Private routes with Traefik

On my server, I use Traefik to route public traffic to the right containers. Currently, I have an Authentik middleware sitting between the internet and my containers, but since I’m using Tailscale I thought I could get rid of that middleware as long as I’m connected via VPN.
But I ran into a problem: how do I make sure the route without the middleware is only accessible when I’m connected via Tailscale? Let me walk you through my current setup:

services:
  whoami:
    image: containous/whoami:latest
    container_name: whoami
    hostname: whoami
    networks:
      - traefik-network
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      - "traefik.http.routers.whoami.middlewares=authentik-proxy@docker"
      - "traefik.http.routers.whoami.tls.domains[0].main=*.example.com"

      - "traefik.http.routers.whoami-vpn.rule=Host(`whoami.example.me`)"
      - "traefik.http.routers.whoami-vpn.entrypoints=websecure"
      - "traefik.http.routers.whoami-vpn.tls.certresolver=le"
      - "traefik.http.routers.whoami-vpn.tls.domains[0].main=*.example.me"

networks:
  traefik-network:
    external: true
    name: traefik

I control both the example.com and example.me domains and I have successfully created TLS certificates for both of them using the built-in Let’s Encrypt. The example.me domain should be used for internal traffic only so no DNS records are published on Cloudflare. The opposite is true for the example.com domain which has a wildcard record that points to my server.
On my Tailscale network, I also have a DNS server (AdGuard Home) configured which I use to publish an internal DNS record (whoami.example.me → 100.64.209.68, the server’s Tailscale IP). Using this setup, I can use whoami.example.me when I’m connected via Tailscale and whoami.example.com even if I’m not connected.
The problem is that anyone can run a DNS server and set up a DNS record that points whoami.radmacher.me to my server’s public IP address. So my solution is to just allow traffic from my Tailscale IP to the “insecure” endpoint:

      - "traefik.http.routers.whoami-vpn.rule=Host(`whoami.example.me`) && ClientIP(`100.64.0.0/10`)"

But when I open up the whoami page, I see that my IP is something different:

Hostname: whoami
IP: 127.0.0.1
IP: 172.18.0.11
RemoteAddr: 172.18.0.6:45710
GET / HTTP/1.1
Host: whoami.example.me
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 172.18.0.1
X-Forwarded-Host: whoami.example.me
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik
X-Real-Ip: 172.18.0.1

So I guess my question is twofold:
Is this the correct way to achieve such a setup?

  • If not, how should I do this?
  • If yes, why am I seeing that 172.18.0.1 IP address instead of my Tailscale IP?

Excuse me if there are any technical problems with my question; I’m quite new to setting up VPNs and Tailscale specifically.
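An added diagnostic, not part of the question above, that reads the whoami dump and evaluates the ClientIP(`100.64.0.0/10`) rule the way the post expects it to behave: against the address Traefik accepted the connection from (the one it forwards in X-Forwarded-For), never against a header the client supplied. The sample body is a constructed, trimmed copy of the output in the post; the second sample with a 100.64.x.x address is constructed to show the matching case. It also classifies the observed address so that a Docker bridge gateway (172.18.0.1) is recognised as "the real source was lost before Traefik", which is the condition under which any IP-based rule either denies everyone or, if widened to the Docker range, admits everyone.

```python
import ipaddress
from typing import Dict

# Constructed sample: the relevant lines of the whoami response from the post.
WHOAMI_OUTPUT = """Hostname: whoami
IP: 127.0.0.1
IP: 172.18.0.11
RemoteAddr: 172.18.0.6:45710
GET / HTTP/1.1
Host: whoami.example.me
X-Forwarded-For: 172.18.0.1
X-Real-Ip: 172.18.0.1
"""

# Constructed variant: what the dump would look like if Traefik saw the Tailscale peer.
TAILSCALE_OUTPUT = WHOAMI_OUTPUT.replace("172.18.0.1", "100.64.1.2")

TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_whoami(body: str) -> Dict[str, str]:
    """Parse 'Key: value' lines of a whoami dump into a dict (last value wins)."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value.strip()
    return fields


def peer_ip(fields: Dict[str, str]) -> ipaddress.IPv4Address:
    """RemoteAddr is the TCP peer of the whoami container, i.e. Traefik itself."""
    host, _, _port = fields["RemoteAddr"].rpartition(":")
    return ipaddress.ip_address(host)


def forwarded_client_ip(fields: Dict[str, str]) -> ipaddress.IPv4Address:
    """First hop of X-Forwarded-For: the address Traefik accepted the connection from."""
    return ipaddress.ip_address(fields["X-Forwarded-For"].split(",")[0].strip())


def client_ip_rule_matches(fields: Dict[str, str], cidr: str = "100.64.0.0/10") -> bool:
    """ClientIP(`cidr`) as a check on Traefik's own peer address, not a client header."""
    return forwarded_client_ip(fields) in ipaddress.ip_network(cidr)


def classify_source(fields: Dict[str, str]) -> str:
    """Label the address Traefik saw: Tailscale peer, Docker/LAN gateway, or public."""
    ip = forwarded_client_ip(fields)
    if ip in TAILSCALE_CGNAT:
        return "tailscale"
    return "docker-or-lan" if ip.is_private else "public"
```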