A deep dive into using Tailscale with Docker

38,246 views

Tailscale

Days ago

Everything you ever wanted to know about using Tailscale in a Docker container.
- GitHub resources: github.com/tailscale-dev/dock...
- Tailscale.com blog post: tailscale.com/blog/docker-tai...
- Tailscale docs: tailscale.com/kb/1282/docker
Personal accounts are always free on Tailscale and can include up to 3 users and 100 devices. Get started today at tailscale.com/yt
===
00:00 - Start
00:36 - Why put Tailscale in a container?
01:48 - Auth Keys vs OAuth Clients
06:05 - Auth Keys
13:36 - OAuth Clients
18:00 - Container Namespacing
24:54 - Exposing an app via Serve and Funnel

Comments: 89
@AviDrissman 3 months ago
I don’t understand the Compose yaml at @6:45. If you don’t define it, TS_USERSPACE will default to true, and not need the /dev/net/tun and net_admin/sys_module capabilities. So either remove those lines and run in userspace, or leave them in and also add TS_USERSPACE=false. The combination as shown seems self-contradictory.
@Tailscale 2 months ago
Thanks for pointing this out! You are quite right and we have updated the linked code samples accordingly!
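The two self-consistent setups described in the first comment of this thread, written out as an added example (not the video's or Tailscale's own Compose file). Service, hostname and volume names are made up, and the `TS_USERSPACE` default of true is taken from that comment.

```yaml
# Added illustration; names below are hypothetical, not from the video's repository.
services:
  # Variant A: userspace networking (TS_USERSPACE left unset, so it stays at its default).
  # No TUN device and no added capabilities, so the container needs no extra privileges.
  ts-userspace:
    image: tailscale/tailscale:latest
    hostname: ts-userspace
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}          # injected from the environment, not committed
      - TS_STATE_DIR=/var/lib/tailscale   # persist node identity across restarts
    volumes:
      - ts-userspace-state:/var/lib/tailscale
    restart: unless-stopped

  # Variant B: kernel networking. The TUN device and capabilities are only
  # meaningful together with TS_USERSPACE=false; granting them while the
  # daemon runs in userspace widens privileges for no benefit.
  ts-kernel:
    image: tailscale/tailscale:latest
    hostname: ts-kernel
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false
    volumes:
      - ts-kernel-state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

volumes:
  ts-userspace-state:
  ts-kernel-state:
```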
@Kestrel38 3 months ago
Tailscale has genuinely changed the way my business works. Thanks so much for sharing so many useful ways to innovate and break the traditional and insecure ways of connecting things.
@urzalukaskubicek9690 3 months ago
Let's run the whole Internet through one private company. What could possibly go wrong?! Sorry I mean two companies.. tailscale and cloudflare.
@metal-beard 2 months ago
@urzalukaskubicek9690 is there any similar alternative? Possibly OpenSource?
@username-videos 2 months ago
I wish projects like Netbird were more user friendly/documented for people who are new to networking. I'm reluctantly using Tailscale right now because it "just works" for people who don't have all of the expertise needed to run more open wireguard mesh solutions.
@ultravioletiris6241 2 months ago
@urzalukaskubicek9690 That’s pretty melodramatic lol
@massgrave8x 1 month ago
@urzalukaskubicek9690 use headscale then if that's your concern.
@Gonkers44 3 months ago
I met Alex at DevOps Days Chicago and he’s been blowing my mind since. Thanks Alex!
@Solanum.95 3 months ago
Great tutorial, love the way you explain things!
@Tailscale 3 months ago
Glad it was helpful!
@1988Logge 3 months ago
I can't tell you how much I've been waiting for this video! You mentioned it recently in one of the podcasts and as I'm still not quite getting to grips with Docker and Tailscale I've been eagerly awaiting it. 😅
@Feerab 3 months ago
Thanks, Tailscale, for your outstanding efforts! Your dedication to providing high-quality content is truly appreciated. Keep up the great work!
@CTWilliams89 3 months ago
Amazing content! Thank you for the time and effort you and the rest of the Tailscale team put into this.
@samifouad 3 months ago
just getting started with Tailscale and Docker, thanks for the great intro! Long live self hosting! 🔥
@renanoliveira0 2 months ago
Your explanation skills are outstanding!
@johnh9811 3 months ago
I've been looking for a suitable self-hosting start point and this tutorial has answered a heap of "where do i begin?" questions. Thanks !
@tabberacci8541 2 months ago
Fantastic video series Alex! Short, to the point and easily understandable information. Keep it up! Future video suggestion: deepdive in ACL:s and OPNsense interface firewall correlation? Having a hard time getting only the right nodes to access my admin stuff on LAN.
@patrikparvin8158 2 months ago
Thanks Alex. I was looking for a way to connect all my docker to Tailscale (were already some of my devices connected). Before I worked with macvlan, but now I will try out this solution.
@bobbyLovesTech 9 days ago
Completely off topic here - I had no idea about sudo !! => You are a goldmine Alex!
@alexclifford2485 3 months ago
Brilliant stuff. The command line is scary, and docker just seems a headache, but I'm sure I could learn it if I tried. With tailscale, I've set up an old laptop with an external HDD, then use it as a personal cloud storage when I'm away from the house and have access to several TB if I want my files anywhere. Then I've also set up jellyfin with tailscale for a media server for family on a refurbished office PC for £60 off ebay - so it's a family netflix. This is a very powerful tool, and the more you can simplify it and offer alternatives to the command line and messy config files (because this stuff is just not intuitive), the more value it has for me personally. In any case, thanks for simplifying this stuff. Much appreciated
@EduardoKabello 3 months ago
Great tutorial! It would be nice, a tutorial with Tailscale running on a Proxmox
@east4ming 3 days ago
I use Tailscale and Nomad, both running on raspberry pi 4b based edge devices distributed around the world, to collect data on the carbon footprint of the production process in different places. And centralized collection, processing, analysis and presentation.
@ckwcfm 3 months ago
Thx. It will be super helpful if you could do a similar topic on docker swarm as well
@j.Zephyr 2 months ago
In the video and in the blog post, you don't say that you have to allow the node to have the "funnel" option. But you have it on the ACL provided. Great work BTW
@AGL_AerialsTampa 3 months ago
Hello! Could you do a deep dive into how ACLs work for beginners please? I know there is a really in depth article y'all have but I do much better learning when I can see it be done. Thank you!
@rafraf23534 2 months ago
Video on ACLs would be great!
@johncahill9207 1 month ago
A good follow up video would be a nice, detailed work up of the ACL settings.
@malzbier1339 3 months ago
I Love Tailscale ❤.
@TrueNorthRecon 3 months ago
Would this have support for things like udp ports leading to game server containers?
@h4rb1ng3r 11 days ago
Maybe it's just me but I can't find the ACL json file that you mentioned would be available in links provided? The tagging option wasn't immediately enabled for me because that section of the Access Controls wasn't yet configured or uncommented. But fortunately there was a helpful link to the ACLs, right next to the greyed out tag button which made that super intuitive. 👍
@alexanderos8209 3 months ago
Great Video - as always. I am currently struggling with getting direct access to my tailscale clients - Single NAT on one side (home router with a valid, public IPv4 address). However all connections to this container are routed via DERP. This is annoying especially when doing high bandwidth tasks. Can you maybe give a tutorial on how to get direct connections and how to optimize routing?
@Tailscale 3 months ago
I’d encourage you to open a ticket with our excellent support teams to work through your specific situation.
@swansurt1350 2 months ago
If I have a service that uses 'networks: -networkname' to connect to other services on the same compose file, I can't use network_mode to connect it to the tailscale image since network_mode can't be used when networks is being used. Is it possible to add tailscale also to the same network to have the service available on my tailscale network?
@pieterrossouw8596 3 months ago
userspace tailscaled was a game changer for my workload. I don't need massive throughput but I don't want to run a privileged container if I can avoid it. The feature I'd like to see most is reserved IP keys: Almost like elastic IPs in AWS EC2, but for my tailnet. I generate an auth key for an ephemeral node that's always going to get a predetermined IP on my tailnet. I also want keys to last longer than 90 days, maybe with the prerequisite that the node be manually approved by an admin? This means I can use preauthorized keys to spin up infrastructure with deterministic IPs on my tailnet.
@Tailscale 3 months ago
This is a really interesting question. Might I ask one back? Why does the IP matter if magicdns allows you to refer to the node deterministically too?
@rysterstech 3 months ago
@Tailscale magicdns doesn't always work
@martinzipfel7843 2 months ago
You did a great job explaining it Alex, but honestly, it makes me want to pull out my hair almost as much as setting up a reverse proxy with TLS does. However, because I'm now on CGNAT all that NGINX work is out of the window and this looks like a feasible replacement. It would be great to get more videos diving into more details.
@Tailscale 2 months ago
Let’s try and keep your hair intact. What details would you like us to go over?
@martinzipfel7843 2 months ago
@Tailscale too late I'm afraid. However, after working through the blogpost I managed to expose the container to the tailnet and to the www. That feature is incredible honestly. Would be great to see more instruction for example on how to apply funnel to a windows based game server if I only want to expose access to the streaming application but not to the entire machine. Also, I can imagine why you are limiting the possible tailnet URLs to a few autogenerated ones but it would be great to be able to name one myself ;)
@winoffrg 3 months ago
Hi! An amazing video, Just want to know how can I access my host like if tailscale was installed on it via this setup? Currently whenever I am moving b/w machine I have to do this manual setup. Rather I am looking that since my rest of the ecosystem is managed via docker compose I just spin this also up there and I can then normally SSH into my host machine
@Tailscale 2 months ago
You’d likely want to install Tailscale natively on the host itself as well as any containers for the smoothest experience.
@mario-gp3tk 2 months ago
This is awesome! Thank you! But now I have another problem: My containers can't reach the www, but I need my containers to have access to the www while they're still only reachable via tailscale from outside. How can I do this now?
@PizzaGoat323 1 month ago
Hey there, can you lend me a hand? I'm trying to figure out where I'm going wrong. I'm attempting to set up authkeys with a VSCode container from LinuxServer. Also, I need to get a Cloudflare reverse proxy going and expose port 8443. How do I set all this up with the end goal of getting the Tailscale VScode addon working and exposed on cloudflare
@Minglator 3 months ago
Make a video on adding devices to a subnet and connecting it to your tailscale network
@cyber2th 1 month ago
I think I've got everything set up! Thanks for the tutorial. I'm a bit confused that this enables funnel for the node in the dashboard even though it's set to false in the json file. Is this the expected outcome?
@zackey_tnt 1 month ago
Getting the same. Did you find anything?
@zachsfunk491 1 month ago
Tailscale is seriously cool. SDN are so neat, tailscale isn't necessarily one but in the realm of.
@mailynf 1 month ago
how can i apply this to containers running in a synology nas?
@ardenswirl7361 2 months ago
I have a unraid server and want to use tailscale on 2 different accounts how to do this with a docker compose setup or on my unraid server. I tried what gpt4 suggested did not work I meant it kinda worked for every reboot of my unraid server it got me a new machine name.
@richarda6435 3 months ago
Running Tailscaled using Docker (compose) on a Ubuntu server. Have the --ssh setting. When attempting to SSH to this machine, SSH connects to the docker container itself and not the host machine. I'm guessing somebody has figured this out or maybe it's not possible.
@ElliotWeishaar 3 months ago
Tailscale is the best. How do you guys feel about headscale? I've considered trying it but I haven't taken the plunge yet.
@Tailscale 3 months ago
We have a page for that! tailscale.com/opensource
@raaghulr3024 11 days ago
using oauth method, if two container try to use same port 80. how to resolve that
@danr2513 2 months ago
At 17:50 I get "curl: (6) Could not resolve host: ts-oauth". Didn't work in browser either.
@503ali 3 months ago
I have been trying to do this for a month using macvlan with no luck thanks. Do you have to do this for every container?
@Tailscale 3 months ago
For now at least, one Tailscale sidecar per service yup.
@ckwcfm 3 months ago
Maybe you can create an external docker network. And use this network for all the services you want to use with Tailscale. Then in the config file, use the service’s container name as their ip. Maybe that will work
@fredamn76 2 months ago
I cannot get serve to work. I have mounted the config directory but the command tailscale serve status states No serve config. The json file is in the config directory. What can be wrong?
@diamondkingdiamond6289 2 months ago
How are the containers supposed to communicate between each other?
@DugB0915 3 months ago
I did ask this on the reddit thread but I'll ask it here too in case you don't see it. Are there any issues doing this with podman? Or is it only with Docker?
@Tailscale 3 months ago
I should imagine so using the Podman specific syntax as outlined in the link below. Note that I didn’t test this. -Alex docs.podman.io/en/latest/markdown/podman-run.1.html#network-mode-net
@DugB0915 2 months ago
Thanks! @Tailscale
@wingnut1138 2 months ago
Just watched this and wonder if I misunderstood an effect of the namespace network merge. If I connect a django container and a postgres container to the same tailscale container will django be able to connect to postgres using localhost rather than databases container name? If yes then tailscale simplifies things even more. Or is there a reason why we can't/shouldn't connect multiple containers?
@Tailscale 2 months ago
No reason I can think of. Although docker networks give you a lot of this too without the inter container dependency.
19 days ago
Great video, but how do I add Tailscale to five of my docker containers? Some say use docker networks and others creating side cars to the container. I would really appreciate a video about adding tailscale to multiple existing containers.
@Tailscale 18 days ago
We'd suggest one sidecar per service.
@TreyPiepmeier 2 months ago
I'm having a heck of a time trying to get the serve and funnel configuration (/config/mealie.json in this example) to work in a Portainer stack. Apparently relative directories don't work in docker-compose within Portainer and even configuring another Dockerfile to copy the file from the image to the container doesn't want to work. Does anybody know a way around this or at least understand what I'm talking about? 😅
@danr2513 2 months ago
Does the /config directory exist? and does it have the correct ownership? I never use portainer to spin up my containers, however I use it to view logs and other things.
@TreyPiepmeier 2 months ago
@danr2513 I ended up getting it to work by creating an external volume and putting the file there manually. There must be a better, more automated way, but this did the trick for now!
@BUBearsFan 1 month ago
Is it possible to get help doing this on my NAS? : )
@udaychander6518 29 days ago
I had just one doubt. Is there a way to funnel multiple web services by adding subdomain for each, within one tailscale container? More like how we can do with nginx
@Tailscale 26 days ago
Not as of today. You'd need a reverse proxy to do that.
@stxnw 2 months ago
I don't think this would work on platforms that only support non-root or user-only docker containers. A lot of PaaS don't support compose or allow you to set the docker run args.
@user-xd7zk1pw5y 1 month ago
Ha I've even started reading tailscale docs with your accent
@user-iq5ey7ic1z 1 month ago
We want an explanation translated into Arabic. We want a detailed explanation translated into Arabic of the steps for using the application from installation until connecting to the other device and controlling it
@TubeSkaterRudy 27 days ago
What was he piping through to get the colors in the output of docker inspect?
@Tailscale 26 days ago
jq
@TubeSkaterRudy 25 days ago
@Tailscale Great! Thanks :)
@TsiRoadkill 3 months ago
I love tailscale and love what it can do but I'm not smart enough to config this stuff lol
@zhenghan8428 2 months ago
No ssh to the container?
@ashebanow 2 months ago
he could have ssh'ed to the container, but as he showed via 'docker exec', the container doesn't have the diagnostic tools installed.
@sur0x 2 months ago
so I basically have to destroy my containers networks to change the network mode for everything
@xxxsrixxx 1 month ago
can i run tailscale both on the linux machine and on the docker inside the linux machine?
@Tailscale 1 month ago
yup!