❓ Problem: Vault UI not reachable via Tailscale Subnet Router
autodynation
PROOP

6 months ago

Hi everyone,

I’ve deployed HashiCorp Vault in a Railway project and want to access the UI through the Tailscale Subnet Router.
The goal is to have full access to the internal railway.internal network, not just selective ports via the forwarder.

Setup (shortened)

  • Service: Vault (official HashiCorp image)

  • Config (excerpt):

    ui = true
    api_addr = "http://0.0.0.0:8200"
    
    listener "tcp" {
      address     = "0.0.0.0:8200"
      tls_disable = true
    }
    
    storage "postgresql" {
      connection_url = "…"
      ha_enabled     = true
    }
    
    disable_mlock = true
    
  • Dockerfile (excerpt):

    FROM hashicorp/vault:1.15
    COPY vault-config.hcl /vault/config/vault-config.hcl
    COPY docker-entrypoint.sh /docker-entrypoint.sh
    RUN chmod +x /docker-entrypoint.sh
    
    EXPOSE 8200
    ENTRYPOINT ["/docker-entrypoint.sh"]
    
  • Subnet Router: deployed via Railway template

  • Workstation: Tailscale running with --accept-routes --accept-dns

Observation

  • DNS resolution works: <service>.railway.internal resolves to an internal address ✅

  • But connection fails:

    nc -zv <service>.railway.internal 8200
    → Connection refused
    
  • Railway logs show Vault starting and supposedly listening on 0.0.0.0:8200.

Question

  • Is EXPOSE 8200 enough for the port to be reachable via the Subnet Router?

  • Is there any extra configuration needed on Railway to expose UI ports (HTTP) through the Subnet Router?

  • Has anyone successfully exposed Vault or similar services (with a web UI) through the Subnet Router into their Tailnet?

🙏 Thanks a lot for any pointers!

Solved

3 Replies

Railway
BOT

6 months ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


brody
EMPLOYEE

6 months ago

Hello,

The private network is IPv6 only, so for the subnet router to be able to talk to services over the private network, all the target services need to be listening on IPv6. 0.0.0.0 is an IPv4 address.

https://docs.railway.com/guides/private-networking#communicating-over-the-private-network

Best,
Brody
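The listener change Brody describes, written out as an added example (this is not the poster's config or anything from the Railway docs); the Vault config keys are the real ones from the original post, and `<service>` is a placeholder for the Railway service name.

```hcl
ui = true

# Advertised address for clients and other HA nodes. It has to be a URL they
# can actually reach, so the private hostname is used here instead of a
# wildcard. "<service>" is a placeholder for the Railway service name.
api_addr = "http://<service>.railway.internal:8200"

# Before: binds the IPv4 wildcard only. The Railway private network is IPv6
# only, so nothing is listening on it and the subnet router sees
# "Connection refused".
#
# listener "tcp" {
#   address     = "0.0.0.0:8200"
#   tls_disable = true
# }

# After: bind the IPv6 wildcard. On Linux this dual-stack socket also accepts
# IPv4 connections, so anything that reached 0.0.0.0 before still works.
listener "tcp" {
  address     = "[::]:8200"
  tls_disable = true
}

storage "postgresql" {
  connection_url = "…"
  ha_enabled     = true
}

disable_mlock = true
```

After redeploying, the check from the question (`nc -zv <service>.railway.internal 8200`) should connect over the resolved IPv6 address instead of being refused.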


Status changed to Awaiting User Response Railway 6 months ago


autodynation
PROOP

6 months ago

ah thanks a lot. That fixed the issue!


Status changed to Awaiting Railway Response Railway 6 months ago


Status changed to Solved autodynation 6 months ago

