Back again with another request for help.
I'm trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self hosted services when I'm not at home. My (naive) assumption was that once my device was in I connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz url and access things that way. That isn't happening.
I'm running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.
I have set up Tailscale both on my server and phone, I'm able to connect to my server as an exit node, but I don't seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can't access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).
This is my compose file:
services: tailscale-authkey1: image: tailscale/tailscale:latest hostname: myhost environment: - TS_AUTHKEY=xx - TS_STATE_DIR=/var/lib/tailscale - TS_USERSPACE=false - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes - TS_ROUTES=192.168.0.0/24 volumes: - ts-authkey-test:/var/lib/tailscale - /dev/net/tun:/dev/net/tun cap_add: - NET_ADMIN - SYS_MODULE restart: unless-stopped nginx-authkey-test: image: nginx network_mode: service:tailscale-authkey1
I'm not sure what I should do - I'm seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that's clearly if you're running on bare metal. I've also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that's way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).
Thanks for any help!
I also do this. Just run Tailscale on bare metal and then I can access my all my services the same as if I was on my LAN, essentially.
I may be (probably am) worrying too much about this, but doesn't that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that's from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services' front ends but not the data they rely on since Tailscale itself doesn't have that access.
You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.
I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.
But your point does make sense to me.