Gluetun as Tailscale exit node

[pdfrg]

Rationale: when away from home, be able to access all services on home server, plus all other machines on home network, while at the same time, without changing any settings, browse internet privately through VPN. Previously, having both mobile VPN client and Tailscale mobile client installed, switching between the two is inconvenient, and after a certain number of switches, breaks networking, requiring reboot.

Tailscale allows use of Mullvad servers as exit nodes, but the subscription must be purchased through Tailscale. When the feature was first offered, they were enabling Mullvad customers who already had paid in advance. Tailscale is awesome for being able to access home network from anywhere, without exposing the network to the internet, but with their default exit node feature all traffic outside the home network is not private.

So, I was looking for a way to use Mullvad via Gluetun as a Tailscale exit node. After some trial and error, I have it working. At least, when I load mullvad.net/en/check, with Tailscale enabled on my mobile device, I appear to be using Mullvad and it passes all the security checks.

Here is my setup...
gluetun docker compose (relevant parts only, indentation broken on paste)

  environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=$WIREGUARD_PRIVATE_KEY
      - WIREGUARD_ADDRESSES=<insert here>
      - TZ=$TZ
      - UPDATER_PERIOD=24h
      - SERVER_CITIES=<insert here>
      - OWNED_ONLY=yes
      - PUID=$PUID
      - PGID=$PGID
      - HEALTH_VPN_DURATION_INITIAL=120s
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - DNS_ADDRESS=192.168.1.87 # server LAN IP, use AdGuardHome instead of built-in DNS, with network_mode:host

tailscale docker compose (relevant parts only)

network_mode: "service:gluetun" # was "host", changed to use Mullvad as exit node
    environment:
      - TS_HOSTNAME=<will appear in Tailscale dashboard> # https://login.tailscale.com/admin/machines
      - TS_AUTHKEY=$TS_AUTHKEY
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-tags=tag:server
      - TS_ROUTES=192.168.1.0/24 # home LAN subnet
      - TS_EXTRA_ARGS=--accept-routes
      - TS_EXTRA_ARGS=--advertise-exit-node
    depends_on:
      gluetun:
        condition: service_healthy

tailscale dashboard settings -- machines (https://login.tailscale.com/admin/machines):
click on your server (hostname set as above)
subnet routes 192.168.1.0/24 (same as TS_ROUTES above) --> check box
use as exit node --> check box

tailscale dashboard -- dns (https://login.tailscale.com/admin/dns)
nameservers > global nameservers --> enter IP of your server
override local DNS --> (enable slider)
magicDNS --> disable

tailscale mobile client settings
open app > 3 dots in upper right > use exit node... > click on server hostname

AdGuardHome (or PiHole) settings (Docker container on same server as Gluetun and Tailscale)
filters > DNS rewrites --> domain: *.lan (any custom local suffix) answer: 192.168.1.87 (server LAN IP)
Not necessary but makes it easy to browse to jellyfin.lan or jf.lan rather than 192.168.1.87:8096, for example.

caddy-docker-proxy settings (https://github.com/lucaslorentz/caddy-docker-proxy)

e.g. jellyfin docker compose (partial)

labels:
      caddy: jellyfin.lan jf.lan
      caddy.reverse_proxy: "{{upstreams 8096}}" # unless network_mode: host, then use host_ip:port without quotes or brackets
      caddy.tls: internal

auto-generates this snippet in Caddyfile when jellyfin container starts. Can also manually write and mount into Caddy container.

jellyfin.lan jf.lan {
	reverse_proxy 172.18.0.3:8096
	tls internal
}

Install root certificate on devices that will access resources through Caddy, so that security warnings are not generated
get root certificate from caddy container > /data/caddy/pki/authorities/local/root.crt
google how to install to your OS and/or browsers

Honestly, I'm not sure how exactly everything works together here, so this may be a spaghetti mess that could be simplified or improved. But for me at least, it works. Happy to receive any feedback.

There is one open issue #1854, that links to a post I also found helpful https://lemmy.world/post/7281194. However, their setup doesn't allow for remote access of the entire home network, nor does it allow for custom DNS settings.

[SmatMan]

This is awesome. I'm going to try this out right now, hopefully this can get some more attention!

[biscuit-ops]

Your post helped get my setup working. Thank you!!!

