Compose Tailscale with Exit Node

veritas · Apr 6th 2024

Hi everyone,

Still very new to OMV, but have learned much thanks to this forum. I have Tailscale up and running, but now I'm trying to use it as an exit node. After scouring the forums (here, Tailscale, and Reddit), still no success.

Any thoughts? Do I need to advertise routes as well?

Code

---
services:
  tailscale:
    image: tailscale/tailscale:latest
    privileged: true
    hostname: rp_tailscale
    network_mode: "host"
    container_name: tailscale
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TS_EXTRA_ARGS=--advertise-exit-node
    volumes:
      - ./tailscale/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun # Required for tailscale to work
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
    cap_add: # Required for tailscale to work
      - net_admin
      - sys_module
    command: tailscaled
    restart: unless-stopped

Display More

veritas · Apr 9th 2024

I was able to get my Pi/Tailscale to advertise an exit node by adding the 'advertise exit nodes' with the 'Tailscale up' command. It advertises an exit node, but there is no internet access when using it.

raulfg3 · Apr 9th 2024

Try

Code

NET_ADMIN      - NET_RAW

in Upercase and TS_USERSPACE=0 acordind to this: https://hub.docker.com/r/tailscale/tailscale final line

Code

---
services:
  tailscale:
    image: tailscale/tailscale:latest
    privileged: true
    hostname: rp_tailscale
    network_mode: "host"
    container_name: tailscale
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TS_EXTRA_ARGS=--advertise-exit-node
      - TS_USERSPACE=0
    volumes:
      - ./tailscale/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun # Required for tailscale to work
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
    cap_add: # Required for tailscale to work
      - NET_ADMIN
      - NET_RAW
    command: tailscaled
    restart: unless-stopped

Display More

revise too if is necessary:

TS_AUTHKEY: A Tailscale auth key used to authenticate the container.

Ephemeral nodes · Tailscale Docs

tailscale.com

veritas · Apr 15th 2024

@raulfg3...it worked, thank you so much taking the time to respond and share some of your knowledge!

IamGimli · Jun 2nd 2024

Sorry to resurrect this but I'm hoping one of you can help me.

I've used the code raulfg3 posted to create my Tailscale container and it worked but the logs show that the container won't authenticate with the Tailscale network, even though I've tried configuring the TS_AUTHKEY variable with my key both within the "environment:" section in the code and in the "Environment" window in the compose/file menu.

Can either of you point me to where/how I need to configure the TS_AUTHKEY variable to make the container use it to authenticate please?

raulfg3 · Jun 3rd 2024

revise that your path have enought privileges to write on it:

volumes:
- ./tailscale/state:/var/lib/tailscale

this part is your path: ./tailscale/state, you can use /srv/e2e4d874-4f11-4da3-a593-2088036d2d8c/tailscale/state whwere e2e4d874-4f11-4da3-a593-2088036d2d8c is the UUID of your data disk

IamGimli · Jun 3rd 2024

I tried that (to no avail) but I don't think that's the issue. The errors in the log don't refer to unwritable or absent directories, it specifically says it needs login.

Quote

tailscale | 2024/06/03 10:48:11 timeout waiting for initial portlist

tailscale | 2024/06/03 10:48:11 Backend: logs: be:8892e47f44bd356f62e093912729336923e6e6227f24967184eb37174ef6e363 fe:

tailscale | 2024/06/03 10:48:11 Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)

tailscale | 2024/06/03 10:48:11 health("overall"): error: state=NeedsLogin, wantRunning=false

tailscale | 2024/06/03 10:48:11 blockEngineUpdates(true)

IamGimli · Jul 30th 2024

Alright, I finally got my Tailscale Docker container to work with help from this Reddit thread.

It looks like the Tailscale Container ignores everything that's put in the "Environment" section of the Docker Compose file. In order to get the container configured properly, I had to do it from the SSH shell of the OpenMediaVault host.

First I had to pull then start the Tailscale container by clicking the "Up" button in the Docker Compose Files menu. Checking the container logs, that's where it failed to connect to the Tailscale network with the error:

tailscale | 2024/06/03 10:48:11 Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)

Then I logged in to the OpenMediaVault shell throuigh SSH. From there, I executed the following commands (assuming the name of the Tailscale container is "tailscaled"):

docker exec tailscaled tailscale status returned "logged out". This confirmed that the container was running but couldn't log in to the Tailscale network.

Then I ran the following command:

docker exec tailscaled tailscale up returned an URL where I went from my web browser and allowed me to log on the new machine into my Tailnet. If you want to use a key instead, I suppose using the command line "docker exec tailscaled tailscale up --authkey tskey-abcdef1432341818" would work but I wasn't able to test that since I used the commands that the Reddit thread referenced.

After logging on the machine into my Tailnet, it appeared in my Tailscale Admin Centre. Now I needed to advertise it as an exit node and publish a local route, so I had to run the following commands to achieve that:

docker exec tailscaled tailscale up --advertise-routes=192.168.1.0/24

then

docker exec tailscaled tailscale up --advertise-exit-node

Once all of these had been executed, the node showed up properly configured in the Tailscale Admin Centre and I was able to use it to its full potential. I can also shut down the container and restart it and it retains the correct configuration.

Hopefully this helps someone else at some point.

willnotwonka · Nov 12th 2024

This doc has a compose file at the end and that worked for me.

Compose Tailscale with Exit Node

macom Apr 6th 2024

veritas Apr 15th 2024

Participate now!

Tags