Menu Close

Run tailscale in docker with exit node enabled

Considering donating if you found my post helpful ๐Ÿ˜Š

Buy Me a Coffee QR Code

Tailscale is an awesome system that allows you to communicate with all your added devices seamlessly via WireGuard connection. This opens a lot of possibility such as sitting thousands of kilometre away from your server or from any registered devices, but browsing the internet with the same IP as that device. You can also reach each devices without any complex setup.

So, what is an exit node? Exit node means that specific device will be the source of your internet. That is how you can have the same IP as a specific device in your tailnet. With no exit node, you will browse the internet with your current IP address exposed, but still able to reach all devices in your account.

Notes:

I am writing this quick guide because I had issue enabling exit node while running Tailscale within docker container. There is no conclusive solution anywhere and I thought this might help you guys.

Also since this is just a quick guide, I assume you already have your environment ready and know some basic things that I will not cover.

Tutorial

Step 1:

Register your account at Tailscale.com. Yes, it is a centralized system where all settings are managed at the website. So you need an account which you will use to log on your other devices as well.

Step 2:

I run Tailscale in docker on my local server with compose. This is my compose file. You can adjust it to suite your preferences.

services:
tailscale:
image: tailscale/tailscale:latest
hostname: tailscale-server
environment:
- TS_AUTHKEY=tskey-auth-kqB55vcw6v11CNTRL-doXfxG9GLghFeasS9CNckDFTEs9Ci5turi
- TS_EXTRA_ARGS=--advertise-tags=tag:container --advertise-exit-node
- TS_STATE_DIR=/var/lib/tailscale
- TS_USERSPACE=false
- TS_DEBUG_FIREWALL_MODE=nftables
volumes:
- ${PWD}/tailscale/state:/var/lib/tailscale
- /dev/net/tun:/dev/net/tun
cap_add:
- net_admin
- sys_module
restart: unless-stopped
  • hostname – this is what your instance will be called. You can reach this machine with the hostname you defined, example:
    $ ping tailscale-server
  • TS_AUTHKEY – You can generate a key from the Settings Dashboard and use it here.
  • TS_DEBUG_FIREWALL_MODE – This is the magic to run it in docker. People are failing to run exit node in docker because the container is running in iptables mode. Leave it as nftables, or auto might work as well.

Step 3:

Enable port forward on your host machine. You need to do this on your host and not container, as container will run with the kernel on your host machine.

Since I am using Debian, the command as follows. You can open the link and find steps for your system

$ echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
$ echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
$ sudo sysctl -p

Step 4:

Approve your machine to be an exit node by going into Machines and allow the machine to be an exit node as mentioned in Guide on Tailscale website

Then you are pretty much done. Use exit nodes and you will your new IP instantly.

Hope this helps.

Considering donating if you found my post helpful ๐Ÿ˜Š

Buy Me a Coffee QR Code
5 2 votes
Article Rating
Subscribe
Notify of
guest
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Graham

Hey Thanks the addition of the TS_DEBUG_FIREWALL_MODE=nftables and host forwarding really helped.

2
0
Would love your thoughts, please comment.x
()
x