Skip to content

Instantly share code, notes, and snippets.

@bnhf

bnhf/README.md

Last active May 5, 2024 17:30
Show Gist options
  • Star 14 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save bnhf/fed4cc3035f32a0f086b1da074a3d50b to your computer and use it in GitHub Desktop.
Save bnhf/fed4cc3035f32a0f086b1da074a3d50b to your computer and use it in GitHub Desktop.
Download ZIP
Tailscale - Deploying with Docker and Portainer
Raw
README.md

Just thought I'd put together some detail on deploying Tailscale using Docker and Portainer. These bits-and-pieces are available elsewhere, but not together, so hopefully this will save someone a bit of time if you'd like to add Tailscale to an existing Docker install:

Here's my annotated recommended docker-compose, to use with Portainer-Stacks. Note that I'm not using a pre-made Auth Key. I started that way, but realized it was very easy to simply check the Portainer log for the tailscaled container once the stack is running. In that log you'll see the standard Auth link that you can use to authorize the container. This way you don't need to create a key in advance, or create a reusable key that introduces a security risk:

version: '3.9'
services:
  tailscale:
    image: tailscale/tailscale
    container_name: tailscaled
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
#      - TS_HOSTNAME=${TS_HOSTNAME} # Usually not necessary for your hostname to be the same name on the tailscale network
#      - TS_AUTHKEY=${TS_AUTHKEY} # Generate auth keys here: https://login.tailscale.com/admin/settings/keys
#      - TS_ROUTES=${TS_ROUTES} # Creates a subnet router for Tailscale. Use your subnet's CIDR in the form: 192.168.1.0/24
#      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS} # Set to false for Pi-hole Docker setups
      - TS_SOCKET=${TS_SOCKET} # Specifying the /var/lib/tailscale/tailscaled.sock location allows use of standard Tailscale commands 
      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS} # Add any other supported arguments in the docker commandline style: e.g. --advertise-exit-node
      - TS_STATE_DIR=${TS_STATE_DIR} # Required to create a persistent container state that will survive reboots
    volumes:
      - /data:/var/lib # Creates a tailscale directory under /data for persistence
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    restart: unless-stopped

These are the minimum environment variables you'll want to define in the Portainer-Environment section:

TS_SOCKET=/var/run/tailscale/tailscaled.sock
TS_EXTRA_ARGS=--accept-routes
TS_STATE_DIR=/var/lib/tailscale

With these variables, you'll be able to exec into the container to run commands like "tailscale version" and "tailscale status". Your container will accept routes advertised by a designated node, and your setup (including authorization) will persist across reboots.

@MichaelMichaelMichaelMichaelMichael
Copy link

Thank you - works fine!

@mrlopezco
Copy link

Thanks mate!

@z1haze
Copy link

z1haze commented May 5, 2024
edited

Hi, thank you for sharing this. I'm pretty new to this, so do you mind explaining this var, and what it would be used for? I have a pihole server running in a container and I am wanting to use tailscale with it as my dns. I did see where you said to set accept dns to false, which I've done, but what is this one for? - TS_ROUTES=${TS_ROUTES} # Creates a subnet router for Tailscale. Use your subnet's CIDR in the form: 192.168.1.0/24. I will share my entire file if it helps:

version: "3"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp"
    environment:
      TZ: 'America/Somewhere'
      WEBPASSWORD: 'REDACTED'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add: []
    restart: unless-stopped
  tailscale:
    image: tailscale/tailscale
    container_name: tailscaled
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
#      - TS_HOSTNAME=${TS_HOSTNAME} # Usually not necessary for your hostname to be the same name on the tailscale network
#      - TS_AUTHKEY=${TS_AUTHKEY} # Generate auth keys here: https://login.tailscale.com/admin/settings/keys
#      - TS_ROUTES=${TS_ROUTES} # Creates a subnet router for Tailscale. Use your subnet's CIDR in the form: 192.168.1.0/24
      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS}
      - TS_SOCKET=${TS_SOCKET}
      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS}
      - TS_STATE_DIR=${TS_STATE_DIR}
    volumes:
      - /data:/var/lib
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    restart: unless-stopped

@bnhf
Copy link
Author

bnhf commented May 5, 2024

Hi, thank you for sharing this. I'm pretty new to this, so do you mind explaining this var, and what it would be used for? I have a pihole server running in a container and I am wanting to use tailscale with it as my dns. I did see where you said to set accept dns to false, which I've done, but what is this one for? - TS_ROUTES=${TS_ROUTES} # Creates a subnet router for Tailscale. Use your subnet's CIDR in the form: 192.168.1.0/24. I will share my entire file if it helps:

@z1haze

In Tailscale, setting up a subnet router allows you access to devices on your LAN (by IP address), when you're remote. Installing Tailscale directly on devices is preferred, but since that's not possible for every device on a given network, a subnet router fills the gap.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment