jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5e76871bbd77b4101991126d47ef8808d3a4b22
infrastructure/docs/10-MIKROTIK-TAILSCALE.md
XTRM-Unraid e5e76871bb
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
Add Tailscale container and bridge setup 
- Added mikrotik-containers-bridge-setup.rsc for shared container networking
- Added mikrotik-tailscale-setup.rsc for Tailscale container
- Added docs/10-MIKROTIK-TAILSCALE.md with full documentation
- Both containers now use containers-br bridge (172.17.0.1/24)
- AdGuard: 172.17.0.2, Tailscale: 172.17.0.3
2026-01-25 15:33:34 +02:00

147 lines
5.7 KiB
Markdown
Raw Blame History

# MikroTik Tailscale Container
**Status:** Completed
**Implemented:** 2026-01-25
---
## Overview
Tailscale VPN running as a container on MikroTik for secure remote access to the home network.
## Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ MikroTik hAP ax³ │
│ │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ containers-br (172.17.0.1/24) │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ │ │
│ │ │ veth-adguard │ │ veth-tailscale │ │ │
│ │ │ 172.17.0.2 │ │ 172.17.0.3 │ │ │
│ │ └────────┬────────┘ └────────┬────────┘ │ │
│ └───────────┼─────────────────────────┼─────────────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ AdGuard Home │ │ Tailscale │ │
│ │ (DNS filtering) │ │ (VPN tunnel) │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │ │
└─────────────────────────────────────┼────────────────────────────────┘
Tailscale Network
(100.x.x.x)
```
## Container Configuration
| Setting | Value |
|---------|-------|
| Image | tailscale/tailscale:latest |
| Interface | veth-tailscale |
| Container IP | 172.17.0.3/24 |
| Gateway | 172.17.0.1 |
| Root dir | usb1/tailscale/root |
| Mount | ts-state → /var/lib/tailscale |
| Start on boot | yes |
## Environment Variables
| Variable | Value | Purpose |
|----------|-------|---------|
| TS_USERSPACE | true | Run in userspace mode (no kernel module) |
| TS_STATE_DIR | /var/lib/tailscale | State persistence directory |
| TS_SOCKET | /var/run/tailscale/tailscaled.sock | Socket location |
## Mounts
| Name | Source | Destination |
|------|--------|-------------|
| ts-state | usb1/tailscale/state | /var/lib/tailscale |
## Setup
### Prerequisites
1. Container bridge must exist (run `mikrotik-containers-bridge-setup.rsc` first)
2. USB storage mounted as usb1
### Initial Setup
1. Run `mikrotik-tailscale-setup.rsc` script
2. Wait for image extraction
3. Check logs for authentication URL:
```routeros
:log print where message~"login.tailscale"
```
4. Visit the URL to authenticate with your Tailscale account
### Manual Setup Commands
```routeros
# Create veth
/interface veth add name=veth-tailscale address=172.17.0.3/24 gateway=172.17.0.1
# Add to bridge
/interface bridge port add bridge=containers-br interface=veth-tailscale
# Create mount
/container/mounts/add list=ts-state src=usb1/tailscale/state dst=/var/lib/tailscale
# Create environment variables
/container/envs/add list=ts-env key=TS_USERSPACE value=true
/container/envs/add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
/container/envs/add list=ts-env key=TS_SOCKET value=/var/run/tailscale/tailscaled.sock
# Create container
/container/add remote-image=tailscale/tailscale:latest interface=veth-tailscale root-dir=usb1/tailscale/root logging=yes start-on-boot=yes dns=8.8.8.8 name=tailscale
# After extraction completes
/container/set [find name=tailscale] mountlists=ts-state envlists=ts-env
# Start
/container/start [find name=tailscale]
```
## Troubleshooting
### Check container status
```routeros
/container print
```
### Check logs
```routeros
:log print where topics~"container" and message~"tailscale"
```
### Find authentication URL
```routeros
:log print where message~"login.tailscale"
```
### Container fails to reach internet
1. Verify bridge exists: `/interface bridge print`
2. Verify veth is in bridge: `/interface bridge port print`
3. Verify NAT rule exists: `/ip firewall nat print where comment~"Container"`
4. Check route: `/ip route print where dst-address~"172.17"`
### Re-authenticate
If authentication expires, restart the container and check logs for new auth URL:
```routeros
/container stop [find name=tailscale]
/container start [find name=tailscale]
:delay 10s
:log print where message~"login.tailscale"
```
## Scripts
- `scripts/mikrotik-containers-bridge-setup.rsc` - Bridge setup (run first)
- `scripts/mikrotik-tailscale-setup.rsc` - Tailscale container setup
## Related Documents
- [09-MIKROTIK-ADGUARD-DOT-DOH.md](09-MIKROTIK-ADGUARD-DOT-DOH.md) - AdGuard container setup
Reference in New Issue View Git Blame Copy Permalink