Gluetun as Tailscale exit node

[pdfrg]

Rationale: when away from home, be able to access all services on home server, plus all other machines on home network, while at the same time, without changing any settings, browse internet privately through VPN. Previously, having both mobile VPN client and Tailscale mobile client installed, switching between the two is inconvenient, and after a certain number of switches, breaks networking, requiring reboot.

Tailscale allows use of Mullvad servers as exit nodes, but the subscription must be purchased through Tailscale. When the feature was first offered, they were enabling Mullvad customers who already had paid in advance. Tailscale is awesome for being able to access home network from anywhere, without exposing the network to the internet, but with their default exit node feature all traffic outside the home network is not private.

So, I was looking for a way to use Mullvad via Gluetun as a Tailscale exit node. After some trial and error, I have it working. At least, when I load mullvad.net/en/check, with Tailscale enabled on my mobile device, I appear to be using Mullvad and it passes all the security checks.

Here is my setup...
gluetun docker compose (relevant parts only, indentation broken on paste)

  environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=$WIREGUARD_PRIVATE_KEY
      - WIREGUARD_ADDRESSES=<insert here>
      - TZ=$TZ
      - UPDATER_PERIOD=24h
      - SERVER_CITIES=<insert here>
      - OWNED_ONLY=yes
      - PUID=$PUID
      - PGID=$PGID
      - HEALTH_VPN_DURATION_INITIAL=120s
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - DNS_ADDRESS=192.168.1.87 # server LAN IP, use AdGuardHome instead of built-in DNS, with network_mode:host

tailscale docker compose (relevant parts only)

network_mode: "service:gluetun" # was "host", changed to use Mullvad as exit node
    environment:
      - TS_HOSTNAME=<will appear in Tailscale dashboard> # https://login.tailscale.com/admin/machines
      - TS_AUTHKEY=$TS_AUTHKEY
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-tags=tag:server
      - TS_ROUTES=192.168.1.0/24 # home LAN subnet
      - TS_EXTRA_ARGS=--accept-routes
      - TS_EXTRA_ARGS=--advertise-exit-node
    depends_on:
      gluetun:
        condition: service_healthy

tailscale dashboard settings -- machines (https://login.tailscale.com/admin/machines):
click on your server (hostname set as above)
subnet routes 192.168.1.0/24 (same as TS_ROUTES above) --> check box
use as exit node --> check box

tailscale dashboard -- dns (https://login.tailscale.com/admin/dns)
nameservers > global nameservers --> enter IP of your server
override local DNS --> (enable slider)
magicDNS --> disable

tailscale mobile client settings
open app > 3 dots in upper right > use exit node... > click on server hostname

AdGuardHome (or PiHole) settings (Docker container on same server as Gluetun and Tailscale)
filters > DNS rewrites --> domain: *.lan (any custom local suffix) answer: 192.168.1.87 (server LAN IP)
Not necessary but makes it easy to browse to jellyfin.lan or jf.lan rather than 192.168.1.87:8096, for example.

caddy-docker-proxy settings (https://github.com/lucaslorentz/caddy-docker-proxy)

e.g. jellyfin docker compose (partial)

labels:
      caddy: jellyfin.lan jf.lan
      caddy.reverse_proxy: "{{upstreams 8096}}" # unless network_mode: host, then use host_ip:port without quotes or brackets
      caddy.tls: internal

auto-generates this snippet in Caddyfile when jellyfin container starts. Can also manually write and mount into Caddy container.

jellyfin.lan jf.lan {
	reverse_proxy 172.18.0.3:8096
	tls internal
}

Install root certificate on devices that will access resources through Caddy, so that security warnings are not generated
get root certificate from caddy container > /data/caddy/pki/authorities/local/root.crt
google how to install to your OS and/or browsers

Honestly, I'm not sure how exactly everything works together here, so this may be a spaghetti mess that could be simplified or improved. But for me at least, it works. Happy to receive any feedback.

There is one open issue #1854, that links to a post I also found helpful https://lemmy.world/post/7281194. However, their setup doesn't allow for remote access of the entire home network, nor does it allow for custom DNS settings.

[SmatMan]

This is awesome. I'm going to try this out right now, hopefully this can get some more attention!

[vestyc]

Your post helped get my setup working. Thank you!!!

I did a few things differently:

• Different vpn provider
• FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10 # Tailscale's ip range. The idea here is I only want vpn access via my tailnet, but not sure if it works out that way.
• TS_ROUTES=100.64.0.0/10 # to match above.
• No specified DNS_ADDRESS. I went with the default.

[forabi]

Has anyone managed to get this working with podman? Everything seems to work fine but I don't have access to the internet when using the tailscale container as exited node routed through gluetun

[LeoRX]

Yes. I have Gluetun working fine.. and then Tailscale makes changes and make Gluetun container unhealthy and keep restarting. once I changed tailscaled to run in userspace networking mode. both are healthy and happy.

command: tailscaled --tun=userspace-networking

[mattdale77]

I've just spent the last 2 days trying to work out how to do this and not have it leak DNS but I've accomplished it now. This might have saved me a bit of time

I don't have the --accept-routes enabled and it seems to work so far

[mickeyyde]

got it working with proton-vpn, thank you

[redge76]

same
used also: https://lemmy.world/post/7281194