5 months ago
I'm trying to connect a container to a Tailscale network in such a way that I can make some server-side requests from a Next.js app towards hosts on the Tailscale network.
I have managed to get the container to connect to the network using "Userspace networking mode",
and I am able to ping or even connect to the Next.js app using the local Tailscale IP.
I am, however, unable to make any outgoing requests using the Tailscale network,
and I'm a bit stuck.
Dockerfile
# Build stage
FROM node:22-alpine AS builder
# Build-time variables. Note: values passed in via ARG and written to ENV here are
# recorded in this stage's image config and history, so secrets should be supplied
# at runtime rather than baked into the image.
ARG DATABASE_URL
ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
ARG CLERK_SECRET_KEY
ARG NODE_ENV
ARG TAILSCALE_AUTHKEY
# With NODE_ENV=production, npm install skips devDependencies, so everything
# `next build` needs has to be listed under dependencies.
ENV NODE_ENV=production \
    DATABASE_URL=$DATABASE_URL \
    NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
    CLERK_SECRET_KEY=$CLERK_SECRET_KEY \
    TAILSCALE_STATE_DIR=/var/lib/tailscale \
    TAILSCALE_HOSTNAME=overmind \
    TAILSCALE_AUTHKEY=$TAILSCALE_AUTHKEY
WORKDIR /app
COPY . .
RUN npm install
RUN npm run build

# Runtime stage. ENV set in the builder stage does NOT carry over into this stage,
# so TAILSCALE_AUTHKEY, CLERK_SECRET_KEY and DATABASE_URL must be injected as
# runtime environment variables for start.sh to see them.
FROM node:22-alpine
WORKDIR /app
COPY --from=builder /app /app
# tailscaled and the tailscale CLI, taken from the official image
COPY --from=docker.io/tailscale/tailscale:stable /usr/local/bin/tailscaled /app/tailscaled
COPY --from=docker.io/tailscale/tailscale:stable /usr/local/bin/tailscale /app/tailscale
# /var/run/tailscale holds tailscaled.sock, the control socket the CLI talks to
RUN mkdir -p /var/run/tailscale /var/cache/tailscale /var/lib/tailscale \
    && chmod +x /app/start.sh
EXPOSE 3000
CMD ["/app/start.sh"]
start.sh:
#!/bin/sh
set -eu
if [ -e /dev/net/tun ]; then
  echo "TUN is available"
else
  echo "TUN is not available."
fi
# Userspace networking needs no TUN device; outbound traffic is offered as a SOCKS5
# and an HTTP CONNECT proxy (they may share one port). --state=mem: keeps node state
# in memory only, so the node is ephemeral and re-registers on every start.
/app/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 \
  --outbound-http-proxy-listen=localhost:1055 --state=mem: &
# Wait for tailscaled's control socket before talking to it with the CLI.
until [ -S /var/run/tailscale/tailscaled.sock ]; do sleep 0.2; done
/app/tailscale up --auth-key="${TAILSCALE_AUTHKEY}" --hostname=overmind --accept-routes=true --accept-dns=true
# Connectivity check: an ICMP ping cannot be sent through a SOCKS proxy, but the
# CLI's own ping works in userspace mode:
# /app/tailscale ping 100.71.207.46
# Proxy settings for the app. Note that Node's built-in fetch and http modules do
# not read these variables by themselves; clients such as curl do.
export http_proxy=http://localhost:1055/
export https_proxy=http://localhost:1055/
exec npm run start
Any suggestions on how I can make this work would be greatly appreciated.
6 Replies
5 months ago
This is a good starting point for sure, I bet it's just one missed configuration, I'll look into getting this to work.
5 months ago
Crossposting for visibility -
Update: it is not possible to run Tailscale in a container for the purposes of connecting out to other devices on the tailnet.
The containers lack sufficient privileges to use even userspace tunneling, and this is not something we will be changing with the current runtime version.
Our next runtime, based around VMs instead of containers will allow you to do userspace or kernel tunneling, so keep an eye on our changelog for that.
Going to mark this as solved for now.
Status changed to Solved brody • 5 months ago
Status changed to Open brody • 5 months ago
5 months ago
Another update, this time with far better news -
My team member has come up with a very nice workaround in the form of port forwarding -
https://railway.com/template/railtail
Give it a Tailscale key, tell it what port to listen on and where to forward that traffic to, and then connect to the service in place of the machine on your tailnet.
Please let us know of any difficulties!
3 months ago
That link brings me to a 404. Is there an updated template for this?
3 months ago
Ah, we changed the template short code to a custom one - https://railway.com/template/railtail
3 months ago
Thank you. You're supersonic on that response time.
Also this worked!
Status changed to Solved brody • 3 months ago