I have a server running portainer with some media apps which I connect to with tailscale when I’m away from home and through LAN when at home. This works fine but I want to be able to use tailscale as an exit node so that I can connect to tailscale and access jellyfin as well as having my traffic routed through the server connection.
I have this working but what I really want is to route the tailscale traffic into the gluetun. I have managed to do this but it means that I lose access to jellyfin and the local machine for ssh.
Is it possible to put tailscale through gluetun but also be able to access the local network? I would like to access jellyfin via 192.x.x.x.x:xxxx (local) and 100.x.x.x.x.x:xxxx (tailscale).
This is my tailscale compose (after a bunch of experimentation):
version: '3.9'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscaled
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TS_HOSTNAME=mediaserver-docker-exit-node
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false
      - TS_ROUTES=192.168.0.0/24   # LAN subnet advertised as a subnet route
    volumes:
      - /srv/config/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    network_mode: host   # shares the host stack, so the LAN stays reachable
    # network_mode: "container:gluetun"   # tried: routes Tailscale via Mullvad but loses LAN/SSH
    restart: unless-stopped
And this is my jellyfin/gluetun compose:
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080
      - 6881:6881/tcp
      - 6881:6881/udp
    environment:
      - FIREWALL_INPUT_PORTS=6881,9696   # ports gluetun's firewall lets in
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    network_mode: 'host'   # Jellyfin listens directly on the host's LAN address
    group_add:
      - '993'
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    volumes:
      - /srv/config/jellyfin/:/config
      - type: bind
        source: /srv/data/media
        target: /media
      - type: bind
        source: /srv/data2/media
        target: /media2
        read_only: true
    restart: unless-stopped
Gluetun doesn’t make any sense here. You’re forcing all the traffic from Jellyfin to go through Mullvad, but you need to be able to connect to Jellyfin because Jellyfin is a service you connect to.
Since your Tailscale is host network mounted, you’ll be able to expose your Docker network subnets over Tailscale then access Jellyfin. This is done via the TS_SUBNETS env variable. Docker will use a 172.16.0.0/12 subnet.
You probably intend to gluetun your downloading software, not Jellyfin.
Is jellyfin going through mullvad? Jellyfin and tailscale are using host. This is part of a larger docker compose where I do have things running through gluetun.
Thanks that sounds like what I’m after. So this means that I could access jellyfin on the 172.x.x.x address but anything else goes to the exit node (and then the vpn)?
Okay it was a little hard to read since your post was missing formatting. TS_SUBNETS is what controls what CIDRs are announced through Tailscale. Since you’re not using Docker networking for Jellyfin, it would be whatever subnet the host is on. Maybe it’s 192.168.x.y
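The two replies above come down to one question: for each service, which advertised Tailscale route (a specific subnet route, or only the exit node's default route) covers its address? Below is an added example, not code from this thread or from Tailscale, that answers it with the Python standard library. It reads the TS_ROUTES and TS_EXTRA_ARGS entries from the tailscale container's compose environment and classifies each service endpoint; the service addresses and ports are constructed, and the 172.18.0.5 bridge address is an assumption about Docker's default 172.16.0.0/12 pool.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Tailscale hands out node addresses from the CGNAT block; a subnet route that
# overlaps it would shadow other peers on the tailnet.
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")
# An exit node is nothing more than an advertised default route for v4 and v6.
DEFAULT_ROUTES = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def advertised_routes(environment: List[str]) -> List[Network]:
    """Routes a tailscale/tailscale container advertises, derived from its
    compose `environment` list (TS_ROUTES plus --advertise-exit-node)."""
    routes: List[Network] = []
    for entry in environment:
        key, _, value = entry.partition("=")
        if key == "TS_ROUTES":
            routes.extend(ipaddress.ip_network(r.strip(), strict=False)
                          for r in value.split(",") if r.strip())
        elif key == "TS_EXTRA_ARGS" and "--advertise-exit-node" in value.split():
            routes.extend(DEFAULT_ROUTES)
    return routes


def route_for(addr: str, routes: List[Network]) -> Optional[str]:
    """Most specific advertised route covering `addr`, or None if a Tailscale
    client has no path to that address through this node."""
    ip = ipaddress.ip_address(addr)
    covering = [r for r in routes if r.version == ip.version and ip in r]
    return str(max(covering, key=lambda r: r.prefixlen)) if covering else None


def route_problems(routes: List[Network]) -> List[str]:
    """Flag advertised subnets that collide with Tailscale's own address range."""
    return [f"{r} overlaps Tailscale's {TAILSCALE_CGNAT} range"
            for r in routes
            if r not in DEFAULT_ROUTES and r.version == 4 and r.overlaps(TAILSCALE_CGNAT)]


def coverage(environment: List[str], services: Dict[str, str]) -> Dict[str, str]:
    """Map each service ('name' -> 'ip:port') to how a client reaches it:
    'subnet-route <cidr>', 'exit-node-only' (reachable only while the client
    has selected this node as its exit node) or 'unreachable'."""
    routes = advertised_routes(environment)
    report: Dict[str, str] = {}
    for name, endpoint in services.items():
        via = route_for(endpoint.rsplit(":", 1)[0], routes)
        if via is None:
            report[name] = "unreachable"
        elif ipaddress.ip_network(via) in DEFAULT_ROUTES:
            report[name] = "exit-node-only"
        else:
            report[name] = f"subnet-route {via}"
    return report


# Constructed inputs: the environment mirrors the tailscale compose in the thread;
# the endpoints are made up (Jellyfin on the host LAN, a client behind gluetun on
# an assumed Docker bridge address).
ENV = [
    "TS_HOSTNAME=mediaserver-docker-exit-node",
    "TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false",
    "TS_ROUTES=192.168.0.0/24",
]
SERVICES = {
    "jellyfin (host network)": "192.168.0.10:8096",
    "torrent client (behind gluetun, docker bridge)": "172.18.0.5:8080",
}

if __name__ == "__main__":
    for problem in route_problems(advertised_routes(ENV)):
        print("WARNING:", problem)
    for name, how in coverage(ENV, SERVICES).items():
        print(f"{name}: {how}")
```

The run shows why the replies point at subnets rather than at gluetun: Jellyfin on the host network is covered by the explicit 192.168.0.0/24 route, while a service on a Docker bridge is reachable only through the exit node's default route, so a client that is not using the exit node cannot reach it until that Docker subnet is advertised as well.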