I was able to get tailscale working as an exit node when running tailscale in a Docker container. I first followed all of the steps in the tailscale exit node docs, then I had to add some configs for the firewall. Here is the final config that I used:
Docker host (outside the container) system config:
Enable IP forwarding:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
Enable firewall rules for NAT and traffic forwarding for tailscale traffic.
note: the tailscale ip range used is 100.64.0.0/10 (see the Tailscale docs: "What are these 100.x.y.z addresses?")
sudo iptables -A FORWARD --in-interface tailscale0 -j ACCEPT
sudo iptables -A FORWARD --out-interface tailscale0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING --source 100.64.0.0/10 --out-interface wlan0 -j MASQUERADE
docker-compose.yaml
version: "3.9"
services:
  tailscale:
    container_name: tailscale
    hostname: my-host-name
    image: tailscale/tailscale:v1.32.3
    privileged: true
    network_mode: "host"
    volumes:
      - "./tailscale_var_lib:/var/lib" # State data will be stored in this directory
      - "/dev/net/tun:/dev/net/tun" # Required for tailscale to work
    cap_add: # Required for tailscale to work
      - net_admin
      - sys_module
    command: tailscaled
    restart: unless-stopped
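A small audit script, added here and not part of the original post, that checks a host for the three iptables rules and both sysctl forwarding switches described above before the host is relied on as an exit node. It assumes tailscale0 and wlan0 (the interface names used in the post) and `iptables-save` output format; the rule dumps it checks are constructed samples.

```shell
# Added example, not from the original post: audit a host for the forwarding
# and NAT rules listed above before relying on it as an exit node. Assumes
# tailscale0 as tunnel interface, wlan0 as egress (as in the post), and
# rules in `iptables-save` output format.
TS_RANGE="100.64.0.0/10"   # Tailscale CGNAT range from the post

# audit_rules TUN EGRESS < dump: returns 0 when the dump on stdin holds all
# three rules; reports each missing rule on stderr so the operator knows
# exactly what to add.
audit_rules() {
  tun="$1"; egress="$2"; missing=0
  dump=$(cat)
  # iptables-save prints --in-interface as -i and --out-interface as -o
  for want in \
    "-A FORWARD -i $tun -j ACCEPT" \
    "-A FORWARD -o $tun -j ACCEPT" \
    "-A POSTROUTING -s $TS_RANGE -o $egress -j MASQUERADE"
  do
    if ! printf '%s\n' "$dump" | grep -qF -- "$want"; then
      echo "missing rule: $want" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# audit_forwarding IPV4 IPV6: returns 0 only when both sysctl switches are 1.
audit_forwarding() {
  [ "$1" = "1" ] && [ "$2" = "1" ]
}

# Constructed sample: a host configured exactly as the post describes.
SAMPLE_OK='*filter
-A FORWARD -i tailscale0 -j ACCEPT
-A FORWARD -o tailscale0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 100.64.0.0/10 -o wlan0 -j MASQUERADE
COMMIT'

# Constructed sample: forwarding allowed but MASQUERADE missing, so replies
# from the LAN or internet have no route back to the 100.64.0.0/10 peers.
SAMPLE_NO_NAT='*filter
-A FORWARD -i tailscale0 -j ACCEPT
-A FORWARD -o tailscale0 -j ACCEPT
COMMIT'
# Live use: sudo iptables-save | audit_rules tailscale0 wlan0 &&
#   audit_forwarding "$(sysctl -n net.ipv4.ip_forward)" \
#                    "$(sysctl -n net.ipv6.conf.all.forwarding)"
```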