infrastructure/docs/archive/vlan-migration/10-MIKROTIK-TAILSCALE.md
Kaloyan Danchev ec9659d0cb
Restructure docs: archive VLAN migration, update IPs to VLAN 10
Major documentation cleanup after VLAN migration completion:
- Archive 12 VLAN project docs to archive/vlan-migration/
- Archive 5 done WIP docs (VLAN proposals, AI stack, Fossorial, DNS backup)
- Create standing reference docs 08-DNS-ARCHITECTURE and 09-TAILSCALE-VPN
- Renumber docs to clean 01-09 sequence with merged CHANGELOG
- Update all active docs from stale 192.168.31.x to current VLAN 10 IPs
- Fix CSS1 (.10.9→.10.3) and ZX1 (.10.7→.10.4) IPs in hardware inventory
- Clean 06-VLAN-DEVICE-ASSIGNMENT: remove migration columns/sections, fix VLAN 25 subnet

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 12:45:16 +02:00


MikroTik Tailscale Container

Status: Completed
Implemented: 2026-01-25


Overview

Tailscale VPN runs as a container on the MikroTik router to provide secure remote access to the home network.

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                        MikroTik hAP ax³                              │
│                                                                      │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                    containers-br (172.17.0.1/24)               │  │
│  │  ┌─────────────────┐       ┌─────────────────┐                │  │
│  │  │   veth-adguard  │       │  veth-tailscale │                │  │
│  │  │   172.17.0.2    │       │   172.17.0.3    │                │  │
│  │  └────────┬────────┘       └────────┬────────┘                │  │
│  └───────────┼─────────────────────────┼─────────────────────────┘  │
│              │                         │                             │
│              ▼                         ▼                             │
│  ┌─────────────────────┐   ┌─────────────────────┐                  │
│  │   AdGuard Home      │   │     Tailscale       │                  │
│  │   (DNS filtering)   │   │   (VPN tunnel)      │                  │
│  └─────────────────────┘   └─────────────────────┘                  │
│                                     │                                │
└─────────────────────────────────────┼────────────────────────────────┘
                                      │
                                      ▼
                              Tailscale Network
                              (100.x.x.x)

Container Configuration

| Setting | Value |
|---------|-------|
| Image | tailscale/tailscale:latest |
| Interface | veth-tailscale |
| Container IP | 172.17.0.3/24 |
| Gateway | 172.17.0.1 |
| Root dir | usb1/tailscale/root |
| Mount | ts-state → /var/lib/tailscale |
| Start on boot | yes |

Environment Variables

| Variable | Value | Purpose |
|----------|-------|---------|
| TS_USERSPACE | true | Run in userspace mode (no kernel module) |
| TS_STATE_DIR | /var/lib/tailscale | State persistence directory |
| TS_SOCKET | /var/run/tailscale/tailscaled.sock | Socket location |

Mounts

| Name | Source | Destination |
|------|--------|-------------|
| ts-state | usb1/tailscale/state | /var/lib/tailscale |

Setup

Prerequisites

  1. Container bridge must exist (run mikrotik-containers-bridge-setup.rsc first)
  2. USB storage mounted as usb1

Initial Setup

  1. Run mikrotik-tailscale-setup.rsc script
  2. Wait for image extraction
  3. Check logs for authentication URL:
    :log print where message~"login.tailscale"
    
  4. Visit the URL to authenticate with your Tailscale account

Manual Setup Commands

# Create veth
/interface veth add name=veth-tailscale address=172.17.0.3/24 gateway=172.17.0.1

# Add to bridge
/interface bridge port add bridge=containers-br interface=veth-tailscale

# Create mount
/container/mounts/add list=ts-state src=usb1/tailscale/state dst=/var/lib/tailscale

# Create environment variables
/container/envs/add list=ts-env key=TS_USERSPACE value=true
/container/envs/add list=ts-env key=TS_STATE_DIR value=/var/lib/tailscale
/container/envs/add list=ts-env key=TS_SOCKET value=/var/run/tailscale/tailscaled.sock

# Create container
/container/add remote-image=tailscale/tailscale:latest interface=veth-tailscale root-dir=usb1/tailscale/root logging=yes start-on-boot=yes dns=8.8.8.8 name=tailscale

# After extraction completes
/container/set [find name=tailscale] mountlists=ts-state envlists=ts-env

# Start
/container/start [find name=tailscale]

Troubleshooting

Check container status

/container print

Check logs

:log print where topics~"container" and message~"tailscale"

Find authentication URL

:log print where message~"login.tailscale"

Container fails to reach internet

  1. Verify bridge exists: /interface bridge print
  2. Verify veth is in bridge: /interface bridge port print
  3. Verify NAT rule exists: /ip firewall nat print where comment~"Container"
  4. Check route: /ip route print where dst-address~"172.17"
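
The four checks above combined into one RouterOS script, as an added example that is not part of the original document or its scripts. It uses only the names shown on this page (containers-br, veth-tailscale, the "Container" NAT comment, the 172.17 prefix) and additionally assumes the NAT rule should be enabled and the route active.

```routeros
# Added example: run the four connectivity checks in one pass and report failures.
# Object names come from this page; the enabled/active conditions are assumptions.
:local problems 0

# 1. The container bridge exists
:if ([:len [/interface bridge find where name="containers-br"]] = 0) do={
    :put "FAIL: bridge containers-br not found"
    :set problems ($problems + 1)
}

# 2. The Tailscale veth is a port of that bridge
:if ([:len [/interface bridge port find where bridge="containers-br" and interface="veth-tailscale"]] = 0) do={
    :put "FAIL: veth-tailscale is not a port of containers-br"
    :set problems ($problems + 1)
}

# 3. A NAT rule commented "Container" exists and is not disabled
:if ([:len [/ip firewall nat find where comment~"Container" and disabled=no]] = 0) do={
    :put "FAIL: no enabled NAT rule with a comment matching Container"
    :set problems ($problems + 1)
}

# 4. An active route covers the container subnet
:if ([:len [/ip route find where dst-address~"172.17" and active=yes]] = 0) do={
    :put "FAIL: no active route matching 172.17"
    :set problems ($problems + 1)
}

:if ($problems = 0) do={
    :put "OK: bridge, bridge port, NAT rule and route are all present"
} else={
    :put "$problems check(s) failed"
}
```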

Re-authenticate

If authentication expires, restart the container and check the logs for the new auth URL:

/container stop [find name=tailscale]
/container start [find name=tailscale]
:delay 10s
:log print where message~"login.tailscale"

Scripts

  • scripts/mikrotik-containers-bridge-setup.rsc - Bridge setup (run first)
  • scripts/mikrotik-tailscale-setup.rsc - Tailscale container setup