[Support] Tailscale Support Thread



19 hours ago, tmchow said:

 

If you don't use Tailscale ssh then you will connect to the host and not the container, as the container is running in host networking mode.

 

This is how I run it, so I can just ssh to my unraid server using the tailscale ip address.

Link to comment
On 12/11/2022 at 10:05 PM, Cyborg said:


My goal is to host Nextcloud and Bitwarden local and make it available by Tailscale for me and my invited friends/family. 

I thought that I could use the cert in a reverse proxy and activate the Tailscale app + reverse proxy, then use Nextcloud from a mobile with Tailscale?

I get this: 
/app # ./tailscale  cert unraid.not-mine.ts.net
500 Internal Server Error: invalid domain "XXXXXXX.ts.net"; must be one of ["XXXXXX.ts.net" "XXXXXXXX.ts.net"]
/app # Wrote public cert to unraid.not-mine.ts.net.crt
sh: Wrote: not found
/app # Wrote private key to unraid.not-mine.ts.net.key
sh: Wrote: not found

The domain must be the one you set up in the Tailscale admin portal, under DNS->Tailnet name. Nothing else will work.

Link to comment
On 12/21/2022 at 6:39 PM, tmchow said:

 

This is really just making sure you understand that this isn’t just exposing the container to your tailnet, but rather your entire Unraid server. That said, this should be expected in the way most, if not all, want tailscale to work on Unraid by installing this container anyways.

 

As long as you are following the default configuration of your tailnet, or your customizations to your ACL config are secure, you should be fine.

That's spot on.

 

Security will be down to the ACLs you have set up in tailscale, which I think by default is any<>any, but doesn't have to be.

 

This is a bit of a rabbit hole though, and not something we can really provide support on here.

 

Tailscale ACL documentation

Link to comment
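Added example (not part of the original thread, and not code from Tailscale or the container's author): a small Python audit of a tailnet policy file, comparing who can reach a given port on the Unraid host under the default allow-all rule and under a tightened policy. Both policies, the `tag:unraid` tag, the user and group names and the function names are constructed for illustration; only `*`, exact-name targets and simple port lists or ranges are handled.

```python
import json

# Constructed sample policies in plain JSON (real policy files are HuJSON).
# Default tailnet policy: any source may reach any port on any node.
DEFAULT_POLICY = json.loads(
    '{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}')

# Tightened policy; the user, group and tag names are hypothetical.
TIGHT_POLICY = json.loads("""
{"acls": [
  {"action": "accept", "src": ["admin@example.com"], "dst": ["tag:unraid:22,443"]},
  {"action": "accept", "src": ["group:family"], "dst": ["tag:unraid:443"]}
]}
""")


def port_allowed(ports, port):
    """ports is '*', one port, a range 'a-b', or a comma list of those."""
    for part in ports.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def who_can_reach(policy, node_names, port):
    """Sources allowed to reach `port` on a node known by any of
    `node_names` (its tag, tailnet IP or host alias)."""
    sources = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            # Split on the last colon so 'tag:unraid:22,443' parses.
            target, _, ports = dst.rpartition(":")
            if target in ("*", *node_names) and port_allowed(ports, port):
                sources.update(rule.get("src", []))
    return sorted(sources)


def is_allow_all(policy):
    """True if some rule lets every source reach every port on every node."""
    return any("*" in r.get("src", []) and "*:*" in r.get("dst", [])
               for r in policy.get("acls", []))


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("tight", TIGHT_POLICY)):
        print(name, is_allow_all(pol), who_can_reach(pol, {"tag:unraid"}, 445))
```

Because the container runs in host networking mode, every port the Unraid host listens on is worth checking this way, not only the ports of individual containers.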
On 11/23/2021 at 4:45 PM, dsmith44 said:


Unless you are doing something funky and giving Docker containers their own IP address it should just work.

Are you using the IP address of the tailscale interface, and not the one you see in the console? The links in the console won’t work as they assume you are on the LAN.

It’ll start 100.x.x.x.


If I am doing this funky thing and giving Docker containers their own IP address via the Unraid br0 network... is there a way I can still use Tailscale and access the Docker containers remotely?

Edited by Oublieux
Link to comment
25 minutes ago, Oublieux said:


If I am doing this funky thing and giving Docker containers their own IP address via the Unraid br0 network... is there a way I can still use Tailscale and access the Docker containers remotely?


Can you just access them via the Unraid server’s IP with the port number mapped to the container?

Link to comment

If I am doing this funky thing and giving Docker containers their own IP address via the Unraid br0 network... is there a way I can still use Tailscale and access the Docker containers remotely?

You are into advanced and unsupported, but if you add --advertise-routes= to the command line you will be acting as a router, then **probably**.
Link to comment
On 12/11/2022 at 8:16 AM, dsmith44 said:

 

Hi @ubermetroid @Cyborg

 

What are you trying to do here?

 

If you open a console to the docker container, and have enabled HTTPS certs and MagicDNS in your tailnet, it will issue a cert.

 

/app # ./tailscale  cert unraid.not-mine.ts.net
Wrote public cert to unraid.not-mine.ts.net.crt
Wrote private key to unraid.not-mine.ts.net.key
/app # 

 

What you are to do with this though I don't know, as it will just have unraid.not-mine.ts.net as a hostname.

If you tried to use this for unraid itself you will get errors if you ever connect to it without using the full tailscale address.

 

So while this works it's totally unsupported as it has no sensible use case I can see.

 

Interesting. I don't know why I could not get it to work before, but I got the public cert now.

 

I'm trying to make it so I can connect to https:// (vs just http) and use a valid certificate.

Link to comment

Hi guys

 

I read all the pages on this thread and I see 1 comment that says the SSL is fixed. Was this referring to using the myunraid.net SSL cert that the Limetech guys provide to us?

I have 2 unRAID servers that have the https set to strict which issues out a TLS cert. I know when I visit http://<my server ip> it redirects to a myunraid.net url and on my pfsense box I had to add a private domain in the DNS resolver to make it work. However with this container when I visit the Tailscale IP it redirects to the myunraid url but it leads me nowhere.

The only way it works is because I also have my pfsense box on the tailnet and I have subnet routing set up, so since my pfsense box runs on the same vlan as my unRAID it works, but on my 2nd unRAID box it doesn’t as I don’t have my pfsense box advertising the vlan where my 2nd unRAID box lives.

Is there a setup to make this work or do I have to resort to not using https strict in the unRAID networking settings?

Link to comment

Can someone help with this? I am running the container in "host" mode so there should not be any port-forwarding needed?

Yet I am getting these complaints in the logs:

 

2023/01/02 10:48:55 portmapper: failed to get PCP mapping: PCP response not ok, code 8
2023/01/02 10:48:55 magicsock: endpoints changed: 85.xxx.xxx.249:57588 (stun), [2001:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:f0e5]:51047 (stun), 172.17.0.1:54030 (local), 172.18.0.1:54030 (local), 192.168.1.50:54030 (local), [2001:999:484:47a3::19a]:54030 (local), [2001:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2428]:54030 (local), [2001xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:f0e5]:54030 (local)
2023/01/02 10:48:55 portmapper: failed to get PCP mapping: PCP response not ok, code 8
2023/01/02 10:48:55 portmapper: PMP probe failed due result code: {OpCode:128 ResultCode:NetworkFailure SecondsSinceEpoch:2830 MappingValidSeconds:0 InternalPort:0 ExternalPort:0 PublicAddr:0.0.0.0}

 

How do I fix this?

Link to comment

How can I run the command

tailscale cert

in order to enable HTTPS according to https://tailscale.com/kb/1153/enabling-https/

I have tried running the above command inside the unRAID tailscale docker container, after enabling MagicDNS and HTTPS from inside the settings of my tailscale account but I'm not able to run the command from inside of docker. I'm using the option to click on the running container in UnRAID and open a console and then I try to run:
 

/app # tailscale cert
sh: tailscale: not found

Do I need to SSH into the container and then run the command? If so how do I SSH into the container? Any help is very much appreciated!

Link to comment
On 1/14/2023 at 3:57 AM, nry320i said:

How can I run the command

tailscale cert

in order to enable HTTPS according to https://tailscale.com/kb/1153/enabling-https/

I have tried running the above command inside the unRAID tailscale docker container, after enabling MagicDNS and HTTPS from inside the settings of my tailscale account but I'm not able to run the command from inside of docker. I'm using the option to click on the running container in UnRAID and open a console and then I try to run:
 

/app # tailscale cert
sh: tailscale: not found

Do I need to SSH into the container and then run the command? If so how do I SSH into the container? Any help is very much appreciated!

Try:

./tailscale cert

From what I can see, Tailscale is not installed "systemwide" inside this docker, instead there is the tailscale binary in the /app folder.

For this reason, you need to prepend "./" before the name of the program, to tell the shell to run the program found in the current folder instead of looking for it inside the folders listed in the PATH environment variable.

Link to comment
44 minutes ago, Luca Vignati said:

Try:

./tailscale cert

From what I can see, Tailscale is not installed "systemwide" inside this docker, instead there is the tailscale binary in the /app folder.

For this reason, you need to prepend "./" before the name of the program, to tell the shell to run the program found in the current folder instead of looking for it inside the folders listed in the PATH environment variable.

That worked thanks! ./ makes sense now that I think about it because ./ is used in Linux to run a locally executable file.

Link to comment

Hi, I’ve set up Tailscale on my unraid server and I’m also running the Up_flags:
 

--advertise-ex-route --advertise-routes=HomeVlan,IoTVlan



I’ve enabled the routes and the exit node in the admin console. I’ve also installed Tailscale on my laptop.
From my laptop (remotely) I can get to physical devices on my ‘IoTvlan’ and my 'HomeVlan' however I’m not able to access any of the docker containers running in unraid on either of the vlans.

e.g. from my laptop I can access my smart switches directly, but I’m not able to access HomeAssistant or Sonarr / Radarr etc. Each of my docker containers is assigned its own IP address on interface either br0 (safe vlan) or br0.12 (my IoT vlan). Locally this works with no issues. I use individual IPs on each of the dockers so that I can use port forwarding and firewall rules on my UDMP accordingly.

 

I’ve tried:

Assigning Tailscale its own IP in both vlans (one at a time)

Running Tailscale as Bridge and hosts

(Both of the options above throw a warning about IPv6 routing not working - despite being able to access physical device.)

I’ve enabled host device has access to custom networks.
I've ensured that the subnets are enabled in tailscale admin.

I've enabled the exit route on the remote device.

 

From the tailscale docker container console I’m able to ping all of the containers and physical devices on both vlans by their IP addresses with no issues. From the connected clients I can ping other devices on the two subnets / vlans, but none of the docker containers.

 

I assume that any traffic coming from the tailscale network will appear to be coming from the unraid server if being looked at internally (i.e. from the perspective of the UDMP); so I do not believe this is a UDMP/Firewall issue.

 

I’m now out of ideas. - Can anyone advise how I might be able to fix this please? Thank you.

 

Edited by karldonteljames
Missing key information.
Link to comment

I have tailscale installed and all working on various clients but as a side effect my remote Plex users can no longer access my Plex server content.

Plex and Tailscale are both installed on 'host' network

 

Is there any way to make Plex an exception so Plex would be accessible as before?   Willing to dig into this if anyone can give me some basic instructions to get me started

 

 

Link to comment
On 1/23/2023 at 5:36 PM, coasterman said:

I have tailscale installed and all working on various clients but as a side effect my remote Plex users can no longer access my Plex server content.

Plex and Tailscale are both installed on 'host' network

 

Is there any way to make Plex an exception so Plex would be accessible as before?   Willing to dig into this if anyone can give me some basic instructions to get me started

 

 

I think this is similar to the issue I have above.

Link to comment
3 hours ago, karldonteljames said:

Is there no solution or support to this particular issue?

 

 

 

 

Ok, anything to do with advertise routes is specifically unsupported. It's custom networking, and at that point you need the tailscale forums, not unraid. I've added some more info to the front page to make this clear.

 

However on the plex front I'm not even sure what you are saying exactly.

 

Are you saying with a vanilla tailscale setup, no routes, no extra flags, when tailscale is running remote users can't use plex ?

They wouldn't be going over tailscale in this instance anyway.

 

Mine works completely fine in this situation, so if your install isn't we can try and debug that, but not with routes, sorry.

Edited by dsmith44
Link to comment

Yes I am using routes, but i'm not having issues with plex. My issue is the inability to access ANY docker images via their ip address, but I CAN access other physical devices on the network. (As outlined above on the 22nd January)

 

The issue I am having seems to be very similar to the one posted after with the plex issue and being able access docker images.

Link to comment
2 hours ago, karldonteljames said:

Yes I am using routes, but i'm not having issues with plex. My issue is the inability to access ANY docker images via their ip address, but I CAN access other physical devices on the network. (As outlined above on the 22nd January)

 

The issue I am having seems to be very similar to the one posted after with the plex issue and being able access docker images.

 

If you want to use routes, and get onto your network, I can only advise not using unraid as the place to run tailscale, put it on your firewall or even a raspberry pi. It's not the intended use.

If someone wanted to add tailscale network vpn to unraid, it should be in a plugin, not a container.

 

Running a vpn endpoint, inside a docker container, on a NAS, is asking for trouble/complexity.

 

I would connect to the console of the tailscale docker, and see if you can ping the other thing, if you can't this isn't a tailscale issue, it's a docker networking issue.

 

This may also be a place to start to get it running outside of docker.

https://gist.github.com/shayne/25e194e068751e281937ef68edefb99b

 

 

Link to comment
4 hours ago, dsmith44 said:

 

If you want to use routes, and get onto your network, I can only advise not using unraid as the place to run tailscale, put it on your firewall or even a raspberry pi. It's not the intended use.

If someone wanted to add tailscale network vpn to unraid, it should be in a plugin, not a container.

 

Running a vpn endpoint, inside a docker container, on a NAS, is asking for trouble/complexity.

 

I would connect to the console of the tailscale docker, and see if you can ping the other thing, if you can't this isn't a tailscale issue, it's a docker networking issue.

 

This may also be a place to start to get it running outside of docker.

https://gist.github.com/shayne/25e194e068751e281937ef68edefb99b

 

 

Last follow up on this, I connected to the console of my tailscale docker container and tried to ping another container that I have with a static ip address on my lan.

 

I cannot ping this, and so there is no hope of tailscale being able to route traffic to it.

 

I think the reason for this is:-

ARP packets will be sent onto the ethernet from tailscale to get the MAC address of the host with the IP address. These ARP packets will hit your ethernet switch, where it will broadcast them to all ports, except it will not send them back the way they came, and so the docker container never sees them, and doesn't respond. So the tailscale docker never sees an ARP response, so can't send the packet to the right MAC address, so cannot connect to it.

 

As I said, this isn't supported, and in fact cannot ever work now I've thought about it.

 

Link to comment
On 2/5/2023 at 8:36 AM, sammyxd98 said:

how do i do that?

You can change the version of any docker container you pull in the settings.

 

Where it says deasmi/unraid-tailscale or deasmi/unraid-tailscale:latest change it to deasmi/unraid-tailscale:<VERSION>

 

Note that you will not get updates if you do that without manually changing it again. 

 

Unless there is something in 1.36 you desperately need, and looking at the release notes I'm not sure what that could be, I would leave it alone and you'll get it after a few weeks anyway.

  • Like 2
Link to comment
