Skip to content

Commit

Permalink
Update tailscale.md (#207)
Browse files Browse the repository at this point in the history
  • Loading branch information
@ljm42
ljm42 authored Nov 18, 2024
2 parents 6febc98 + e70e622 commit 3ce5931
Showing 1 changed file with 19 additions and 19 deletions.
38 changes: 19 additions & 19 deletions docs/unraid-os/manual/security/tailscale.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,14 +37,14 @@ Keep in mind that HTTPS Certificates are public, so make sure you are comfortabl

### Subnet routing (optional)

If you would prefer to access the system by it's main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs:
If you would prefer to access the system by its main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs:

1. Navigate to ***Settings → Tailscale***, click the **Viewing** button and **Sign In**
2. Click **Subnet router** and add either:
1. Your Unraid server's IP address in the format `192.168.0.12/32`
2. Or your whole network's subnet in the format `192.168.0.0/24`
3. Then click **Advertise routes**
4. You will see a *Pending approval* message, and a link where you can approve the route
4. You will see a *Pending approval* message and a link where you can approve the route
5. Once you approve the route, other machines on your Tailnet will be able to access either:
1. Your Unraid server by its main IP
2. Or everything on your network
Expand All @@ -56,19 +56,19 @@ If you would prefer to access the system by it's main IP when connected to the T

New to Unraid 7.0.0-rc.1

You can optionally add Tailscale to pretty much any Docker container managed by Unraid! Some of the benefits of doing this are:
You can optionally add Tailscale to almost any Docker container managed by Unraid! Some of the benefits of doing this are:

* The container will appear as a unique machine on your Tailnet, which means you can share just that container with other people without having to give them access to your whole server. See [Sharing](https://tailscale.com/kb/1084/sharing.)
* You can setup a VPN container to be an Exit Node, which any other machine on your Tailnet (or anyone you have shared this machine with) can use. See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
* The container will appear as a unique machine on your Tailnet, which means you can share just that container with other people without giving them access to your whole server. See [Sharing](https://tailscale.com/kb/1084/sharing.)
* You can set up a VPN container to be an Exit Node, which any other machine on your Tailnet (or anyone you have shared this machine with) can use. See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
* You can configure the container to send its outgoing Internet traffic through an Exit Node on your Tailnet (or one that has been shared with you.) See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
* If the container has a website, enable Tailscale Serve to access it from your Tailnet via a friendly https url with a full certificate. No port is necessary! See [Serve](https://tailscale.com/kb/1312/serve).
* If the container has a website, enable Tailscale Serve to access it from your Tailnet via a friendly https URL with a full certificate. No port is necessary! See [Serve](https://tailscale.com/kb/1312/serve).
* Or you can even make the container's website available on the Internet using Tailscale Funnel. See [Funnel](https://tailscale.com/kb/1223/funnel).

### Install Tailscale everywhere

If you plan to use Tailscale in your Docker containers we recommend installing it on any computer that needs to access these containers. The **Tailscale WebUI** URLs are much nicer than the default **WebUI** URLs, and in certain configurations ([see below](#userspace-networking)) the original container **WebUI** URLs stop working, requiring you to be on the Tailnet to access the container.
If you plan to use Tailscale in your Docker containers, we recommend installing it on any computer that needs to access these containers. The **Tailscale WebUI** URLs are much nicer than the default **WebUI** URLs, and in certain configurations ([see below](#userspace-networking)) the original container **WebUI** URLs stop working, requiring you to be on the Tailnet to access the container.

The Tailscale plugin for Unraid is technically *not required* for Docker integration, but for the best experience we recommend installing it and signing in to Tailscale on your Unraid server.
The Tailscale plugin for Unraid is technically *not required* for Docker integration, but for the best experience, we recommend installing it and signing in to Tailscale on your Unraid server.

### Install Tailscale in a Docker container

Expand All @@ -84,29 +84,29 @@ The Tailscale plugin for Unraid is technically *not required* for Docker integra

:::

5. Specify whether this container will **Be an Exit Node** or not, this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
5. Specify whether this container will **Be an Exit Node** or not; this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
6. Specify whether this container should **Use an Exit Node** for its outgoing Internet traffic. If you have the Tailnet plugin installed on your server you will see a list of Exit Nodes to choose from. If not, you will need to provide the IP address of the Exit Node to use. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes).
7. If you chose to **Use an Exit Node**, specify whether the container should also have access to your LAN.
8. Depending on your previous choices, the **Tailscale Userspace Networking** field may already be set for you. If not, you will probably want to leave it **disabled**. [See below](#userspace-networking) for details.
9. Specify whether or not to enable **Tailscale SSH**. This is similar to the Docker **Console** option in the Unraid webGUI, except you connect with an SSH client and authenticate via Tailscale. For more details, see the [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh) documentation.
10. Enable **Serve** to easily reverse proxy a website in the container at a friendly https url with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation.
10. Enable **Serve** to easily reverse proxy a website in the container at a friendly https URL with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation.

