Get started with Docker and Tailscale

  • Published 15 Oct 2024

COMMENTS • 55

  • @littlenewton6 2 months ago +68

    I love Tailscale and Alex's video, but I hate using Tailscale in Docker as a sidecar for each application's ingress. Sometimes I prefer using Cloudflare Tunnel because it allows me to create self-defined DNS records that point to the related application. All Tailscale needs to do is enable users to create their own MagicDNS records. If you agree with me, please hit the like button so the developers can see it. 👍👍👍

    • @espressomatic 24 days ago

      That's a viable use-case, but I *also* hate managing records at Cloudflare :) Especially since I already manage all the records for my local DNS. But if it's just allowing one or two services, then it's workable. To go all-in one can obviously make a wildcard A record at Cloudflare and point it at a Tailnet IP served by a reverse proxy. That's even easier than doing the docker solution proposed here, depending on the reverse proxy being used.

  • @codeman99-dev 2 months ago +8

    Thanks for finally doing multiple containers. I've been asking for this for a while.
    Not a huge fan of needing a tailscale sidecar per service. Would be awesome if we could leverage DNS inside of docker. Have a single tailscale container doing DHCP akin to dnsmasq. I tried to figure this out on my own, but got nowhere fast.

    • @espressomatic 24 days ago

      You can set up NGINX Reverse Proxy in a container alongside Tailscale, then point a wildcard at that. Now use that reverse proxy to set only the services you want - and they can be at any IP and port on your local subnet.

  • @OistheOne 2 months ago +1

    Finally, the guide about installing it. I find docker confusing sometimes and appreciate the video

  • @Ausiaspl 27 days ago +2

    Nice.
    It would be interesting to see a video where nextcloud is configured with the same principles. Nextcloud with https via tailscale.

  • @germancasaresmarch 2 months ago +2

    Hi Alex! Thank you for your really informative videos! These are great!
    I was able to get everything from the video up and running on my own, but I was wondering if you could include an extra video/docs on how to set up a tailscale node + cloudflare custom dns for a particular domain! I tried to follow your previous video, but somehow I can't get it working on docker

  • @elmoritz 1 month ago

    Thank you Alex for sharing. I stumbled upon your videos and I must say I'm hooked.
    One thing I would love to do with Tailscale and especially with the sidecar-docker container, but I have difficulty getting it to work.
    I want to use traefik or Nginx Proxy Manager and make 80 and 443 publicly available, but the Dashboard on the 3rd Port should only be available within my tailnet.
    Any ideas on that setup?

  • @BomzhYT 2 months ago +3

    Is there some video about external access to NAS Synology-hosted docker containers through the Tailscale?

  • @IroxX0 2 months ago

    amazing - the simplicity over a reverse proxy is appealing - of course giving up some fine control, say css injection via proxy; the more services there are the more a reverse proxy with one sidecar seems to be the way forward

  • @j.Zephyr 2 months ago +1

    I do this! And it's PERFECT for multiple Syncthing dockers and being able to sync without the relays. Personally my next step is to advertise multiple services with Traefik... And I can't get my head around it

    • @zeroz2511 1 month ago

      I'm also trying to do it with traefik. I'm still unsuccessful 😢

  • @jasontucker_ 2 months ago +1

    What’s the best process to do with when using Unraid? Unraid uses the Tailscale plugin as the suggested method. Are we just adding the environment variables into the docker setup screens for the container?

    • @39zack 2 months ago

      Same.
      Right now I'm using the method Spaceinvader One has 2 videos on, that uses the plugin and the mod to slipstream tailscale into any LinuxserverIO container.
      So if you have containers not made by linuxserverIO, you need to set up the mod on the linuxserver swag container and configure swag config files.
      It works, but the mod has not been updated for a year and it seems some people think it's not maintained any more so who knows when this method stops working.
      This official method seems to be pretty new, so hopefully someone figures it out.

  • @enissay9950 2 months ago +1

    In case the tailscale connection fails for some reason, the service will still connect to local internet!! Is there any way to make sure only remote connection is possible (through the remote node I mean)?!

  • @samhill3153 1 month ago

    Thanks for the guide! Got everything to work except the SSL certificates. Is there an ongoing issue with those? No matter what I try I cannot resolve with https. Curl domain name spits out an error.

  • @marknugent21 2 months ago

    Great stuff Alex. Is there a way of doing this for containers like vaultwarden that expose the service on port 80? I can't seem to get https/certs working without using a caddy instance for it as well.

  • @user-yo4fe8ql5t 17 days ago

    This is great. But in order to access these services, I need to be logged on my Tailnet and also have Internet access. What happens if my Internet is down? Is it possible to have the best of both worlds: a reverse proxy for local access and Tailscale for remote access?

  • @pax0707 2 months ago

    Interesting video.
    My preferred setup is TS+Pi-Hole+Unbound in an LXC as a DNS and then configuring it as a subnet router.

    • @tineshr_ 2 days ago

      Hey do you have any guide on how to do that? Would like to try this

  • @ggfools 2 months ago +2

    I think this is really cool but surely it must be possible to run a single tailscale container and connect to multiple other docker containers on the same network instead of needing to run a tailscale docker for each service?

    • @Tailscale 2 months ago

      You can absolutely do this if you know your way around a reverse proxy with the caveat being that you’d not have individual names for services / nodes available or TLS via Serve.

    • @codeman99-dev 2 months ago

      @Tailscale I am extremely interested in having a single tailscale instance for an entire compose stack. Seems like Caddy + tailscale + some DNS service would be perfect. A single solution that lets me take advantage of wildcard domain names easily.
      I've tried to come up with something on my own, but have never got very far.