I did a few things differently:

• Different vpn provider
• FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10 # Tailscale's ip range. The idea here is I only want vpn access via my tailnet, but not sure if it works out that way.
• TS_ROUTES=100.64.0.0/10 # to match above.
• No specified DNS_ADDRESS. I went with the default.

[Blacks-Army]

Hey,

could you please share your full compose.yaml? I don't seem to get it working :(

[forabi]

Has anyone managed to get this working with podman? Everything seems to work fine but I don't have access to the internet when using the tailscale container as exited node routed through gluetun

[LeoRX]

Yes. I have Gluetun working fine.. and then Tailscale makes changes and make Gluetun container unhealthy and keep restarting. once I changed tailscaled to run in userspace networking mode. both are healthy and happy.

command: tailscaled --tun=userspace-networking

[mattdale77]

I've just spent the last 2 days trying to work out how to do this and not have it leak DNS but I've accomplished it now. This might have saved me a bit of time

I don't have the --accept-routes enabled and it seems to work so far

[mickeyyde]

got it working with proton-vpn, thank you

[redge76]

same
used also: https://lemmy.world/post/7281194

[DcR-NL]

tailscale docker compose (relevant parts only)

network_mode: "service:gluetun" # was "host", changed to use Mullvad as exit node
    environment:
      - TS_HOSTNAME=<will appear in Tailscale dashboard> # https://login.tailscale.com/admin/machines
      - TS_AUTHKEY=$TS_AUTHKEY
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-tags=tag:server
      - TS_ROUTES=192.168.1.0/24 # home LAN subnet
      - TS_EXTRA_ARGS=--accept-routes
      - TS_EXTRA_ARGS=--advertise-exit-node
    depends_on:
      gluetun:
        condition: service_healthy

There's a wrong assumption in this example. Each environment variable can only be declared once. So your definition will translate to:

      TS_HOSTNAME: <will appear in Tailscale dashboard>
      TS_AUTHKEY: ""
      TS_STATE_DIR: /var/lib/tailscale
      TS_ROUTES=192.168.1.0/24
      TS_EXTRA_ARGS: --advertise-exit-node

You lose --advertise-tags and --accept-routes. Instead, it should look like:

- TS_EXTRA_ARGS=--advertise-tags=tag:server --advertise-exit-node --accept-routes

[crypticviper]

I couldn't get this stuff to work on Unraid 7 (following SpaceInvader's tutorial). Everything works fine as long as I don't enable Tailscale. As soon as I enable Tailscale on gluetun, VPN simply stops working (container still runs but vpn functionality just doesn't work) and all traffic gets routed via my home IP address. This happens even if I don't advertise it as an exit node.

I use Mulvad as VPN provider. Used both OVPN and Wireguard, same issue.

[mattdale77]

It definitely needs to be advertised as an exit node and your clients have to use it as an exit node.
How was your traffic routed through gluetun before?
What devices are you trying to use the tunnel with? Do you have a docker-compose or config?

[crypticviper]

@mattdale77 thanks for your reply. I understand that it needs to be advertised as exit node. Currently I am just testing the container network newly introduced in Unraid 7. So I have a Firefox docker container that is using gluetun container to route it's traffic.

As long as tailscale is not enabled, all requests from firefox go via VPN. As soon as I enable Tailscale it's traffic just goes via my network and not via VPN.

Below is the docker run that WORKS (No Tailscale enabled)

docker run
  -d
  --name='GluetunVPN'
  --net='bridge'
  --pids-limit 2048
  -e TZ="Europe/Berlin"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="unraid"
  -e HOST_CONTAINERNAME="GluetunVPN"
  -e 'TZ'='Europe/Berlin'
  -e 'VPN_SERVICE_PROVIDER'='mullvad'
  -e 'VPN_TYPE'='wireguard'
  -e 'VPN_INTERFACE'='tun0'
  -e 'WIREGUARD_IMPLEMENTATION'='auto'
  -e 'WIREGUARD_PRIVATE_KEY'='xxxx'
  -e 'WIREGUARD_PUBLIC_KEY'='yyyy'
  -e 'WIREGUARD_ADDRESSES'='xx.xx.xx.xx/32'
  -e 'SERVER_CITIES'='Servercity'
  -e 'FIREWALL'='on'
  -e 'FIREWALL_OUTBOUND_SUBNETS'='192.168.50.0/24'
  -e 'FIREWALL_DEBUG'='off'
  -e 'LOG_LEVEL'='info'
  -e 'DOT'='off'
  -e 'DNS_UPDATE_PERIOD'='24h'
  -e 'DNS_ADDRESS'='192.168.50.6' # My PiHole IP
  -e 'DNS_KEEP_NAMESERVER'='off'

Enabling Tailscale adds the below lines to the command. And now (after doing all tailscale realted configuration like auth + aprove exit node on first run), traffic goes via my home network and not via the VPN.

