2026-02-25 11:03:08 +03:00


# Curl Command
```bash
curl -fsSL https://git.innovator.bh/ghassan/tailscale-lxc-installation/raw/branch/main/install.sh | bash
```
# Tailscale in Proxmox LXC
This document describes how to run **Tailscale** inside a Proxmox LXC container, including enabling `/dev/net/tun` and optionally using the container as a subnet router. [tailscale](https://tailscale.com/docs/features/containers/lxc/lxc-unprivileged)
## Prerequisites
- Proxmox VE 7 or newer. [github](https://github.com/mossc001/Tailscale-LXC/blob/main/Guide)
- An LXC container (Debian/Ubuntu or similar; examples assume Debian/Ubuntu). [nihalatwal](https://nihalatwal.com/projects/tailscale-subnet-router-proxmox/)
- Access to the Proxmox host shell and the container shell. [github](https://github.com/mossc001/Tailscale-LXC/blob/main/Guide)
***
## 1. Create the LXC container
Create an LXC container from a standard Debian/Ubuntu template (e.g. `debian-12-standard` or `ubuntu-22.04-standard`). Keep resources minimal unless you plan to route a lot of traffic. [nihalatwal](https://nihalatwal.com/projects/tailscale-subnet-router-proxmox/)
Example (GUI):
- Download Debian/Ubuntu CT template from Proxmox templates.
- Click **Create CT**, choose the template, set hostname (e.g. `tailscale-lxc`), disk ~8-16 GB, RAM 512-2048 MB, and assign a static IP if desired. [github](https://github.com/mossc001/Tailscale-LXC/blob/main/Guide)
Start the container when finished.
***
## 2. Enable `/dev/net/tun` for the container
On the Proxmox **host**, edit the container config:
```bash
nano /etc/pve/lxc/<CTID>.conf
```
Append the following lines (for Proxmox 7+ with cgroup2): [github](https://github.com/tailscale/tailscale/issues/825)
```ini
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
```
For older Proxmox with cgroup v1, the key name differs: [github](https://github.com/mossc001/Tailscale-LXC/blob/main/Guide)
```ini
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
```
Restart the container to apply the changes:
```bash
pct stop <CTID>
pct start <CTID>
```
Inside the container, verify TUN exists:
```bash
ls -l /dev/net/tun
# Expect: character device with major 10, minor 200
```
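The two config edits above are easy to apply twice (a second `>>` leaves duplicate lines in the CT config) and easy to get wrong on the cgroup v1/v2 key name. The POSIX shell helper below is an added example, not part of this guide or the linked sources: it picks the key by checking whether the host exposes `/sys/fs/cgroup/cgroup.controllers` (a cgroup2 marker; that detection is this example's assumption), appends only the lines that are missing from `/etc/pve/lxc/<CTID>.conf`, and checks a `ls -l /dev/net/tun` line for the expected major/minor numbers. The `CTID` and `APPLY` environment variables and the function names are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original guide): idempotently add the TUN
# passthrough lines to a Proxmox LXC config and verify the device from
# inside the container. Function names and env vars are this example's.

# Print the two config lines for a given cgroup version (1 or 2).
tun_config_lines() {
    ver="$1"
    if [ "$ver" = "2" ]; then
        echo "lxc.cgroup2.devices.allow: c 10:200 rwm"
    else
        echo "lxc.cgroup.devices.allow: c 10:200 rwm"
    fi
    echo "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file"
}

# Assumption: cgroup2 exposes /sys/fs/cgroup/cgroup.controllers, v1 does not.
host_cgroup_version() {
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then echo 2; else echo 1; fi
}

# Append only the lines that are not already present (exact, whole-line match).
# $1 = path to /etc/pve/lxc/<CTID>.conf, $2 = cgroup version (1 or 2).
add_tun_lines() {
    conf="$1"; ver="$2"
    tun_config_lines "$ver" | while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$conf" 2>/dev/null; then
            printf '%s\n' "$line" >> "$conf"
        fi
    done
}

# Check one line of `ls -l /dev/net/tun` output: it must be a character
# device ("c" type) with major 10 and minor 200. Returns 0 when correct.
# Example line: "crw-rw-rw- 1 root root 10, 200 Jan  1 00:00 /dev/net/tun"
tun_line_ok() {
    line="$1"
    case "$line" in
        c*) ;;
        *) return 1 ;;
    esac
    set -- $line           # fields: perms links owner group major, minor ...
    [ "$5" = "10," ] && [ "$6" = "200" ]
}

# Run inside the container after the restart.
verify_tun_in_container() {
    tun_line_ok "$(ls -l /dev/net/tun 2>/dev/null)"
}

# Usage on the Proxmox host (APPLY=1 is required to touch the config):
#   CTID=105 APPLY=1 sh tun-passthrough.sh
if [ "${APPLY:-0}" = "1" ] && [ -n "${CTID:-}" ]; then
    add_tun_lines "/etc/pve/lxc/${CTID}.conf" "$(host_cgroup_version)"
    pct stop "$CTID" && pct start "$CTID"
fi
```

Without `APPLY=1` the script only defines the functions, so it can be sourced inside the container to run `verify_tun_in_container` as the post-restart check from this step.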
***
## 3. Install Tailscale inside the LXC
Inside the container:
```bash
apt update && apt upgrade -y
apt install -y curl
```
Install Tailscale using the official Linux installer: [tailscale](https://tailscale.com/docs/install/linux)
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
Enable and start the service:
```bash
systemctl enable --now tailscaled
```
You can check status with:
```bash
systemctl status tailscaled
```
***
## 4. Bring the node onto your tailnet
On the container:
```bash
tailscale up
```
Follow the URL printed in the terminal to authenticate the node in your Tailscale admin console. [tailscale](https://tailscale.com/docs/install/linux)
After that, verify it has a Tailscale IP:
```bash
tailscale ip
tailscale status
```
You should see an IP in the `100.x.y.z` range and the node listed as connected. [tailscale](https://tailscale.com/docs/install/linux)
***
## 5. Enable IP forwarding (for subnet router use)
If you want this LXC to act as a **subnet router** for your LAN, enable IP forwarding inside the container: [imoize.github](https://imoize.github.io/getstart/docs/proxmox/lxc/tailscale-subnet-router)
```bash
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
```
Alternatively, use a dedicated sysctl drop-in such as `/etc/sysctl.d/99-tailscale.conf` with similar content. [imoize.github](https://imoize.github.io/getstart/docs/proxmox/lxc/tailscale-subnet-router)
***
## 6. Configure Tailscale as a subnet router (optional)
Decide which LAN subnets behind the LXC you want to advertise, e.g. `192.168.1.0/24`. [imoize.github](https://imoize.github.io/getstart/docs/proxmox/lxc/tailscale-subnet-router)
Run:
```bash
sudo tailscale up --advertise-routes=192.168.1.0/24
```
If you are using a local DNS (Pi-hole etc.) and do **not** want Tailscale to override DNS, you can add: [github](https://github.com/mossc001/Tailscale-LXC/blob/main/Guide)
```bash
sudo tailscale up \
--advertise-routes=192.168.1.0/24 \
--accept-dns=false
```
Then, in the Tailscale admin console:
1. Go to **Machines**.
2. Find this LXC node.
3. Click the three-dot menu → **Edit route settings**.
4. Approve the advertised subnet routes. [imoize.github](https://imoize.github.io/getstart/docs/proxmox/lxc/tailscale-subnet-router)
After approval, devices on your tailnet can reach the advertised subnet via this container. [nihalatwal](https://nihalatwal.com/projects/tailscale-subnet-router-proxmox/)
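Steps 5 and 6 together turn the container into a router, so it is worth validating what gets advertised before the command reaches `tailscale up`. The POSIX shell script below is an added example for both steps and is not part of this guide: it writes the forwarding settings to a sysctl drop-in (the guide suggests `/etc/sysctl.d/99-tailscale.conf`), rejects malformed IPv4 CIDRs such as a missing prefix length or an octet above 255, builds the `tailscale up` line with the optional `--accept-dns=false`, and offers a live check of `net.ipv4.ip_forward` that also covers the "no Tailscale traffic" item in the troubleshooting section. The `ROUTES`, `DNS_MODE` and `APPLY` variables and all function names are this example's own choices; IPv6 routes are not handled.

```bash
#!/bin/sh
# Added example (not from the original guide): prepare an LXC as a
# Tailscale subnet router. Function names and env vars are this example's.

# Write persistent forwarding settings. $1 = target file, e.g.
# /etc/sysctl.d/99-tailscale.conf (overwrites, so it stays idempotent).
write_forwarding_dropin() {
    target="$1"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > "$target"
}

# Accept only dotted-quad IPv4 CIDRs with a prefix length of 0-32.
# Rejects e.g. "192.168.1.0" (no prefix), "300.1.1.0/24", "10.0.0.0/33".
valid_ipv4_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    addr="${cidr%/*}"; plen="${cidr#*/}"
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the `tailscale up` command. $1 = comma-separated routes,
# $2 = "keep-dns" to add --accept-dns=false (local Pi-hole etc.).
# Fails (exit 1, nothing printed) if any route is invalid.
build_up_command() {
    routes="$1"; dns_mode="${2:-}"
    old_ifs="$IFS"; IFS=,
    set -- $routes
    IFS="$old_ifs"
    for r in "$@"; do
        valid_ipv4_cidr "$r" || { echo "invalid route: $r" >&2; return 1; }
    done
    cmd="tailscale up --advertise-routes=$routes"
    [ "$dns_mode" = "keep-dns" ] && cmd="$cmd --accept-dns=false"
    echo "$cmd"
}

# Live check inside the container: routed traffic needs forwarding on.
forwarding_enabled() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ]
}

# Usage inside the container as root (APPLY=1 is required to change anything):
#   ROUTES=192.168.1.0/24 DNS_MODE=keep-dns APPLY=1 sh subnet-router.sh
if [ "${APPLY:-0}" = "1" ] && [ -n "${ROUTES:-}" ]; then
    write_forwarding_dropin /etc/sysctl.d/99-tailscale.conf
    sysctl --system >/dev/null
    forwarding_enabled || { echo "ip_forward is still 0" >&2; exit 1; }
    cmd=$(build_up_command "$ROUTES" "${DNS_MODE:-}") || exit 1
    sh -c "$cmd"   # routes were validated above, so this string is safe to run
fi
```

The routes are still only advertised after this; approval in the admin console (the numbered steps above) is what actually makes them reachable.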
***
## 7. Userspace networking mode (no TUN, optional)
If you cannot or do not want to expose `/dev/net/tun`, you can run Tailscale in **userspace networking** mode inside the LXC: [tailscale](https://tailscale.com/docs/containers-and-virtualization)
```bash
# --tun is a tailscaled flag, not a `tailscale up` flag. With the systemd
# unit from step 3, set it through FLAGS in /etc/default/tailscaled:
sed -i 's/^FLAGS=.*/FLAGS="--tun=userspace-networking"/' /etc/default/tailscaled
systemctl restart tailscaled
tailscale up
```
This avoids needing a TUN device but may have limitations and different performance characteristics compared to kernel TUN mode. [tailscale](https://tailscale.com/docs/features/containers/lxc/lxc-unprivileged)
***
## 8. Troubleshooting
- **`failed to connect to local tailscaled`**
  - Ensure `tailscaled` is running: `systemctl status tailscaled`.
  - Confirm `/dev/net/tun` exists and the Proxmox config lines were added correctly. [github](https://github.com/tailscale/tailscale/issues/825)
- **Container starts but no Tailscale traffic**
  - Check IP forwarding and firewall rules inside the LXC.
  - For subnet router scenarios, verify routes are approved in the Tailscale admin console. [nihalatwal](https://nihalatwal.com/projects/tailscale-subnet-router-proxmox/)
- **Unprivileged LXC specifics**
  - The `/dev/net/tun` configuration in the Proxmox LXC config is enough for kernel TUN even in unprivileged LXCs starting with Proxmox 7, as shown in the official LXC + Tailscale guidance. [youtube](https://www.youtube.com/watch?v=JC63OGSzTQI)
***
## References
- Tailscale LXC / unprivileged guide. [tailscale](https://tailscale.com/docs/features/containers/lxc/lxc-unprivileged)
- Example Proxmox LXC + Tailscale setup. [nihalatwal](https://nihalatwal.com/projects/tailscale-subnet-router-proxmox/)
- Containers and virtualization notes for Tailscale. [tailscale](https://tailscale.com/docs/containers-and-virtualization)