November 8, 2025 / Articles, Docker, Tailscale

After struggling with SSL client VPNs and other Windows VPN solutions to reach my home lab, I set up Tailscale to simplify this. Tailscale is a zero-config VPN (Virtual Private Network) that creates a secure, private network between your devices, no matter where they are located. It uses the WireGuard protocol to build a peer-to-peer mesh network, allowing devices to connect directly to each other without the complex firewall rules and port forwarding typically associated with traditional VPNs.


First we need a Tailscale tailnet. Go to https://login.tailscale.com/ and create your own tailnet with your Microsoft, Google or other identity provider.
After creating it, install the first Tailscale client, for example on your Windows device or mobile device. Once the client is installed, it is automatically added to your tailnet.

Go to Settings and then, under Personal Settings / Keys, generate an auth key. Enable Reusable and give it a description (save the key for later use).

Now we need to add your Docker host to your tailnet.

First, IP forwarding needs to be enabled on the host:
SSH into your host and change to /etc
Open sysctl.conf with nano and uncomment the line “net.ipv4.ip_forward = 1”
Save the file
Run sysctl -p to apply it

As I run Docker with Docker Compose, I used the following service definition.
Replace the TS_AUTHKEY value with the auth key you created earlier in your tailnet.

tailscale:
  container_name: tailscale
  image: tailscale/tailscale:latest
  restart: unless-stopped
  network_mode: host
  privileged: true
  environment:
    - TS_HOSTNAME=tailscale
    - TS_AUTHKEY=tskey-auth-XXXXXXXXXXXXX  # replace with your own reusable auth key
    - TS_EXTRA_ARGS=--advertise-exit-node
    - TS_STATE_DIR=/var/lib/tailscale  # persistent node state, so the machine is not ephemeral
    - TS_USERSPACE=false  # kernel (TUN) networking instead of userspace mode
    - TS_AUTH_ONCE=false  # false: run 'tailscale up' on every start; true: log in only if not already logged in
    - TS_ACCEPT_DNS=false  # do not take DNS settings (MagicDNS) from the tailnet
    - TS_ROUTES=192.168.1.0/24  # local LAN subnet to advertise; adjust to your network
  volumes:
    - /home/docker/tailscale/data:/var/lib  # host dir backing /var/lib, so the state dir /var/lib/tailscale persists
    - /dev/net/tun:/dev/net/tun
    - /home/docker/tailscale/config:/config  # host dir for any further config
  cap_add:
    - net_admin
    - net_raw
    - sys_module
  labels:
    com.centurylinklabs.watchtower.enable: "true"

Now run the container and it will appear in your tailnet under Machines.
Go to the newly added Docker machine, press the three dots and choose ‘Disable Key Expiration’. Then press them again and go to ‘Edit route settings’. Approve the advertised route so your local LAN route is accepted.
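As an added pre-flight check that is not part of the original post, the script below validates the two host-side steps above offline: the sysctl edit and the environment, volumes and cap_add entries of the tailscale service. It assumes the compose values are handed in as plain Python lists (the sample values are constructed to match the fragment above, with the placeholder key left in).

```python
# Added example, not part of the original post: offline checks for the sysctl
# step and the compose fragment above. Inputs are constructed; nothing here
# talks to Docker or Tailscale.
import ipaddress
import re

def ip_forward_enabled(sysctl_conf: str) -> bool:
    """True if the last uncommented net.ipv4.ip_forward line sets it to 1."""
    enabled = False
    for line in sysctl_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", line)
        if m:
            enabled = m.group(1) == "1"               # last assignment wins
    return enabled

def check_compose(environment, volumes, cap_add):
    """Return a list of findings for the tailscale service; empty means OK."""
    env = dict(item.split("=", 1) for item in environment)
    mounts = {v.split(":")[1] for v in volumes}       # container-side paths
    findings = []
    key = env.get("TS_AUTHKEY", "")
    if not key.startswith("tskey-auth-") or "XXXX" in key:
        findings.append("TS_AUTHKEY missing or still the placeholder")
    for cidr in env.get("TS_ROUTES", "").split(","):
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            findings.append(f"TS_ROUTES entry {cidr.strip()!r} is not a valid network")
            continue
        if not net.is_private:
            findings.append(f"TS_ROUTES {net} is not a private range")
    state = env.get("TS_STATE_DIR", "/var/lib/tailscale")
    if not any(state == m or state.startswith(m.rstrip("/") + "/") for m in mounts):
        findings.append(f"TS_STATE_DIR {state} is not on a volume; node identity is lost on recreate")
    if env.get("TS_USERSPACE", "true").lower() == "false":   # kernel (TUN) mode
        if "/dev/net/tun" not in mounts:
            findings.append("kernel mode needs /dev/net/tun mapped into the container")
        if "net_admin" not in {c.lower() for c in cap_add}:
            findings.append("kernel mode needs the net_admin capability")
    return findings

# Constructed sample matching the compose fragment in the post (placeholder key).
SAMPLE_ENV = ["TS_AUTHKEY=tskey-auth-XXXXXXXXXXXXX", "TS_STATE_DIR=/var/lib/tailscale",
              "TS_USERSPACE=false", "TS_ROUTES=192.168.1.0/24"]
SAMPLE_VOLUMES = ["/home/docker/tailscale/data:/var/lib", "/dev/net/tun:/dev/net/tun"]
SAMPLE_CAPS = ["net_admin", "net_raw", "sys_module"]
SAMPLE_SYSCTL = "# net.ipv4.ip_forward = 1\nnet.ipv4.ip_forward = 1\n"
if __name__ == "__main__":   # stand-alone run: prints the results for the sample
    print(ip_forward_enabled(SAMPLE_SYSCTL), check_compose(SAMPLE_ENV, SAMPLE_VOLUMES, SAMPLE_CAPS))
```

With the fragment as posted, the only finding is the placeholder auth key; the capability check looks at cap_add only, so it still fires when you rely on privileged: true alone.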
