

7 hours ago, dubbly said:

I am curious. What causes a double NAT in your situation?

My ISP, which is a local WISP, has a single public IP for the whole service. The IP coming in to my network from the ISP is an assigned private/internal IP address. Because of that, I cannot get an inbound connection to my network because it's blocked by the ISP; I have no control over ports.

On 4/17/2020 at 1:40 AM, Ragemachinest said:

Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!

Update:

I figured it out.  I never did find anything in the logs. What I had to do was to go in to Docker > click on the TailScale icon > go to Console > When the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Apologies, I wasn't watching this topic for some reason.

The log in question is the docker log, just click the log button on the far right of the docker screen in the tailscale row.

On 4/17/2020 at 8:11 AM, Ragemachinest said:

Adding on from my previous post, I wanted to access other machines in my home network that I can't install tailscale on (IP cameras, etc). To solve for this, I went in to the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):

tailscale up --advertise-routes=192.168.1.0/24

After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and click "Enable subnet routes"

Back in the docker console I ran: vi /etc/sysctl.d/00-alpine.conf

I added a line: net.ipv4.ip_forward=1 then saved the file.

I ran the command: echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter

I ran the command: iptables -t nat -A POSTROUTING -j MASQUERADE

I could then hit my internal IPs from an iPhone on LTE, e.g. http://192.168.1.145 let me hit my IP cam's web interface.

I rebooted and the settings persisted, so it seems to be a permanent setup now.

I had not intended this to be used for network access, to me tailscale is about point to point communications, so I run it everywhere.

However that's just me, I'm glad you got it to work, and I might have a look at including an environmental variable to enable network routing when I get a moment.

This is a slightly kludgy solution using NAT on the outbound though rather than setting up full network routability.

Edited by dsmith44
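The recipe quoted above, and the maintainer's remark that it is NAT on the outbound rather than full routing, turn the Unraid host into a gateway for the whole LAN with a catch-all MASQUERADE rule. The script below is an added example, not the container's code and not from anyone in the thread: it checks the two kernel settings the recipe relies on and prints a narrower command set whose NAT rule only matches tailnet-sourced packets leaving the LAN interface. The LAN interface name br0 (Unraid's bridge; eth0 if bridging is off), the SYSCTL_ROOT override and the function names are assumptions of the example; 100.64.0.0/10 is the address range Tailscale assigns to nodes.

```shell
#!/bin/sh
# Added example (not the container's code nor the thread's): audit the kernel
# prerequisites behind the subnet-router recipe and print a narrower rule set.
# Assumptions: the LAN-facing interface is br0 (eth0 if bridging is off),
# /proc/sys can be redirected for testing, and Tailscale nodes live in
# 100.64.0.0/10.

LAN_IF="${LAN_IF:-br0}"
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
TS_CGNAT="100.64.0.0/10"

# valid_cidr CIDR: succeed only for a dotted-quad IPv4 network with prefix /0-/32
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(3[0-2]|[12]?[0-9])$'
}

# read_sysctl KEY: print a /proc/sys value (path form, e.g. net/ipv4/ip_forward)
# or "missing" when the interface or key does not exist
read_sysctl() {
    if [ -r "$SYSCTL_ROOT/$1" ]; then
        cat "$SYSCTL_ROOT/$1"
    else
        echo missing
    fi
}

# forwarding_ready: succeed when IPv4 forwarding is on and tailscale0 is not in
# strict reverse-path mode (0 = off, as in the recipe; 2 = loose also passes)
forwarding_ready() {
    [ "$(read_sysctl net/ipv4/ip_forward)" = "1" ] || return 1
    case "$(read_sysctl net/ipv4/conf/tailscale0/rp_filter)" in
        0|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# subnet_router_cmds CIDR: print the commands for advertising CIDR. The NAT
# rule matches only tailnet-sourced packets leaving the LAN interface, so the
# host's own traffic and everything else passing POSTROUTING is left alone,
# unlike a bare "-A POSTROUTING -j MASQUERADE".
subnet_router_cmds() {
    valid_cidr "$1" || { echo "invalid IPv4 CIDR: $1" >&2; return 1; }
    cat <<EOF
tailscale up --advertise-routes=$1
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.tailscale0.rp_filter=0
printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.d/00-alpine.conf
iptables -t nat -A POSTROUTING -s $TS_CGNAT -o $LAN_IF -j MASQUERADE
EOF
}

# stand-alone usage from the container console: sh subnet_router.sh 192.168.1.0/24
if [ -n "${1:-}" ]; then
    if forwarding_ready; then
        echo "forwarding prerequisites already in place; rules to apply:"
    else
        echo "forwarding prerequisites missing; full command set:"
    fi
    subnet_router_cmds "$1"
fi
```

The script only prints; the operator reviews the commands and runs them in the container console. Narrowing the masquerade rule to `-s 100.64.0.0/10 -o br0` keeps the change to the one flow the recipe needs (tailnet to LAN) and makes it obvious in `iptables -t nat -S` what the container has added to the host.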
On 4/19/2020 at 1:22 AM, dubbly said:

Why use this as opposed to just the basic wireguard install?

Tailscale is, in my view, scratching a slightly different itch.

It is still wireguard, but it's wireguard plus NAT busting and zero management of many to many connections. I'm not just using this to connect to my unraid server, but also virtual servers.

Unraid is joining my mesh here, this isn't providing access to my LAN remotely.

If you want a hub and spoke model I'd suggest still using out of the box wireguard, if you want genuine point to point this is much easier to setup.

Edited by dsmith44

I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start. The error in the log I see is:

"Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)"

Is anyone else getting this?

4 hours ago, Ragemachinest said:

I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start. The error in the log I see is:

"Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)"

Is anyone else getting this?

My apologies, I shouldn't have pushed this as hadn't tested myself, thinking just a simple point update.

This is broken currently and I don't know why.

The STUN process isn't working in 0.98 in this docker container, I am going to build using their official Dockerfile and test outside of Unraid.

If it doesn't work there either will submit a bug report, if it does then at least I can start narrowing down the cause.

For now please use deasmi/unraid-tailscale:0.97

Update: I have recreated the issue on stand alone Ubuntu server and submitted issue to tailscale

https://github.com/tailscale/tailscale/issues/368

Edited by dsmith44
19 hours ago, dsmith44 said:

My apologies, I shouldn't have pushed this as hadn't tested myself, thinking just a simple point update.

This is broken currently and I don't know why.

The STUN process isn't working in 0.98 in this docker container, I am going to build using their official Dockerfile and test outside of Unraid.

If it doesn't work there either will submit a bug report, if it does then at least I can start narrowing down the cause.

For now please use deasmi/unraid-tailscale:0.97

Update: I have recreated the issue on stand alone Ubuntu server and submitted issue to tailscale

https://github.com/tailscale/tailscale/issues/368

Awesome! Thank you for the response and update!


Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP.

I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.

I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

Help?

6 hours ago, fserb said:

Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP.

I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.

I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

Help?

I was running in to this issue last night and just as a test I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge, host, and because I'm forwarding, all of my internal IPs as well.

Edited by Ragemachinest
9 hours ago, fserb said:

Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP.

I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.

I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

Help?

I will do some testing and perhaps change the definition to prefer bridge networking instead, my docker networking is a bit rusty so time for some reading I think.

On 5/16/2020 at 3:13 AM, Ragemachinest said:

I was running in to this issue last night and just as a test I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge, host, and because I'm forwarding, all of my internal IPs as well.

Just setting the docker to bridge didn't work for me. I can ping the host, but not even access other services on the unraid (even the ones that did work with "host", like ssh).

I'm guessing yours works as a side-effect of the IP forwarding you set up?


I'm pretty sure there's an issue with Tailscale's iptables rules and Unraid's docker iptables.

I've also tried using tailscale tip of tree, but no success there either.

Someone who understands Unraid iptables better would have an easier time with this.

dsmith, I have a suggestion for your docker-entrypoint.sh. Replace the bottom lines with:

(sleep 10; tailscale up) &

exec tailscaled --state=/state/tailscaled.state

it's much nicer than your current while loop. ;)

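The fixed sleep in the entrypoint suggested above assumes tailscaled is listening within ten seconds; on a slow first start it is not, and tailscale up then fails with the "Failed to connect to tailscaled ... no such file or directory" error quoted earlier in the thread. The script below is an added example, not the container's docker-entrypoint.sh and not code from the thread: it polls for the daemon's control socket with a bounded timeout before calling tailscale up. The TS_* variable names, the 30 s default and the TS_SOCK_TEST override (which lets the wait loop be exercised against an ordinary file) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the container's real docker-entrypoint.sh: wait for
# tailscaled's control socket instead of sleeping a fixed 10 seconds before
# "tailscale up". Variable names, defaults and the TS_SOCK_TEST override
# (which lets the wait loop be exercised against an ordinary file) are the
# example's own assumptions.

TS_SOCK="${TS_SOCK:-/var/run/tailscale/tailscaled.sock}"
TS_STATE="${TS_STATE:-/state/tailscaled.state}"
TS_TIMEOUT="${TS_TIMEOUT:-30}"        # seconds to wait for the daemon
TS_SOCK_TEST="${TS_SOCK_TEST:--S}"    # file test; -S = "is a unix socket"

# wait_for_socket PATH SECONDS: poll once a second until PATH passes the
# file test; fail after SECONDS so a daemon that never comes up is reported
# rather than silently skipped
wait_for_socket() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ $TS_SOCK_TEST "$1" ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# bring_up: call "tailscale up" only once the daemon is reachable, so the
# "Failed to connect to tailscaled" error cannot come from a start-up race.
# Extra flags such as --hostname=... can be passed through TS_UP_ARGS.
bring_up() {
    if wait_for_socket "$TS_SOCK" "$TS_TIMEOUT"; then
        tailscale up ${TS_UP_ARGS:-}
    else
        echo "tailscaled socket $TS_SOCK not ready after ${TS_TIMEOUT}s" >&2
        return 1
    fi
}

# Act as the entrypoint only when invoked with "start"; sourcing the file
# defines the functions without launching anything.
if [ "${1:-}" = "start" ]; then
    bring_up &
    exec tailscaled --state="$TS_STATE"
fi
```

Keeping `exec tailscaled` as the last statement preserves the property of the suggested version that the daemon is PID 1 and receives the container's stop signal; the only change is that the background helper waits for evidence the daemon is up instead of guessing.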
I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.

It took us a while to figure out, because there's another problem on this Dockerfile.

`RUN git checkout -b v0.98` doesn't do what you think it does, either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98` :). The way it is you are just creating a new branch called v0.98 on top of master.

On 5/20/2020 at 4:35 AM, fserb said:

I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.

It took us a while to figure out, because there's another problem on this Dockerfile.

`RUN git checkout -b v0.98` doesn't do what you think it does, either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98` :). The way it is you are just creating a new branch called v0.98 on top of master.

Fixed, bit embarrassing that one... thanks.


Re: host vs bridge mode

Having thought this through I feel host is the correct mode for this to operate in.

Host means the networking is part of the base host networking so if the host can see the port tailscale will be able to as well.

However that relies on the mapped ports listening on all addresses, which, if I check my unraid server, they do.

root@unraid:~# ss -ltu
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
..
tcp    LISTEN  0       128                 *:8200              *:*
..

However the only IP address that you'll be able to access through tailscale will be the tailscale ip address itself, trying to use a LAN address, a docker bridge network address or any other address is going to fail as we aren't doing subnet forwarding.

I am not currently keen on even trying to add subnet forwarding to this container as it was never my intention to create a VPN gateway, just to allow access to Unraid services from tailscale.

I am also not sure if this is even necessarily possible without additional steps outside of the container itself; if I look in the Apps list OpenVPN server is available as a plugin but not as a container. So building a plugin is likely a better route for someone to look at, but not something I'm going to get into.

I would suggest using the built in wireshark support if you want to get a VPN connection to the whole network.

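To see which services will actually answer on the Tailscale IP in host mode, the listeners bound to all addresses have to be separated from those pinned to one LAN address, which is what the ss check above does by eye. The script below is an added example, not from the thread or the container: it classifies `ss -ltun` output (numeric form, so addresses are not resolved to names) by bind address. The ss output embedded in it is a constructed sample and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: classify listening sockets from
# "ss -ltun" output by the address they are bound to. Wildcard binds ("*",
# 0.0.0.0, [::]) answer on the Tailscale IP in host mode; sockets pinned to
# one LAN address do not. The sample below is constructed, not captured.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128                *:8200                *:*
tcp   LISTEN 0      4096    192.168.1.10:5000        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443             [::]:*
udp   UNCONN 0      0          127.0.0.1:323          0.0.0.0:*'

# classify_listeners < ss-output: print "proto port scope" per listener, where
# scope is "any" for a wildcard bind and the bound address otherwise
classify_listeners() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
        la = $5
        i = match(la, /:[0-9]+$/)          # last ":port" component
        if (i == 0) next
        addr = substr(la, 1, i - 1)
        port = substr(la, i + 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            scope = "any"
        else
            scope = addr
        print $1, port, scope
    }'
}

# ports_reachable_on_tailscale_ip < ss-output: wildcard-bound ports, sorted,
# on one space-separated line
ports_reachable_on_tailscale_ip() {
    classify_listeners | awk '$3 == "any" { print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# pinned_listeners < ss-output: listeners that will NOT answer on the Tailscale
# IP because they are bound to one specific address
pinned_listeners() {
    classify_listeners | awk '$3 != "any" { print $1, $2, $3 }'
}

# stand-alone usage: runs against the constructed sample; on a live host
# replace the printf with "ss -ltun" (or ". ./audit.sh; ss -ltun | pinned_listeners")
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

Run against a real host this is the quick way to confirm the maintainer's claim for each container: a row reading `tcp 8200 any` will be reachable as `http://<tailscale-ip>:8200`, whereas a row with a LAN address in the third column needs its port mapping changed to bind on all addresses before tailscale can reach it.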