Edit - not sure what the underlying issue ended up being, it never did fully work for me, but I set up a separate machine (a Pi) that advertised subroutes and everything started to work. I imagine someone running VMs through proxmox/etc would not have similar issues. As another commenter noted, running the docker tailscale sidecars as separate machines would also likely work easily (best done if you don’t have your services set up already).

Back again with another request for help.

I’m trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self-hosted services when I’m not at home. My (naive) assumption was that once my device was connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz URL and access things that way. That isn’t happening.

I’m running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.

I have set up Tailscale both on my server and phone, I’m able to connect to my server as an exit node, but I don’t seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can’t access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).

This is my compose file:

    services:
      tailscale-authkey1:
        image: tailscale/tailscale:latest
        hostname: myhost
        environment:
          - TS_AUTHKEY=xx
          - TS_STATE_DIR=/var/lib/tailscale
          - TS_USERSPACE=false
          - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
          - TS_ROUTES=192.168.0.0/24
        volumes:
          - ts-authkey-test:/var/lib/tailscale
          - /dev/net/tun:/dev/net/tun
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        restart: unless-stopped
      nginx-authkey-test:
        image: nginx
        network_mode: service:tailscale-authkey1
    # named volume used above must be declared at top level
    volumes:
      ts-authkey-test:

I’m not sure what I should do - I’m seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that’s clearly if you’re running on bare metal. I’ve also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that’s way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).

Thanks for any help!

    • pirateMonkey@lemmy.world (OP) · 2 points · 1 month ago

      Thanks, I did check that my machine had IP forwarding enabled, and it does. I also ran those lines to create the config file as well, but that didn’t change anything. And I do have the lines in my compose file to advertise routes.

      • Codemichael@lemmy.world · 2 points · 1 month ago

        If it’s enabled then this command should produce a 1 in the output

        cat /proc/sys/net/ipv4/ip_forward
        
        • pirateMonkey@lemmy.world (OP) · 1 point · 1 month ago

          Yes, it does (been checking with sysctl net.ipv4.ip_forward, but guess it’s the same thing). It seems like the issue may be that IPv6 may not be enabled within the container. It’s enabled on the host, but the docker logs say ipv6 forwarding is not enabled.

            • pirateMonkey@lemmy.world (OP) · 1 point · 1 month ago (edited)

              Yes, I believe I made the stupid mistake of not restarting after enabling. Once I did that the warning went away and I was able to enable subnets, but I’m still not able to see my local services (where I try to access via the IP of the host given by Tailscale or the magicDNS address). So, progress!

              ETA: I also had removed the advertise exit nodes line and restarted the container with the --reset flag. After the warning went away I re-added the exit node option and I get the warning that it is misconfigured again.
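An added check for the "written to the config file but never applied" state the OP ran into above (example code, not from the thread or from Tailscale): it compares the live kernel value under /proc/sys with what the sysctl drop-in persists, for both IPv4 and IPv6 forwarding. The drop-in path /etc/sysctl.d/99-tailscale.conf is an assumption; both paths can be overridden so the function can be run against test files.

```shell
# forwarding_state LIVE_FILE CONF_FILE KEY
# Prints one of: ok, not-applied, not-persisted, disabled, missing.
# LIVE_FILE is the /proc/sys node, CONF_FILE the persisted sysctl drop-in.
forwarding_state() {
    live_file=$1; conf_file=$2; key=$3
    live=""
    [ -r "$live_file" ] && live=$(cat "$live_file")
    # escape the dots in the sysctl key so they match literally
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    persisted=0
    if [ -r "$conf_file" ] && \
       grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf_file"; then
        persisted=1
    fi
    case "$live:$persisted" in
        1:1) echo ok ;;
        1:0) echo not-persisted ;;   # works now, lost on reboot
        0:1) echo not-applied ;;     # file written, sysctl never reloaded/rebooted
        0:0) echo disabled ;;
        *)   echo missing ;;         # node absent, e.g. IPv6 disabled on the host
    esac
}

# check_tailscale_forwarding [CONF_FILE]
# Reports both sysctls Tailscale's subnet-router check expects to be 1.
# The default drop-in path is an assumption for this example.
check_tailscale_forwarding() {
    conf=${1:-/etc/sysctl.d/99-tailscale.conf}
    v4=$(forwarding_state /proc/sys/net/ipv4/ip_forward "$conf" net.ipv4.ip_forward)
    v6=$(forwarding_state /proc/sys/net/ipv6/conf/all/forwarding "$conf" net.ipv6.conf.all.forwarding)
    echo "ipv4 forwarding: $v4"
    echo "ipv6 forwarding: $v6"
}

check_tailscale_forwarding "$@"
```

Run it on the Docker host, not inside the container; "not-applied" on either line is the restart-or-`sysctl -p` case, and "missing" on IPv6 matches the container log complaint about IPv6 forwarding.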

  • dustyData@lemmy.world · 5 points · 1 month ago

    I also tried tailscale in a docker container as a subnet handler and realized I was out of my depth. Net engineering is abstract and hard. There’s a reason there are pros making bank just doing that for big corps.

    Followed a way simpler setup. Now tailscale runs on the server bare metal and podman handles the routing automatically. I just use the magicDNS address given by tailscale and everything just works as intended. All my services are available, and apps run no issue, no matter where I am as long as I’m connected to tailscale. I will make the setup more complex as I learn more and acquire the need for more features. But so far this has met all my expectations.

    • lankydryness@lemmy.world · 2 points · 1 month ago

      I also do this. Just run Tailscale on bare metal and then I can access all my services the same as if I was on my LAN, essentially.

      • pirateMonkey@lemmy.world (OP) · 1 point · 1 month ago

        I may be (probably am) worrying too much about this, but doesn’t that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that’s from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services’ front ends but not the data they rely on since Tailscale itself doesn’t have that access.

        • lankydryness@lemmy.world · 1 point · 1 month ago

          You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.

          I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.

          But your point does make sense to me.

    • pirateMonkey@lemmy.world (OP) · 1 point · 1 month ago

      It’s true, and I was wondering if that would be the route I have to go. Good to know it has been a positive experience.

  • pirateMonkey@lemmy.world (OP) · 2 points · 1 month ago

    Sorry for misformatted code.

      services:
        tailscale-authkey1:
          image: tailscale/tailscale:latest
          hostname: myhost
          environment:
            - TS_AUTHKEY=xx
            - TS_STATE_DIR=/var/lib/tailscale
            - TS_USERSPACE=false
            - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
            - TS_ROUTES=192.168.0.0/24
          volumes:
            - ts-authkey-test:/var/lib/tailscale
            - /dev/net/tun:/dev/net/tun
          cap_add:
            - NET_ADMIN
            - SYS_MODULE
          restart: unless-stopped
        nginx-authkey-test:
          image: nginx
          network_mode: service:tailscale-authkey1
      # named volume used above must be declared at top level
      volumes:
        ts-authkey-test:
    
      • pirateMonkey@lemmy.world (OP) · 2 points · 1 month ago

        No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I’m using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).

        • BCsven@lemmy.ca · 3 points · 1 month ago

          The firewall on your server may need masquerading set and IP forwarding set.

  • Gonzako@lemmy.world · 2 points · 1 month ago

    Hey, if you’re just looking for a reverse proxy my recommendation is Caddy. Give it port 443 and 80 and it’ll reverse proxy you to wherever you want depending on the subdomain/port.

    • WbrJr@lemmy.ml · 2 points · 1 month ago

      Caddy is nice and super simple. Only issue I had was: it can’t control domains if it’s behind a VPN. I use Hetzner and they have an API, but the feature is not native to Caddy so I would have had to rebuild Caddy as a Docker image. Rather annoying tbh, because everything else is great about it.

  • FreedomAdvocate@lemmy.net.au · 4 up / 3 down · 1 month ago

    You don’t use the local ip address to access things when you’re remote - in Tailscale you can see that it gives you a remote IP to use to access things.

      • FreedomAdvocate@lemmy.net.au · 3 up / 5 down · 1 month ago

        Can’t really help you then sorry, it’s always just worked out of the box for me with all my services so I haven’t had to troubleshoot or mess around with it.

  • Funky_Beak@lemmy.sdf.org · 1 point · 1 month ago (edited)

    Glad I’m not the only one struggling with this. I was able to get nginx to give me the congratulations page via the Tailscale IP for the machine, but getting that routing to work with my own custom name is giving me a headache. I am probably adding an extra unnecessary layer by trying to use AdGuard Home as a DNS rewrite. If you crack it I’d love to hear how you achieved it.

    • Funky_Beak@lemmy.sdf.org · 2 points · 1 month ago

      My theoretical reasoning is: make AdGuard the DNS server, tell Tailscale to use that, and then parse all rewrites and DNS for the Tailscale network through that endpoint (including the exit node, which is on the same machine).

  • Tinkerer@lemmy.ca · 1 point · 1 month ago

    Sorry if this has been answered, but are you running this in Docker on a VM or LXC?

      • Tinkerer@lemmy.ca · 1 point · 1 month ago (edited)

        Proxmox does say docker isn’t officially supported in LXC. That being said I’m running 10 docker containers with no issues on an LXC. I have recently had some weird database not connecting issues and other strange new docker containers not working in an LXC for some reason. If you can I would try the same setup but in a VM and see what happens.

        I recently was trying to get authentik setup via docker and it just wouldn’t work. I gave up and spun up a VM, ran the same docker compose file and it worked right away.

        Hopefully this helps?

  • Broadfern@lemmy.world · 1 point · 1 month ago

    This may sound crazy but do you have an AT&T router?

    I have not been able to solve it myself yet unfortunately but having two routers has made it impossible for me to use Tailscale/Wireguard/ZeroTier etc. in much the same way as you’re describing.

    The devices “see” each other but can’t connect no matter what configuration I follow, what firewall settings I tweak, nothing. I think there’s a pass through problem where UPnP is in conflict.

    Sorry I don’t have an answer but I promise you’re not alone in your frustration.

    • pirateMonkey@lemmy.world (OP) · 2 points · 1 month ago

      Misery loves company! Mine is Verizon and there was a setting that was causing me trouble recently, but probably is unrelated to yours (was DNS rebind protection).

    • AbidanYre@lemmy.world · 2 points · 1 month ago

      Is that because the AT&T router uses the same subnet as tailscale? I seem to remember seeing similar issues in the past?

      • Broadfern@lemmy.world · 1 point · 1 month ago

        Maybe? The port setups work fine on the home router (such as accessing Steam link/Sunshine from a TV) but because it’s behind the mandatory AT&T modem it causes some nasty configuration headaches for external access.

  • billwashere@lemmy.world · 1 point · 1 month ago

    Not sure if this is related or not, but on Linux when I have a machine on the same subnet as an advertised route that I have connected to Tailscale, I can’t access the local subnet at all. On Macs it’s fine, only Linux. I had to hunt down this little trick:

    ip ro del table 52 <subnet>

    There are other ways to solve it but I added this to the service that starts Tailscale.

    You can read more about it here. https://github.com/tailscale/tailscale/issues/6231

    • pirateMonkey@lemmy.world (OP) · 1 point · 1 month ago

      That was an interesting rabbit hole. I’m not sure if it’s related or not, but maybe I’ll give it a shot once I get my head wrapped around what it really means (though by then they might have developed a fix… and I see how long that’s taken so far)