[Support] Tailscale Support Thread



On 6/16/2022 at 5:52 PM, JM2005 said:

Just wondering how safe Tailscale is security wise? They seem to log a lot of information about what IPs, hostnames and more while connected.

 

They're quite open about how it all works, and from my understanding their piece just facilitates the setup of connections; they never see the keys.

 

 https://tailscale.com/blog/how-tailscale-works/

Link to comment
On 4/7/2020 at 4:36 AM, dsmith44 said:

Introduction

 

This is the support thread for deasmi/unraid-tailscale docker CA.

If you have a feature request or bug report please also try and add an issue on github

https://github.com/deasmi/unraid-tailscale

 

If you find this useful please consider donating to my chosen charity, Cancer Research.

https://www.justgiving.com/fundraising/unraid-tailscale

Thank you to those that have already donated.

 

Latest version of tailscale included: 1.26.1

This supports TLS certificates and Downloads; see below for instructions.


What is this?

 

This container sets up tailscale for unraid. Tailscale is a managed point-to-point VPN using WireGuard.

 

It is intended to allow you to access services of your unraid server over tailscale; it does not, and is not intended to, provide a VPN gateway to your LAN.

Communications are limited to services that listen on all interfaces on the host itself via standard bridge or host networking.

 

Installation and setup

Before you start it is a good idea to make sure you have already registered with Tailscale and installed tailscale onto another computer.

https://login.tailscale.com/start

 

Then install this app on Unraid and start it up. There are no config changes needed for the default setup; however, it will register as hostname unraid. If you want to change that, see 'Extra Parameters' in the container config and change it to the hostname you would like before you start up. This can be changed later.

 

** IMPORTANT: When you first start this container you must check the log file for the login URL, then enter it into a browser and log on to Tailscale. I would then also advise setting the keys to not expire for your unraid host **

 

You need to look for the following in the log

 

 

** Note that this will expose your whole server into your tailscale VPN network **

 

Do not do this if you do not understand what that means.

 

Downloads

Starting with release 1.24.2-downloads you can now support automatic downloads with Taildrop.

If you have already installed tailscale you will need to add some extra parameters manually as shown below.

 


 

TLS Certificates

 

If you want to use TLS certificates as per https://tailscale.com/kb/1153/enabling-https/ you will need to connect to the console of the docker container and issue the tailscale cert command.

 

External Links

 

Ibracorp have a guide with video on how to set all this up, as well as some advanced topics like exit nodes.

 

https://docs.ibracorp.io/tailscale/

 

When setting up Taildrop, I followed all the instructions but my Unraid device still shows as unavailable for downloading in share sheets. Any ideas? From this photo there is now a new instruction: "Note: You must manually set tag to above to deasmi/unraid-tailscale:download to support downloads until beta test is finished". I set this tag, but the build fails and says it cannot find that repository. Any help would be appreciated. 

Link to comment
On 7/6/2022 at 1:52 PM, macmaster28 said:

When setting up Taildrop, I followed all the instructions but my Unraid device still shows as unavailable for downloading in share sheets. Any ideas? From this photo there is now a new instruction: "Note: You must manually set tag to above to deasmi/unraid-tailscale:download to support downloads until beta test is finished". I set this tag, but the build fails and says it cannot find that repository. Any help would be appreciated. 

My experience with Taildrop has been that it's inconsistent. Sometimes it won't work; I'll restart the container and then it will work. Dunno, haven't had time to investigate nor do I have the knowledge. It absolutely does work, part of the time though.

 

Link to comment
On 7/8/2022 at 11:27 AM, blaine07 said:

My experience with Taildrop has been that it's inconsistent. Sometimes it won't work; I'll restart the container and then it will work. Dunno, haven't had time to investigate nor do I have the knowledge. It absolutely does work, part of the time though.

 

I've restarted, reinstalled, and tried every which way to get it to work, never seen it work on Unraid to date :(. Did you update the repo path to :download? Or is your repo flag :latest when it does work for you?

Link to comment
On 7/9/2022 at 2:59 PM, macmaster28 said:

I've restarted, reinstalled, and tried every which way to get it to work, never seen it work on Unraid to date :(. Did you update the repo path to :download? Or is your repo flag :latest when it does work for you?

It updated today; have you tried today's update?

Link to comment

I've been using the new tailscale ssh feature (works great), and ran into something with the docker on unRaid that I don't quite understand.

 

If I start tailscale up with the ssh flag, it starts. But when I connect to the IP for my unRaid server (where the docker is running), I am put in a session "inside" the docker, not inside the unRaid OS.

 

I kind of see why, but I'm not sure how to change things so that I get more of what I expected.

 

Anybody have a suggestion?

 

Thanks!

Link to comment
On 7/14/2022 at 10:17 AM, bdillahu said:

I've been using the new tailscale ssh feature (works great), and ran into something with the docker on unRaid that I don't quite understand.

 

If I start tailscale up with the ssh flag, it starts. But when I connect to the IP for my unRaid server (where the docker is running), I am put in a session "inside" the docker, not inside the unRaid OS.

 

I kind of see why, but I'm not sure how to change things so that I get more of what I expected.

 

Anybody have a suggestion?

 

Thanks!

 

Wondering the same. I doubt a container allowing full unrestricted access to the host system is a good idea though because that could easily be abused and might be a pretty bad CVE.

 

In that case, maybe we should install tailscale on the host in unRAID? Maybe with user scripts or something?

  • Like 1
Link to comment
19 minutes ago, ryujin921 said:

heads up v1.28 is out

 

As I have said before....

 

Please note I normally skip 1.xx.0 releases as there are often bug fix releases shortly afterwards. In any event I will wait at least two weeks after a 1.xx.0 release before updating latest, or normally even pushing a build.

 

I have now added this to the front page of this support article.

 

However I have now pushed dev-1.28.0, but this is untested, so use at your own risk.

  • Like 1
  • Thanks 1
Link to comment
42 minutes ago, dsmith44 said:

 

As I have said before....

 

Please note I normally skip 1.xx.0 releases as there are often bug fix releases shortly afterwards. In any event I will wait at least two weeks after a 1.xx.0 release before updating latest, or normally even pushing a build.

 

I have now added this to the front page of this support article.

 

However I have now pushed dev-1.28.0, but this is untested, so use at your own risk.

Thank you, thank you for always taking good care of us fools; we appreciate your time and support mate!

Link to comment
46 minutes ago, dsmith44 said:

 

As I have said before....

 

Please note I normally skip 1.xx.0 releases as there are often bug fix releases shortly afterwards. In any event I will wait at least two weeks after a 1.xx.0 release before updating latest, or normally even pushing a build.

 

I have now added this to the front page of this support article.

 

However I have now pushed dev-1.28.0, but this is untested, so use at your own risk.

Oh gosh, my bad!

Thanks for making that clear, I totally understand why you would wait for a more "stable" release, makes perfect sense.

Really appreciate your effort!

Link to comment

Hi,

I'm having a devil of a time, and could use any insight/thoughts. I actually had it up and running flawlessly, and then my Unraid box stopped responding entirely and I did a full manual power cycle.  Since that's happened, Tailscale hasn't been happy, and I don't know why.

 

I've recreated the docker container with new appdata 3 times now. I've linked each to my Tailscale account, I have the right settings for exit node and local subnets, and the Tailscale site correctly recognizes both. However, I can only directly access my Unraid main server (192.168.4.XX) but not other devices on the .4.0/24 subnet. I use .4.0/24 for all my dockers; I like separate IPs for each, rather than a ton of different ports on one main IP.

 

When I turn on subnet routing I can access smb shares remotely; when it's off, I can't. So subnet routing is doing something, but it's only accessing the main IP.  When I try other docker containers, it fails.

 

The confusing part is - I had it working just a couple of days ago!

 

Any thoughts or insight would be helpful.  I'm genuinely scratching my head at my ability to screw things up.

 

Server Settings

--advertise-exit-node --advertise-routes=192.168.4.0/24

Linked to online admin account

I did the Ibracorp commands for ipv4 and ipv6 forwarding.

 

Online Account

Currently recognizes exit node and subnet routes, both are enabled

 

personal PC 

using exit node of the server, local connections enabled.

 

I am successfully using the exit node, but I cannot see subnet routes other than the Unraid box itself.

Link to comment

Hi all,

 

I've successfully installed this Tailscale docker image on my unRAID server and have remote access.

After reading through this article (https://tailscale.com/blog/tls-certs/), I concurred that I don't like having the browsers tell me the certificates are invalid etc. and wanted to enable the Tailscale HTTPS certificates for use with my other docker containers (Jellyfin & NextCloud); however, they do nothing!?

 

I have:

  • enabled the HTTPS certificates setting on my Tailscale account.
  • accessed the Tailscale docker image and ran the below command to successfully create the .key and .cert files.
./tailscale cert unraid.<server-alias>.ts.net
  • edited the NextCloud config file to add unraid.<server-alias>.ts.net to the 'trusted domains'
  • using my remotely connected phone or pc, attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net
    -> this results in a successful but insecure connection due to the certificate being self-signed.
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<nextcloud_port_number>
    -> successful but insecure connection due to the CA Authority being invalid
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<jellyfin_port_number>
    -> unsuccessful connection... "connection refused" this does however work if I use the same address above just with 'http', but then it just complains it isn't secure.

 

Can anyone help me identify what I'm missing here and why these certificates have no effect, particularly on my docker containers?

 

I'd most prefer to get the HTTPS certificates working so the browsers don't complain... failing this, I guess it's fine to just ignore it since it's all encrypted through the VPN anyway, right?

 

EDIT:

Just to clarify, the .crt and .key files are still in the location they were created... within the /app folder of the Tailscale docker container. Do these need to be moved/installed somehow?

Edited by BlueBell
more info
Link to comment
On 8/12/2022 at 4:25 AM, BlueBell said:

Hi all,

 

I've successfully installed this Tailscale docker image on my unRAID server and have remote access.

After reading through this article (https://tailscale.com/blog/tls-certs/), I concurred that I don't like having the browsers tell me the certificates are invalid etc. and wanted to enable the Tailscale HTTPS certificates for use with my other docker containers (Jellyfin & NextCloud); however, they do nothing!?

 

I have:

  • enabled the HTTPS certificates setting on my Tailscale account.
  • accessed the Tailscale docker image and ran the below command to successfully create the .key and .cert files.
./tailscale cert unraid.<server-alias>.ts.net
  • edited the NextCloud config file to add unraid.<server-alias>.ts.net to the 'trusted domains'
  • using my remotely connected phone or pc, attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net
    -> this results in a successful but insecure connection due to the certificate being self-signed.
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<nextcloud_port_number>
    -> successful but insecure connection due to the CA Authority being invalid
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<jellyfin_port_number>
    -> unsuccessful connection... "connection refused" this does however work if I use the same address above just with 'http', but then it just complains it isn't secure.

 

Can anyone help me identify what I'm missing here and why these certificates have no effect, particularly on my docker containers?

 

I'd most prefer to get the HTTPS certificates working so the browsers don't complain... failing this, I guess it's fine to just ignore it since it's all encrypted through the VPN anyway, right?

 

EDIT:

Just to clarify, the .crt and .key files are still in the location they were created... within the /app folder of the Tailscale docker container. Do these need to be moved/installed somehow?


same problem here!

Link to comment
On 8/10/2022 at 3:42 AM, david1564 said:

Hi,

I'm having a devil of a time, and could use any insight/thoughts. I actually had it up and running flawlessly, and then my Unraid box stopped responding entirely and I did a full manual power cycle.  Since that's happened, Tailscale hasn't been happy, and I don't know why.

 

I've recreated the docker container with new appdata 3 times now. I've linked each to my Tailscale account, I have the right settings for exit node and local subnets, and the Tailscale site correctly recognizes both. However, I can only directly access my Unraid main server (192.168.4.XX) but not other devices on the .4.0/24 subnet. I use .4.0/24 for all my dockers; I like separate IPs for each, rather than a ton of different ports on one main IP.

 

When I turn on subnet routing I can access smb shares remotely; when it's off, I can't. So subnet routing is doing something, but it's only accessing the main IP.  When I try other docker containers, it fails.

 

The confusing part is - I had it working just a couple of days ago!

 

Any thoughts or insight would be helpful.  I'm genuinely scratching my head at my ability to screw things up.

 

Server Settings

--advertise-exit-node --advertise-routes=192.168.4.0/24

Linked to online admin account

I did the Ibracorp commands for ipv4 and ipv6 forwarding.

 

Online Account

Currently recognizes exit node and subnet routes, both are enabled

 

personal PC 

using exit node of the server, local connections enabled.

 

I am successfully using the exit node, but I cannot see subnet routes other than the Unraid box itself.

Are the routes enabled in the tailscale admin console? If not they won't work.

https://tailscale.com/kb/1019/subnets/

 

If they are I'd check the networking mode of the docker container.

From your description I think you will need to ensure it's running in host mode, i.e. using the network stack of the main unraid server.

 

To be honest this is unsupported config for this container.

 

If you read back in the history, it is really just there via the additional flags for people that need it, understand it and can troubleshoot. I'm just not set up to do network troubleshooting.

 

My advice for exit nodes is not to run them in docker; put tailscale on a firewall/raspberry pi/anything else.

 

Inside docker, in unraid, is always going to be complicated to diagnose without intimate knowledge of how docker networking interacts with underlying unraid config, linux kernel and tailscale.

Edited by dsmith44
Link to comment
On 8/12/2022 at 1:25 PM, BlueBell said:

Hi all,

 

I've successfully installed this Tailscale docker image on my unRAID server and have remote access.

After reading through this article (https://tailscale.com/blog/tls-certs/), I concurred that I don't like having the browsers tell me the certificates are invalid etc. and wanted to enable the Tailscale HTTPS certificates for use with my other docker containers (Jellyfin & NextCloud); however, they do nothing!?

 

I have:

  • enabled the HTTPS certificates setting on my Tailscale account.
  • accessed the Tailscale docker image and ran the below command to successfully create the .key and .cert files.
./tailscale cert unraid.<server-alias>.ts.net
  • edited the NextCloud config file to add unraid.<server-alias>.ts.net to the 'trusted domains'
  • using my remotely connected phone or pc, attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net
    -> this results in a successful but insecure connection due to the certificate being self-signed.
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<nextcloud_port_number>
    -> successful but insecure connection due to the CA Authority being invalid
  • " attempt to access the main unRAID server at https://unraid.<server-alias>.ts.net:<jellyfin_port_number>
    -> unsuccessful connection... "connection refused" this does however work if I use the same address above just with 'http', but then it just complains it isn't secure.

 

Can anyone help me identify what I'm missing here and why these certificates have no effect, particularly on my docker containers?

 

I'd most prefer to get the HTTPS certificates working so the browsers don't complain... failing this, I guess it's fine to just ignore it since it's all encrypted through the VPN anyway, right?

 

EDIT:

Just to clarify, the .crt and .key files are still in the location they were created... within the /app folder of the Tailscale docker container. Do these need to be moved/installed somehow?

 

I'm sorry, this isn't really a tailscale docker issue. I would suggest talking to nextcloud maintainers and/or wider unraid community. This is behaving exactly as planned.

 

However a few comments.

 

Unraid isn't using the tailscale cert, so it exists in the docker container data in /mnt/user/appdata tailscale somewhere, but unraid won't be picking that up.

 

You may not want it to anyway as then _only_ the unraid.<server-alias>.ts.net will ever be valid.

 

If you do, I'd look into putting something into /boot/config/go to put the certs in the right place, but you'd have to ask elsewhere for where that is.

 

 

Edited by dsmith44
Link to comment
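A way to check which certificate each port actually presents, as an added diagnostic that is not part of the thread or of the deasmi/unraid-tailscale container: it fingerprints the .crt that `tailscale cert` wrote and compares it with what each listener really serves, then runs the trust check a browser would, so the three outcomes BlueBell saw (self-signed, untrusted issuer, connection refused) each get a concrete finding. It assumes Python 3.8+ on any tailnet device, the .crt copied out of the container's appdata to a local path, and the placeholder name unraid.<server-alias>.ts.net.

```python
"""Check which certificate a tailnet service actually presents on a port.

Added diagnostic, not part of the deasmi/unraid-tailscale container. Assumed:
Python 3.8+, the .crt from `tailscale cert <name>` copied to a local path,
and a MagicDNS name such as unraid.<server-alias>.ts.net (placeholder)."""
import base64
import hashlib
import socket
import ssl
import sys


def der_fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the first certificate in PEM text (the .crt file)."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return der_fingerprint(base64.b64decode("".join(body.split())))


def probe_port(host: str, port: int, timeout: float = 5.0):
    """Return (served_fingerprint, verify_code, connect_error) for host:port.
    Pass one: verification off, only to read the served leaf certificate.
    Pass two: the client's normal trust store, as a browser would check it."""
    peek = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    peek.check_hostname = False
    peek.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with peek.wrap_socket(raw, server_hostname=host) as tls:
                served = der_fingerprint(tls.getpeercert(binary_form=True))
    except OSError as exc:  # refused, timed out, or a plain-HTTP listener
        return None, None, exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return served, None, None
    except ssl.SSLCertVerificationError as exc:
        return served, exc.verify_code, None


def diagnose(expected_fp, served_fp, verify_code, connect_error) -> str:
    """Turn a probe result into the finding the thread's symptoms map to."""
    if connect_error is not None:
        return "no TLS listener: port closed or plain HTTP, so no certificate is in play"
    if served_fp != expected_fp:
        return "different certificate: service presents its own cert, not the tailscale one"
    if verify_code is None:
        return "tailscale certificate served and trusted by this client"
    return f"tailscale certificate served but rejected (OpenSSL verify code {verify_code})"


# Constructed stand-in for exercising pem_fingerprint offline; not a real cert.
SAMPLE_DER = b"constructed stand-in, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # python3 tscert_check.py unraid.<server-alias>.ts.net path/to/name.crt 443 <port>...
    host, crt_path, *ports = sys.argv[1:]
    with open(crt_path) as fh:
        expected = pem_fingerprint(fh.read())
    for port in map(int, ports or ["443"]):
        print(f"{host}:{port}: {diagnose(expected, *probe_port(host, port))}")
```

Run it from a tailnet device other than the server so the second pass reflects that client's trust store, which is what the browser on that device consults.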
On 8/14/2022 at 4:44 AM, bdr9 said:

Thanks for maintaining this container! It works great for accessing my Unraid server remotely. Is there any way to use this container to allow other Docker containers on my Unraid server to access other devices on my Tailscale network?

 

Maybe. You are on your own, however.

 

I think that if you are running tailscale in host mode, the default, then any other containers running in host mode should be able to connect to tailscale ip addresses.

 

However, I have never tested this, won't be testing it, and certainly won't be supporting it as a use case. Sorry.

Link to comment

Quick question before I dive in. 

Is there any way to have tailscale working on unraid natively, like a plugin? So that the array does not have to be spun up to be able to connect?

 

I'm asking because if the array powers down or stops for some reason, then dockers don't run until the array starts which it may not. Which means I'll still have to have a VPN and forward ports to be able to troubleshoot (this is for a remote unraid server). But if it's native and doesn't require array to start it would be much more useful...

 

Any thoughts?

Link to comment
8 minutes ago, maxse said:

I'll still have to have a VPN and forward ports to be able to troubleshoot

Multiple communication paths are a must if you want your best chance to keep operating. Always keep a backup, preferably multiples. The more important the setup, the more redundancy you need.

Link to comment
Quick question before I dive in. 
Is there any way to have tailscale working on unraid natively, like a plugin? So that the array does not have to be spun up to be able to connect?
 
I'm asking because if the array powers down or stops for some reason, then dockers don't run until the array starts which it may not. Which means I'll still have to have a VPN and forward ports to be able to troubleshoot (this is for a remote unraid server). But if it's native and doesn't require array to start it would be much more useful...
 
Any thoughts?

I don’t think there is a Slackware build provided by tailscale.

So if you want, get golang installed, compile from source (https://github.com/tailscale/tailscale) and set up; that will probably work.

How you get it to start at boot, not stop with array etc I don’t know. Would probably warrant a plug-in being written or put in a feature request :)

Dean
Link to comment
Multiple communication paths are a must if you want your best chance to keep operating. Always keep a backup, preferably multiples. The more important the setup, the more redundancy you need.

On that subject get a cheap USB serial adapter and connect it to something else

I have mine connected to a pinhole, then I always have a serial console.
Link to comment
