this post was submitted on 18 Jan 2024
26 points (90.6% liked)

Selfhosted

40728 readers
633 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
26
Tailscale help needed (self.selfhosted)
submitted 11 months ago* (last edited 11 months ago) by butt_mountain_69420 to c/selfhosted
 

I've just about got this Docker thing licked. After hundreds of hours, I finally get it, and my dusty millenial ass has joined the 21st century.

-but we have issues

==============================xxxx==============================

The environment:

I have multiple containers running on my local network, including photoprism, Kavita, and Filebrowser. I also installed Heimdall as a startpage. On the local network everything works great.

The entire goal of this project is to have these services accessible from outside the house, from my mobile devices but also with the ability to share links and files with friends.

==============================xxxx==============================

The problem:

Enter Tailscale. I tried port forwarding, having a domain, all that jazz, but it ended up being way too complicated. I don't want just anyone to access my shit, I only want a handful to be able to use services of my choosing in accordance with the user permissions I set up for them. Tailscale was the first thing I tried that worked.

I added my docker instance to tailscale, and when you access the machine, you are correctly taken to my Heimdal start page. Unfortunately, when you click on the icons for my docker services, the browser gives you an "unable to connect" error.

Under my Tailscale admin panel, the services are listed along with their port and IP information. Heimdall (443) and Portainer(8000) are listed as https and http under "type", as expected. The remaining services are listed as "other." (the portainer link doesn't work either)

  • Has anyone else dealt with this?

  • If this has to do with ports, is there an easy way to configure ports without having to re-run the images and make new containers?

all 19 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 11 months ago* (last edited 11 months ago) (2 children)

I think...

You need to change the Heimdall urls to the the tailscale urls. I'll update this post soon.

My old set up has openmediavault as the base system.

I installed tailscale directly to that base system. (The OS)

My old ip links in Heimdall stopped working.

From memory... You need to go to the tail scale website dashboard. Iirc by default you have some random numbers as your tailscale URL. The other option is to use their magic DNS which gives you random words as a URL. Either way you will need to edit you Heimdall links. So if it's currently http://192.167.1.1:8096 you need to change it to http://buffalo-cow.tailscale:8096. (Or something to that effect.)

What I did was just duplicate my current Heimdall and used a different port number... Then change all the urls to the tailscale urls.

Your current containers should remain untouched aside from the the Heimdall one with the correct app urls.

Edit: I think an example of the tailscale URL with magic DNS enabled would be something like this. https://amelie-workstation.pango-lin.ts:8096

[–] butt_mountain_69420 2 points 11 months ago* (last edited 11 months ago) (2 children)

Except that the services are "unable to open" and "other" even from the tailscale admin panel. The top two services, heimdal and portainer, are the only ones with an "open" link.

edit: if I stop heimdall in Docker, the situation is the same, except no start page.

[–] nickknack 5 points 11 months ago

OP here’s a troubleshooting approach i would take:

  1. ensure services can be reached locally, thus eliminating tailscale as a variable. test on the host itself as well as another device on the same network.

  2. attempt connecting, with tailscale enabled, to the services directly. meaning, go to the hosts’s tailscale IP:port in a browser and NOT through heimdall

  3. if the above work, then it’s an issue with heimdall. edit the config as previously mentioned to link the services to the host’s tailscale IP:port, or have two instances of heimdall - one for local and one for remote

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

Hmm... I'm not sure. If your making it to Heimdall and portainer I don't see why the other containers wouldn't work. I just remember having to redo my Heimdall links.

Is tailscale installed on the base operating system?

[–] butt_mountain_69420 1 points 11 months ago (1 children)

Tailscale is on both the base OS and I have the docker extension, which required the base OS install IIRC.

[–] [email protected] 1 points 11 months ago

Fwiw I never used a tailscale docker. I just had it on the base OS.

[–] butt_mountain_69420 1 points 11 months ago (1 children)

Do these port numbers tell you anything at all? I'm very new to all of this.

https://pasteboard.co/PLxJfeT7AV3g.png

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

The port numbers seem fine. They shouldn't effect the issue you're having to my knowledge.

[–] butt_mountain_69420 0 points 11 months ago

I think I figured it out, just have to implement the fix. I think the problem is the lack of 443's published by the containers. Looks like I may be able to modify the ports easily in Portainer.

[–] ArbiterXero 7 points 11 months ago (1 children)

What do the links look like on the start page?

The problem is that Tailscale gives your server a “magic” ip, which isn’t the same one as on your local network. On your local network, do you access them by port? Or reverse proxy?

Machine:8080 or service.machine.localdomain

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago)

I think this is what you should look into. Are the services in Heimdall listed with the local IP or host names? Or are they referenced with the tailscale IP?

Three things I want to add here:

  • On tailscale I can only access my home lab's root page with the services being accessible with something like domain.tld/service.
  • service.domain.tld is not supported by tailscale. (See github issue)
  • The local domain is different to the tailscale domain. If you want to use them with a reverse proxy (nginx, caddy) you need to have rules configured for your tailscale magic DNS domain too.

I hope this helps.

[–] [email protected] 3 points 11 months ago

Tailscale has been nothing but pain for me.

What I have is a vps with wireguard and nginx proxy manager. Traffic comes in though the vps and is routed internally. I have firewalls and isolation for everything that is in the danger zone if something gets compromised.

[–] [email protected] 3 points 11 months ago

Are all services running on the same machine? You mentioned same network… you also said you added your “docker instance” to tailscale. I think some clarifications on what those two things mean could help narrow down the problem.

E.g. do you have multiple physical machines running docker containers? Each one you want to access needs to be added to tailscale, OR, set up a tailscale gateway?

[–] butt_mountain_69420 2 points 11 months ago
[–] [email protected] 2 points 11 months ago (1 children)

Have you looked at using the Funnel feature in Tailscale, instead of port mapping? This gets external traffic onto your Tailscale network (for anyone who doesn't have Tailscale) for specific resources, courtesy of Tailscale servers.

If you're just going to open ports to the world, Tailscale isn't really necessary (it's useful for you and anyone on TS, since you can use the Serve feature to permit other Tailscale networks to have access to specific resources).

[–] butt_mountain_69420 1 points 11 months ago

This sounds like exactly what I need. If I wanted to share my Linux Distros share with my dad, he wouldn't need to install tailscale and feck with all that?

[–] [email protected] 1 points 11 months ago

Set up Tailscale as exit node to your local network.

Make sure that your network is not standard 192.168.0.x or 192.168.1.x IP address range, but something like 192.168.101.x so you don't have IP conflicts when accessing from a friend's house or workplace wifi.

Set up Nginx to redirect your home server IP (eg. 192.168.101.5) to the correct port for your dashboard like Heimdall or Dashy.

That's it. Works like a charm for me if set up this way.

Addendum: if you have trouble on Android, disable MagicDNS.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #435 for this sub, first seen 18th Jan 2024, 04:35] [FAQ] [Full list] [Contact] [Source code]