My Setup
- I have an ubuntu server
- That is running tailscale
- It is also running docker
- In docker I’m running Traefik reverse proxy
What I Want To Achieve
I want to be able to expose services in traefik and control wether or not they are publically available or only available via the tailscale vpn network.
So I wan´t to create 4 entrypoints in traefik
- web # Listens to port 80 on all interface, i.e. "is public"
- websecure # Listens to port 443 on all interface, i.e. "is public"
- vpnweb # Listens to port 80 on my vpn interface, i.e. "only on my servers tailscale ip"
- vpnwebsecure # Listens to port 443 on my vpn interface, i.e. "only on my servers tailscale ip"
What I Have Tried
I tried binding the ports to docker (docker-compose.yml
):
traefik:
image: traefik:v2.9
ports:
# The HTTP port on tailscale vpn
- "100.112.44.28:80:80"
# The HTTPS port on tailscale vpn
- "100.112.44.28:443:443"
# The HTTP port
- "80:80"
# The HTTPS port
- "443:443"
Then specifying the entrypoints in traefik.yml
entryPoints:
# Listen on the tailscale subnet
vpnweb:
address: "100.112.44.28:80"
vpnwebsecure:
address: "100.112.44.28:443"
# Public endpoints
web:
address: :80
websecure:
address: :443
What Happens
When I start docker I get the following error:
Error response from daemon: driver failed programming external connectivity on endpoint rduce-server-traefik-1 (3aa39971ba9b083e56791d3bb8def68d22e18421a1679f28c5f1847dc28d9ff5): Error starting userland proxy: listen tcp4 100.112.44.28:443: bind: address already in use
and if I check the usage of port 443 I get
❯ sudo lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tailscale 3416 root 10u IPv4 1507921 0t0 TCP myserver.localdomain:42230->ec2-34-229-201-48.compute-1.amazonaws.com:https (ESTABLISHED)
tailscale 3416 root 36u IPv4 1457760 0t0 TCP myserver.localdomain:37714->derp4g.tailscale.com:https (ESTABLISHED)
and if I check the usage of port 80 I get
❯ sudo lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tailscale 3416 root 28u IPv4 948209 0t0 TCP myserver.localdomain:51832->ec2-18-193-255-254.eu-central-1.compute.amazonaws.com:http (ESTABLISHED)
If I check tailscale status
it tells me the server is idle and my desktop connection is direct
and no DERP relay is used.
100.112.44.28 myserver andre@ linux idle; offers exit node
100.105.249.65 mydesktop andre@ windows active; direct 192.168.1.123:41641, tx 17862768 rx 2429328
Questions
- Why is tailscale using these ports when there are no derp involved?
- I post it here instead of at the Traefik forum since the docker would be blocked no matter what reverse proxy I would have chosen
- Why can I export port :80 and :443 on all interfaces, but when I pick specific ones I get a conflict?
- Am I approaching this the wrong way? I see that the Traefik beta of v3 contains some integration between Traefik and Tailscale
- What can I do to achieve my goal stated above?