From 2ffd42fadf6f88a26135a59b99339e84892fc59b Mon Sep 17 00:00:00 2001 From: ljm42 Date: Mon, 21 Oct 2024 14:50:47 -0700 Subject: [PATCH 1/5] Add Tailscale-Docker integration details --- docs/unraid-os/manual/security/tailscale.md | 126 ++++++++++++++++++-- 1 file changed, 113 insertions(+), 13 deletions(-) diff --git a/docs/unraid-os/manual/security/tailscale.md b/docs/unraid-os/manual/security/tailscale.md index 3f863e635..3ee8643c4 100644 --- a/docs/unraid-os/manual/security/tailscale.md +++ b/docs/unraid-os/manual/security/tailscale.md @@ -8,7 +8,9 @@ At its simplest, Tailscale is another way to get remote access to your home netw But Tailscale is actually much more than that. Every machine you add goes onto your personal *Tailnet*, an "overlay network" that allows those machines to connect regardless of where they are physically located or how they are connected to the Internet. -And you can optionally share individual machines with other people, and other people can optionally share their machines with you. +And you can optionally share individual machines (including individual Docker containers!) with other people, and other people can optionally share their machines with you. + +## Getting Started To get started, first [sign up for a free Tailscale account](https://login.tailscale.com/start) and install it on at least one client machine (it is available for Windows/Mac/iOS/Android and more). A free account allows three users and 100 machines. 
@@ -24,7 +26,7 @@ Keep in mind that HTTPS Certificates are public, so make sure you are comfortabl ::: -To add Tailscale to Unraid: +## Adding Tailscale to Unraid 1. Navigate to Community Apps, search for **Tailscale plugin** and install it. Big thanks to [@EDACerton](https://forums.unraid.net/profile/244077-edacerton/) aka [@dkaser](https://github.com/dkaser) for all their work on this plugin! 2. Navigate to ***Settings → Tailscale*** and click **Reauthenticate** (you will sign in with your Tailscale account, not your Unraid.net account) 
@@ -32,14 +34,112 @@ To add Tailscale to Unraid: 4. If you are on Unraid 7.0.0-beta.3 or higher, navigate to ***Settings → Management Access*** to see your new Tailscale URL(s) which any system on your Tailnet can use to access the Unraid webgui. 5. Navigate to ***Settings → Tailscale*** to find this system's name and IP address on the Tailnet. This can be used to access SMB/NFS shares or most Docker containers, etc. Just replace the URL you normally use with the name/IP shown here. -If you would prefer to access the system by it's main IP, or if you want to access Docker containers that are on their own IPs, navigate to ***Settings → Tailscale***, click the **Viewing** button and **Sign In** - -1. Click **Subnet router** and add either: - 1. Your Unraid server's IP address in the format `192.168.0.12/32` - 2. Or your whole network's subnet in the format `192.168.0.0/24` -2. Then click **Advertise routes** -3. You will see a *Pending approval* message, and a link where you can approve the route -4. Once you approve the route, other machines on your Tailnet will be able to access either: - 1. Your Unraid server by its main IP - 2. Or everything on your network -5. See the Tailscale Docs for more information about [Subnet routing](https://tailscale.com/kb/1019/subnets) +If you would prefer to access the system by it's main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs: + +1. Navigate to ***Settings → Tailscale***, click the **Viewing** button and **Sign In** +2. Click **Subnet router** and add either: + 1. Your Unraid server's IP address in the format `192.168.0.12/32` + 2. Or your whole network's subnet in the format `192.168.0.0/24` +3. Then click **Advertise routes** +4. You will see a *Pending approval* message, and a link where you can approve the route +5. Once you approve the route, other machines on your Tailnet will be able to access either: + 1. Your Unraid server by its main IP + 2. 
Or everything on your network +6. See the Tailscale Docs for more information about [Subnet routing](https://tailscale.com/kb/1019/subnets) + +## Adding Tailscale to Docker containers + +### Introduction to Tailscale in Docker + +New to Unraid 7.0.0-rc.1 + +You can optionally add Tailscale to pretty much any Docker container managed by Unraid! Some of the benefits of doing this are: + +* The container will appear as a unique machine on your Tailnet, which means you can share just that container with other people without having to give them access to your whole server. See [Sharing](https://tailscale.com/kb/1084/sharing.) +* You can setup a VPN container to be an Exit Node, which any other machine on your Tailnet (or anyone you have shared this machine with) can use. See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +* You can configure the container to send its outgoing Internet traffic through an Exit Node on your Tailnet (or one that has been shared with you.) See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +* If the container has a website, enable Tailscale Serve to access it from your Tailnet via a friendly https url with a full certificate. No port is necessary! See [Serve](https://tailscale.com/kb/1312/serve). +* Or you can even make the container's website available on the Internet using Tailscale Funnel. See [Funnel](https://tailscale.com/kb/1223/funnel). + +### Install Tailscale everywhere + +If you plan to use Tailscale in your Docker containers we recommend installing it on any computer that needs to access these containers. The **Tailscale WebUI** URLs are much nicer than the default **WebUI** URLs, and in certain configurations ([see below](#userspace-networking)) the original container **WebUI** URLs stop working, requiring you to be on the Tailnet to access the container. 
+ +The Tailscale plugin for Unraid is technically *not required* for Docker integration, but for the best experience we recommend installing it and signing in to Tailscale on your Unraid server. + +### Install Tailscale in a Docker container + +1. Navigate to the ***Docker*** tab in the Unraid webGUI and edit a container +2. Enable the **Use Tailscale** switch +3. Provide the **Tailscale Hostname** for this container. It does not need to match the container name, but it must be unique on your Tailnet. + + :::warning + + Note that an HTTPS certificate will be generated for this hostname, which means it will be placed in a public ledger, so use a name that you don't mind being public. + For more details, see [enabling https](https://tailscale.com/kb/1153/enabling-https). + + ::: + +4. Specify whether this container will **Be an Exit Node** or not, this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +5. Specify whether this container should **Use an Exit Node** for its outgoing Internet traffic. If you have the Tailnet plugin installed on your server you will see a list of Exit Nodes to choose from. If not, you will need to provide the IP address of the Exit Node to use. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +6. If you chose to **Use an Exit Node**, specify whether the container should also have access to your LAN. +7. Depending on your previous choices, the **Tailscale Userspace Networking** field may already be set for you. If not, you will probably want to leave it **disabled**. [See below](#userspace-networking) for details. +8. Specify whether or not to enable **Tailscale SSH**. This is similar to the Docker **Console** option in the Unraid webGUI, except you connect with an SSH client and authenticate via Tailscale. 
For more details, see the [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh) documentation. +9. Enable **Serve** to easily reverse proxy a website in the container at a friendly https url with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation. + + :::warning + + Note that when accessing the Tailscale WebUI url via **Serve** or **Funnel**, no additional authentication layer is added - the container is still responsible for managing usernames/passwords that are allowed to access it. + + ::: + + 1. Unraid will automatically determine the best port to reverse proxy via **Serve** or **Funnel** based on the **WebUI** field for this container, visible by switching from **Basic View** to **Advanced View** in the upper right corner of the Edit Docker page. To override this value, enable **Tailscale Show Advanced Settings** and modify the **Tailscale Serve Port**. + 2. In most cases, specifying the port is all that is needed to get **Serve** or **Funnel** working. Additional settings are available behind the **Tailscale Show Advanced Settings** switch, see the inline help and the Tailscale documentation for [Tailscale Serve Command Line](https://tailscale.com/kb/1242/tailscale-serve) for details on using those advanced settings. + +## Updating Tailscale + +Tailscale is updated pretty regularly, see their [changelog](https://tailscale.com/changelog). + +To update the version of Tailscale used by Unraid itself, simply update the Tailscale plugin once an update is available. + +To update the version of Tailscale inside a Docker container, first hover over the Tailscale icon on the Docker listing page, it will tell you if an update is available. 
+There are two ways to update the container: + +1. On the Docker Listing page, switch from **Basic View** to **Advanced View** in the upper right corner of the page, then click the **Force update** option for this container. +2. Or you can edit the container, make a dummy change, and apply. + +## Technical Details + +### Userspace Networking + +:::tip + +You can ignore the details of **Userspace Networking** if you install Tailscale on all systems that need to access the containers, and if you always access the containers via the **Tailscale WebUI** URL. + +::: + +When **Userspace Networking** is *enabled*, the container will operate in a restricted environment. Tailscale DNS will not work, and the container will not be able to initiate connections to other Tailscale machines. However, the container will be reachable by either the **Tailscale WebUI** URL or the original **WebUI** url. + +When **Userspace Networking** is *disabled*, the container will have full access to your Tailnet. Tailscale DNS will work, and the container can fully communicate with other machines on the Tailnet. However, the original **WebUI** may not work, details below. + +:::info + +To be clear, a **Tailscale WebUI** URL is only accessible by other machines with Tailscale installed. They need to be on your Tailnet or you need to have shared the machine with them. 
+ +::: + +Certain Tailscale features have requirements that affect **Userspace Networking**: + +* Containers which have enabled **Be an Exit Node** always have **Userspace Networking** *enabled* +* Containers which **Use an Exit Node** always have **Userspace Networking** *disabled* + +Additionally, **Userspace Networking** options depends on the **Network type** of the container: + +* **host**: always has Userspace Networking *enabled* + * The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url +* **bridge**: defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired + * When **Userspace Networking** is *enabled* the container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url + * When **Userspace Networking** is *disabled* the container will only be accessible by the **Tailscale WebUI** URL and not the original **WebUI** url +* **eth0/br0/bond0**: defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired + * The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url, regardless of the **Userspace Networking** setting. +* **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested, the usefulness of adding Tailscale here is unclear From b14c4f28aa1cacbdcb77c1b9865acea8751126b9 Mon Sep 17 00:00:00 2001 From: ljm42 Date: Mon, 21 Oct 2024 17:09:26 -0700 Subject: [PATCH 2/5] Add Tailscale-Docker integration details --- docs/unraid-os/manual/security/tailscale.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/unraid-os/manual/security/tailscale.md b/docs/unraid-os/manual/security/tailscale.md index 3ee8643c4..4817e9691 100644 --- a/docs/unraid-os/manual/security/tailscale.md +++ b/docs/unraid-os/manual/security/tailscale.md 
@@ -143,3 +143,13 @@ Additionally, **Userspace Networking** options depends on the **Network type** o * **eth0/br0/bond0**: defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired * The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url, regardless of the **Userspace Networking** setting. * **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested, the usefulness of adding Tailscale here is unclear + +### How does the Unraid Tailscale-Docker integration work? + +When you enable the **Use Tailscale** switch and click **Apply**: + +1. Unraid will extract the default **Entrypoint** and **CMD** from the container +2. The **tailscale_container_hook** script will be mounted in the container to `/opt/unraid/tailscale-hook` and the container's **Entrypoint** will be modified to call it +3. The original **Entrypoint** and **CMD** from the container, alongside with the other necessary variables for Tailscale, will be passed to the Docker run command +4. When the container starts, the **tailscale_container_hook** script will be executed, which installs dependencies and then downloads and runs Tailscale +5. The **tailscale_container_hook** script will then run the original **Entrypoint** and **CMD** which was extracted in step 2 and the container will start as usual From 42382de49c44a8bc40881ed14bb761e135d07d24 Mon Sep 17 00:00:00 2001 From: Spencer Jones <61853631+spencerjunraid@users.noreply.github.com> Date: Tue, 22 Oct 2024 11:08:56 -0700 Subject: [PATCH 3/5] Update tailscale.md small edits and grammar --- docs/unraid-os/manual/security/tailscale.md | 38 ++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/unraid-os/manual/security/tailscale.md b/docs/unraid-os/manual/security/tailscale.md index 4817e9691..6f35627bd 100644 --- a/docs/unraid-os/manual/security/tailscale.md 
+++ b/docs/unraid-os/manual/security/tailscale.md @@ -34,14 +34,14 @@ Keep in mind that HTTPS Certificates are public, so make sure you are comfortabl 4. If you are on Unraid 7.0.0-beta.3 or higher, navigate to ***Settings → Management Access*** to see your new Tailscale URL(s) which any system on your Tailnet can use to access the Unraid webgui. 5. Navigate to ***Settings → Tailscale*** to find this system's name and IP address on the Tailnet. This can be used to access SMB/NFS shares or most Docker containers, etc. Just replace the URL you normally use with the name/IP shown here. -If you would prefer to access the system by it's main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs: +If you would prefer to access the system by its main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs: 1. Navigate to ***Settings → Tailscale***, click the **Viewing** button and **Sign In** 2. Click **Subnet router** and add either: 1. Your Unraid server's IP address in the format `192.168.0.12/32` 2. Or your whole network's subnet in the format `192.168.0.0/24` 3. Then click **Advertise routes** -4. You will see a *Pending approval* message, and a link where you can approve the route +4. You will see a *Pending approval* message and a link where you can approve the route 5. Once you approve the route, other machines on your Tailnet will be able to access either: 1. Your Unraid server by its main IP 2. Or everything on your network 
@@ -53,19 +53,19 @@ If you would prefer to access the system by it's main IP when connected to the T New to Unraid 7.0.0-rc.1 -You can optionally add Tailscale to pretty much any Docker container managed by Unraid! Some of the benefits of doing this are: +You can optionally add Tailscale to almost any Docker container managed by Unraid! Some of the benefits of doing this are: -* The container will appear as a unique machine on your Tailnet, which means you can share just that container with other people without having to give them access to your whole server. See [Sharing](https://tailscale.com/kb/1084/sharing.) -* You can setup a VPN container to be an Exit Node, which any other machine on your Tailnet (or anyone you have shared this machine with) can use. See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +* The container will appear as a unique machine on your Tailnet, which means you can share just that container with other people without giving them access to your whole server. See [Sharing](https://tailscale.com/kb/1084/sharing.) +* You can set up a VPN container to be an Exit Node, which any other machine on your Tailnet (or anyone you have shared this machine with) can use. See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). * You can configure the container to send its outgoing Internet traffic through an Exit Node on your Tailnet (or one that has been shared with you.) See [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). -* If the container has a website, enable Tailscale Serve to access it from your Tailnet via a friendly https url with a full certificate. No port is necessary! See [Serve](https://tailscale.com/kb/1312/serve). +* If the container has a website, enable Tailscale Serve to access it from your Tailnet via a friendly https URL with a full certificate. No port forwarding is necessary! See [Serve](https://tailscale.com/kb/1312/serve). 
* Or you can even make the container's website available on the Internet using Tailscale Funnel. See [Funnel](https://tailscale.com/kb/1223/funnel). ### Install Tailscale everywhere -If you plan to use Tailscale in your Docker containers we recommend installing it on any computer that needs to access these containers. The **Tailscale WebUI** URLs are much nicer than the default **WebUI** URLs, and in certain configurations ([see below](#userspace-networking)) the original container **WebUI** URLs stop working, requiring you to be on the Tailnet to access the container. +If you plan to use Tailscale in your Docker containers, we recommend installing it on any computer that needs to access these containers. The **Tailscale WebUI** URLs are much nicer than the default **WebUI** URLs, and in certain configurations ([see below](#userspace-networking)) the original container **WebUI** URLs stop working, requiring you to be on the Tailnet to access the container. -The Tailscale plugin for Unraid is technically *not required* for Docker integration, but for the best experience we recommend installing it and signing in to Tailscale on your Unraid server. +The Tailscale plugin for Unraid is technically *not required* for Docker integration, but for the best experience, we recommend installing it and signing in to Tailscale on your Unraid server. ### Install Tailscale in a Docker container 
@@ -80,29 +80,29 @@ The Tailscale plugin for Unraid is technically *not required* for Docker integra ::: -4. Specify whether this container will **Be an Exit Node** or not, this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +4. Specify whether this container will **Be an Exit Node** or not; this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). 5. Specify whether this container should **Use an Exit Node** for its outgoing Internet traffic. If you have the Tailnet plugin installed on your server you will see a list of Exit Nodes to choose from. If not, you will need to provide the IP address of the Exit Node to use. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). 6. If you chose to **Use an Exit Node**, specify whether the container should also have access to your LAN. 7. Depending on your previous choices, the **Tailscale Userspace Networking** field may already be set for you. If not, you will probably want to leave it **disabled**. [See below](#userspace-networking) for details. 8. Specify whether or not to enable **Tailscale SSH**. This is similar to the Docker **Console** option in the Unraid webGUI, except you connect with an SSH client and authenticate via Tailscale. For more details, see the [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh) documentation. -9. Enable **Serve** to easily reverse proxy a website in the container at a friendly https url with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) 
See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation. +9. Enable **Serve** to easily reverse proxy a website in the container at a friendly https URL with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation. :::warning - Note that when accessing the Tailscale WebUI url via **Serve** or **Funnel**, no additional authentication layer is added - the container is still responsible for managing usernames/passwords that are allowed to access it. + Note that when accessing the Tailscale WebUI URL via **Serve** or **Funnel**, no additional authentication layer is added - the container is still responsible for managing usernames/passwords that are allowed to access it. ::: 1. Unraid will automatically determine the best port to reverse proxy via **Serve** or **Funnel** based on the **WebUI** field for this container, visible by switching from **Basic View** to **Advanced View** in the upper right corner of the Edit Docker page. To override this value, enable **Tailscale Show Advanced Settings** and modify the **Tailscale Serve Port**. - 2. In most cases, specifying the port is all that is needed to get **Serve** or **Funnel** working. Additional settings are available behind the **Tailscale Show Advanced Settings** switch, see the inline help and the Tailscale documentation for [Tailscale Serve Command Line](https://tailscale.com/kb/1242/tailscale-serve) for details on using those advanced settings. + 2. In most cases, specifying the port is all that is needed to get **Serve** or **Funnel** working. Additional settings are available behind the **Tailscale Show Advanced Settings** switch. 
See the inline help and the Tailscale documentation for [Tailscale Serve Command Line](https://tailscale.com/kb/1242/tailscale-serve) for details on using those advanced settings. ## Updating Tailscale -Tailscale is updated pretty regularly, see their [changelog](https://tailscale.com/changelog). +Tailscale is updated regularly. See their [changelog](https://tailscale.com/changelog). To update the version of Tailscale used by Unraid itself, simply update the Tailscale plugin once an update is available. -To update the version of Tailscale inside a Docker container, first hover over the Tailscale icon on the Docker listing page, it will tell you if an update is available. +To update the version of Tailscale inside a Docker container, first hover over the Tailscale icon on the Docker listing page. It will tell you if an update is available. There are two ways to update the container: 1. On the Docker Listing page, switch from **Basic View** to **Advanced View** in the upper right corner of the page, then click the **Force update** option for this container. 
@@ -114,11 +114,11 @@ There are two ways to update the container: :::tip -You can ignore the details of **Userspace Networking** if you install Tailscale on all systems that need to access the containers, and if you always access the containers via the **Tailscale WebUI** URL. +You can ignore the details of **Userspace Networking** if you install Tailscale on all systems that need to access the containers and if you always access the containers via the **Tailscale WebUI** URL. ::: -When **Userspace Networking** is *enabled*, the container will operate in a restricted environment. Tailscale DNS will not work, and the container will not be able to initiate connections to other Tailscale machines. However, the container will be reachable by either the **Tailscale WebUI** URL or the original **WebUI** url. +When **Userspace Networking** is *enabled*, the container will operate in a restricted environment. Tailscale DNS will not work, and the container will not be able to initiate connections to other Tailscale machines. However, the container will be reachable by either the **Tailscale WebUI** URL or the original **WebUI** URL. When **Userspace Networking** is *disabled*, the container will have full access to your Tailnet. Tailscale DNS will work, and the container can fully communicate with other machines on the Tailnet. However, the original **WebUI** may not work, details below. 
@@ -141,8 +141,8 @@ Additionally, **Userspace Networking** options depends on the **Network type** o * When **Userspace Networking** is *enabled* the container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url * When **Userspace Networking** is *disabled* the container will only be accessible by the **Tailscale WebUI** URL and not the original **WebUI** url * **eth0/br0/bond0**: defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired - * The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** url, regardless of the **Userspace Networking** setting. -* **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested, the usefulness of adding Tailscale here is unclear + * The container will be accessible by both the **Tailscale WebUI** URL and the original **WebUI** URL, regardless of the **Userspace Networking** setting. +* **container/wg0**: currently defaults to having Userspace Networking *disabled*, but it can be *enabled* if desired. Note that this is untested. The usefulness of adding Tailscale here is unclear ### How does the Unraid Tailscale-Docker integration work? 
@@ -150,6 +150,6 @@ When you enable the **Use Tailscale** switch and click **Apply**: 1. Unraid will extract the default **Entrypoint** and **CMD** from the container 2. The **tailscale_container_hook** script will be mounted in the container to `/opt/unraid/tailscale-hook` and the container's **Entrypoint** will be modified to call it -3. The original **Entrypoint** and **CMD** from the container, alongside with the other necessary variables for Tailscale, will be passed to the Docker run command +3. The original **Entrypoint** and **CMD** from the container, alongside the other necessary variables for Tailscale, will be passed to the Docker run command 4. When the container starts, the **tailscale_container_hook** script will be executed, which installs dependencies and then downloads and runs Tailscale 5. The **tailscale_container_hook** script will then run the original **Entrypoint** and **CMD** which was extracted in step 2 and the container will start as usual From f97dd2d2cae32faf6f4c9840b04ef6e83e70dc71 Mon Sep 17 00:00:00 2001 From: ljm42 Date: Mon, 28 Oct 2024 10:53:50 -0700 Subject: [PATCH 4/5] Add Tailscale-Docker integration details --- docs/unraid-os/manual/security/tailscale.md | 19 ++++++++++--------- docs/unraid-os/release-notes/7.0.0.md | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/unraid-os/manual/security/tailscale.md b/docs/unraid-os/manual/security/tailscale.md index 6f35627bd..4f8674fa8 100644 --- a/docs/unraid-os/manual/security/tailscale.md +++ b/docs/unraid-os/manual/security/tailscale.md 
@@ -69,9 +69,10 @@ The Tailscale plugin for Unraid is technically *not required* for Docker integra ### Install Tailscale in a Docker container -1. Navigate to the ***Docker*** tab in the Unraid webGUI and edit a container -2. Enable the **Use Tailscale** switch -3. Provide the **Tailscale Hostname** for this container. It does not need to match the container name, but it must be unique on your Tailnet. +1. Review the [Getting Started](#getting-started) section above, there are some adjustments you'll want to make to your Tailscale account before continuing +2. Navigate to the ***Docker*** tab in the Unraid webGUI and edit a container +3. Enable the **Use Tailscale** switch +4. Provide the **Tailscale Hostname** for this container. It does not need to match the container name, but it must be unique on your Tailnet. :::warning 
@@ -80,12 +81,12 @@ The Tailscale plugin for Unraid is technically *not required* for Docker integra ::: -4. Specify whether this container will **Be an Exit Node** or not; this is most useful for containers that connect to commercial VPN services. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). -5. Specify whether this container should **Use an Exit Node** for its outgoing Internet traffic. If you have the Tailnet plugin installed on your server you will see a list of Exit Nodes to choose from. If not, you will need to provide the IP address of the Exit Node to use. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). -6. If you chose to **Use an Exit Node**, specify whether the container should also have access to your LAN. -7. Depending on your previous choices, the **Tailscale Userspace Networking** field may already be set for you. If not, you will probably want to leave it **disabled**. [See below](#userspace-networking) for details. -8. Specify whether or not to enable **Tailscale SSH**. This is similar to the Docker **Console** option in the Unraid webGUI, except you connect with an SSH client and authenticate via Tailscale. For more details, see the [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh) documentation. -9. Enable **Serve** to easily reverse proxy a website in the container at a friendly https URL with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation. +5. Specify whether this container will **Be an Exit Node** or not, this is most useful for containers that connect to commercial VPN services. 
For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +6. Specify whether this container should **Use an Exit Node** for its outgoing Internet traffic. If you have the Tailnet plugin installed on your server you will see a list of Exit Nodes to choose from. If not, you will need to provide the IP address of the Exit Node to use. For more details, see the Tailscale documentation on [Exit Nodes](https://tailscale.com/kb/1103/exit-nodes). +7. If you chose to **Use an Exit Node**, specify whether the container should also have access to your LAN. +8. Depending on your previous choices, the **Tailscale Userspace Networking** field may already be set for you. If not, you will probably want to leave it **disabled**. [See below](#userspace-networking) for details. +9. Specify whether or not to enable **Tailscale SSH**. This is similar to the Docker **Console** option in the Unraid webGUI, except you connect with an SSH client and authenticate via Tailscale. For more details, see the [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh) documentation. +10. Enable **Serve** to easily reverse proxy a website in the container at a friendly https url with a full certificate. For more details, see the [Tailscale Serve](https://tailscale.com/kb/1312/serve) documentation. Or enable **Funnel** to make the container's website available on the open Internet (use with care as the container is likely to be attacked!) See the [Tailscale Funnel](https://tailscale.com/kb/1223/funnel) documentation. :::warning diff --git a/docs/unraid-os/release-notes/7.0.0.md b/docs/unraid-os/release-notes/7.0.0.md index 9dc219593..6fdc2fa62 100644 --- a/docs/unraid-os/release-notes/7.0.0.md +++ b/docs/unraid-os/release-notes/7.0.0.md 
@@ -265,7 +265,7 @@ If retaining the ability to downgrade to earlier releases is important, then swi * See [Tailscale integration](#tailscale-integration) * Allow custom registry with a port specification * Use "lazy unmount" unmount of docker image to prevent blocking array stop -* Updated to address multiple security issues (CVE-2024-21626, CVE-2024-24557) <<<< @TOM: do we need this +* Updated to address multiple security issues (CVE-2024-21626, CVE-2024-24557) * Docker Manager: * Allow users to select Container networks in the WebUI * Correctly identify/show non dockerman Managed containers From 52cffd0afb19118f031b2ddd851042805b31a368 Mon Sep 17 00:00:00 2001 From: ljm42 Date: Mon, 28 Oct 2024 11:33:27 -0700 Subject: [PATCH 5/5] Add Tailscale-Docker integration details --- docs/unraid-os/manual/security/tailscale.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/unraid-os/manual/security/tailscale.md b/docs/unraid-os/manual/security/tailscale.md index 4f8674fa8..013c4a2b6 100644 --- a/docs/unraid-os/manual/security/tailscale.md +++ b/docs/unraid-os/manual/security/tailscale.md 
@@ -28,11 +28,14 @@ Keep in mind that HTTPS Certificates are public, so make sure you are comfortabl ## Adding Tailscale to Unraid -1. Navigate to Community Apps, search for **Tailscale plugin** and install it. Big thanks to [@EDACerton](https://forums.unraid.net/profile/244077-edacerton/) aka [@dkaser](https://github.com/dkaser) for all their work on this plugin! -2. Navigate to ***Settings → Tailscale*** and click **Reauthenticate** (you will sign in with your Tailscale account, not your Unraid.net account) -3. Click **Connect** to add this system to your Tailnet. You can then close the window. -4. If you are on Unraid 7.0.0-beta.3 or higher, navigate to ***Settings → Management Access*** to see your new Tailscale URL(s) which any system on your Tailnet can use to access the Unraid webgui. -5. Navigate to ***Settings → Tailscale*** to find this system's name and IP address on the Tailnet. This can be used to access SMB/NFS shares or most Docker containers, etc. Just replace the URL you normally use with the name/IP shown here. +1. Review the [Getting Started](#getting-started) section above, there are some adjustments you'll want to make to your Tailscale account before continuing +2. Navigate to Community Apps, search for **Tailscale plugin** and install it. Big thanks to [@EDACerton](https://forums.unraid.net/profile/244077-edacerton/) aka [@dkaser](https://github.com/dkaser) for all their work on this plugin! +3. Navigate to ***Settings → Tailscale*** and click **Reauthenticate** (you will sign in with your Tailscale account, not your Unraid.net account) +4. Click **Connect** to add this system to your Tailnet. You can then close the window. +5. If you are on Unraid 7.0.0-beta.3 or higher, navigate to ***Settings → Management Access*** to see your new Tailscale URL(s) which any system on your Tailnet can use to access the Unraid webGUI. +6. Navigate to ***Settings → Tailscale*** to find this system's name and IP address on the Tailnet. 
This can be used to access SMB/NFS shares or most Docker containers, etc. Just replace the URL you normally use with the name/IP shown here. + +### Subnet routing (optional) If you would prefer to access the system by its main IP when connected to the Tailnet, or if you want to access Docker containers that are on their own IPs:
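Review bot: the rewritten step 5 in the `@@ -80,12 +81,12 @@` hunk of tailscale.md replaces the original semicolon with a comma, creating a comma splice: "**Be an Exit Node** or not, this is most useful for containers..." should keep "or not; this is most useful" (or become two sentences). Two smaller things in the same hunk: step 10 lowercases "https URL" to "https url" although the rest of the page writes "URL", and the unchanged wording "If you have the Tailnet plugin installed" in step 6 refers to what the page elsewhere calls the **Tailscale plugin**, so since the line is being re-emitted anyway it is a good moment to fix that name. The renumbering from 4-9 to 5-10 also implies a new step 4 was inserted above this hunk's context; worth double-checking that the `#userspace-networking` anchor still resolves after that insertion.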
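Review bot: the `@@ -265,7 +265,7 @@` hunk in 7.0.0.md drops the "<<<< @TOM: do we need this" editor note, which leaves the bullet "Updated to address multiple security issues (CVE-2024-21626, CVE-2024-24557)" as final copy without saying which bundled component was updated or to which version; consider naming the component and linking the advisories so readers can tell whether their install is affected. This release-notes cleanup is also unrelated to the commit subject "Add Tailscale-Docker integration details" and would be easier to track as its own commit.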
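Review bot: the new step 1 in the `@@ -28,11 +28,14 @@` hunk of tailscale.md is a comma splice: "Review the [Getting Started](#getting-started) section above, there are some adjustments you'll want to make..." should read "section above; there are some adjustments" (or split the sentence), and it is the only item in the list without a terminating period. The added "### Subnet routing (optional)" heading matches the page's "##"/"###" convention, and the "webgui" to "webGUI" change in step 5 brings it in line with the rest of the page; since steps 2-6 are otherwise only renumbered, the diff could be smaller if the list used "1." for every item, which Markdown renders as a sequence.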