No internet when using Linux (docker) as exit node

I am hoping to use my Raspberry Pi as an exit node. I set up tailscale (1.30.0) using Docker with the following docker-compose:

  tailscale:
    privileged: true
    hostname: raspberrypi
    network_mode: "host"
    container_name: tailscale
    image: tailscale/tailscale:latest
    volumes:
      - "./Tailscale/var_lib:/var/lib"
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - net_admin
      - sys_module
    command: tailscaled
    restart: unless-stopped

However, when I select the Raspberry Pi as the exit node, there is no internet connectivity (I get a "server stopped responding" error). Looking at the logs, I don’t see anything that would indicate a problem:

2022/09/09 13:48:45 wgengine: Reconfig: configuring userspace WireGuard config (with 0/2 peers)
2022/09/09 13:48:45 wgengine: Reconfig: configuring router
2022/09/09 13:49:03 wgengine: idle peer [zTzod] now active, reconfiguring WireGuard
2022/09/09 13:49:03 wgengine: Reconfig: configuring userspace WireGuard config (with 1/2 peers)
2022/09/09 13:49:03 magicsock: disco: node [zTzod] d:b7f02e2992a864ed now using 10.0.0.129:41641
2022/09/09 13:49:03 magicsock: disco: node [zTzod] d:b7f02e2992a864ed now using [2607:fea8:e3de:bc00:1800:89b1:3a8d:1c69]:41641
2022/09/09 13:49:03 Accept: TCP{100.81.45.10:52964 > 100.121.157.2:40886} 64 tcp ok
2022/09/09 13:49:03 Accept: TCP{100.81.45.10:52965 > 100.121.157.2:40886} 64 tcp ok
2022/09/09 13:49:03 Accept: TCP{100.81.45.10:52966 > 100.121.157.2:40886} 64 tcp ok
2022/09/09 13:49:13 Accept: TCP{100.81.45.10:52983 > 100.121.157.2:40886} 52 tcp non-syn
2022/09/09 13:49:41 Accept: TCP{100.81.45.10:52982 > 100.121.157.2:40886} 277 tcp non-syn
2022/09/09 13:49:41 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 277 tcp non-syn
2022/09/09 13:50:13 Accept: TCP{100.81.45.10:52982 > 100.121.157.2:40886} 254 tcp non-syn
2022/09/09 13:50:13 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 254 tcp non-syn
2022/09/09 13:50:13 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 52 tcp non-syn
2022/09/09 13:50:54 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 264 tcp non-syn
2022/09/09 13:50:54 Accept: TCP{100.81.45.10:52982 > 100.121.157.2:40886} 264 tcp non-syn
2022/09/09 13:50:54 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 52 tcp non-syn
2022/09/09 13:51:03 magicsock: disco: node [zTzod] d:b7f02e2992a864ed now using 10.0.0.129:41641
2022/09/09 13:51:03 magicsock: disco: node [zTzod] d:b7f02e2992a864ed now using [2607:fea8:e3de:bc00::c26a]:41641
2022/09/09 13:51:03 magicsock: home is now derp-12 (ord)
2022/09/09 13:51:03 magicsock: adding connection to derp-12 for home-keep-alive
2022/09/09 13:51:03 magicsock: 2 active derp conns: derp-1=cr4h57m0s,wr4h57m0s derp-12=cr0s,wr0s
2022/09/09 13:51:03 control: NetInfo: NetInfo{varies=false hairpin=false ipv6=true udp=true icmpv4=false derp=#12 portmap= link=""}
2022/09/09 13:51:03 derphttp.Client.Recv: connecting to derp-12 (ord)
2022/09/09 13:51:03 magicsock: derp-12 connected; connGen=1
2022/09/09 13:51:14 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 255 tcp non-syn
2022/09/09 13:51:14 Accept: TCP{100.81.45.10:52986 > 100.121.157.2:40886} 255 tcp non-syn
2022/09/09 13:51:24 Accept: TCP{100.81.45.10:52978 > 100.121.157.2:40886} 264 tcp non-syn
2022/09/09 13:52:06 magicsock: disco: node [zTzod] d:b7f02e2992a864ed now using [2607:fea8:e3de:bc00:f493:6e30:590a:6c82]:41641

Any help would be appreciated.

I was able to get tailscale working as an exit node when running tailscale in a Docker container. I first followed all of the steps in the tailscale exit node docs, then I had to add some configs for the firewall. Here is the final config that I used:

Docker host (outside the container) system config:

Enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Enable firewall rules for NAT and traffic forwarding for tailscale traffic.
Note: the tailscale IP range used is 100.64.0.0/10 (see docs: What are these 100.x.y.z addresses? · Tailscale).

sudo iptables -A FORWARD --in-interface tailscale0 -j ACCEPT
sudo iptables -A FORWARD --out-interface tailscale0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING --source 100.64.0.0/10 --out-interface wlan0 -j MASQUERADE

docker-compose.yaml

version: "3.9"

services:
  tailscale:
    container_name: tailscale
    hostname: my-host-name
    image: tailscale/tailscale:v1.32.3
    privileged: true
    network_mode: "host"
    volumes:
      - "./tailscale_var_lib:/var/lib"        # State data will be stored in this directory
      - "/dev/net/tun:/dev/net/tun"           # Required for tailscale to work
    cap_add:                                    # Required for tailscale to work
      - net_admin
      - sys_module
    command: tailscaled
    restart: unless-stopped
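
Added example, not part of this thread or of Tailscale's own tooling: a small POSIX shell checker for the three prerequisites the post above sets up (the two forwarding sysctls, the FORWARD rules for tailscale0, and the MASQUERADE rule for 100.64.0.0/10 out of the upstream interface). It reads `sysctl -a` and `iptables-save` text from stdin, so it can be pointed at a live host or, as here, at constructed sample output. The interface names wlan0 and eno1 are taken from the thread; the sample text is made up and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the forum thread: check a Docker host for the
# exit-node prerequisites described in the post above (IP forwarding sysctls,
# FORWARD rules for tailscale0, MASQUERADE for 100.64.0.0/10). The checks read
# text on stdin, so they work on live output:
#   sysctl -a 2>/dev/null | check_sysctl
#   sudo iptables-save     | check_iptables wlan0
# and on the constructed samples at the bottom when run offline.

# Report each forwarding sysctl from the post; return 0 only if both are "= 1".
check_sysctl() {
  input=$(cat)
  status=0
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    if printf '%s\n' "$input" | grep -Eq "^$key *= *1\$"; then
      echo "ok:      $key = 1"
    else
      echo "missing: $key should be 1"
      status=1
    fi
  done
  return $status
}

# Report the three iptables rules from the post for the upstream interface given
# as $1; return 0 only if all are present. iptables-save prints the short
# -i/-o/-s forms of --in-interface/--out-interface/--source, so match those.
check_iptables() {
  upstream=$1
  input=$(cat)
  status=0
  for rule in \
    "-A FORWARD -i tailscale0 -j ACCEPT" \
    "-A FORWARD -o tailscale0 -j ACCEPT" \
    "-A POSTROUTING -s 100.64.0.0/10 -o $upstream -j MASQUERADE"
  do
    if printf '%s\n' "$input" | grep -Fqx -- "$rule"; then
      echo "ok:      $rule"
    else
      echo "missing: $rule"
      status=1
    fi
  done
  return $status
}

# Constructed sample output (not captured from a real host) standing in for
# `sysctl -a` and `iptables-save` on a host configured as in the post, with
# wlan0 as the upstream interface and Docker's usual FORWARD DROP policy.
SYSCTL_SAMPLE='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
IPTABLES_SAMPLE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 100.64.0.0/10 -o wlan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tailscale0 -j ACCEPT
-A FORWARD -o tailscale0 -j ACCEPT
COMMIT'

echo "== sysctl"
printf '%s\n' "$SYSCTL_SAMPLE" | check_sysctl
echo "== iptables, upstream wlan0"
printf '%s\n' "$IPTABLES_SAMPLE" | check_iptables wlan0
echo "== iptables, upstream eno1 (a different upstream interface name)"
printf '%s\n' "$IPTABLES_SAMPLE" | check_iptables eno1 || echo "NAT rule for eno1 not found: exit-node traffic would leave unmasqueraded or be dropped"
```

Two things worth knowing when reading the results. Docker sets the host's FORWARD chain policy to DROP (the `:FORWARD DROP` line in the sample), which is why the two ACCEPT rules are needed at all; and `-A FORWARD -o tailscale0 -j ACCEPT` admits every forwarded packet heading into the tailnet, not only replies, so a tighter variant is to replace it with a `-m conntrack --ctstate RELATED,ESTABLISHED` rule if nothing on the LAN should be able to initiate connections toward tailnet peers through this host.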

Does this work for more people? Unfortunately I can only access my local network because of the subnet routing I added, but I can’t access the internet.

I enabled IP forwarding and set iptables rules (I changed wlan0 to eno1 for my own network card in the POSTROUTING part, I suppose that’s correct).

I didn’t find any other solution searching the internet. I think this forum is my best bet…

I got it working by creating a new separate docker network for tailscale. Not sure why, but mine worked by not using the host network mode.