I set up Headscale and Tailscale using Docker on a VPS, which I want to use as my public IPv4 and Reverse Proxy to route incoming traffic to my local network and e. g. my home server. I also set up Tailscale using Docker on my home server and connected both to my Headscale server.
I am able to ping on Tailscale container from the other and vice versa and set up –advertise-routes=192.168.178.0/24 on my home server as well as –accept-routes on my VPS, but I can’t ping local IP addresses from my VPS. What am I missing?
Both container are connected to the host network, I have opened UDP ports 41641 and 3478 on my VPS.

  • Dataprolet@lemmy.dbzer0.comOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 months ago

    Yes, both clients can tailscale ping each other and after doing so the status shows active; relay “ams”.

    Using tailcale ping 192.168.178.178 also works for some reason.

    Not sure what to do with the output of netmap.

    • Shadow@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      8 months ago

      Relay “ams” means you’re using tailscales DERP node in amsterdam, this is expected if you don’t have direct connectivity through your firewall. Since you opened the ports that’s unusual and worth looking into, but I’d worry about that after you get basic connectivity.

      So to confirm your behavior, you can tailscale ping each other fine and tailscale ping to the internal network. You cannot however ping from the OS to the remote internal network?

      Have you checked your routing tables to make sure the tailscale client added the route properly?

      Also have you checked your firewall rules? If you’re using ipfw or something, try just turning off iptables briefly and see if that lets you ping through.

      • Dataprolet@lemmy.dbzer0.comOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        So to confirm your behavior, you can tailscale ping each other fine and tailscale ping to the internal network. You cannot however ping from the OS to the remote internal network?

        Exactly.

        Have you checked your routing tables to make sure the tailscale client added the route properly?

        How do I do this? I use Headscale and headscale routes list shows the following:

        ID | Machine | Prefix           | Advertised | Enabled | Primary
        1  | server  | 0.0.0.0/0        | false      | false   | -
        2  | server  | ::/0             | false      | false   | -
        3  | server  | 192.168.178.0/24 | true       | true    | true
        

        Also have you checked your firewall rules? If you’re using ipfw or something, try just turning off iptables briefly and see if that lets you ping through.

        I’m not using a firewall, but the VPS is hosted on Hetzner, which has a firewall. But I already allowed UDP port 41641 and 41641. The wg0 rule is from the Wireguard setup I want to replace using Tailscale.

        # iptables --list-rules
        -P INPUT ACCEPT
        -P FORWARD ACCEPT
        -P OUTPUT ACCEPT
        -N DOCKER
        -N DOCKER-ISOLATION-STAGE-1
        -N DOCKER-ISOLATION-STAGE-2
        -N DOCKER-USER
        -A INPUT -s 100.64.0.0/10 -j ACCEPT
        -A FORWARD -j DOCKER-USER
        -A FORWARD -j DOCKER-ISOLATION-STAGE-1
        -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -o docker0 -j DOCKER
        -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
        -A FORWARD -i docker0 -o docker0 -j ACCEPT
        -A FORWARD -i wg0 -j ACCEPT
        -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
        -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 81 -j ACCEPT
        -A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
        -A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
        -A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
        -A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
        -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9001 -j ACCEPT
        -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
        -A DOCKER-ISOLATION-STAGE-1 -j RETURN
        -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
        -A DOCKER-ISOLATION-STAGE-2 -j RETURN
        -A DOCKER-USER -j RETURN
        
        • Shadow@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          How do I do this?

          Run ip route show table all

          I would expect to see a line like:

          192.168.178.0/24 dev tailscale0 table 52
          

          Out of curiosity on a remote node do tcpdump -i tailscale0 -n icmp and then do a ping from the other side, does tcpdump see the icmp packets come in?

          • Dataprolet@lemmy.dbzer0.comOP
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            There is no tailscale0, but also not on my home server which also runs Tailscale and which I can access remotely using my Android. Could my existing Wireguard setup interfere with Tailscale?

            • Shadow@lemmy.ca
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              8 months ago

              The tailscale client should have created an interface, but I’ve never used it on a box also running wg. You don’t have a tailscale specific interface in ip addr show at all? That’s… odd.

              Do you have a device at /dev/net/tun?

              • Dataprolet@lemmy.dbzer0.comOP
                link
                fedilink
                English
                arrow-up
                1
                ·
                8 months ago

                I’m not sure the Docker container is even using a tailscale interface, because there is none on my VPS or my home server.

                And how do I see whether I have a device at /dev/net/tun?