this post was submitted on 19 Sep 2025
36 points (100.0% liked)

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.


Edit - not sure what the underlying issue ended up being, it never did fully work for me, but I set up a separate machine (a Pi) that advertised subroutes and everything started to work. I imagine someone running VMs through proxmox/etc would not have similar issues. As another commenter noted, running the docker tailscale sidecars as separate machines would also likely work easily (best done if you don't have your services set up already).

Back again with another request for help.

I'm trying to set up Tailscale, with the ultimate goal of having a relatively simple way to access all my self hosted services when I'm not at home. My (naive) assumption was that once my device was connected to my home network by using my server as an exit node, I could just go to my 196.x.x.x:port address or friendly service.mydomain.xyz url and access things that way. That isn't happening.

I'm running Tailscale in Docker and have Nginx Proxy Manager routing my friendly names to the right place. My services are all run in Docker as well, and most are set up as Proxy Hosts in NPM except one that I added more recently to see if I could access it/if NPM was the issue.

I have set up Tailscale both on my server and phone, I'm able to connect to my server as an exit node, but I don't seem to be able to connect to services on the server. Tailscale is set to use subnets (added TS_ROUTES=192.168.0.0/24 to my compose file), but on my Tailscale Machines tab there is an exclamation mark next to both the Subnets and Exit Node saying the machine is misconfigured and that I need to enable IP forwarding. I double checked, it is enabled (as I understand it, that must be true for docker containers to forward from their 172.x.x.x addresses to 192), but the warning persists and I can't access services (either by the friendly URL, normal IP, tailscale URL, or 100.x.x.x IP).

This is my compose file:

    services:
      tailscale-authkey1:
        image: tailscale/tailscale:latest
        hostname: myhost
        environment:
          - TS_AUTHKEY=xx
          - TS_STATE_DIR=/var/lib/tailscale
          - TS_USERSPACE=false
          - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
          - TS_ROUTES=192.168.0.0/24
        volumes:
          - ts-authkey-test:/var/lib/tailscale
          - /dev/net/tun:/dev/net/tun
        cap_add:
          - NET_ADMIN
          - SYS_MODULE
        restart: unless-stopped
      nginx-authkey-test:
        image: nginx
        network_mode: service:tailscale-authkey1

I'm not sure what I should do - I'm seeing this page (https://tailscale.com/kb/1406/quick-guide-subnets) that talks about creating a config file, but that's clearly if you're running on bare metal. I've also looked at their options for running a sidecar (https://tailscale.com/kb/1282/docker), where each service is spun up as a separate TS machine, but that's way more work than I want to do (seems like cloudflare tunnels might be simpler at that point).

Thanks for any help!

top 37 comments
[–] codemichael@lemmy.world 13 points 1 month ago (1 children)

Read this section on setting up forwarding on Linux. You’ll want to do this on the host that is running docker and it should carry down into the container itself.

https://tailscale.com/kb/1019/subnets?q=forwarding#connect-to-tailscale-as-a-subnet-router

[–] pirateMonkey@lemmy.world 2 points 1 month ago (1 children)

Thanks, I did check that my machine had IP forwarding enabled, and it does. I also ran those lines to create the config file as well, but that didn't change anything. And I do have the lines in my compose file to advertise routes.

[–] codemichael@lemmy.world 2 points 1 month ago (1 children)

If it’s enabled, then this command should produce a 1 in the output:

cat /proc/sys/net/ipv4/ip_forward
[–] pirateMonkey@lemmy.world 1 points 1 month ago (1 children)

Yes, it does (been checking with sysctl net.ipv4.ip_forward, but guess it's the same thing). It seems like the issue may be that IPv6 may not be enabled within the container. It's enabled on the host, but the docker logs say ipv6 forwarding is not enabled.

[–] codemichael@lemmy.world 1 points 1 month ago (1 children)

Did you end up enabling ipv6 as well? Did that help?

[–] pirateMonkey@lemmy.world 1 points 1 month ago* (last edited 1 month ago)

Yes, I believe I made the stupid mistake of not restarting after enabling. Once I did that the warning went away and I was able to enable subnets, but I'm still not able to see my local services (where I try to access via the IP of the host given by Tailscale or the magicDNS address). So, progress!

ETA: I also had removed the advertise exit nodes line and restarted the container with the --reset flag. After the warning went away I re-added the exit node option and I get the warning that it is misconfigured again.

[–] dustyData@lemmy.world 5 points 1 month ago (2 children)

I also tried tailscale in a docker container as a subnet handler and realized I was out of my depth. Net engineering is abstract and hard. There's a reason there are pros making bank just doing that for big corps.

Followed a way simpler setup. Now tailscale runs on the server bare metal and podman handles the routing automatically. I just use the magicDNS address given by tailscale and everything just works as intended. All my services are available, and apps run no issue, no matter where I am as long as I'm connected to tailscale. I will make the setup more complex as I learn more and acquire the need for more features. But so far this has met all my expectations.

[–] lankydryness@lemmy.world 2 points 1 month ago (1 children)

I also do this. Just run Tailscale on bare metal and then I can access all my services the same as if I was on my LAN, essentially.

[–] pirateMonkey@lemmy.world 1 points 1 month ago (1 children)

I may be (probably am) worrying too much about this, but doesn't that remove much of the benefit of running services in containers? My understanding is that one benefit of containerization is so that if one service is somehow compromised, the others remain isolated, but running the service that allows you inside on bare metal gives single point access to the drives that those other services rely on, and that's from the most likely point someone could get into your network. Alternatively, if Tailscale is containerized and someone gets in, they have access to the other services' front ends but not the data they rely on since Tailscale itself doesn't have that access.

[–] lankydryness@lemmy.world 1 points 1 month ago

You could be right. I am not a pro so I don’t really want to speak on the best practice approach. Really the only reason I containerize my services is the ease-of-deployment and the ease of potential re-deployment if my server did crash.

I personally am not too stressed about bad actors, being as this is a hobby server and the payout for a bad actor would be pretty low.

But your point does make sense to me.

[–] pirateMonkey@lemmy.world 1 points 1 month ago

It's true, and I was wondering if that would be the route I have to go. Good to know it has been a positive experience.

[–] pirateMonkey@lemmy.world 2 points 1 month ago (2 children)

Sorry for misformatted code.

  tailscale-authkey1:
    image: tailscale/tailscale:latest
    hostname: myhost
    environment:
      - TS_AUTHKEY=xx
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
      - TS_EXTRA_ARGS=--advertise-exit-node,--accept-routes
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - ts-authkey-test:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
  nginx-authkey-test:
    image: nginx
    network_mode: service:tailscale-authkey1
[–] stratself@lemdro.id 1 points 1 month ago* (last edited 1 month ago)

try adding the sysctls parameters to your docker container too
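
codemichael's forwarding check above and stratself's sysctls suggestion are two halves of the same problem, so here is one added diagnostic that covers both. It is not from the thread and not Tailscale's own code. The point it makes: `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are per network namespace, and a new namespace inherits the host's IPv4 setting but resets IPv6 to its default, so the host can read 1 while the container tailscaled runs in still reads 0 (which is exactly what the OP's container logs said). The script reads both knobs on the host and, given a container name from `docker ps`, inside the container with `docker exec`, and carries the fix for each side. `PROCFS_ROOT` and `CONTAINER_EXEC` are hypothetical overrides that exist only so the checks can be exercised against constructed values; leave them unset for real use.

```shell
#!/bin/sh
# Added diagnostic for the "needs IP forwarding" warning on a Dockerised
# Tailscale subnet router / exit node. Not from the thread, not Tailscale's code.
# PROCFS_ROOT and CONTAINER_EXEC are hypothetical overrides for testing only.

PROCFS_ROOT="${PROCFS_ROOT:-/proc/sys}"
CONTAINER_EXEC="${CONTAINER_EXEC:-docker exec}"

# The two knobs tailscaled checks before it will route a subnet or act as an
# exit node. Both are per network namespace, not machine-wide.
V4_KNOB=net/ipv4/ip_forward
V6_KNOB=net/ipv6/conf/all/forwarding

# Host namespace: read the knob straight out of procfs.
_read_host() { cat "$PROCFS_ROOT/$1" 2>/dev/null; }

# Container namespace: read the same path from inside the container, which is
# the value tailscaled actually sees. $CONTAINER is set by container_forwarding.
_read_container() { $CONTAINER_EXEC "$CONTAINER" cat "/proc/sys/$1" 2>/dev/null; }

# Run the reader function named in $1 over both knobs.
# Prints "ok" when both read 1, otherwise "off: <knob>=<value> ...", where the
# value is "missing" if the file could not be read at all.
_report() {
  reader="$1"; off=""
  for knob in "$V4_KNOB" "$V6_KNOB"; do
    val=$("$reader" "$knob") || val=missing
    [ -n "$val" ] || val=missing
    [ "$val" = "1" ] || off="$off$(echo "$knob" | tr / .)=$val "
  done
  if [ -z "$off" ]; then echo ok; else echo "off: ${off% }"; fi
}

host_forwarding() { _report _read_host; }

container_forwarding() {
  CONTAINER="$1"
  _report _read_container
}

# Host-side fix, persistent across reboots (the commands from Tailscale's
# subnet router guide). Only needed if host_forwarding is not "ok".
enable_host_forwarding() {
  printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' \
    | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Container-side fix: the knobs must be set in the container's own namespace,
# so hand them to Docker at creation time instead of relying on the host value.
# In compose, under the tailscale service:
#   sysctls:
#     - net.ipv4.ip_forward=1
#     - net.ipv6.conf.all.forwarding=1
# then `docker compose up -d` to recreate the container. CLI equivalent:
#   docker run --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv6.conf.all.forwarding=1 ...

main() {
  echo "host:      $(host_forwarding)"
  [ -n "$1" ] && echo "container: $(container_forwarding "$1")"
  return 0
}

main "$@"
```

Run it as `sh forwarding-check.sh <container-name>`; a host line of `ok` with a container line of `off: net.ipv6.conf.all.forwarding=0` is the signature of the problem described in this thread, and the `sysctls:` entries in the comment are the part that fixes it. Note that `docker restart` is not enough after editing the compose file; the container has to be recreated for new sysctls to apply.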

[–] F04118F@feddit.nl 0 points 1 month ago (1 children)

You're not advertising 196.x.x.x routes to your tailnet?

[–] pirateMonkey@lemmy.world 2 points 1 month ago (1 children)

No, I thought the routing was to forward the IP from the Tailscale 100.x.x.x subnet(? not sure I'm using that word correctly) to where the resources I want to access are (in my case, my local 192.168 addresses).

[–] BCsven@lemmy.ca 3 points 1 month ago

The firewall on your server may need masquerading set and IP forwarding set.

[–] Gonzako@lemmy.world 2 points 1 month ago (1 children)

Hey, if you're just looking for a reverse proxy my recommendation is Caddy. Give it port 443 and 80 and it'll reverse proxy you to wherever you want depending on the subdomain/port

[–] WbrJr@lemmy.ml 2 points 1 month ago

Caddy is nice and super simple. Only issue I had was: it can't control domains if it's behind a VPN. I use hetzner and they have an API, but the feature is not native to caddy so I would have had to rebuild caddy as a docker image. Rather annoying tbh, because everything else is great about it

[–] enumerator4829@sh.itjust.works 1 points 4 weeks ago

Here I am, running separate tailscale instances and a separate reverse proxy for like 15 different services, and that’s just one VM… All in all, probably 20-25 tailscale instances in a single physical machine.

Don’t think about Tailscale like a normal VPN. Just put it everywhere. Put it directly on your endpoints, don’t route. Then lock down all your services to the tailnet and shut down any open ports to the internet.

[–] FreedomAdvocate 1 points 1 month ago (1 children)

You don’t use the local ip address to access things when you’re remote - in Tailscale you can see that it gives you a remote IP to use to access things.

[–] pirateMonkey@lemmy.world 4 points 1 month ago (1 children)

Yeah, I've tried the 100.x.x.x IP and their tailscale URLs, neither of which work.

[–] FreedomAdvocate -2 points 1 month ago (1 children)

Can’t really help you then sorry, it’s always just worked out of the box for me with all my services so I haven’t had to troubleshoot or mess around with it.

[–] pirateMonkey@lemmy.world 3 points 1 month ago (1 children)

That's what I was counting on! Guess I just have to look at it as a learning opportunity.

[–] FreedomAdvocate -3 points 1 month ago (1 children)

Do you have an exit node specified?

[–] pirateMonkey@lemmy.world 2 points 1 month ago

Yes, the machine that is running Docker/Tailscale is serving as an exit node and it hosts all the other services I want to access, which are also in containers.

[–] Funky_Beak@lemmy.sdf.org 1 points 1 month ago* (last edited 1 month ago) (1 children)

Glad I'm not the only one struggling with this. I was able to get nginx to give me the congratulation page via the tailscale ip for the machine but getting that routing to work with my own custom name is giving me a headache. I am probably adding an extra unnecessary layer by trying to use adguard home as a dns rewrite. If you crack it I'd love to hear how you achieved it.

[–] Funky_Beak@lemmy.sdf.org 2 points 1 month ago (1 children)

My theoretical reasoning is: make adguard the dns server, tell tailscale to use that, and then parse all rewrites and dns for the tailscale network through that endpoint (including the exit node, which is on the same machine).

[–] Funky_Beak@lemmy.sdf.org 2 points 1 month ago

I routed the dns of the vm to the tailscale adguard and it worked.

[–] Broadfern@lemmy.world 1 points 1 month ago (2 children)

This may sound crazy but do you have an AT&T router?

I have not been able to solve it myself yet unfortunately but having two routers has made it impossible for me to use Tailscale/Wireguard/ZeroTier etc. in much the same way as you’re describing.

The devices “see” each other but can’t connect no matter what configuration I follow, what firewall settings I tweak, nothing. I think there’s a pass through problem where UPnP is in conflict.

Sorry I don’t have an answer but I promise you’re not alone in your frustration.

[–] AbidanYre@lemmy.world 2 points 1 month ago (1 children)

Is that because the AT&T router uses the same subnet as tailscale? I seem to remember seeing similar issues in the past?

[–] Broadfern@lemmy.world 1 points 1 month ago

Maybe? The port setups work fine on the home router (such as accessing Steam link/Sunshine from a TV) but because it’s behind the mandatory AT&T modem it causes some nasty configuration headaches for external access.

[–] pirateMonkey@lemmy.world 2 points 1 month ago

Misery loves company! Mine is Verizon and there was a setting that was causing me trouble recently, but probably is unrelated to yours (was DNS rebind protection).

[–] billwashere@lemmy.world 1 points 1 month ago (1 children)

Not sure if this is related or not, but on Linux, when I have a machine on the same subnet as an advertised route that I have connected to Tailscale, I can’t access the local subnet at all. On Macs it’s fine, only Linux. I had to hunt down this little trick:

ip ro del table 52 <subnet>

There are other ways to solve it but I added this to the service that starts Tailscale.

You can read more about it here. https://github.com/tailscale/tailscale/issues/6231
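
As an added example (not from the thread or the linked issue), here is a small check for the situation billwashere describes: a Linux tailnet client that is itself on a LAN subnet and also accepts that same subnet as an advertised route ends up with the prefix in Tailscale's routing table (table 52) via tailscale0, shadowing the directly connected interface. The script compares the main table with table 52 and emits the workaround command for each overlapping prefix instead of running it. `SAMPLE_MAIN` and `SAMPLE_TS` are constructed route dumps in `ip route` output format, not captured from anyone's machine.

```shell
#!/bin/sh
# Added check for LAN prefixes that also appear in Tailscale's table 52.
# Not from the thread; the two route dumps below are constructed samples.

SAMPLE_MAIN='default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.10 metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown'

SAMPLE_TS='100.100.100.100 dev tailscale0
192.168.0.0/24 dev tailscale0
10.0.5.0/24 dev tailscale0'

# Prefixes that are directly connected (main table, interface other than
# tailscale0) and also routed via tailscale0 in table 52. Arguments are the
# text output of `ip route show` and `ip route show table 52`. Host routes
# (no "/") such as peer addresses are ignored.
overlapping_prefixes() {
  lan=$(printf '%s\n' "$1" | awk 'index($1, "/") > 0 && $2 == "dev" && $3 != "tailscale0" { print $1 }')
  ts=$(printf '%s\n' "$2"  | awk 'index($1, "/") > 0 && $2 == "dev" && $3 == "tailscale0" { print $1 }')
  for p in $ts; do
    for q in $lan; do
      [ "$p" = "$q" ] && echo "$p"
    done
  done
  return 0
}

# Emit the workaround from the linked issue for each overlapping prefix, one
# command per line, without running anything.
overlap_fix_commands() {
  for p in $(overlapping_prefixes "$1" "$2"); do
    echo "ip route del table 52 $p"
  done
}

main() {
  if [ "$1" = "--demo" ] || ! command -v ip >/dev/null 2>&1; then
    overlap_fix_commands "$SAMPLE_MAIN" "$SAMPLE_TS"
  else
    overlap_fix_commands "$(ip route show)" "$(ip route show table 52 2>/dev/null)"
  fi
}

main "$@"
```

`sh route-overlap.sh --demo` prints `ip route del table 52 192.168.0.0/24` for the sample data; without `--demo` it inspects the live tables. Review the output before piping it into a root shell, and keep in mind that tailscaled manages table 52, so the deletion is a workaround that has to be reapplied when routes change, which is why the comment above wires it into the service that starts Tailscale.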

[–] pirateMonkey@lemmy.world 1 points 1 month ago

That was an interesting rabbit hole. I'm not sure if it's related or not, but maybe I'll give it a shot once I get my head wrapped around what it really means (though by then they might have developed a fix... and I see how long that's taken so far)

[–] Tinkerer@lemmy.ca 1 points 1 month ago (1 children)

Sorry if this has been answered but are you running this in docker on a VM or LXC?

[–] pirateMonkey@lemmy.world 1 points 1 month ago (1 children)
[–] Tinkerer@lemmy.ca 1 points 1 month ago* (last edited 1 month ago)

Proxmox does say docker isn't officially supported in LXC. That being said I'm running 10 docker containers with no issues on an LXC. I have recently had some weird database not connecting issues and other strange new docker containers not working in an LXC for some reason. If you can I would try the same setup but in a VM and see what happens.

I recently was trying to get authentik setup via docker and it just wouldn't work. I gave up and spun up a VM, ran the same docker compose file and it worked right away.

Hopefully this helps?