April 17, 2024 (Author)

4 minutes ago, Duckers said:
Hoi, tailscale is now all set up on my end, unraid as exit node, I can browse the web and everything. But I can't seem to access unraid's webui or anything. Nor browse the shares over SMB with x-plore. docker logs shows it's accepting, but still can't access anything of the server.

Please use the plugin instead. This is only for specialist use cases now.
May 11, 2024

An update would be nice. Thx 4 your work.

Quote:
Security update available. This machine is running a version with a known security vulnerability. It’s recommended to update to 1.66.1.
May 21, 2024

1 hour ago, blaine07 said:
1.66.4 won't stay running on my Unraid; not sure if just me or what...

I had the same issue... The Log tells you what to update in the advanced setting: --advertise-exit-node --advertise-routes=192.168.1.0/24 --stateful-filtering newly added to mine. --stateful-filtering working now.

Edited May 21, 2024 by sdballer
May 21, 2024

50 minutes ago, sdballer said:
I had the same issue... The Log tells you what to update in the advanced setting: --advertise-exit-node --advertise-routes=192.168.1.0/24 --stateful-filtering newly added to mine. --stateful-filtering working now.

What exactly does stateful filtering do/is it for?
May 21, 2024

50 minutes ago, blaine07 said:
What exactly does stateful filtering do/is it for?

https://tailscale.com/security-bulletins

Description: Insufficient inbound packet filtering in subnet routers and exit nodes
May 8, 2024
TS-2024-005

Quote:
Stateful packet filtering on packet-forwarding nodes
On Linux packet-forwarding nodes we added stateful packet filtering. This means that these nodes keep track of forwarded connections and only allow return packets for existing outbound connections. Inbound packets that don't belong to an existing connection are dropped. Because routing is implemented differently on non-Linux platforms, this mitigation is only necessary on Linux. Stateful filtering is enabled by default.......

Edited May 21, 2024 by sdballer
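Added example (not part of any post in this thread, and not Tailscale's code): a simplified Python model of the behaviour the quoted bulletin describes, where a forwarding node tracks outbound connections and drops inbound packets that do not belong to one. The class and function names, the addresses, and the idle timeout are assumptions made for this illustration.

```python
# Simplified model of stateful filtering on a packet-forwarding node.
# Constructed for illustration; not Tailscale's implementation.
from dataclasses import dataclass

IDLE_TIMEOUT = 120  # seconds; assumed value for this model


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = forwarded for a tailnet client, "in" = the other way
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulForwarder:
    """Forwards outbound packets, and inbound packets only if they are replies."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.flows = {}  # 5-tuple in outbound orientation -> last-seen time

    def forward(self, pkt, now):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.flows[key] = now  # create or refresh the tracked connection
            return True
        # Inbound: mirror the 5-tuple and look for a tracked outbound flow.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.flows.get(key)
        if last_seen is None or now - last_seen > self.idle_timeout:
            self.flows.pop(key, None)  # unknown or expired: drop
            return False
        self.flows[key] = now
        return True


def demo():
    fw = StatefulForwarder()
    # Constructed sample addresses: tailnet client, LAN server, other LAN host.
    client, server, other = "100.64.0.2", "192.168.1.7", "192.168.1.50"
    return [
        fw.forward(Packet("out", "tcp", client, 40000, server, 445), now=0),   # new outbound
        fw.forward(Packet("in", "tcp", server, 445, client, 40000), now=1),    # its reply
        fw.forward(Packet("in", "tcp", other, 445, client, 40000), now=2),     # unsolicited host
        fw.forward(Packet("in", "tcp", server, 445, client, 40001), now=3),    # unsolicited port
        fw.forward(Packet("in", "tcp", server, 445, client, 40000), now=500),  # idle past timeout
    ]
```

Only the first two packets are forwarded; the other three are inbound packets with no live tracked connection and are dropped.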
May 23, 2024

On 5/22/2024 at 4:50 AM, sdballer said:
I had the same issue... The Log tells you what to update in the advanced setting: --advertise-exit-node --advertise-routes=192.168.1.0/24 --stateful-filtering newly added to mine. --stateful-filtering working now.

Thanks mate! The fix worked for me.

Edited May 23, 2024 by Degn
May 24, 2024

I’d like to ssh via Tailscale from a device on my tailnet (let’s call it “TN2”) into my Unraid server which is running the Tailscale plugin. As expected, running /app/tailscale set --ssh from the Tailscale docker container’s CLI enables my Unraid server for ssh (confirmed at my Tailscale admin console "machines" page), but (also as expected), this only grants access to files INSIDE the Tailscale docker container.

As I would like access to other folders/files of my broader Unraid server array (i.e. for back-up to that other “TN2” tailnet device), does anyone have a best practice for opening up for broader array access? I can swap the direction, having the Unraid system initiate the ssh to my other tailnet device (“TN2”), but I’d prefer to orchestrate it from the "TN2" side into the Unraid server.

Any suggestions?
May 26, 2024

On 5/24/2024 at 1:54 PM, Rothemich said:
I’d like to ssh via Tailscale from a device on my tailnet (let’s call it “TN2”) into my Unraid server which is running the Tailscale plugin. As expected, running /app/tailscale set --ssh from the Tailscale docker container’s CLI enables my Unraid server for ssh (confirmed at my Tailscale admin console "machines" page), but (also as expected), this only grants access to files INSIDE the Tailscale docker container. As I would like access to other folders/files of my broader Unraid server array (i.e. for back-up to that other “TN2” tailnet device), does anyone have a best practice for opening up for broader array access? I can swap the direction, having the Unraid system initiate the ssh to my other tailnet device (“TN2”), but I’d prefer to orchestrate it from the "TN2" side into the Unraid server. Any suggestions?

Never mind ^^. I conflated docker container and plugin.
June 1, 2024 (Author)

Hello everyone.

At this point I want to step back from supporting this docker container, I don't use it personally at all. That was clear with the recent update that I just pushed without testing it at all, sorry but as I said I don't use this and have no interest in it anymore.

For 99%+ of people the plugin is better and should be used. For the 1% of people doing odd things, you have some choices to make.

- Some of you take over the management of this, it's easy, run a script, push to docker hub. I'll work with you and good folk at Unraid on how to best manage the transition as I have no idea
- You individually use the script to build your own images
- Something else - ideas on a postcard

I'm going to put a date of the end of June for the last updates I will push to this, so after that unless someone wants to pick this up it will go stale at that point.
June 11, 2024

I added a template that installs the official Tailscale Docker container, it is available in CA as "Tailscale-Docker". The official container should be suitable for the advanced use cases which require a separate Tailscale instance.
June 12, 2024 (Author)

@EDACerton has suggested to me that his template that uses the official docker container becomes the replacement for my container. I think this is a good idea, and thank you. We'll work together to test/document cut over and then I'll update the instructions for this to reference his.
October 11, 2024

Is there a way to switch from this docker to the plugin without changing Tailscale creds and IP? I have been using this docker and I have external services that depend on the Tailscale IP. It's not going to be particularly easy to switch from one to the other without breaking connectivity for some remote services.
October 14, 2024

How do I access Unraid via hostname on my LAN? Since I installed Tailscale, and Tailscale didn't like SMB, I disabled SMB. I can no longer reach "http://tower" (because SMB is disabled). I can reach "http://192.168.1.7". Thank you.
October 14, 2024

On 10/11/2024 at 3:56 AM, warpspeed said:
I have been using this docker and I have external services that depend on the Tailscale IP.

1. Never use the IP addresses for anything, use host names instead
2. Assign the same IP once you move over to the plugin - you can do this in the admin console

35 minutes ago, Jaybau said:
I can no longer reach "http://tower" (because SMB is disabled).

SMB doesn't affect name resolution in general and certainly not over http.
October 14, 2024

1 hour ago, Jaybau said:
What about for machines where I do not have (cannot) Tailscale installed?

Doesn't really make a difference, IF.... If you can resolve those machines by hostname on your own private LAN, you can make that work with Tailscale. Use a subnet route on at least one LAN node, defined as the CIDR for your LAN (like 10.0.0.0/24). And make sure that system is also using your local DNS.

I've found the above is only needed for hosts that live outside your LAN to access your LAN as if they were local. Machines that are already in the LAN shouldn't need the above.

Example, I'm using the advertised subnet on TS running on a VPS in the US while my LAN is in Canada. I've set my local DNS (AdGuard Home) as the Global DNS in the Tailscale admin console. I'm not using Tailscale DNS on any nodes.

This is what I've done to be able to access everything on my LAN. In addition however, I'm also running my own DNS resolver (upstream of AdGuard) where I give every machine and service a meaningful host name, so I don't rely only on mDNS. And for those that need it, for secure certificates on the web, I also use Nginx Proxy Manager to change ports and apply certificates. I've got Tailscale running alongside that inside a container (LXC in my case) which also makes it so the tailnet sees all those proxies.

Practical examples of devices I can access which don't have Tailscale:
- Any of my managed switches
- My Jailbroken PS3 and PS4
- Wii-U
- IP cameras
- Commercial NVR
- Any of my Wifi-based home automation devices
- Home Assistant VM - via web or via Home Assistant app
- CNC controller
- etc

Edited October 14, 2024 by Espressomatic
October 14, 2024

On machines within Tailscale, I can resolve hostnames. On a machine outside of Tailscale, I cannot resolve hostnames.

I set up a subnet using the IP address range of my local LAN (without Tailscale):

My goal is to get the machine outside of Tailscale to resolve the hostname "tower" to 192.168.1.7. Something similar to what SMB was doing for me before I disabled SMB.
October 14, 2024

Easiest way: Give all those machines names via DHCP

Additional suggestion: put a FQDN onto your LAN. Like "mylan.tld" - it has to be a real TLD if you want to use it from a web browser easily. Best to have your own registered domain, but you can obviously just make one up if you're not going to need to resolve it from an outside public network. Then every machine you create a name for will be reachable via name.domain.tld

This all has to work on your LAN before it can work through your tailnet

Like I said earlier, I don't rely on mDNS advertisements from the individual machines - that's setting an Unraid machine name inside Unraid itself like your "Tower" example and then being able to resolve that as tower.local from other LAN devices.

Edited October 14, 2024 by Espressomatic
October 15, 2024

3 hours ago, Espressomatic said:
1. Never use the IP addresses for anything, use host names instead
2. Assign the same IP once you move over to the plugin - you can do this in the admin console

Thanks, in regards to 1. I would do that but the config files only accept IP addresses. In regards to 2. I wasn't aware we could do that now, must be a recent new Tailscale feature - that'd certainly solve my problem then. Thanks!
October 15, 2024

3 minutes ago, warpspeed said:
Thanks, in regards to 1. I would do that but the config files only accept IP addresses.

Then I'd make sure you advertise your LAN route(s) to the tailnet from at least one machine and use the routes on any machine that can't normally access those ranges. Then use your LAN IPs instead of the Tailnet IPs, so long as they're reserved/static.

Edited October 15, 2024 by Espressomatic
October 15, 2024

2 minutes ago, Espressomatic said:
Then I'd make sure you advertise your LAN route(s) to the tailnet from at least one machine and use the routes on any machine that can't normally access those ranges. Then use your LAN IPs instead of the Tailnet IPs, so long as they're reserved/static.

Good idea, I definitely could do that. But I'd prefer not to as it's high traffic and I'd rather it not loop through my subnet routers.
March 7, 2025

Hello, the latest update breaks the docker, it has the wrong os/arch version declared. It's linux/arm64/v8 instead of the correct linux/amd64.

https://hub.docker.com/r/deasmi/unraid-tailscale/tags

Don't update the docker till it is fixed, in case you already updated the docker you will need to rollback. Open the docker properties, at the top of docker properties enter the following and for the repository field: apply: deasmi/unraid-tailscale:1.78
March 7, 2025 (Author)

DO NOT USE - SEE FIRST PAGE
This docker container is deprecated

This is now fixed, but this is the last ever update.

SIX MONTHS FROM NOW DOCKER HUB IMAGES WILL BE REMOVED

Edited March 7, 2025 by dsmith44