this post was submitted on 22 Apr 2024
18 points (95.0% liked)

Selfhosted

40152 readers
538 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I set up Headscale and Tailscale using Docker on a VPS, which I want to use as my public IPv4 and Reverse Proxy to route incoming traffic to my local network and e. g. my home server. I also set up Tailscale using Docker on my home server and connected both to my Headscale server.
I am able to ping on Tailscale container from the other and vice versa and set up --advertise-routes=192.168.178.0/24 on my home server as well as --accept-routes on my VPS, but I can't ping local IP addresses from my VPS. What am I missing?
Both container are connected to the host network, I have opened UDP ports 41641 and 3478 on my VPS.

all 31 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 6 months ago (1 children)
[–] [email protected] 1 points 6 months ago (1 children)
[–] [email protected] 3 points 6 months ago (1 children)

image: tailscale/tailscale:v1.60.1

To pull that version of tailscale. Latest broke subnets.

[–] [email protected] 1 points 6 months ago (1 children)
[–] [email protected] 2 points 6 months ago (1 children)

You might have other issues then, but I'd use that version of tailscale since it was the last version to work with subnets. Also, only the owner's account works cuz sharing subnets broke even longer ago, and I'm positive neither has been fixed. Good luck!

[–] [email protected] 2 points 6 months ago (1 children)

Subnets seem to work for me with 1.62.0 docker image. In what way were they broken?

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

I reported it the day the update was released cuz all of my containers are on their own ip. Got that update and nothing was reachable till I rolled back.

GitHub

[–] [email protected] 2 points 6 months ago (1 children)

Did you enable the route in the admin web ui?

[–] [email protected] 1 points 6 months ago (1 children)

I'm using Headscale, but yes.

[–] [email protected] 2 points 6 months ago (1 children)

That should be all that's required. Are you using ACLs? If so you need to provide access to the subnet router as well as a rule to the IP behind it

[–] [email protected] 1 points 6 months ago (1 children)
[–] [email protected] 2 points 6 months ago (1 children)

Can your nodes ping each other on the tailscale ips? Check tailscale status and make sure the nodes see each other listed there.

Try tailscale ping 1.2.3.4 with the internal IP addresses and see what message it gives you.

tailscale debug netmap is useful to make sure your clients are seeing the routes that headscale pushes.

[–] [email protected] 1 points 6 months ago (1 children)

Yes, both clients can tailscale ping each other and after doing so the status shows active; relay "ams".

Using tailcale ping 192.168.178.178 also works for some reason.

Not sure what to do with the output of netmap.

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

Relay "ams" means you're using tailscales DERP node in amsterdam, this is expected if you don't have direct connectivity through your firewall. Since you opened the ports that's unusual and worth looking into, but I'd worry about that after you get basic connectivity.

So to confirm your behavior, you can tailscale ping each other fine and tailscale ping to the internal network. You cannot however ping from the OS to the remote internal network?

Have you checked your routing tables to make sure the tailscale client added the route properly?

Also have you checked your firewall rules? If you're using ipfw or something, try just turning off iptables briefly and see if that lets you ping through.

[–] [email protected] 1 points 6 months ago (1 children)

So to confirm your behavior, you can tailscale ping each other fine and tailscale ping to the internal network. You cannot however ping from the OS to the remote internal network?

Exactly.

Have you checked your routing tables to make sure the tailscale client added the route properly?

How do I do this? I use Headscale and headscale routes list shows the following:

ID | Machine | Prefix           | Advertised | Enabled | Primary
1  | server  | 0.0.0.0/0        | false      | false   | -
2  | server  | ::/0             | false      | false   | -
3  | server  | 192.168.178.0/24 | true       | true    | true

Also have you checked your firewall rules? If you’re using ipfw or something, try just turning off iptables briefly and see if that lets you ping through.

I'm not using a firewall, but the VPS is hosted on Hetzner, which has a firewall. But I already allowed UDP port 41641 and 41641. The wg0 rule is from the Wireguard setup I want to replace using Tailscale.

# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -s 100.64.0.0/10 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
[–] [email protected] 2 points 6 months ago (1 children)

How do I do this?

Run ip route show table all

I would expect to see a line like:

192.168.178.0/24 dev tailscale0 table 52

Out of curiosity on a remote node do tcpdump -i tailscale0 -n icmp and then do a ping from the other side, does tcpdump see the icmp packets come in?

[–] [email protected] 1 points 6 months ago (1 children)

There is no tailscale0, but also not on my home server which also runs Tailscale and which I can access remotely using my Android. Could my existing Wireguard setup interfere with Tailscale?

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

The tailscale client should have created an interface, but I've never used it on a box also running wg. You don't have a tailscale specific interface in ip addr show at all? That's.... odd.

Do you have a device at /dev/net/tun?

[–] [email protected] 1 points 6 months ago

I'm not sure the Docker container is even using a tailscale interface, because there is none on my VPS or my home server.

And how do I see whether I have a device at /dev/net/tun?

[–] [email protected] 2 points 6 months ago

I ran into a similar problem with tailscale. It looked like I needed to disable source NAT but that didn’t appear to be implemented in the FreeBSD package so it didn’t work for me. If you’re in Linux it might be worth a shot.

--snat-subnet-routes=false

“Disables source NAT. In normal operations, a subnet device will see the traffic originating from the subnet router. This simplifies routing, but does not allow traversing multiple networks. By disabling source NAT, the end machine sees the LAN IP address of the originating machine as the source.”

https://tailscale.com/kb/1214/site-to-site

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
IP Internet Protocol
NAT Network Address Translation
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

5 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.

[Thread #703 for this sub, first seen 22nd Apr 2024, 16:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 6 months ago (1 children)

Sometimes these issues happen because of the IP range you're using. If your local network and your remote network both use the 192.168.x.x range, then there can be conflicts and issues like this. This is a thing that happens generally with VPNs, not sure how Tailscale specifically functions with this issue.

Even if that's not what's going on here, you might try setting up your remote node as an exit node, and configuring your local node to route all traffic through it. Theoretically that shouldn't be necessary, and it will also slow down your traffic if you're routing EVERYTHING through Tailscale. But it could work in a pinch.

Actually, I'm looking at Tailscale documentation now and I see that they recommend setting up subnet routers instead of exit nodes in most cases. Maybe go that route instead, that makes more sense to me. That way you're only routing necessary traffic through the remote node, rather than everything.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Thanks, that's what I'm trying to do. :)

And my VPS doesn't have any IPs in the same range as my home server.

[–] [email protected] 1 points 6 months ago (1 children)

'ip route show' on all machines. Make sure they know how to get to each other.

[–] [email protected] 1 points 6 months ago (1 children)

How do I make sure of this? What am I supposed to see using the command?

[–] [email protected] 2 points 6 months ago (1 children)

You expect to see the subnet of the VPN network mentioned, and the wg0 interface as it's gateway. Also might want to make sure your wg0 interface even exists and is up with 'ip addr show'

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Are you sure Tailscale in Docker is creating a wg0 interface? Because I got a working connection between my smartphone and my home server and the home server is not showing any interface related to Tailscale?

default via 192.168.178.1 dev ens18 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.178.0/24 dev ens18 proto kernel scope link src 192.168.178.178 
[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Are you running it in a container? Then you'll be seeing the docker0 interface as you see there, and the container will route through that.

[–] [email protected] 1 points 6 months ago

Yes I'm running it on Docker and therefore have the docker0 interface.

[–] [email protected] -2 points 6 months ago

New Lemmy Post: [Tailscale] Can't connect VPS to local network? (https://lemmyverse.link/lemmy.dbzer0.com/post/18911194)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md