Lightweight docker image that allows connecting wireguard tunnels to a tailnet
8.6K
See rinkp/wireguard-tailscale on GitHub
This repository provides a small docker image that allows connecting wireguard tunnels to a tailnet.
Example use cases:
Please note that any docker container running this image requires:
NET_ADMIN capability/dev/net/tun devicenet.ipv4.conf.all.src_valid_mark=1net.ipv4.ip_forward=1net.ipv6.conf.all.forwarding=1When using the provided docker-compose.yml, these settings are automatically set.
This setup has been tested against a server running Juan Font's headscale v0.25.1. It is expected to work with tailscale.com and some instructions have been provided below.
This setup has been tested with Windscribe VPN provider. You can generate a Wireguard config on https://windscribe.com/getconfig/wireguard.
This setup has been tested with a wg0.conf file having 1 endpoint and 1 peer. When multiple peers are present, the AllowedIPs are combined for the purposes of advertising routes. Likely, you want to set TS_ADVERTISE_ROUTES manually. See also GH-2.
git clone --recurse-submodules https://github.com/rinkp/wireguard-tailscale.gitcompose.override.yml.dist to compose.override.yml and uncomment the build: linedocker compose buildcompose.yml and compose.override.yml filesconfig/wireguard folder, create a wg0.conf config fileWGTS_AUTO_ROUTE or a tool like thisTS_AUTHKEY and other necessary environment variablesWhen using headscale, perform the following steps:
headscale users listheadscale preauthkeys create --reusable --expiration "1d" --ephemeral -u 1 --tags=tag:wgts-client and set this as TS_AUTHKEYpolicies.json, add the route to the autoApprovers, either in exitNode or a specific route in routes.policies.json allows one or more hosts/users to connect to destinations in your published subnets. It is not possible to publish a bigger subnet (e.g. 8.8.0.0/16) to your tailnet and only allow traffic to a subset of the destinations (e.g. 8.8.8.0/22). You can solve this by publishing the subnet in one or more smaller parts, either by updating your wireguard config or by using TS_ADVERTISE_ROUTES.Example snippet from policies.json:
"autoApprovers": {
"routes": {
"192.168.10.0/24": ["tag:wgts-client"],
},
"exitNode": ["tag:wgts-exit"],
},
"hosts": {
"net-example": "192.168.10.0/24",
},
"acls": [
{
"action": "accept",
"src": ["group:wgts-users"],
"dst": ["net-example:*"],
},
]
When using tailscale.com, perform the following steps:
policies.json, add the route(s) to the autoApproverspolicies.json allows one or more hosts/users to connect to destinations in your published subnets. It is not possible to publish a bigger subnet (e.g. 8.8.0.0/16) to your tailnet and only allow traffic to a subset of the destinations (e.g. 8.8.8.0/22). You can solve this by publishing the subnet in one or more smaller parts, either by updating your wireguard config or by using TS_ADVERTISE_ROUTES.This machine has unapproved routes. remark.| Variable | Default value | Description |
|---|---|---|
TS_LOGIN_SERVER | https://controlplane.tailscale.com | Optional, tailscale login server (e.g. when using headscale) |
TS_AUTHKEY | | Mandatory, auth key |
TS_ADVERTISE_ROUTES | | Optional, forces advertising specific routes rather than using the routes from wireguard |
WGTS_TEST_HOST | google.com | Optional, host to verify that the wireguard connection is working (make sure this host is in an accepted wireguard route) |
WGTS_TEST_PORT | 443 | Optional, port for the above |
WGTS_ALLOW_SHARED_ADDRESS_ROUTING | False | Optional, when ¨True¨ allows routing incoming 100.64.0.0/10 traffic. E.g. if addresses are in use on your network or linking two tailscale networks together. |
WGTS_ALWAYS_UP | False | Optional, when ¨True¨ always enables tailscale and advertises the ¨TS_ADVERTISE_ROUTES¨ routes, even when wireguard does not work |
WGTS_AUTO_ROUTE | False | Optional, when ¨True¨ automatically excludes the wireguard and tailscale hosts from being routed over the Wireguard tunnel |
WGTS_CHECK_INTERVAL | 300 | Optional, how frequently to check status of wireguard tunnel (in sec) |
By default, Tailscale is operating in userspace mode rather than kernel mode. This default is used to allow for the greatest compatibility our of the box.
It is possible to switch to kernel routing mode by overriding TS_TAILSCALED_EXTRA_ARGS, an example is given in compose.override.yml:
# To use kernel routing mode, redeclare TS_TAILSCALED_EXTRA_ARGS without --tun=userspace-networking
- #- TS_TAILSCALED_EXTRA_ARGS=--no-logs-no-support
+ - TS_TAILSCALED_EXTRA_ARGS=--no-logs-no-support
This image includes several other tools.
This repository includes a submodule and will build the tailscale CLI and
tailscaled daemon from tailscale/tailscale.
License: BSD 3-Clause, copy here
During build, wireguard-tools-wg-quick will be installed. Wireguard licenses
can be found here.
A similar project exists: tailguard. See @juhovh's comment here for a brief comparison.
Content type
Image
Digest
sha256:60b7da7d6…
Size
11.7 MB
Last updated
6 days ago
docker pull rinkp/wireguard-tailscale:nightly