this post was submitted on 19 Sep 2025
36 points (100.0% liked)

Edit - not sure what the underlying issue ended up being, it never did fully work for me, but I set up a separate machine (a Pi) that advertised subroutes and everything started to work. I imagine someone running VMs through proxmox/etc would not have similar issues. As another commenter noted, running the docker tailscale sidecars as separate machines would also likely work easily (best done if you don't have your services set up already).

Back again with another request for help.

I'm trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self hosted services when I'm not at home. My (naive) assumption was that once my device was in I connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz url and access things that way. That isn't happening.

I'm running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.

I have set up Tailscale both on my server and phone, I'm able to connect to my server as an exit node, but I don't seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can't access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).

This is my compose file:

services:
  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1

I'm not sure what I should do - I'm seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that's clearly if you're running on bare metal. I've also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that's way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).

Thanks for any help!

[–] pirateMonkey@lemmy.world 2 points 1 month ago (2 children)

Sorry for misformatted code.

  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1
[–] stratself@lemdro.id 1 points 1 month ago* (last edited 1 month ago)

try adding the sysctls parameters to your docker container too
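
What the sysctls suggestion above could look like when applied to the tailscale service from the post, as an added example that is not from the original poster or any commenter. It assumes the container keeps its own network namespace (no `network_mode: host`) and uses the standard Linux forwarding keys; the thread does not establish whether this clears the warning in this setup.

```yaml
# Added example: the tailscale service from the post plus a sysctls block.
# All other values are copied unchanged from the posted compose file.
services:
  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx                     # placeholder, as in the post
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
      - TS_ROUTES=192.168.0.0/24
    # Forwarding is a per-network-namespace setting, so the value on the
    # host does not decide what this container sees. These keys set it
    # inside the container's own namespace.
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped

volumes:
  ts-authkey-test:    # named volumes must be declared at the top level
```

After recreating the container, reading `/proc/sys/net/ipv4/ip_forward` from inside it (for example with `docker exec`) should return `1`.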

[–] F04118F@feddit.nl 0 points 1 month ago (1 children)

You're not advertising 196.x.x.x routes to your tailnet?

[–] pirateMonkey@lemmy.world 2 points 1 month ago (1 children)

No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I'm using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).

[–] BCsven@lemmy.ca 3 points 1 month ago

The firewall on your server may need masquerading set and IP forwarding set.