    • @espressomatic 24 days ago

      @codeman99-dev If you're using Caddy, or Traefik or NPM you can definitely do this. Ingress is via a single Tailnet IP tied to your reverse proxy via wildcard domain or subdomain. I have it working with NPM inside an LXC running on Unraid - just as easy in Proxmox and there are a couple of guides out there for that.
      The reverse proxy then points to the services I want exposed. DNS in my case is AdGuard Home (docker) + Unbound with overrides (on pfSense firewall appliance)

  • @rexnihilo5583 1 month ago

    Where are you setting the port? The only time I see 80 for nginx or 8080 for pdf is when you write and then delete it because it doesn't go there.

  • @39zack 2 months ago

    I use Unraid so I'm not used to reading or understanding docker compose files, but if I understood this correctly, the service in the stack (say nginx) network gets set directly to the Tailscale-node network?
    So if you have more than one service under tailscale in the same stack they can't be on the same port, correct?

    • @Tailscale 2 months ago +1

      Unraid has a compose plugin available. Maybe that’d help?
      We recommend one sidecar per service. -Alex

  • @JosephHarry 2 months ago +2

    I would love to see a guide where you could use a NPM front and then expose some containers on your tailnet through that container, let's say on a VPS.

    • @Tailscale 2 months ago +4

      So the front end is in one physical location and the backend in another? Sure, we can try to take a look at a video like that. -Alex

    • @j.Zephyr 2 months ago

      I'm trying to do this with Traefik, since it can be all defined in the Docker compose! Thx

    • @JosephHarry 2 months ago

      @Tailscale Yeah, I have it mostly working with tailscale on the host, but it only mostly works. Trying to get remote access to home assistant without being on the tailscale network, but using tailscale for the VPN

  • @avanaraveloson5017 2 months ago +2

    Will my docker containers be accessible on my LAN if my internet connection is down?

    • @Tom-u8p4b 2 months ago

      Same question here Alex. I heard you talk on the selfhosted podcast about a similar issue... Do you have a solution for this? Let's say there is a notes app with documentation about the home network, but then the internet goes down and you need access to your notes to fix it, but you can't because... the internet is down? 😊

  • @enissay9950 2 months ago +1

    So basically we need to spin an extra tailscale container for each other container we need to use!? Why not use a single tailscale instance and run all the containers we need on a different port?

    • @39zack 2 months ago

      You can do that too.
      Build tailscale into a reverse proxy and configure it.

  • @zz-9463 2 months ago

    Thanks for the great video! I'm thinking of creating a home server using my M1 Mac mini, which is running the Tailscale client. Within the Mac mini, I want to run a whole bunch of container services such as Stirling-PDF, a self-hosted object store, etc. My question is that as long as my Mac mini server is running on my tailnet, no matter where I am in the world, I should be able to access my services, right?

    • @Tailscale 2 months ago +1

      Yep! Should work the same as shown in the video with the caveat that volume mounts in macOS might require some slight tweaking. -Alex

    • @JamesWebster1975 2 months ago

      @Tailscale How might the volume mounts require tweaking for Mac? I've successfully followed this up to the part where Stirling is having SSL certs provisioned, that's where it falls over for me.

  • @pablillocea 2 months ago +2

    Just tried it out and everything worked up until the certificate bit. For some reason I'm getting errors related to connection refused (while the http address works just fine)

    • @pablillocea 2 months ago

      My issue is that I do have tailscale on the host as well.

    • @blq 2 months ago

      I’m having the same issue, I got the certificates, they show up on each container in Tailscale, but I can’t access them via https on my iPhone, http works fine

    • @leonpatrick 2 months ago

      Same here, http works when I have 8080 at the end, and for some reason the container is not getting a Let's Encrypt cert. Tried with both NixOS and Ubuntu server.

    • @leonpatrick 2 months ago

      @pablillocea It's an ACL issue. Look at example-acls.hujson in the docker guide examples and look for funnel.

    • @xxVG_Lunaticxx 20 days ago

      I'm adding to the comment thread as I have the same issue/experience. I got AudioBookshelf (ABS) set up by replacing the Mealie config with ABS and it works over HTTP while HTTPS is refused. The Tailscale console admin shows that TLS cert was requested and displays expiry information.

  • @satysin630 2 months ago

    Is it possible to run a Tailscale exit node in a Docker container? Last time I tried it wasn't possible.

    • @Tailscale 2 months ago +1

      Yep. Specify any args you'd normally supply to "tailscale set" or "tailscale up" in the - "TS_EXTRA_ARGS=--advertise-exit-node" env var. You can string them together with a space between each arg.

    • @satysin630 2 months ago

      @Tailscale Thank you for taking the time to reply! I will give this a try tomorrow 😃

    • @satysin630 2 months ago

      @Tailscale Nice, got it working first time. Don't need the nginx service so removed that stuff and deployed it via a Portainer stack for ease of management and all appears to work nicely. Nice one! 👍

  • @gauravsinghsays 2 months ago

    What are the advantages of hosting tailscale in docker?

    • @39zack 2 months ago

      Isolation.
      If you share connection with others you can share one and one service instead of the entire server or network

  • @thinkdomotic4915 2 months ago

    ❤👍

  • @rohitjawale766 2 months ago

    Nah, portainer was good

  • @kamilmodest 1 month ago

    That sounds overcomplicated to be honest.
    What if I already have nginx and the local DNS configured that resolves app_name.banana.home to my local IP and application port in my local network and I just want to expose it to the tailscale network. I don't want to run an additional tailscale container per each application 🙈