I have a server running portainer with some media apps which I connect to with tailscale when I’m away from home and through LAN when at home. This works fine but I want to be able to use tailscale as an exit node so that I can connect to tailscale and access jellyfin as well as having my traffic routed through the server connection.

I have this working but what I really want is to route the tailscale traffic into the gluetun. I have managed to do this but it means that I lose access to jellyfin and the local machine for ssh.

Is it possible to put tailscale through gluetun but also be able to access the local network? I would like to access jellyfin via 192.x.x.x.x:xxxx (local) and 100.x.x.x.x.x:xxxx (tailscale).

This is my tailscale compose (after a bunch of experimentation):

version: '3.9'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscaled
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TS_HOSTNAME=mediaserver-docker-exit-node
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - /srv/config/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    # network_mode: "container:gluetun"
    restart: unless-stopped

And this is my jellyfin/gluetun compose:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080
      - 6881:6881/tcp
      - 6881:6881/udp
    environment:
      - FIREWALL_INPUT_PORTS=6881,9696
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    network_mode: 'host'
    group_add:
      - '993'
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    volumes:
      - /srv/config/jellyfin/:/config
      - type: bind
        source: /srv/data/media
        target: /media
      - type: bind
        source: /srv/data2/media
        target: /media2
        read_only: true
    restart: unless-stopped
  • Unquote0270@programming.dev (OP) · 24 days ago

    Essentially, I want to be able to use a vpn at the same time as tailscale when I am on my phone and away from home or connected to a hotel wifi etc. Android doesn’t allow this but I read about tailscale exit nodes so I have set this up and it works. The issue is that I would prefer to not use my server location as the exit so I want to push traffic into gluetun (which I already have set up with other stuff running in it).

    • chaospatterns@lemmy.world · 24 days ago

      How do you expect the packets to actually route? If you run Tailscale and your VPN on your phone, they might fight with each other for control of the routing table.

      If you’re trying to use a Tailscale exit node to then route through Tailscale to one node running gluetun to Mullvad, that’s going to be complex because, again, they both want to mess with the routing table.

      Tailscale natively supports Mullvad: https://tailscale.com/mullvad

    • stratself@lemdro.id · 24 days ago

      Two separate functions should go into two separate nodes

      1. Run Tailscale binary on host. Connect to Jellyfin server using that node’s IP address.

      and

      1. Run Gluetun + another Tailscale instance in containers. Don’t use host networking, use bridge or something else. Connect to that node as an exit node

      As an (advanced) alternative to Gluetun + Tailscale I propose tswg (my project)
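
The two-node split suggested in the last reply could look like the compose file below. This is an added example, not part of any post in the thread. It assumes the Tailscale instance that serves Jellyfin and SSH runs separately on the host, and that the second instance shares gluetun's network namespace in userspace mode. The service name `tailscale-exit`, the hostname `gluetun-exit-node`, the variable `TS_EXIT_AUTHKEY` and the path `/srv/config/tailscale-exit` are hypothetical.

```yaml
# Added example: a second Tailscale node used only as an exit node, egressing via gluetun.
# The host's own Tailscale instance (not shown) keeps serving Jellyfin and SSH.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      # Same provider settings as the compose in the original post
      # (its published ports and FIREWALL_INPUT_PORTS are omitted here).
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
    restart: unless-stopped

  tailscale-exit:
    image: tailscale/tailscale:latest
    container_name: tailscale-exit
    # Share gluetun's network namespace instead of the host's, so this node's
    # outbound traffic is subject to gluetun's firewall and leaves via the VPN tunnel.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - TS_HOSTNAME=gluetun-exit-node        # hypothetical name, distinct from the host node
      - TS_AUTHKEY=${TS_EXIT_AUTHKEY}        # hypothetical variable: a separate key for this node
      - TS_STATE_DIR=/var/lib/tailscale
      # Userspace networking: no TUN device, NET_ADMIN or NET_RAW for this container.
      - TS_USERSPACE=true
      # No TS_ROUTES here: this node advertises only the exit node, not the LAN subnet.
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false
    volumes:
      # Separate state directory so this node never reuses the host node's identity.
      - /srv/config/tailscale-exit:/var/lib/tailscale
    restart: unless-stopped
```

The exit node still has to be approved in the Tailscale admin console before clients can select it. Jellyfin stays reachable at the host node's Tailscale address while the phone uses `gluetun-exit-node` as its exit.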