Tailscale
Secure mesh VPN networking with Tailscale on Unraid
Thank you for choosing to collaborate with IBRACORP
Please read our disclaimer https://docs.ibracorp.io/#disclaimer
Credits
Role | Contributor |
---|---|
Writer / Producer | IBRACORP |
Video Recording and Voice | IBRACORP |
Contributor | Tailscale Team |
Testing / Proofreading | IBRACORP Community |
Feature List
Tailscale Mesh VPN Features:
- Zero-configuration mesh VPN networking
- End-to-end encryption using WireGuard protocol
- Magic DNS for easy device discovery
- Cross-platform support (Windows, macOS, Linux, iOS, Android)
- Subnet routing for entire network access
- Exit node functionality for internet routing
- NAT traversal and firewall bypassing
- Multi-user and team management
- Access control lists and device sharing
- Free tier for personal use (up to 20 devices)
Prerequisites
System Requirements:
- Unraid Server: Version 6.9+ recommended
- Internet Connection: Stable connection for initial setup
- Authentication Account: Google, Microsoft, or GitHub account
- Devices: Client devices to connect to the network
Account Prerequisites:
- Tailscale Account: Free registration at https://tailscale.com/
- Identity Provider: Google, Microsoft, or GitHub account for SSO
Installation
Unraid Installation
Tailscale / Community Applications / Networking
Installation Steps:
- Head to the Community Applications store in Unraid
- Search for and click to install Tailscale
- Configure the container settings:
  - Network Type: Host (required for proper functionality)
  - Privileged: Yes (required for network access)
  - Config Path: /mnt/user/appdata/tailscale
- Configure Environment Variables:
  - TS_EXTRA_ARGS: Additional startup arguments
  - TS_STATE_DIR: /var/lib/tailscale (default)
- Click Apply and wait for the container to start
Docker Compose Installation
```yaml
version: '3.8'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    restart: unless-stopped
    network_mode: host
    privileged: true
    environment:
      - TS_AUTHKEY=tskey-your-auth-key-here
      - TS_EXTRA_ARGS=--advertise-routes=192.168.1.0/24
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - ./tailscale-data:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
```
Installation Steps:
- Save the above configuration as docker-compose.yml
- Generate an auth key from Tailscale admin console
- Update the TS_AUTHKEY environment variable
- Start the container: docker compose up -d
Configuration
Initial Setup and Authentication
Account Creation:
- Visit https://tailscale.com/ and click "Get started for free"
- Authentication Options:
- Google Account
- Microsoft Account
- GitHub Account
- Complete account setup and email verification
Device Authentication:
- Access Container Console:
  docker exec -it tailscale tailscale up
- Follow Authentication URL:
  - Copy the provided URL
  - Open in web browser
  - Complete device authentication
  - Name your device appropriately
- Verify Connection:
  docker exec tailscale tailscale status
Basic Network Configuration
Enable IP Forwarding:
# Enable IP forwarding on Unraid
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
sysctl -p
Advertise Subnet Routes:
# Advertise local subnet to other Tailscale devices
docker exec tailscale tailscale up --advertise-routes=192.168.1.0/24
Configure Exit Node:
# Set device as exit node for internet traffic
docker exec tailscale tailscale up --advertise-exit-node
Advanced Configuration
Custom Startup Arguments:
# Environment variables for Docker
environment:
  - TS_EXTRA_ARGS=--advertise-routes=192.168.1.0/24,10.0.0.0/24 --advertise-exit-node --ssh
Magic DNS Configuration:
# Enable Magic DNS (usually enabled by default)
docker exec tailscale tailscale up --accept-dns=true
SSH Server Integration:
# Enable Tailscale SSH server
docker exec tailscale tailscale up --ssh
Client Device Setup
Windows Client
Installation Steps:
- Download Tailscale from https://tailscale.com/download/windows
- Run installer with administrator privileges
- Launch Tailscale and sign in with same account
- Device appears in admin console automatically
Windows Configuration:
# Enable subnet routing on Windows
tailscale up --accept-routes
# Use specific exit node
tailscale up --exit-node=unraid-server
macOS Client
Installation Steps:
- Download from Mac App Store or https://tailscale.com/download/mac
- Install and launch application
- Sign in with Tailscale account
- Grant necessary permissions for VPN
macOS Configuration:
# Command line configuration
sudo tailscale up --accept-routes --accept-dns
# Check status
tailscale status
Linux Client
Installation via Package Manager:
# Ubuntu/Debian
curl -fsSL https://tailscale.com/install.sh | sh
# CentOS/RHEL
sudo yum install tailscale
sudo systemctl enable --now tailscaled
# Arch Linux
sudo pacman -S tailscale
sudo systemctl enable --now tailscaled
Linux Configuration:
# Authenticate device
sudo tailscale up
# Enable subnet routing
sudo tailscale up --accept-routes
# Check connection
tailscale status
Mobile Clients
iOS Installation:
- Install Tailscale from App Store
- Sign in with account credentials
- Enable VPN configuration when prompted
- Device appears in network automatically
Android Installation:
- Install Tailscale from Google Play Store
- Sign in and grant VPN permissions
- Configure DNS and routing preferences
- Enable always-on VPN if desired
Network Administration
Admin Console Management
Accessing Admin Console:
- Visit https://login.tailscale.com/admin/
- Sign in with your account credentials
- View all connected devices and network status
Device Management:
device_management:
  device_naming: "Assign descriptive names"
  device_authorization: "Approve new device connections"
  device_expiry: "Manage key expiration settings"
  device_deletion: "Remove unused or compromised devices"
Access Control Lists (ACLs)
Basic ACL Configuration:
```json
{
  "tagOwners": {
    "tag:server": ["user@example.com"],
    "tag:client": ["user@example.com"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:client"],
      "dst": ["tag:server:*"]
    },
    {
      "action": "accept",
      "src": ["tag:server"],
      "dst": ["tag:client:22"]
    }
  ]
}
```
Advanced ACL Rules:
```json
{
  "acls": [
    {
      "action": "accept",
      "src": ["user@example.com"],
      "dst": ["192.168.1.0/24:*"]
    },
    {
      "action": "accept",
      "src": ["tag:homelab"],
      "dst": ["tag:servers:80,443,22"]
    }
  ]
}
```
Tailscale ACLs deny by default and "accept" is the only supported action, so tag:sensitive is protected by having no rule that grants access to it rather than by a deny rule.
Subnet Routing
Configure Subnet Router:
# On Unraid (subnet router)
docker exec tailscale tailscale up \
  --advertise-routes=192.168.1.0/24,192.168.50.0/24 \
  --accept-dns=false
# Enable routes in admin console
# Navigate to admin console → Machines → Enable routes
Client Route Acceptance:
# On client devices to accept advertised routes
tailscale up --accept-routes
# Windows PowerShell
tailscale up --accept-routes
# Verify routes
tailscale status
ip route show table 52 # Linux (Tailscale installs its routes in routing table 52)
route print | findstr Tailscale # Windows
Exit Node Configuration
Setup Exit Node:
# Configure Unraid as exit node
docker exec tailscale tailscale up \
  --advertise-exit-node \
  --advertise-routes=192.168.1.0/24
# Enable in admin console
# Navigate to admin console → Machines → Enable exit node
Use Exit Node:
# Route all traffic through exit node
tailscale up --exit-node=unraid-server
# Use the exit node but keep direct access to devices on the client's local LAN
tailscale up --exit-node=unraid-server --exit-node-allow-lan-access
# Disable exit node
tailscale up --exit-node=""
Advanced Features
Magic DNS
DNS Configuration:
# View current DNS settings
docker exec tailscale tailscale debug dns-cache
# Access devices by name
ping unraid-server
ssh user@desktop-computer
Custom DNS Settings:
```json
{
  "dns": {
    "nameservers": ["1.1.1.1", "8.8.8.8"],
    "domains": ["internal.company.com"],
    "routes": {
      "company.com": ["10.0.0.1"]
    }
  }
}
```
MagicDNS and Split DNS
Split DNS Configuration:
# Keep this device's own resolver and ignore the tailnet DNS settings
tailscale up --accept-dns=false
# Accept the tailnet DNS settings (MagicDNS and any split DNS nameservers are set on the admin console DNS page, not with a tailscale up flag)
tailscale up --accept-dns=true
Device Sharing
Share Device Access:
- Navigate to admin console
- Select device to share
- Click "Share" button
- Enter email addresses of users
- Set permissions and access duration
Shared Device Management:
sharing_options:
  full_access: "Complete device access"
  limited_ports: "Specific port access only"
  time_limited: "Temporary access with expiration"
  read_only: "View-only access to services"
Monitoring and Troubleshooting
Network Diagnostics
Connection Status:
# Check Tailscale status
docker exec tailscale tailscale status
# Detailed network information
docker exec tailscale tailscale netcheck
# Debug connectivity
docker exec tailscale tailscale ping target-device
# View logs
docker logs tailscale
Network Testing:
# Test connectivity between devices
ping 100.64.0.1 # Tailscale IP
curl http://unraid-server:8080
# Trace network path
traceroute 100.64.0.1
mtr 100.64.0.1 # Linux
Performance Monitoring
Bandwidth Testing:
# Between Tailscale devices
iperf3 -s # On server
iperf3 -c target-device # On client
# Monitor connection quality
docker exec tailscale tailscale ping --verbose target-device
Connection Metrics:
# View connection details
docker exec tailscale tailscale debug watch-ipn
# Network statistics
docker exec tailscale tailscale debug prefs
docker exec tailscale tailscale debug daemon-logs
Common Issues and Solutions
Connection Problems:
# Restart Tailscale service
docker restart tailscale
# Re-authenticate device
docker exec tailscale tailscale logout
docker exec tailscale tailscale login
# Check firewall settings
# Ensure UDP port 41641 is accessible
DNS Resolution Issues:
# Check DNS configuration
docker exec tailscale tailscale debug dns-cache
# Flush DNS cache
# Windows: ipconfig /flushdns
# macOS: sudo dscacheutil -flushcache
# Linux: sudo systemctl restart systemd-resolved
Subnet Routing Problems:
# Verify IP forwarding
cat /proc/sys/net/ipv4/ip_forward # Should return 1
# Check advertised routes
docker exec tailscale tailscale status
# Enable routes in admin console
echo "Check admin console for route approval"
Security Best Practices
Access Control
Device Authentication:
security_settings:
  key_expiry: "Regular key rotation (90 days recommended)"
  device_approval: "Manual approval for new devices"
  user_management: "Regular user access review"
  audit_logging: "Enable comprehensive logging"
Network Segmentation:
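```json
{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": ["*:*"]
    },
    {
      "action": "accept",
      "src": ["tag:user"],
      "dst": ["tag:services:80,443"]
    }
  ]
}
```
Tailscale ACLs deny by default and "accept" is the only supported action, so tag:guest is kept out of tag:internal by having no rule that grants it access, not by a deny rule.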
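Tailscale policy files are default-deny and support only the "accept" action, which a small linter and evaluator make concrete. This is an added example, not code from the original guide or from Tailscale: the policy is constructed (it includes an unsupported "deny" rule so the linter has something to flag), and matching is simplified to exact src/dst strings and comma-separated ports (no groups, CIDRs or port ranges).

```python
import json

# Constructed policy for illustration; rule 2 uses an unsupported action.
POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["tag:admin"], "dst": ["*:*"]},
    {"action": "accept", "src": ["tag:user"],  "dst": ["tag:services:80,443"]},
    {"action": "deny",   "src": ["tag:guest"], "dst": ["tag:internal:*"]}
  ]
}
""")


def lint(policy):
    """Return (rule index, finding) for rejected or very broad rules."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            findings.append((i, "invalid-action"))
        elif "*:*" in rule.get("dst", []):
            findings.append((i, "allows-everything"))
    return findings


def split_dst(dst):
    """Split 'tag:services:80,443' into ('tag:services', {'80', '443'})."""
    host, _, ports = dst.rpartition(":")
    return host, set(ports.split(","))


def allowed(policy, src, dst_host, port):
    """Default-deny evaluation: traffic passes only if an accept rule matches."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue  # a non-accept rule grants nothing
        sources = rule.get("src", [])
        if src not in sources and "*" not in sources:
            continue
        for dst in rule.get("dst", []):
            host, ports = split_dst(dst)
            if host in ("*", dst_host) and ("*" in ports or str(port) in ports):
                return True
    return False
```

In this constructed policy tag:guest is blocked from tag:internal because nothing grants it access, while the broad tag:admin rule still reaches every destination, including tag:internal.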
Key Management
Authentication Keys:
# Generate one-time auth key
# Via admin console: Settings → Keys → Generate auth key
# Use pre-auth key for automated deployment
docker run -d --name tailscale \
  --privileged --network host \
  -e TS_AUTHKEY=tskey-auth-your-key-here \
  tailscale/tailscale:latest
Key Rotation:
# Force re-authentication to rotate the node key
docker exec tailscale tailscale up --force-reauth
# Manual key refresh
docker exec tailscale tailscale logout
docker exec tailscale tailscale login
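To support the key-expiry and access-review practices in this section, the following added example (not part of the original guide or of Tailscale's tooling) audits a saved `tailscale status --json` document for expired or soon-to-expire keys and for routing nodes whose key never expires. The sample JSON is constructed; the field names Peer, HostName, KeyExpiry, PrimaryRoutes and ExitNodeOption, and the reading of a missing KeyExpiry as "expiry disabled", are assumptions about that output.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the fields used here (field names are assumptions).
STATUS = json.loads("""
{
  "Peer": {
    "nodekey:aaa": {"HostName": "unraid-server", "ExitNodeOption": true,
                    "PrimaryRoutes": ["192.168.1.0/24"]},
    "nodekey:bbb": {"HostName": "laptop", "KeyExpiry": "2025-01-10T00:00:00Z"},
    "nodekey:ccc": {"HostName": "phone", "KeyExpiry": "2025-06-01T00:00:00Z"},
    "nodekey:ddd": {"HostName": "old-desktop", "KeyExpiry": "2024-12-01T00:00:00Z"}
  }
}
""")


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2025-01-10T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(status, now, warn_days=14):
    """Return sorted (hostname, finding) pairs worth raising in an access review."""
    findings = []
    for peer in (status.get("Peer") or {}).values():
        name = peer.get("HostName", "unknown")
        routes = bool(peer.get("PrimaryRoutes")) or peer.get("ExitNodeOption", False)
        expiry = peer.get("KeyExpiry")
        if expiry is None:
            # No expiry recorded: the key never rotates. Flag nodes that route traffic.
            if routes:
                findings.append((name, "router-key-never-expires"))
            continue
        remaining = parse_ts(expiry) - now
        if remaining < timedelta(0):
            findings.append((name, "key-expired"))
        elif remaining < timedelta(days=warn_days):
            findings.append((name, "key-expiring-soon"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(STATUS, datetime(2025, 1, 1, tzinfo=timezone.utc)):
        print(f"{host}: {finding}")
```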
Integration Examples
Home Lab Integration
Complete Home Lab Setup:
```yaml
home_lab_config:
  unraid_server:
    role: "subnet_router_exit_node"
    routes: ["192.168.1.0/24"]
    services: ["web_ui", "docker_containers"]
  workstation:
    role: "client"
    access: ["full_subnet", "exit_node_optional"]
  mobile_devices:
    role: "client"
    access: ["specific_services", "exit_node_when_traveling"]
  remote_site:
    role: "site_to_site"
    routes: ["10.0.0.0/24"]
    connection: "always_on"
```
Site-to-Site VPN
Multi-Site Configuration:
# Site A (Main office)
docker exec tailscale tailscale up \
--advertise-routes=192.168.1.0/24 \
--accept-routes
# Site B (Remote office)
docker exec tailscale tailscale up \
--advertise-routes=10.0.0.0/24 \
--accept-routes
# Enable routes in admin console for both sites
Container Network Access
Docker Integration:
```yaml
# Access Docker containers via Tailscale
version: '3.8'
services:
  app:
    image: nginx
    container_name: webapp
    networks:
      - tailscale-net
    labels:
      - "tailscale.hostname=webapp"
networks:
  tailscale-net:
    external: true
```
Backup and Recovery
Configuration Backup
Backup Tailscale State:
```bash
#!/bin/bash
# tailscale-backup.sh
set -euo pipefail
# The state directory holds this node's private key: keep backups readable by root only
umask 077
BACKUP_DIR="/backup/tailscale"
STATE_DIR="/mnt/user/appdata/tailscale"
DATE=$(date +%Y%m%d_%H%M%S)
# Create backup directory
mkdir -p "$BACKUP_DIR"
# Backup Tailscale state
tar -czf "$BACKUP_DIR/tailscale-state-$DATE.tar.gz" "$STATE_DIR"
# Export device configuration
docker exec tailscale tailscale debug prefs > "$BACKUP_DIR/tailscale-prefs-$DATE.json"
# Delete backups older than 30 days (state archives and exported prefs)
find "$BACKUP_DIR" -name "tailscale-state-*.tar.gz" -mtime +30 -delete
find "$BACKUP_DIR" -name "tailscale-prefs-*.json" -mtime +30 -delete
```
Disaster Recovery
Recovery Procedures:
```bash
# Restore Tailscale configuration from the most recent state archive
docker stop tailscale
LATEST=$(ls -1t /backup/tailscale/tailscale-state-*.tar.gz | head -n 1)
tar -xzf "$LATEST" -C /
docker start tailscale
# Re-authenticate if necessary
docker exec tailscale tailscale login
# Verify connectivity
docker exec tailscale tailscale status
```
Special Thanks
- Tailscale Team for providing excellent mesh VPN technology
- WireGuard Project for the underlying secure tunneling protocol
- To our fantastic Discord community and our Admins DiscDuck and Hawks for their input and documentation (as always)
Please support the developers and creators involved in this work to help show them some love. ❤️
Final Words
We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.
Support Us
Our work sometimes takes months to research and develop.
If you want to help support us please consider:
- Liking and Subscribing to our YouTube channel
- Joining our Discord server
- Becoming a paid member on our IBRACORP website
- Donating via PayPal
Thank you for being part of our community!