Need some help with networking - tailscale, gluetun etc

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Unquote0270@programming.dev⁩ to ⁨selfhosted@lemmy.world⁩

I have a server running portainer with some media apps which I connect to with tailscale when I’m away from home and through LAN when at home. This works fine but I want to be able to use tailscale as an exit node so that I can connect to tailscale and access jellyfin as well as having my traffic routed through the server connection.

I have this working but what I really want is to route the tailscale traffic into the gluetun. I have managed to do this but it means that I lose access to jellyfin and the local machine for ssh.

Is it possible to put tailscale through gluetun but also be able to access the local network? I would like to access jellyfin via 192.x.x.x.x:xxxx (local) and 100.x.x.x.x.x:xxxx (tailscale).

This is my tailscale compose (after a bunch of experimentation):

version: '3.9'
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscaled
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TS_HOSTNAME=mediaserver-docker-exit-node
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - /srv/config/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    # network_mode: "container:gluetun"
    restart: unless-stopped

And this is my jellyfin/gluetun compose:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080
      - 6881:6881/tcp
      - 6881:6881/udp
    environment:
      - FIREWALL_INPUT_PORTS=6881,9696
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
    restart: unless-stopped 
      
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    network_mode: 'host'
    group_add:
      - '993'
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/dri/card0:/dev/dri/card0
    volumes:
      - /srv/config/jellyfin/:/config
      - type: bind
        source: /srv/data/media
        target: /media
      - type: bind
        source: /srv/data2/media
        target: /media2
        read_only: true
    restart: unless-stopped

source

Comments

Sort:hotnew top

sorter_plainview@lemmy.today ⁨1⁩ ⁨day⁩ ago
I don’t understand what is the use of gluetun here. Are you trying to, say all the traffic from a laptop,to be routed through your server in your home, while you are away? If yes, can you elaborate why this is needed? Else can you give a better explanation on the setup you are trying to achieve and the results you want?

source
- chaospatterns@lemmy.world ⁨1⁩ ⁨day⁩ ago
  Gluetun doesn’t make any sense here. You’re forcing all the traffic for from Jellyfin to go through Mullvad, but you need to be able to connect to Jellyfin because Jellyfin is a service you connect to.
  
  Since your Tailscale is host network mounted, you’ll be able to expose your Docker network subnets over Tailscale then access Jellyfin.
  
  You probably intend to gluetun your downloading software, not Jellyfin.
  
  source
  - Unquote0270@programming.dev ⁨1⁩ ⁨day⁩ ago
    Is jellyfin going through mullvad? Jellyfin and tailscale are using host. This is part of a larger docker compose where I do have things running through gluetun.
    
    Since your Tailscale is host network mounted, you’ll be able to expose your Docker network subnets over Tailscale then access Jellyfin. This is done via the TS_SUBNETS env variable. Docker will use a 172.16.0.0/12 subnet.
    
    Thanks that sounds like what I’m after. So this means that I could access jellyfin on the 172.x.x.x address but anything else goes to the exit node (and then the vpn)?
    
    source
    -> View More Comments
- Unquote0270@programming.dev ⁨1⁩ ⁨day⁩ ago
  Essentially, I want to be able to use a vpn at the same time as tailscale when I am on my phone and away from home or connected to a hotel wifi etc. Android doesn’t allow this but I read about tailscale exit nodes so I have set this up and it works. The issue is that I would prefer to not use my server location as the exit so I want to push traffic into gluetun (which I already have set up with other stuff running in it).
  
  source
  - stratself@lemdro.id ⁨21⁩ ⁨hours⁩ ago
    Two separate functions should go into two separate nodes
    
    Run Tailscale binary on host. Connect to Jellyfin server using that node’s IP address.
    
    and
    
    Run Gluetun + another Tailscale instance in containers. Don’t use host networking, use bridge or something else. Connect to that node as an exit node
    
    As an alternative to Gluetun + Tailscale I propose tswg (my project)
    
    source
  - chaospatterns@lemmy.world ⁨22⁩ ⁨hours⁩ ago
    How do you expect the packets to actually route? If you run Tailscale and your VPN on your phone, they might fight with each other for control of the routing table.
    
    If you’re trying to use Tailscale exit note to then route through Tailscale to one node running gluetun to Mullvad. That’s going to be complex because against they both want to mess with the routing table.
    
    Tailscale natively supports Mullvad: tailscale.com/mullvad
    
    source
    -> View More Comments