Skip to main content

Tailscale within LXCs

Enable Userspace Networking Mode

Userspace Networking

Userspace networking mode allows running Tailscale where you don’t have access to create a VPN tunnel device. This often happens in container environments.

Tailscale works on Linux systems using a device driver called /dev/net/tun, which allows us to instantiate the VPN tunnel as though it were any other network interface like Ethernet or Wi-Fi. This lets any Linux application — from a web browser to the ping CLI command — send its traffic through the Tailscale interface.

However, not all Linux systems support /dev/net/tun. For example, some container-based app platforms such as Heroku or Google Cloud Run do not. For those environments, userspace networking mode offers a different way of running, where tailscaled functions as a SOCKS5 or HTTP proxy which other processes in the container can connect through.

See tailscale.com for more details and the commands used below.

Starting Tailscale on Reboot

Our issue now after following these steps is that Tailscale doesn't reinitiate on reboot as the auth-key needs to be entered manually (or at least it does to the best of my knowledge)

To solve this I created a small cron routine that executes a script with the commands upon reboot.

  • Create a file for the script
    • cd /home
    • nano ts-connect.sh
    • Add the following content to the file
#!/usr/bin/bash

/usr/sbin/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055 &
/usr/bin/tailscale up --authkey=[your_auth_key]

Make sure to change [your_auth_key] to an auth key you generate at login.tailscale.com

  • Make sure the file is executable

    • chmod +x /home/ts-connect.sh

  • Add a cronjob to the cron scheduler

    • crontab -e
    • Add the follwing content at the end of the file
@reboot sleep 15 & home/ts-connect.sh > home/cron.log 2>&1

This will ensure the script is ran 15 seconds after boot and that a log is kept in the same directory.

Depending on your environment, crontab -e may open in yum or vim by default.
You will need to change your default text editor to your preference if required by adding two lines to your .bashrc file:
export EDITOR='nano'
export VISUAL='nano'
You can exit yum/vi/vim with ctrl + c then enter :q! enter

Back to top