:::warning

Note that when accessing the Tailscale WebUI url via **Serve** or **Funnel**, no additional authentication layer is added - the container is still responsible for managing usernames/passwords that are allowed to access it.
Note that when accessing the Tailscale WebUI URL via **Serve** or **Funnel**, no additional authentication layer is added - the container is still responsible for managing usernames/passwords that are allowed to access it.

:::

1. Unraid will automatically determine the best port to reverse proxy via **Serve** or **Funnel** based on the **WebUI** field for this container, visible by switching from **Basic View** to **Advanced View** in the upper right corner of the Edit Docker page. To override this value, enable **Tailscale Show Advanced Settings** and modify the **Tailscale Serve Port**.
2. In most cases, specifying the port is all that is needed to get **Serve** or **Funnel** working. Additional settings are available behind the **Tailscale Show Advanced Settings** switch, see the inline help and the Tailscale documentation for [Tailscale Serve Command Line](https://tailscale.com/kb/1242/tailscale-serve) for details on using those advanced settings.
2. In most cases, specifying the port is all that is needed to get **Serve** or **Funnel** working. Additional settings are available behind the **Tailscale Show Advanced Settings** switch. See the inline help and the Tailscale documentation for [Tailscale Serve Command Line](https://tailscale.com/kb/1242/tailscale-serve) for details on using those advanced settings.

## Updating Tailscale

Tailscale is updated pretty regularly, see their [changelog](https://tailscale.com/changelog).
Tailscale is updated regularly. See their [changelog](https://tailscale.com/changelog).

To update the version of Tailscale used by Unraid itself, simply update the Tailscale plugin once an update is available.

To update the version of Tailscale inside a Docker container, first hover over the Tailscale icon on the Docker listing page, it will tell you if an update is available.
To update the version of Tailscale inside a Docker container, first hover over the Tailscale icon on the Docker listing page. It will tell you if an update is available.
There are two ways to update the container:

1. On the Docker Listing page, switch from **Basic View** to **Advanced View** in the upper right corner of the page, then click the **Force update** option for this container.
Expand All @@ -118,11 +118,11 @@ There are two ways to update the container:

:::tip

You can ignore the details of **Userspace Networking** if you install Tailscale on all systems that need to access the containers, and if you always access the containers via the **Tailscale WebUI** URL.
You can ignore the details of **Userspace Networking** if you install Tailscale on all systems that need to access the containers and if you always access the containers via the **Tailscale WebUI** URL.

:::

When **Userspace Networking** is *enabled*, the container will operate in a restricted environment. Tailscale DNS will not work, and the container will not be able to initiate connections to other Tailscale machines. However, the container will be reachable by either the **Tailscale WebUI** URL or the original **WebUI** url.
When **Userspace Networking** is *enabled*, the container will operate in a restricted environment. Tailscale DNS will not work, and the container will not be able to initiate connections to other Tailscale machines. However, the container will be reachable by either the **Tailscale WebUI** URL or the original **WebUI** URL.

When **Userspace Networking** is *disabled*, the container will have full access to your Tailnet. Tailscale DNS will work, and the container can fully communicate with other machines on the Tailnet. However, the original **WebUI** may not work, details below.

Expand All @@ -145,15 +145,15 @@ Additionally, **Userspace Networking** options depends on the **Network type** o
* When **Userspace Networking** is *enabled* the container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url
* When **Userspace Networking** is *disabled* the container will only be accessible by the **Tailscale WebUI** URL and not the original **WebUI** url
* **eth0/br0/bond0**: defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired
* The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url, regardless of the **Userspace Networking** setting.
* **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested, the usefulness of adding Tailscale here is unclear
* The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** URL, regardless of the **Userspace Networking** setting.
* **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested. The usefulness of adding Tailscale here is unclear

### How does the Unraid Tailscale-Docker integration work?

When you enable the **Use Tailscale** switch and click **Apply**:

1. Unraid will extract the default **Entrypoint** and **CMD** from the container
2. The **tailscale_container_hook** script will be mounted in the container to `/opt/unraid/tailscale-hook` and the container's **Entrypoint** will be modified to call it
3. The original **Entrypoint** and **CMD** from the container, alongside with the other necessary variables for Tailscale, will be passed to the Docker run command
3. The original **Entrypoint** and **CMD** from the container, alongside the other necessary variables for Tailscale, will be passed to the Docker run command
4. When the container starts, the **tailscale_container_hook** script will be executed, which installs dependencies and then downloads and runs Tailscale
5. The **tailscale_container_hook** script will then run the original **Entrypoint** and **CMD** which was extracted in step 2 and the container will start as usual

0 comments on commit 3ce5931

Please sign in to comment.