# MikroTik Tailscale Container

**Status:** Completed
**Implemented:** 2026-01-25

---

## Overview

Tailscale VPN running as a container on MikroTik for secure remote access to the home network.

## Architecture

```
┌─────────────────────────────────────────────────────────────────────┐
│                          MikroTik hAP ax³                           │
│                                                                     │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                 containers-br (172.17.0.1/24)                 │  │
│  │  ┌─────────────────┐       ┌─────────────────┐                │  │
│  │  │  veth-adguard   │       │ veth-tailscale  │                │  │
│  │  │   172.17.0.2    │       │   172.17.0.3    │                │  │
│  │  └────────┬────────┘       └────────┬────────┘                │  │
│  └───────────┼─────────────────────────┼─────────────────────────┘  │
│              │                         │                            │
│              ▼                         ▼                            │
│   ┌─────────────────────┐   ┌─────────────────────┐                 │
│   │    AdGuard Home     │   │      Tailscale      │                 │
│   │   (DNS filtering)   │   │    (VPN tunnel)     │                 │
│   └─────────────────────┘   └─────────────────────┘                 │
│                                        │                            │
└────────────────────────────────────────┼────────────────────────────┘
                                         │
                                         ▼
                           Tailscale Network (100.x.x.x)
```

## Container Configuration

| Setting | Value |
|---------|-------|
| Image | tailscale/tailscale:latest |
| Interface | veth-tailscale |
| Container IP | 172.17.0.3/24 |
| Gateway | 172.17.0.1 |
| Root dir | usb1/tailscale/root |
| Mount | ts-state → /var/lib/tailscale |
| Start on boot | yes |

## Environment Variables

| Variable | Value | Purpose |
|----------|-------|---------|
| TS_USERSPACE | true | Run in userspace mode (no kernel module) |
| TS_STATE_DIR | /var/lib/tailscale | State persistence directory |
| TS_SOCKET | /var/run/tailscale/tailscaled.sock | Socket location |

## Mounts

| Name | Source | Destination |
|------|--------|-------------|
| ts-state | usb1/tailscale/state | /var/lib/tailscale |

## Setup

### Prerequisites

1. Container bridge must exist (run `mikrotik-containers-bridge-setup.rsc` first)
2. USB storage mounted as usb1

### Initial Setup

1. Run `mikrotik-tailscale-setup.rsc` script
2. Wait for image extraction
3. Check logs for authentication URL:

   ```routeros
   :log print where message~"login.tailscale"
   ```

4. Visit the URL to authenticate with your Tailscale account

### Manual Setup Commands

```routeros
# Create veth
/interface veth add name=veth-tailscale address=172.17.0.3/24 gateway=172.17.0.1

# Add to bridge
/interface bridge port add bridge=containers-br interface=veth-tailscale

# Create mount
/container/mounts/add list=ts-state src=usb1/tailscale/state dst=/var/lib/tailscale

# Create environment variables
/container/envs/add list=ts-env key=TS_USERSPACE value=true
/container/envs/add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
/container/envs/add list=ts-env key=TS_SOCKET value=/var/run/tailscale/tailscaled.sock

# Create container
/container/add remote-image=tailscale/tailscale:latest interface=veth-tailscale root-dir=usb1/tailscale/root logging=yes start-on-boot=yes dns=8.8.8.8 name=tailscale

# After extraction completes
/container/set [find name=tailscale] mountlists=ts-state envlists=ts-env

# Start
/container/start [find name=tailscale]
```

## Troubleshooting

### Check container status

```routeros
/container print
```

### Check logs

```routeros
:log print where topics~"container" and message~"tailscale"
```

### Find authentication URL

```routeros
:log print where message~"login.tailscale"
```

### Container fails to reach internet

1. Verify bridge exists: `/interface bridge print`
2. Verify veth is in bridge: `/interface bridge port print`
3. Verify NAT rule exists: `/ip firewall nat print where comment~"Container"`
4. Check route: `/ip route print where dst-address~"172.17"`

### Re-authenticate

If authentication expires, restart the container and check logs for the new auth URL:

```routeros
/container stop [find name=tailscale]
/container start [find name=tailscale]
:delay 10s
:log print where message~"login.tailscale"
```

## Scripts

- `scripts/mikrotik-containers-bridge-setup.rsc` - Bridge setup (run first)
- `scripts/mikrotik-tailscale-setup.rsc` - Tailscale container setup

## Related Documents

- [09-MIKROTIK-ADGUARD-DOT-DOH.md](09-MIKROTIK-ADGUARD-DOT-DOH.md) - AdGuard container setup
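## Example: Setup Script With Built-in Checks

The RouterOS script below is an added example, not `scripts/mikrotik-tailscale-setup.rsc` or any other script from this repository. It folds the manual setup commands and the "container fails to reach internet" checks into one run that can be repeated safely: each prerequisite is verified before anything is created, every object is created only if it does not already exist, and the script waits for image extraction instead of assuming it has finished before attaching the mount and environment list. Names and addresses (`containers-br`, `veth-tailscale`, `172.17.0.3/24`, `ts-state`, `ts-env`, the `Container` NAT comment) are the ones used in this document; the container `status` values `extracting`/`stopped`/`running` are assumed from `/container print` output, and the `mountlists=`/`envlists=` parameter names are taken from the manual commands above rather than verified independently.

```routeros
# Added example (not one of the repository scripts): idempotent Tailscale
# container setup with the troubleshooting checks run up front.
# Assumed: container "status" values extracting/stopped/running as shown by
# /container print; mountlists=/envlists= parameter names as used in this document.

:local ctName "tailscale"
:local vethName "veth-tailscale"
:local bridgeName "containers-br"

# --- 1. Prerequisite checks (same checks as the troubleshooting list) ---
:if ([:len [/interface bridge find name=$bridgeName]] = 0) do={
    :error "bridge $bridgeName missing: run mikrotik-containers-bridge-setup.rsc first"
}
:if ([:len [/ip firewall nat find comment~"Container"]] = 0) do={
    :error "no NAT rule with comment Container: the container would have no internet access"
}
:if ([:len [/ip route find dst-address~"172.17"]] = 0) do={
    :error "no route to the 172.17.0.0/24 container subnet: check the address on $bridgeName"
}

# --- 2. veth and bridge port, created only if absent ---
:if ([:len [/interface veth find name=$vethName]] = 0) do={
    /interface veth add name=$vethName address=172.17.0.3/24 gateway=172.17.0.1
}
:if ([:len [/interface bridge port find interface=$vethName]] = 0) do={
    /interface bridge port add bridge=$bridgeName interface=$vethName
}

# --- 3. Persistent state mount and environment list, created only if absent ---
# Matching on src= and key= avoids depending on how the list name is stored.
:if ([:len [/container mounts find src="usb1/tailscale/state"]] = 0) do={
    /container mounts add list=ts-state src=usb1/tailscale/state dst=/var/lib/tailscale
}
:if ([:len [/container envs find key="TS_USERSPACE"]] = 0) do={
    /container envs add list=ts-env key=TS_USERSPACE value=true
    /container envs add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
    /container envs add list=ts-env key=TS_SOCKET value=/var/run/tailscale/tailscaled.sock
}

# --- 4. Container: pull the image, then wait for extraction to finish ---
:if ([:len [/container find name=$ctName]] = 0) do={
    /container add remote-image=tailscale/tailscale:latest interface=$vethName root-dir=usb1/tailscale/root logging=yes start-on-boot=yes dns=8.8.8.8 name=$ctName
}

# Poll the status field (assumed value "extracting") for at most 10 minutes.
:local waited 0
:while ([/container get [find name=$ctName] status] = "extracting" && $waited < 600) do={
    :delay 10s
    :set waited ($waited + 10)
    :log info "tailscale: image still extracting after $waited seconds"
}
:if ([/container get [find name=$ctName] status] = "extracting") do={
    :error "image extraction did not finish within $waited seconds"
}

# --- 5. Attach the mount and environment list (only possible after extraction), then start ---
/container set [find name=$ctName] mountlists=ts-state envlists=ts-env
/container start [find name=$ctName]

# --- 6. Surface the login URL from the container log ---
# The same two lines also serve the re-authentication case after a stop/start.
:delay 15s
/log print where topics~"container" and message~"login.tailscale"
```

Run it from a terminal with `/import` or paste it into the console; because every step is guarded, re-running it after a partial failure only performs the steps that are still missing. If the final `/log print` shows nothing, give tailscaled a few more seconds and repeat the query, or use the broader `topics~"container" and message~"tailscale"` filter from the troubleshooting section to see why the container has not reached the login step.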