For those of you running Linux servers or if you use docker-compose, then you can install Tailscale using our docker-compose.yml file example.
Before we create the compose
file:
If your running Proxmox LXC then go to the following page before deploying the container :
Now let's create the first docker-compose.yml
file with the nano
text editor.
After you're done editing the file, save it with ctrl+x
, type “y” and then press enter
.
Go here for the next step.
This solution will fix any VPN you want to run such as Tailscale and OpenVPN
On the proxmox host look in /etc/pve/lxc/
, for the ID of the LXC you want to use Tailscale in. For example in my case LXC ID=100. I would then edit /etc/pve/lxc/100.conf
and add the following under what is already there:
This allows the container to have access to /dev/tun
. In my case at least, this allows even an unprivileged LXC to run Tailscale or OpenVPN which makes a node.
Make sure you are in the same directory as the docker-compose.yml
file, and now we want to start up the container(s) by running the following in each directory:
If you're in another directory, then you will need to specify the compose file with the -f
argument.
Run the following to have the abilityfor your Host device to be the Exit Node
Now go here and run the section to enable IP forwarding and then your done!
Please read our disclaimer https://docs.ibracorp.io/#disclaimer.
Firstly, let's go to the Tailscale website and click Get Started
. You will have to log in with either your Google account, Microsoft account, or your GitHub account. We signed in with a GitHub account.
You should have 2FA enabled wherever you can, to protect your account.
Once you click on the Auth provider of your choice you will have to authorize the Tailscale app. This gives Tailscale enough information to link and secure your new Tailscale account using your existing log-in.
Tailscale is kind enough to offer free accounts for any individual with up to 20 devices and has many more features for free for individuals. You start with the free Personal plan.
Once you are in the dashboard, you will see a few simple menus, let's go through some of those later.
Let's get your Unraid machine connected to your new secure network.
In Unraid, go to the community apps tab and search for 'Tailscale'.
Click to install Tailscale. (We used the dsmith44's Repository)
Chose the network type, we went with the network type "host".
When you add a device to the network, it will have access to all the other devices on the network, but the rest of your traffic will be routed as normal. If you would like to be able to route traffic through this node in the future, you can add an extra flag to enable the "exit node" feature on this device.
Under the "UP_FLAGS" field, add
if you would like your Unraid device to be an exit node.
Now we are ready to run the container. Click done and wait for the container to pull the container image and start up.
Once the container has started up, check the container logs.
There will be a link to visit under the text To authenticate, visit:
. Copy and paste the link into your web browser and log in. The Unraid server is now part of your secure network!
To verify, visit the Tailscale Machines Overview and you should see your Unraid server in the list with the status connected. In case you went for the optional step and made it an exit node, a label Exit node should be under the server name.
If you now log into the admin panel, you will see your Unraid device already added to your secure network with its own new local IP. This new IP is what we will now use to connect to your Unraid server.
PLEASE NOTE
If you do not "Disable key expiry" the key used to join the device to the network will expire and so you will have to re-authenticate it after 6 months. To disable this expiry you just have to click the three dots next to the device in the admin panel and select "Disable key expiry". This device will now not need to be re-authenticated again unless you revoke access manually.
Now you may want to add your PC or phone to the network so that you can connect to your Unraid server whenever you want. Let's start with a Windows PC as I assume most of you will be running windows.
Go to the downloads page, choose Windows, and click download.
Install the app once it has finished downloading, you should now get a notification. Click the notification to log in and authenticate your machine.
A new window will pop up in your browser asking you to log in.
Once you have logged in your PC will now be on the network!
Let's check back in the admin console.
You will now see not only your Unraid server but also your PC along with its own new local IP for this new secure network!
Let's copy your new Unraid IP from this dashboard and try to SSH in with your favorite terminal app to the new IP address on our secure network. Additionally, you could try to access the Unraid web user interface using this newly allocated IP address.
As you can see we can now connect as if we were on the same network but using the new IP address.
PLEASE NOTE
You can access your devices on this network for as long as you are connected. You do not need to join an exit node to access a device. The exit node is an additional feature that will allow you to route all traffic through the chosen exit node. Regardless if the exit node is enabled or disabled you will always be able to access all devices on the secure network.
Maybe we are on the same network with our PC so let's now install it on our phone from either the iOS app store or the Play store.
