infrastructure/docs/10-MIKROTIK-TAILSCALE.md
XTRM-Unraid e5e76871bb
Add Tailscale container and bridge setup
- Added mikrotik-containers-bridge-setup.rsc for shared container networking
- Added mikrotik-tailscale-setup.rsc for Tailscale container
- Added docs/10-MIKROTIK-TAILSCALE.md with full documentation
- Both containers now use containers-br bridge (172.17.0.1/24)
- AdGuard: 172.17.0.2, Tailscale: 172.17.0.3
2026-01-25 15:33:34 +02:00

MikroTik Tailscale Container

Status: Completed
Implemented: 2026-01-25


Overview

Tailscale VPN runs as a container on the MikroTik router and provides secure remote access to the home network.

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                        MikroTik hAP ax³                              │
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                    containers-br (172.17.0.1/24)               │  │
│  │  ┌─────────────────┐       ┌─────────────────┐                │  │
│  │  │   veth-adguard  │       │  veth-tailscale │                │  │
│  │  │   172.17.0.2    │       │   172.17.0.3    │                │  │
│  │  └────────┬────────┘       └────────┬────────┘                │  │
│  └───────────┼─────────────────────────┼─────────────────────────┘  │
│              │                         │                             │
│              ▼                         ▼                             │
│  ┌─────────────────────┐   ┌─────────────────────┐                  │
│  │   AdGuard Home      │   │     Tailscale       │                  │
│  │   (DNS filtering)   │   │   (VPN tunnel)      │                  │
│  └─────────────────────┘   └─────────────────────┘                  │
│                                     │                                │
└─────────────────────────────────────┼────────────────────────────────┘
                                      │
                                      ▼
                              Tailscale Network
                              (100.x.x.x)

Container Configuration

| Setting | Value |
|---|---|
| Image | tailscale/tailscale:latest |
| Interface | veth-tailscale |
| Container IP | 172.17.0.3/24 |
| Gateway | 172.17.0.1 |
| Root dir | usb1/tailscale/root |
| Mount | ts-state → /var/lib/tailscale |
| Start on boot | yes |

Environment Variables

| Variable | Value | Purpose |
|---|---|---|
| TS_USERSPACE | true | Run in userspace mode (no kernel module) |
| TS_STATE_DIR | /var/lib/tailscale | State persistence directory |
| TS_SOCKET | /var/run/tailscale/tailscaled.sock | Socket location |

Mounts

| Name | Source | Destination |
|---|---|---|
| ts-state | usb1/tailscale/state | /var/lib/tailscale |

Setup

Prerequisites

  1. Container bridge must exist (run mikrotik-containers-bridge-setup.rsc first)
  2. USB storage mounted as usb1

Initial Setup

  1. Run mikrotik-tailscale-setup.rsc script
  2. Wait for image extraction
  3. Check logs for authentication URL:
    :log print where message~"login.tailscale"
    
  4. Visit the URL to authenticate with your Tailscale account

Manual Setup Commands

# Create veth
/interface veth add name=veth-tailscale address=172.17.0.3/24 gateway=172.17.0.1

# Add to bridge
/interface bridge port add bridge=containers-br interface=veth-tailscale

# Create mount
/container/mounts/add list=ts-state src=usb1/tailscale/state dst=/var/lib/tailscale

# Create environment variables
/container/envs/add list=ts-env key=TS_USERSPACE value=true
/container/envs/add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
/container/envs/add list=ts-env key=TS_SOCKET value=/var/run/tailscale/tailscaled.sock

# Create container
/container/add remote-image=tailscale/tailscale:latest interface=veth-tailscale root-dir=usb1/tailscale/root logging=yes start-on-boot=yes dns=8.8.8.8 name=tailscale

# After extraction completes
/container/set [find name=tailscale] mountlists=ts-state envlists=ts-env

# Start
/container/start [find name=tailscale]

Troubleshooting

Check container status

/container print

Check logs

:log print where topics~"container" and message~"tailscale"

Find authentication URL

:log print where message~"login.tailscale"

Container fails to reach internet

  1. Verify bridge exists: /interface bridge print
  2. Verify veth is in bridge: /interface bridge port print
  3. Verify NAT rule exists: /ip firewall nat print where comment~"Container"
  4. Check route: /ip route print where dst-address~"172.17"
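
The four checks above combined into one pass/fail run, as an added example that is not part of the original documentation or the repository's scripts. It uses only the bridge, veth, NAT comment and prefix values that appear in this document; the variable names are hypothetical.

```routeros
# Added example, not one of the repository's scripts.
# containers-br, veth-tailscale, the "Container" NAT comment and the 172.17
# prefix are the values used in this document; brName, vethName and failed
# are hypothetical variable names.
{
    :local brName "containers-br"
    :local vethName "veth-tailscale"
    :local failed 0

    # 1. The shared container bridge exists
    :if ([:len [/interface bridge find where name=$brName]] = 0) do={
        :put ("FAIL: bridge " . $brName . " is missing (run the bridge setup script first)")
        :set failed ($failed + 1)
    } else={
        :put ("OK:   bridge " . $brName . " exists")
    }

    # 2. The Tailscale veth is a port of that bridge, not just any bridge
    :if ([:len [/interface bridge port find where bridge=$brName and interface=$vethName]] = 0) do={
        :put ("FAIL: " . $vethName . " is not a port of " . $brName)
        :set failed ($failed + 1)
    } else={
        :put ("OK:   " . $vethName . " is a port of " . $brName)
    }

    # 3. A NAT rule for container traffic exists (matched by its comment)
    :if ([:len [/ip firewall nat find where comment~"Container"]] = 0) do={
        :put "FAIL: no NAT rule with a comment matching \"Container\""
        :set failed ($failed + 1)
    } else={
        :put "OK:   container NAT rule found"
    }

    # 4. A route covering the container subnet exists
    :if ([:len [/ip route find where dst-address~"172.17"]] = 0) do={
        :put "FAIL: no route matching 172.17"
        :set failed ($failed + 1)
    } else={
        :put "OK:   route for 172.17 found"
    }

    :if ($failed = 0) do={
        :put "All checks passed"
    } else={
        :put ($failed . " check(s) failed")
    }
}
```

Paste the block into a terminal as is; the outer braces keep the local variables in scope for the whole run.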

Re-authenticate

If authentication expires, restart the container and check the logs for the new auth URL:

/container stop [find name=tailscale]
/container start [find name=tailscale]
:delay 10s
:log print where message~"login.tailscale"

Scripts

  • scripts/mikrotik-containers-bridge-setup.rsc - Bridge setup (run first)
  • scripts/mikrotik-tailscale-setup.rsc - Tailscale container setup