It’s been a minute since I last had to travel for work, but that’s coming up again. This means for remote access purposes, I need a VPN to my home network. I last accomplished this simply using the L2TP functionality built right in to my Unifi Security Gateway, but since I got rid of that I simply never fixed this again. The obvious solution is Wireguard, but why configure that by hand when I can use Tailscale to do it for me?

Why indeed, and since I’ve heard good things about their offering I decided to take a look at it. First step, let’s run it in an LXD container, so I can blow it away if I need to without polluting the rest of my network. That was fairly painless:

~$ lxc launch ubuntu-minimal:focal tailscale
Creating tailscale
Starting tailscale                          
fwaggle@ghast:~$ lxc shell tailscale 
root@tailscale:~# apt update
-- SNIP --
18 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@tailscale:~# apt upgrade -y
-- SNIP --
root@tailscale:~# apt autoremove
-- SNIP --
root@tailscale:~# curl -fsSL https://tailscale.com/install.sh | sh
Installing Tailscale for ubuntu focal, using method apt
-- SNIP --
Installation complete! Log in to start using Tailscale by running:

tailscale up
root@tailscale:~# tailscale up

To authenticate, visit:

-- SNIP --


For a second device, I installed it on my phone, turned off Wifi, and whaddya know, I can ping something.

Restarting tailscale with tailscale up --advertise-exit-node and flipping the exit node on on my phone meant I got my home IP despite not being on the home wifi networks, so I’m counting that as a success.

Less successful was accessing the other services, and it took a bit to figure out why that is. My first port of call was checking connectivity at the container, which I did so using ICMP. This didn’t work:

From _gateway.lxd ( icmp_seq=1 Redirect Host(New nexthop: _gateway (
From _gateway ( icmp_seq=1 Time to live exceeded

This is actually not unexpected, I suppose. Since this machine is actually three machines in a trench coat (NFS server, LXD server, and a K8s node), and runs two BGP peers on two different IPs, I figured it was something fucky with the routing: It was going up to my router, which tried to send it back down the same path, then the TTL expired.

But a service hosted on LXD should work, because LXD’s bridge network should route it sensibly. It did not, from my phone. More puzzling, actually, a curl of a service hosted on Kubernetes worked from the container.

I soon realized I needed to convince Tailscale to advertise these routes, it seems it won’t expose RFC1918 addresses even if it’s declared as an exit node… which is actually a very sensible default, really. So I configured it to have access to my entire LAN via the --advertise-routes= parameter to tailscale up, approved it in the control panel, and it worked. I later retracted that, opting to only allow access to the services I want.

The final piece of the puzzle (after being greeted with a 403) was to allow the IP of the tailscale container in my lan-only middleware in Traefik, and I’m away.

I’m as yet undecided on whether I want to allow access to the K8s control plane via this or not, but I can do most everything else, including accessing Home Assistant.

Horsham, VIC, Australia fwaggle



Filed under:


Horsham, VIC, Australia

Navigation: Older Entry Newer Entry