The process of joining the network is the same, you will just need to authorize the app by logging in via the browser of your device.
Now on your phone, disconnect from your wifi to make sure you are not on the same network. Copy the IP address for the Unraid server from the Tailscale app and try to SSH in using your favorite terminal app.
As we should now see, it is the same as on the PC. You can SSH in as if you are on the same network.
While you can now connect to the Unraid server as if you are on the same network, that doesn't mean you are routing all your traffic through Unraid. Before we can do that there's are a few things we have to do.
If you have enabled the "exit node" feature as explained earlier, you will see in the admin dashboard that your Unraid server has been assigned as an exit node but is not yet enabled.
We now need to enable IP forwarding inside Unraid. To do this we simply run a few commands from the terminal inside Unraid.
In the Unraid console, copy and paste the following commands.
Click on the three dots next to your Unraid server and select "review route settings".
You can now enable "Use as exit node". You can now close this dialog box.
Your Unraid server is now ready to be used as an exit node.
On your PC you simply click the Tailscale logo in your taskbar and go to "Exit node" to choose the available servers. Your traffic will now be routed through the Unraid server.
On your phone, it's almost the same. In the app click the three dots in the top corner, then click "use exit node" and choose your Unraid server. Now you are not only able to connect to your Unraid server but you're also routing your traffic through your Unraid server.
You can add as many exit nodes as you want to this network and manually choose which one you would like to use on each device!
If you want to be able to access your devices using the hostname instead of the IP, let's enable Magic DNS.
In the admin console, click on the DNS tab.
To enable Magic DNS, we first have to add a few global Nameservers. We like to use Cloudflare nameservers for this. Add both 1.1.1.1 and 1.0.0.1 to this so you can enable Magic DNS.
Now while connected to the Tailscale network with your device, in your browser type in your hostname, for example, http://unraid. You can now access your server using its hostname through the Tailscale secure network.
You may find that you are unable to access a device or hostname. This could be because your device has a different hostname assigned in Tailscale than what you expect it to be due to it being auto-generated.
To resolve this, in your Tailscale admin dashboard, you change the name of the device by selecting the three dots beside the device and selecting "Edit machine name"
On the next screen, you can change the name of the device to suit what you want.
Now you can use this hostname to access the device while connected through Tailscale with Magic DNS active.
If you are using the container by dsmith44's Repository, be mindful that there is a parameter preset in the template which forces the hostname of the server to be 'unraid' by default:
You can change this by showing Advanced in the template options and removing or changing the parameter under 'Extra Parameters'.
There is a known bug if you try to use a device as an exit node and try to route your subnets through it. The default security policy when using an exit node is to block LAN access. This gets in the way when you try to use both the exit node and the subnet routing. We will keep an eye on this issue and update our documents once this has been resolved.
This issue is now resolved. In order to access devices on an advertised subnet while using it as an exit node, you just have to enable it on the client device that you are using "Allow LAN Access" when joining the exit node.
Tailscale works best when you install Tailscale on every client, server, or VM in your organization. That way, traffic is end-to-end encrypted, and no configuration is needed to move machines between physical locations.
However, you may have machines you don’t want to, or cannot, install Tailscale on directly. In those cases, you can set up a Tailscale “subnet router” (previously called a relay node or relaynode) to advertise whole subnets at once. Subnet routers relay all traffic from the Tailscale network onto your physical subnet.
This makes it easy to incrementally deploy Tailscale, even on legacy networks, without installing Tailscale on every individual device.
Under the "UP_FLAGS" field, add
to add your complete subnet. Use your own address. The last digit needs to be 0 to reflect the entire subnet. /24
is the subnet mask 255.255.255.0
, change if necessary.
Go back to the Tailscale Machines Overview and click on the three dots menu. Choose Review route settings...
and enable your subnet route that should now be visible.
You can now access devices, machines, or containers using the local IP address of your subnet just as if you were onsite or at home rather than the IP assigned in Tailscale.
This app uses some clever tricks to create outbound connections on both devices so we can now disable all Wireguard port forwards we previously had and still be able to access all of our devices.
We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Community Leader Hawks.
Our work sometimes takes months to research and develop. If you want to help support us please consider:
Liking and Subscribing to our Youtube channel
Joining our Discord server
Becoming a paid member on our IBRACORP website
Donating via Paypal
Thank you for being part of our community!