dsmith44

[Support] Tailscale Support Thread

This is the support thread for deasmi/unraid-tailscale docker CA.

 

TailScale - Private networks made easy

Connect all your devices using WireGuard,® without the hassle.
Tailscale makes it as easy as installing an app and signing in.

 

This container sets up Tailscale for Unraid. Tailscale is a managed point-to-point VPN using WireGuard.

 

It will register as hostname unraid. If you want to change that, see 'Extra Parameters' in the container config and change it to the hostname you would like.

 

** IMPORTANT: When you first start this container you must check the log file for the login URL, then enter it into a browser and log on to Tailscale. I would then also advise setting the keys to not expire for your unraid host **

 

You need to look for the following in the log

To authenticate, visit:

https://login.tailscale.com/a/<LONG HEX NUMBER>
 

 

** Note that this will expose your whole server into your tailscale VPN network **

 

Do not do this if you do not understand what that means.

Edited by dsmith44


Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?

5 hours ago, Octa said:

Hello and thank you. With this, do we need an account with admin rights to launch the client on Windows systems like in the 'regular' WireGuard client?

I have no idea I'm afraid, I would suggest a quick download of the client from https://tailscale.com to check.


Man I feel like an idiot, but which log am I supposed to be checking? I didn't see any URL in the syslog. I didn't see any log in the appdata folder either. Any direction you can provide to help me find it would be helpful!

 

 

Update:

I figured it out. I never did find anything in the logs. What I had to do was go into Docker > click on the Tailscale icon > go to Console > when the console opens, type "tailscale up". This will print out the URL you are supposed to use to register unraid. > Go to the URL, create an account or log in and you should be set. Mine now shows up in my console under Machines as "unraid".

 

 

 

Edited by Ragemachinest


Adding on from my previous post, I wanted access to other machines in my home network that I can't install Tailscale on (IP cameras, etc.). To solve for this, I made sure the "Network Type" was set to "bridge". I went into the console for the Tailscale docker container and ran the following (my home network is 192.168.1.0/24 - change this to match your network):

tailscale up --advertise-routes=192.168.1.0/24

 

After running this, I logged in to the Tailscale admin portal at https://login.tailscale.com/admin/machines and for my unraid box clicked the ... menu on the far right and clicked "Enable subnet routes".

 

Back in the docker console I ran: vi /etc/sysctl.d/00-alpine.conf

I added a line: net.ipv4.ip_forward=1 then saved the file.

 

I ran the command: echo 0 | tee /proc/sys/net/ipv4/conf/tailscale0/rp_filter

 

I ran the command: iptables -t nat -A POSTROUTING -j MASQUERADE

 

I could then hit my internal IPs from an iPhone on LTE, e.g. http://192.168.1.145 let me reach my IP cam's web interface.

 

I rebooted and the settings persisted, so it seems to be a permanent setup now.

 

Edited by Ragemachinest

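A consolidated version of the subnet-router steps in the post above, written as an added example for this thread (it is not code from the deasmi/unraid-tailscale image or from Tailscale). It keeps the same four moves, advertise the route, enable forwarding, relax reverse-path filtering and masquerade, but narrows the NAT rule to Tailscale-sourced traffic bound for the advertised prefix and checks the CIDR before anything is advertised. The interface names tailscale0 and eth0, the TS_* variables and the function names are assumptions for the example:

```shell
#!/bin/sh
# Added example for this thread, not code from the deasmi/unraid-tailscale image:
# make the container a Tailscale subnet router for one LAN prefix, with the NAT
# rule narrowed to Tailscale-sourced traffic headed for that prefix instead of
# the catch-all "-A POSTROUTING -j MASQUERADE" used in the post above.
# Assumptions (not from the thread): tailscale, iptables and sysctl exist in the
# container, the tunnel interface is tailscale0 and the LAN-facing one is eth0.
set -eu

# Every Tailscale node gets an address from the CGNAT block 100.64.0.0/10, so
# that is the only source range the masquerade rule needs to match.
TS_CGNAT=100.64.0.0/10

# valid_ipv4_cidr a.b.c.d/n -> 0 for a well-formed IPv4 prefix, 1 otherwise.
# A typo here would advertise the wrong network to the whole tailnet.
valid_ipv4_cidr() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -f
  set -- $ip
  set +f
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# subnet_router_rules LAN_CIDR LAN_IF -> print (do not run) the commands that
# turn this node into a subnet router, so the plan can be reviewed first.
# rp_filter=2 (loose) only requires that some route back to the source exists,
# which tailscale0 provides for 100.64.0.0/10; the post switched the check off (0).
# The iptables -C/-A pair keeps the rule idempotent across container restarts.
subnet_router_rules() {
  lan_cidr=$1
  lan_if=$2
  valid_ipv4_cidr "$lan_cidr" || { echo "not an IPv4 CIDR: $lan_cidr" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
tailscale up --advertise-routes=$lan_cidr
sysctl -w net.ipv4.conf.tailscale0.rp_filter=2
iptables -t nat -C POSTROUTING -s $TS_CGNAT -d $lan_cidr -o $lan_if -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $TS_CGNAT -d $lan_cidr -o $lan_if -j MASQUERADE
EOF
}

# subnet_router_apply LAN_CIDR LAN_IF -> validate, run the plan, show the result.
subnet_router_apply() {
  plan=$(subnet_router_rules "$1" "$2")
  printf '%s\n' "$plan" | sh -e
  tailscale status
  iptables -t nat -S POSTROUTING
}

# Nothing is changed unless TS_APPLY=1; otherwise the plan is only printed, e.g.
#   TS_LAN=192.168.1.0/24 TS_LAN_IF=eth0 TS_APPLY=1 sh subnet-router.sh
if [ "${TS_APPLY:-0}" = 1 ]; then
  subnet_router_apply "${TS_LAN:?set TS_LAN, e.g. 192.168.1.0/24}" "${TS_LAN_IF:-eth0}"
else
  subnet_router_rules "${TS_LAN:-192.168.1.0/24}" "${TS_LAN_IF:-eth0}"
fi
```

Run it in the container console with TS_APPLY unset first to see the plan, then with TS_APPLY=1 to apply it; the route still has to be approved under "Enable subnet routes" in the admin console, and Linux clients need `tailscale up --accept-routes` before they will use it. Two caveats: anything changed inside the container is lost when the container is recreated (an image update does that), so these commands belong in the entrypoint rather than being typed once; and the MASQUERADE line is the part dsmith44 later calls kludgy, since without it the LAN router needs a static route for 100.64.0.0/10 pointing back at the Unraid box before replies can find their way into the tunnel.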

Why use this as opposed to just the basic wireguard install?

6 hours ago, dubbly said:

Why use this as opposed to just the basic wireguard install?

For my use case, it was the ease with which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

Edited by Ragemachinest

12 hours ago, Ragemachinest said:

For my use case, it was ease of which I could get through a double NAT to access my home network. After I worked out the harder part of this docker image in my posts above, it was basically installing the client, clicking a link, authenticating, then doing the same on my other devices.

I am curious. What causes a double NAT in your situation?

7 hours ago, dubbly said:

I am curious. What causes a double NAT in your situation?

My ISP, which is a local WISP, has a single public IP for the whole service. The IP coming in to my network from the ISP is an assigned private/internal IP address. Because of that, I cannot get an inbound connection to my network because it's blocked by the ISP; I have no control over ports.

On 4/17/2020 at 1:40 AM, Ragemachinest said:

Man I feel like an idiot, but which log am I supposed to be checking? [...]

Apologies, I wasn't watching this topic for some reason.

 

The log in question is the docker log, just click the log button on the far right of the docker screen in the tailscale row.

On 4/17/2020 at 8:11 AM, Ragemachinest said:

Adding on from my previous post, I wanted access to other machines in my home network that I can't install Tailscale on (IP cameras, etc.). [...]

I had not intended this to be used for network access; to me Tailscale is about point-to-point communications, so I run it everywhere.

However that's just me. I'm glad you got it to work, and I might have a look at including an environment variable to enable network routing when I get a moment.

This is a slightly kludgy solution using NAT on the outbound though, rather than setting up full network routability.

Edited by dsmith44

On 4/19/2020 at 1:22 AM, dubbly said:

Why use this as opposed to just the basic wireguard install?

Tailscale is, in my view, scratching a slightly different itch.

It is still WireGuard, but it's WireGuard plus NAT busting and zero management of many-to-many connections. I'm not just using this to connect to my unraid server, but also virtual servers.

Unraid is joining my mesh here, this isn't providing access to my LAN remotely.

 

If you want a hub and spoke model I'd suggest still using out of the box wireguard, if you want genuine point to point this is much easier to setup.

Edited by dsmith44


I just updated to 0.98 and it won't start up. I tried deleting everything and starting fresh and still can't get it to start. The error in the log I see is:

"Failed to connect to connect to tailscaled. (safesocket.Connect: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory)"

 

Is anyone else getting this?

4 hours ago, Ragemachinest said:

I just updated to 0.98 and it won't start up. [...]

My apologies, I shouldn't have pushed this as I hadn't tested it myself, thinking it was just a simple point update.

This is broken currently and I don't know why.

The STUN process isn't working in 0.98 in this docker container. I am going to build using their official Dockerfile and test outside of Unraid.

If it doesn't work there either I will submit a bug report; if it does, then at least I can start narrowing down the cause.

For now please use deasmi/unraid-tailscale:0.97

Update: I have recreated the issue on a stand-alone Ubuntu server and submitted an issue to Tailscale:

https://github.com/tailscale/tailscale/issues/368

Edited by dsmith44

19 hours ago, dsmith44 said:

My apologies, I shouldn't have pushed this as I hadn't tested it myself, thinking it was just a simple point update. [...]

Awesome! Thank you for the response and update!


Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98

 

Both :latest and 0.98.1 contain this fix.

 

On 5/12/2020 at 12:37 PM, dsmith44 said:

Version 0.98.1 is now available which contains the upstream fix for the issues in 0.98 [...]

 

Can confirm that works for me now. Thanks!


Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc.). But I'm still having some Unraid-specific issues...

Right now, with this docker running, I'm able to, for example, ssh to unraid using the Tailscale IP.

I'm also able to access ports that are being served from other docker containers that have network set to "host".

My problem right now is: for all the other dockers I have that use the "bridge" network, those ports are not currently available over the Tailscale IP.

I'm not sure if this is Working As Intended (i.e., I need to move all my containers out of "bridge" and into "host"), if I messed up some "docker bridge" configuration (to not bind to a particular IP?), or if I need to do anything extra on the Tailscale docker.

 

Help?

 

6 hours ago, fserb said:

Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc.). But I'm still having some Unraid-specific issues... [...]

I was running into this issue last night and, just as a test, I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge and host containers, and because I'm forwarding, all of my internal IPs as well.

Edited by Ragemachinest

9 hours ago, fserb said:

Hey. I can also confirm that 0.98.1 works (as in, it connects and is part of the mesh, etc.). But I'm still having some Unraid-specific issues... [...]

I will do some testing and perhaps change the definition to prefer bridge networking instead; my docker networking is a bit rusty, so time for some reading I think.

On 5/16/2020 at 3:13 AM, Ragemachinest said:

I was running in to this issue last night and just as a test I decided to switch the Tailscale docker to "bridge" and that solved my connectivity issues. So far I can access both bridge, host, and because I'm forwarding, all of my internal IPs as well.

Just setting the docker to bridge didn't work for me. I can ping the host, but can't even access other services on the unraid (even the ones that did work with "host", like ssh).

I'm guessing yours works as a side effect of the IP forwarding you set up?


I'm pretty sure there's an issue with Tailscale's iptables rules and Unraid's docker iptables.

I've also tried using tailscale tip of tree, but no success there either.

Someone who understands Unraid iptables better would have an easier time with this.

 

dsmith, I have a suggestion for your docker-entrypoint.sh. Replace the bottom lines with:

(sleep 10; tailscale up) &

exec tailscaled --state=/state/tailscaled.state

it's much nicer than your current while loop. ;)

 

 

 

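Taking fserb's entrypoint suggestion a step further, here is an added example entrypoint for this thread (not the image's real docker-entrypoint.sh, and not Tailscale's code). Instead of a fixed ten-second sleep it waits for tailscaled's socket, which is the file the "no such file or directory" error earlier in the thread was complaining about, then runs `tailscale up` in the background and calls out the login URL on the container log, the place the first post says to look. The socket and state paths, the TS_* variables and the helper names are assumptions for the example:

```shell
#!/bin/sh
# Added example for this thread, not the image's actual docker-entrypoint.sh:
# start tailscaled, wait for its control socket rather than a fixed "sleep 10",
# then run `tailscale up` in the background and surface the login URL from its
# output on the container log, which is where the first post says to look.
# Assumptions (not from the thread): the socket path is the one in the error
# quoted above, state is kept under /state, and extra `tailscale up` flags such
# as --advertise-routes=... arrive in TS_UP_ARGS.
set -eu

TS_SOCK=${TS_SOCK:-/var/run/tailscale/tailscaled.sock}
TS_STATE=${TS_STATE:-/state/tailscaled.state}

# wait_for_path PATH SECONDS -> 0 as soon as PATH exists, 1 once SECONDS elapse.
wait_for_path() {
  path=$1
  left=$2
  while [ "$left" -gt 0 ]; do
    [ -e "$path" ] && return 0
    sleep 1
    left=$((left - 1))
  done
  [ -e "$path" ]
}

# login_url_from_log -> print the first https://login.tailscale.com/a/<id> seen
# on stdin (the `tailscale up` output or the container log); 1 if there is none.
login_url_from_log() {
  url=$(sed -n 's#.*\(https://login\.tailscale\.com/a/[0-9A-Za-z]*\).*#\1#p' | head -n 1)
  [ -n "$url" ] || return 1
  printf '%s\n' "$url"
}

# entrypoint -> the PID 1 job: tailscaled in front, `tailscale up` behind it.
entrypoint() {
  tailscaled --state="$TS_STATE" &
  daemon=$!
  # "dial unix .../tailscaled.sock: no such file or directory" is what
  # `tailscale up` prints when it races the daemon; wait for the socket instead.
  if ! wait_for_path "$TS_SOCK" 30; then
    echo "tailscaled did not create $TS_SOCK within 30s" >&2
    kill "$daemon" 2>/dev/null || true
    exit 1
  fi
  # `tailscale up` blocks until the node is authorised, so run it in the
  # background and relay its output line by line, flagging the login URL.
  # shellcheck disable=SC2086  (TS_UP_ARGS is deliberately word-split)
  (
    tailscale up ${TS_UP_ARGS:-} 2>&1 | while IFS= read -r line; do
      printf '%s\n' "$line"
      if url=$(printf '%s\n' "$line" | login_url_from_log); then
        printf '*** Open this in a browser to register the node: %s ***\n' "$url"
      fi
    done
  ) &
  # The container lives exactly as long as tailscaled does.
  wait "$daemon"
}

# Act as the entrypoint only when invoked as "... run"; sourcing the file for
# the helpers above changes nothing.
if [ "${1:-}" = run ]; then
  entrypoint
fi
```

The relay loop matters because `tailscale up` blocks until the node is authorised: run in the foreground it would hold the URL back until after you had already logged in. `sh docker-entrypoint.sh run` starts the daemon; the same file sourced only defines the helpers.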

I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine.


It took us a while to figure, because there's another problem on this Dockerfile. 

`RUN git checkout -b v0.98` doesn't do what you think it does, either do `RUN git checkout v0.98` (for detached head mode) or `RUN git checkout -b v0.98 v0.98` :). The way it is you are just creating a new branch called v0.98 on top of master.

 

 

 

On 5/20/2020 at 4:35 AM, fserb said:

I figured out the problem (after pinging Tailscale folks)! The Tailscale unstable is broken for docker bridge mode. v0.98 is working fine. [...]

Fixed, a bit embarrassing that one... thanks.


Re: host vs bridge mode

 

Having thought this through I feel host is the correct mode for this to operate in.

 

Host means the networking is part of the base host networking, so if the host can see the port Tailscale will be able to as well.

However, that relies on the mapped ports listening on all addresses, which, if I check my Unraid server, they do.

root@unraid:~# ss -ltu
Netid              State               Recv-Q              Send-Q                                                   Local Address:Port                                     Peer Address:Port              Process
..
tcp                LISTEN              0                   128                                                                  *:8200                                                *:*
..

 


 

However the only IP address that you'll be able to access through tailscale will be the tailscale ip address itself, trying to use a LAN address, a docker bridge network address or any other address is going to fail as we aren't doing subnet forwarding.

 

I am not currently keen on even trying to add subnet forwarding to this container as it was never my intention to create a VPN gateway, just to allow access to Unraid services from tailscale.

 

I am also not sure if this is even necessarily possible without additional steps outside of the container itself; if I look in the Apps list OpenVPN server is available as a plugin but not as a container. So building a plugin is likely a better route for someone to look at, but not something I'm going to get into.

 

I would suggest using the built in wireshark support if you want to get a VPN connection to the whole network.

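To see what "the whole server" means in practice for a host-network node, this added example (not from the container, Unraid or Tailscale) filters `ss -ltun` output for wildcard binds, the listeners that answer on the Tailscale IP, and skips sockets bound to localhost or a specific LAN address. The sample output is constructed for the example; only the *:8200 line echoes dsmith44's real listing above:

```shell
#!/bin/sh
# Added example for this thread (not from the container, Unraid or Tailscale):
# list the listening sockets that a host-network Tailscale node exposes to the
# tailnet. With host networking a service answers on the node's Tailscale IP
# exactly when it listens on a wildcard address, so filter `ss -ltun` output
# for wildcard binds. The sample below is constructed, not captured from a box.
set -eu

# tailnet_exposed: read `ss -H -ltun` lines on stdin and print "proto port addr"
# for every listener bound to *, 0.0.0.0 or [::] (a [::] socket normally takes
# IPv4 too unless IPV6_V6ONLY is set). Address-specific binds such as 127.0.0.1
# or a LAN IP are skipped: the Tailscale IP is not one of those. A header line
# from plain `ss -ltun` is ignored because its first field is not a protocol.
tailnet_exposed() {
  awk '
    $1 == "tcp" || $1 == "udp" {
      n = split($5, parts, ":")   # port is after the last ":"; [::] holds colons
      port = parts[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]")
        print $1, port, addr
    }'
}

# tailnet_exposed_live: the same check against this host right now.
tailnet_exposed_live() { ss -H -ltun | tailnet_exposed; }

# Constructed sample in `ss -H -ltun` layout (Netid State Recv-Q Send-Q Local Peer).
# udp 41641 is tailscaled's own default WireGuard port and is expected to show.
SAMPLE_SS='tcp   LISTEN 0 128  *:8200             *:*
tcp   LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128  192.168.1.10:8080  0.0.0.0:*
tcp   LISTEN 0 4096 [::]:443           [::]:*
udp   UNCONN 0 0    0.0.0.0:41641      0.0.0.0:*'

# sample_exposed: run the filter over the constructed sample.
sample_exposed() { printf '%s\n' "$SAMPLE_SS" | tailnet_exposed; }
```

Run tailnet_exposed_live in the Unraid shell while the container is up; every line it prints is reachable from every peer in the tailnet unless an ACL in the admin console says otherwise, so it doubles as a checklist of which services should be bound to the LAN address only.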
