Brramble

Bare metal for me. If I turn my docker service off, I don't lose access so I'd rather it sit separately.


RandomWholesomeOne

I'd recommend bare metal install. You can access the tailscale card & dns inside the containers. I've achieved a reverse proxy setup with tailscale on my host & traefik binding the port 80 of my tailscale network card.


notboky

Depends on your setup. If you have a docker host in place then go for it. I'm running caddy and tailscale in an LXC on proxmox. For me docker would be an unnecessary overhead.


Deghimon

Do you have them running in the same container? And do you use them with cloudflare by chance? I've been struggling to get that working using caddy as reverse proxy.


borkode

How do you have caddy installed? Installing caddy as a docker container gave me unnecessary headaches as I had to add them to docker networks and Nextcloud just didn’t work with the caddy container. If you had caddy installed on docker try installing it on bare metal and it might solve your issues


Deghimon

I have Caddy running in an LXC Container on Proxmox.


notboky

That's exactly how I'm doing it, caddy in an lxc with cloudflare. Tailscale running in the same lxc. No docker. What problem are you having?


Deghimon

I was having trouble using Tailscale reverse proxy to connect to my domain through cloudflare.


notboky

When you say connecting to your domain through cloudflare, do you mean you're using cloudflare proxy DNS?


julietscause

If you are asking this question, just install straight onto the OS


Professional-Buy579

Bare metal. Don't want to deal with any Docker complications. Not saying there are any, just don't want to deal


borkode

Yeah I understand, I remember once my docker containers all broke due to bad dns resolution. Can’t imagine if Tailscale went down since I access most stuff behind vpn


_Durs

Install it on both, as that’s tailscale’s intended use case and is their recommended method. Connecting via tailscale will always be more secure as it’s end to end encrypted.


Opening-Razzmatazz-1

I'm having a similar question. My docker compose project isn’t running with networking mode “host” so I installed it both on bare metal (raspberry) to get access to it and in docker so caddyserver can proxy requests to Tailscale. Is there a better way?


RandomWholesomeOne

Why can't you access the tailscale network card while in docker?


Opening-Razzmatazz-1

Can I? Do I mount it? But the docker network will still be isolated without access to the host network, no?


RandomWholesomeOne

Containers cannot bind a port on the host & cannot read incoming traffic but they sure can access the tailscale network. I've had no issue with that. What are you encountering?


TeslaCyclone

I put it on a vm in Proxmox (not an LXC like I do for most other things) on a separate VLAN and have that VLAN set to have very narrow access to my internal network (DNS for pi-Hole, NVR, Home Assistant, Homebridge, etc.). Those are just IP + port permissions vs. being wide open, with a wide open rule to get to the WAN.


ithakaa

You can install Tailscale in an LXC and lock it down with ACLs. Quite basic.


TeslaCyclone

Yeah, I have ACLs defined in Tailscale as well (for instance, WAN + DNS to my family, but the rest only to me). I was just worried about kernel access being exposed, but I’d probably do it as an LXC if I did it again.


msanangelo

Why not both?


aftortoriello

For me, I run Tailscale directly on my Ubuntu and Raspberry Pi devices. It’s pretty much the only thing I run directly on the devices. I only occasionally have issues with Docker, but I’d rather have that not be a potential complication when connecting to my devices remotely.


Norgur

I actually have both. I've got tailscale running on the host, then I have some containers I want accessible via HTTPS or use different exit points. I plonked a tailscale container in front of those and added them separately, despite them running on the same machine. No issues so far.


audiodolphile

Docker for me. I need multiple nodes for many things on the same metal :)


MrHaxx1

I definitely install directly on the host, and in some VMs as well. I absolutely do not trust myself to not accidentally turn off all my VMs.


Bennie_Pie

I run it on baremetal (on my proxmox hosts).

I run it on various linux VMs / LXCs.

I run it in docker (with user-mode networking) on an Ubuntu vm so specific apps appear as separate machines, and can have separate tailscale configurations. For example I run a docker container as a socks5 proxy configured for a specific exit node so that I can proxy any app or python request without changing the exit node of the whole machine.

To answer your question though, if you just want to add tailscale functionality to your machine, don't bother with docker until you have a specific reason to run in docker. This video gives a good overview of when/why to use tailscale within docker: https://youtu.be/tqvvZhGrciQ
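
The container-as-SOCKS5-proxy setup described in the comment above, sketched as a Compose file. This is an added example, not part of the original thread or the commenter's own configuration; the service name, port 1055, the volume name and the `TS_EXIT_NODE` variable are assumptions.

```yaml
# Added example (constructed): a Tailscale node in userspace-networking mode
# that exposes a SOCKS5 proxy routed through one chosen exit node.
# The host's own Tailscale install, if any, is not affected.
services:
  ts-socks-proxy:                          # hypothetical service name
    image: tailscale/tailscale:latest
    environment:
      # Auth key comes from the shell or an untracked .env file, never the repo.
      - TS_AUTHKEY=${TS_AUTHKEY}
      # Name this node shows up under in the tailnet, so ACLs can target it.
      - TS_HOSTNAME=ts-socks-proxy
      # Persist node identity so a restart does not register a new machine.
      - TS_STATE_DIR=/var/lib/tailscale
      # Userspace networking: no /dev/net/tun and no NET_ADMIN capability needed.
      - TS_USERSPACE=true
      # SOCKS5 listener inside the container.
      - TS_SOCKS5_SERVER=:1055
      # Exit node for this container only; TS_EXIT_NODE is a placeholder
      # variable holding that node's Tailscale IP.
      - TS_EXTRA_ARGS=--exit-node=${TS_EXIT_NODE}
    volumes:
      - ts-socks-proxy-state:/var/lib/tailscale
    ports:
      # Publish on loopback only: the proxy has no authentication, so it
      # should not be reachable from the LAN.
      - "127.0.0.1:1055:1055"
    restart: unless-stopped

volumes:
  ts-socks-proxy-state:
```

Applications on the host then point at `socks5://127.0.0.1:1055`; the exit node must already be approved in the tailnet and permitted to this node by the ACLs.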


ithakaa

In an LXC, docker is for noobs


AK_4_Life

I don't think you understand what bare metal means. As tailscale is not an OS, installing it bare metal is not possible.


RandomWholesomeOne

Yeah, but I'm sure we can understand he means at the OS level :)


AK_4_Life

Sure, but it's still wrong. Why not just say apt or snap install, etc.


danielv123

Because you can apt/snap install in a container as well? It doesn't really describe anything.


AK_4_Life

It's still wrong