April 7, 2020

THIS IS DEPRECATED NO SUPPORT IS PROVIDED - DO NOT USE

YOU ALMOST ALWAYS WANT THE TAILSCALE PLUGIN NOT THIS DOCKER CONTAINER

Following 7.0.0. release which has built in support for Tailscale in docker I will update this for three more months after which it will be replaced with a non functioning container.

You should use the plugin or built in support, see here

@EDACerton has a solution for using the official containers from Tailscale here

I have pushed the last version of this today - 1.80.2 - I will not push any more versions. 3rd March 2025

DO NOT START USING THIS CONTAINER

STOP USING THIS CONTAINER

----------------------- HISTORICAL ONLY ------------------------

Introduction

If you want to access your unraid server over tailscale at this point you are better using the plugin.

Unraid Tailscale Plugin

I have continued to update this for those using tailscale to, for example, connect groups of docker containers on private networks into tailscale. I will stop support end of June 2024.

Please use the plugin otherwise, use for direct access to unraid is considered deprecated, support will not be provided by me.

This is the support thread for deasmi/unraid-tailscale docker CA.

If you have a feature request or bug report please also try and add an issue on github https://github.com/deasmi/unraid-tailscale

If you find this useful please consider donating to my chosen charity, Cancer Research. https://www.justgiving.com/fundraising/unraid-tailscale

Thank you to those that have already donated.

Latest version of tailscale included: Please see last page of posts for update

This supports TLS certificates and Downloads, see below for instructions

Please note I normally skip 1.xx.0 releases as there are often bug fix releases shortly afterwards. In any event I will wait at least two weeks after a 1.xx.0 release before updating latest, or normally even pushing a build.

What is this?

> TailScale - Private networks made easy
> Connect all your devices using WireGuard,® without the hassle. Tailscale makes it as easy as installing an app and signing in.

This container sets up tailscale for unraid. Tailscale is a managed point to point VPN using wireguard.

It is intended to allow you to access services of your unraid server over tailscale, it does not, and is not intended to, provide a VPN gateway to your LAN. If you can contact unraid services over tailscale this is working as intended.

For clarity I cannot provide support for use of --advertise-routes or other custom setups, and in all likelihood it will not behave as you expect. Due to the way docker works, and arp works, and switches work you will potentially have a nasty time.

**If you want a tailscale gateway to your lan use your firewall or a raspberry pi or anything else at all other than this container. We cannot support you at all if you are using --advertise-routes, please do not ask**

Communications are limited to services that listen on all interfaces on the host itself via standard bridge or host networking.

Installation and setup

Before you start it is a good idea to make sure you have already registered with Tailscale and installed tailscale onto another computer. https://login.tailscale.com/start

Then install this app on Unraid and start it up, there are no config changes needed for the default setup however it will register as hostname unraid, if you want to change that see 'Extra Parameters' in the container config and change to the hostname you would like before you start up. This can be changed later.

** IMPORTANT When you first start this container you must check the log file for the logon URL and then enter it into a browser and logon to tail scale. I would then also advise setting the keys to not expire for your unraid host **

You need to look for the following in the log

> To authenticate, visit: https://login.tailscale.com/a/<LONGHEXNUMBER>

** Note that this will expose your whole server into your tailscale VPN network **

The container runs with docker host networking, and so it shares a network stack with the underlying host, so any services you can see on the LAN you'll be able to see on tailscale. Do not do this if you do not understand what that means.

Downloads

Starting with release 1.24.2-downloads you can now support automatic downloads with taildrop. If you have already installed tailscale you will need to add some extra parameters manually as shown below.

TLS Certificates

If you want to use TLS certificates as per https://tailscale.com/kb/1153/enabling-https/ you will need to connect to the console of the docker container and issue the tailscale cert command.

External Links

Ibracorp have a guide with video on how to set all this up, as well as some advanced topics like exit nodes. https://docs.ibracorp.io/tailscale/

Edited April 30, 2025 by dsmith44: Add Ibracorp guide

April 8, 2020

Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?

April 8, 2020 Author

5 hours ago, Octa said:
> Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?

I have no idea I'm afraid, I would suggest a quick download of the client from https://tailscale.com to check.

April 17, 2020

Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!

Update: I figured it out. I never did find anything in the logs. What I had to do was to go in to Docker > click on the TailScale icon > go to Console > When the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Edited April 17, 2020 by Ragemachinest

April 17, 2020

Adding on from my previous post, I wanted to access to other machines in my home network that I can't install tailscale on (IP cameras, etc).

To solve for this, I made sure the "Network Type" was set to "bridge". I went in to the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):

    tailscale up --advertise-routes=192.168.1.0/24

After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and click "Enable subnet routes"

Back in the docker console I ran:

    vi /etc/sysctl.d/00-alpine.conf

I added a line:

    net.ipv4.ip_forward=1

then saved the file.

I ran the command:

    echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter

I ran the command:

    iptables -t nat -A POSTROUTING -j MASQUERADE

I could then hit my internal IPs from an iPhone on LTE e.g. http://192.168.1.145 let me hit my IP cams web interface

I rebooted and the settings persisted, so it seems to be a permanent setup now.

Edited May 15, 2020 by Ragemachinest

April 19, 2020

6 hours ago, dubbly said:
> Why use this as opposed to just the basic wireguard install?

For my use case, it was ease of which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

Edited April 19, 2020 by Ragemachinest

April 19, 2020

12 hours ago, Ragemachinest said:
> For my use case, it was ease of which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

I am curious. What causes a double NAT in your situation?

April 20, 2020

7 hours ago, dubbly said:
> I am curious. What causes a double NAT in your situation?

My ISP, which is a local WISP, has a single public IP for the whole service. The IP coming in to my network from the ISP is an assigned private/internal IP address. Because of that, I cannot get an inbound connection to my network because it's blocked by the ISP; I have no control over ports.

May 9, 2020 Author

On 4/17/2020 at 1:40 AM, Ragemachinest said:
> Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!
>
> Update: I figured it out. I never did find anything in the logs. What I had to do was to go in to Docker > click on the TailScale icon > go to Console > When the console opens type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or login and you should be set. Mine now shows up in my console under Machines as "unraid".

Apologies, I wasn't watching this topic for some reason.

The log in question is the docker log, just click the log button on the far right of the docker screen in the tailscale row.

May 9, 2020 Author

On 4/17/2020 at 8:11 AM, Ragemachinest said:
> Adding on from my previous post, I wanted to access to other machines in my home network that I can't install tailscale on (IP cameras, etc).
>
> To solve for this, I went in to the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):
>
>     tailscale up --advertise-routes=192.168.1.0/24
>
> After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... on the menu on the far right and click "Enable subnet routes"
>
> Back in the docker console I ran:
>
>     vi /etc/sysctl.d/00-alpine.conf
>
> I added a line:
>
>     net.ipv4.ip_forward=1
>
> then saved the file.
>
> I ran the command:
>
>     echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter
>
> I ran the command:
>
>     iptables -t nat -A POSTROUTING -j MASQUERADE
>
> I could then hit my internal IPs from an iPhone on LTE e.g. http://192.168.1.145 let me hit my IP cams web interface
>
> I rebooted and the settings persisted, so it seems to be a permanent setup now.

I had not intended this to be used for network access, to me tailscale is about point to point communications, so I run it everywhere.

However that's just me, I'm glad you got it to work, and I might have a look at including an environmental variable to enable network routing when I get a moment.

This is a slightly kludgy solution using NAT on the outbound though rather than setting up full network routability.

Edited May 9, 2020 by dsmith44

May 9, 2020 Author

On 4/19/2020 at 1:22 AM, dubbly said:
> Why use this as opposed to just the basic wireguard install?

Tailscale is, in my view, scratching a slightly different itch.

It is still wireguard, but it's wireguard plus NAT busting and zero management of many to many connections.

I'm not just using this to connect to my unraid server, but also virtual servers. Unraid is joining my mesh here, this isn't providing access to my LAN remotely.

If you want a hub and spoke model I'd suggest still using out of the box wireguard, if you want genuine point to point this is much easier to setup.

Edited May 9, 2020 by dsmith44

May 10, 2020

I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start.

The error in the log I see is: "Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)"

Is anyone else getting this?

May 10, 2020 Author

4 hours ago, Ragemachinest said:
> I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start.
>
> The error in the log I see is: "Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)"
>
> Is anyone else getting this?

My apologies, I shouldn't have pushed this as hadn't tested myself, thinking just a simple point update.

This is broken currently and I don't know why. The STUN process isn't working in 0.98 in this docker container, I am going to build using their official Dockerfile and test outside of Unraid. If it doesn't work there either will submit a bug report, if it does then at least I can start narrowing down the cause.

For now please use deasmi/unraid-tailscale:0.97

Update: I have recreated the issue on stand alone Ubuntu server and submitted issue to tailscale https://github.com/tailscale/tailscale/issues/368

Edited May 10, 2020 by dsmith44

May 11, 2020

19 hours ago, dsmith44 said:
> My apologies, I shouldn't have pushed this as hadn't tested myself, thinking just a simple point update.
>
> This is broken currently and I don't know why. The STUN process isn't working in 0.98 in this docker container, I am going to build using their official Dockerfile and test outside of Unraid. If it doesn't work there either will submit a bug report, if it does then at least I can start narrowing down the cause.
>
> For now please use deasmi/unraid-tailscale:0.97
>
> Update: I have recreated the issue on stand alone Ubuntu server and submitted issue to tailscale https://github.com/tailscale/tailscale/issues/368

Awesome! Thank you for the response and update!

May 12, 2020 Author

Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98

:latest will contain this fix, 0.98.1 will contain this fix.

May 15, 2020

On 5/12/2020 at 12:37 PM, dsmith44 said:
> Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98
>
> :latest will contain this fix, 0.98.1 will contain this fix.

Can confirm that works for me now. Thanks!

May 16, 2020

Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.

I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

Help?

May 16, 2020

6 hours ago, fserb said:
> Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...
>
> Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".
>
> My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.
>
> I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.
>
> Help?

I was running in to this issue last night and just as a test I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge, host, and because I'm forwarding, all of my internal IPs as well.

Edited May 16, 2020 by Ragemachinest

May 16, 2020 Author

9 hours ago, fserb said:
> Hey. I can also confirm that 0.98.1 works. (as in, it connects and is part of the mesh, etc). But I'm still having some unraid specific issues...
>
> Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP. I'm also able to access ports that are being served from other docker containers that have network set to "host".
>
> My problem right now is: all the other dockers that I have that are using "bridge" network, those ports are not currently available over the tailscale IP.
>
> I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.
>
> Help?

I will do some testing and perhaps change the definition to prefer bridge networking instead, my docker networking is a bit rusty so time for some reading I think.

May 19, 2020

On 5/16/2020 at 3:13 AM, Ragemachinest said:
> I was running in to this issue last night and just as a test I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge, host, and because I'm forwarding, all of my internal IPs as well.

Just setting the docker to bridge didn't work for me. I can ping the host, but not even access other services on the unraid (even the ones that did work with "host", like ssh). I'm guessing yours works as a side-effect of the ip forwarding you set up?

May 19, 2020

I'm pretty sure there's an issue with Tailscale's iptables rules and Unraid's docker iptables. I've also tried using tailscale tip of tree, but no success there either. Someone who understands Unraid iptables better would have an easier time with this.

dsmith, I have a suggestion for your docker-entrypoint.sh. Replace the bottom lines with:

    (sleep 10; tailscale up) &
    exec tailscaled --state=/state/tailscaled.state

it's much nicer than your current while loop.

May 20, 2020

I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.

It took us a while to figure, because there's another problem on this Dockerfile. `RUN git checkout -b v0.98` doesn't do what you think it does, either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98`. The way it is you are just creating a new branch called v0.98 on top of master.

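The difference between the three checkout forms in the post above, reproduced in a throwaway repository as an added example (not part of the original post or the project's Dockerfile); the repository contents and the `checkout_demo` name are constructed for illustration:

```shell
#!/bin/sh
# Added example: a scratch repo with tag v0.98 and one newer commit on master.
# Reports which commit each checkout form leaves HEAD on ("tag" or "master").

checkout_demo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git symbolic-ref HEAD refs/heads/master   # same branch name on any git version
        git config user.email demo@example.invalid
        git config user.name demo

        echo release > f && git add f && git commit -q -m "release"
        git tag v0.98
        echo newer > f && git commit -q -am "unreleased work on master"
        tag_commit=$(git rev-parse 'v0.98^{commit}')

        where() {   # "tag" if HEAD is the tagged commit, otherwise "master"
            if [ "$(git rev-parse HEAD)" = "$tag_commit" ]; then
                echo tag
            else
                echo master
            fi
        }

        # Form the Dockerfile used: new branch named v0.98, started at HEAD.
        git checkout -q -b v0.98
        echo "checkout -b v0.98: $(where)"
        git checkout -q master
        git branch -q -D v0.98 >/dev/null

        # Detached HEAD at the tag.
        git checkout -q v0.98
        echo "checkout v0.98: $(where)"

        # New branch with the tag given as an explicit start point.
        git checkout -q -b v0.98 v0.98
        echo "checkout -b v0.98 v0.98: $(where)"
    )
    status=$?
    rm -rf "$repo"
    return $status
}

checkout_demo
```

Only the first form leaves the build on the tip of master, which is how an image labelled with a release version can end up containing unreleased code.
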
May 23, 2020 Author

On 5/20/2020 at 4:35 AM, fserb said:
> I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.
>
> It took us a while to figure, because there's another problem on this Dockerfile. `RUN git checkout -b v0.98` doesn't do what you think it does, either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98`. The way it is you are just creating a new branch called v0.98 on top of master.

Fixed, bit embarrassing that one... thanks.

May 23, 2020 Author

Re: host vs bridge mode

Having thought this through I feel host is the correct mode for this to operate in.

Host means the networking is part of the base host networking so if the host can see the port tailscale will be able to as well. However that relies on the mapped ports listening on all addresses, which if I check my unraid server they do.

    root@unraid:~# ss -ltu
    Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
    ..
    tcp   LISTEN 0      128    *:8200             *:*
    ..

However the only IP address that you'll be able to access through tailscale will be the tailscale ip address itself, trying to use a LAN address, a docker bridge network address or any other address is going to fail as we aren't doing subnet forwarding.

I am not currently keen on even trying to add subnet forwarding to this container as it was never my intention to create a VPN gateway, just to allow access to Unraid services from tailscale. I am also not sure if this is even necessarily possible without additional steps outside of the container itself; if I look in the Apps list OpenVPN server is available as a plugin but not as a container.

So building a plugin is likely a better route for someone to look at, but not something I'm going to get into.

I would suggest using the built in wireshark support if you want to get a VPN connection to the whole network.

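An added example (not part of the original post): one way to list which listeners are bound to all addresses and are therefore reachable on the Tailscale IP when the container uses host networking, as described above. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter `ss -ltun` output down to sockets bound to a wildcard
# address. In host-networking mode these are the services a tailnet peer can
# reach on the Tailscale IP; sockets bound to 127.0.0.1, a LAN address or a
# specific device are not reachable that way.

tailnet_exposed() {
    awk '
        $1 != "tcp" && $1 != "udp" { next }   # skip header and other socket types
        {
            ep = $5                            # Local Address:Port column
            pos = match(ep, /:[^:]*$/)         # last colon splits address from port
            if (pos == 0) next
            addr = substr(ep, 1, pos - 1)
            port = substr(ep, pos + 1)
            # "0.0.0.0%virbr0" style entries are tied to one device, so they
            # do not compare equal to a wildcard and are left out.
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]")
                print $1 "/" port
        }
    ' | sort -u
}

# Constructed sample in the layout ss prints; not taken from a real host.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0             0.0.0.0:41641      0.0.0.0:*
tcp   LISTEN 0      128                 *:8200             *:*
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128              [::]:22            [::]:*
tcp   LISTEN 0      128         127.0.0.1:6379       0.0.0.0:*
tcp   LISTEN 0      128      192.168.1.10:445        0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0%virbr0:53         0.0.0.0:*
EOF
}

sample_ss_output | tailnet_exposed
```

On a live host the same filter can be fed with `ss -ltun | tailnet_exposed`; anything it prints that should not be visible to every device on the tailnet needs a narrower bind address or a Tailscale ACL.
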