Tailscale running in a container, cannot use as an exit node

narasp · February 23, 2022, 11:05pm

Running tailscale on the host OS and advertising exit node capability works well. Clients can use this node as an exit node.

When running tailscale inside a container and advertising exit node capability, clients have no Internet access.

Does exit node capability need additional configs when running inside a container?

Thanks

Jay · March 1, 2022, 3:09pm

Hello.
What is the host operating system that you’re using? I can try to reproduce your setup here and see what steps I need to take to get it working as expected.

narasp · March 1, 2022, 4:44pm

Thanks for your help, Jay. The host operating system is balenaOS (balena.io) and tailscale is running in one of the containers. Everything works as expected except for subnet routes and exit node functionality.

ouvoun · March 27, 2022, 9:35pm

@Jay I also have the same issue. Whenever I attempt to use a Tailscale exit node running within a Docker container on a Linux host, internet connectivity is lost.

I’ve tried a few different iOS clients without success. The exit node is running within Docker on an x86 Ubuntu host with the following Docker configuration:

version: "3"

services:
  tailscale:
    container_name: tailscale
    hostname: host
    image: tailscale/tailscale:latest
    command: tailscaled
    restart: always
    volumes:
      - ./config/tailscale:/var/lib
      - /dev/net/tun:/dev/net/tun
    privileged: true
    network_mode: host
    cap_add:
      - net_admin

DGentry · March 30, 2022, 4:42am

I think this is being tracked in Docker Breaks when Tailscale configured to use an exit node · Issue #3877 · tailscale/tailscale · GitHub

idy76d · April 22, 2022, 8:18pm

Facing the same issue. There are three kinds of error messages in the log for the tailscale container -

[unexpected] peerapi listen("...") error: listen tcp6 [...]:0: bind: cannot assign requested address

Drop: ICMPv4{...> ...} 56 destination not allowed

Drop: TCP{... > ...} 64 destination not allowed

Naustral · September 9, 2022, 2:36pm

Having a similar issue. It’s not the most reassuring to see that this has been a known issue for months and that no apparent action has been talen to address.

aquesnel · February 4, 2023, 6:58pm

FYI cross referencing a solution posted for getting tailscale exit nodes to work in docker containers

wpyoga · April 25, 2023, 6:25am

I’m copying my workaround from over there, just for convenience.

First, create a new bridge network:

docker network create --opt com.docker.network.driver.mtu=1280 mtu1280

Then, specify that network when creating the container:

docker run ... --network=mtu1280 ... tailscale/tailscale