  -e TAILSCALE_HOSTNAME='vpn-test2'
  -e TAILSCALE_EXIT_NODE=true
  -e TAILSCALE_USE_SSH='false'
  -e TAILSCALE_USERSPACE_NETWORKING='true'
  -e TAILSCALE_SERVE_PORT='4110'
  -e TAILSCALE_STATE_DIR='/gluetun/.tailscale_state'

Below is what I have tried so far:

• Stopped using my DNS sever (PiHole) and enable DOT => No change in results
• Used Open VPN instead of wireguard => No change in results

[Robin-Sch]

For me, I kinda got it to work:

services:
    protonvpn:
        container_name: protonvpn
        image: qmcgaw/gluetun:v3
        restart: unless-stopped
        cap_add:
            - NET_ADMIN
        environment:
            - VPN_SERVICE_PROVIDER=protonvpn
            <PROTONVPN RELATED>
            - FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.0.0/24 # tailscale + LAN
            - DOT=off
            - DNS_ADDRESS= # ip of pihole (in same docker network)
        volumes:
            - gluetun:/gluetun
            
    tailscale-exit-node:
        container_name: tailscale-exit-node
        image: ghcr.io/tailscale/tailscale:latest
        restart: unless-stopped
        network_mode: service:protonvpn
        environment:
            - TS_STATE_DIR=/var/lib/tailscale
            - TS_USERSPACE=true # needed for network_mode
            - TS_ACCEPT_DNS=false
            - TS_EXTRA_ARGS=--login-server https://myheadscale.com --advertise-exit-node
        volumes:
            - ./tailscale:/var/lib/tailscale
        depends_on:
            - protonvpn

On my phone it is working fine (although connection via relay, not direct). However, on my pc it does not work.

Running docker exec -it tailscale-exit-node tailscale status, I see that my phone is active (and connected via a relay), but my pc has a "-".

The other way around, when running tailscale status on my pc, I see exit node as "idle; offers exit node".

So... I have two questions, 1. can you connect directly to the exit node, or are you using a relay? And 2, do you have any idea what the problem is? Maybe it has to due with protonvpn?... but idk.

I edited my post after I managed to get it to work (12th April, includes the comment from Write below), so the compose file above should be working!

If you are not using headscale, make sure to remove the --login-server https://myheadscale.com

If you are not using pihole/a self-hosted DNS server, make sure to remove DOT=off and DNS_ADDRESS from protonvpn, and TS_ACCEPT_DNS from tailscale

[Robin-Sch]

The issue was me using a custom tailscale subnet. I switched to the default one and now all devices are able to use the exit node!
However, they all (still) connect via a relay and are not able to connect directly (via port 41642).

[Write]

Thanks your post helped me a lot.

It seems that for me exit is "direct" and not relay, maybe make sure your local network is also added to FIREWALL_OUTBOUND_SUBNET ?

Mine look like that :
FIREWALL_OUTBOUND_SUBNETS=10.0.0.0/23,192.168.2.0/24,192.168.1.0/24,100.64.0.0/10

ALso my gluetun doesn't need to be privileged, I just have

    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /dev/net/tun:/dev/net/tun

I also didn't added 41642/41641 ports

I'm not using myheadscale, but I don't think it's related.

[Robin-Sch]

Glad it helped you out. Turned out I already removed privileged in the past, so I'll edit my post to exclude that. And you are right, after adding my local subnet it indeed establishes a direct connection, even without exposing the port!

FYI: headscale is basically a self-hosted version of the tailscale.com, so yeah that's not related for sure :)

[deivi98]

Hi there, could you please share your compose? I have been able to get it working but not to get direct UDP connection.

Issue goes away as soon as I either disconnect tailscale container from gluetun. This is my setup:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
      - SYS_RESOURCE
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun
    # ports:
    #   - 41642:41642/udp # tried this but it's not neccessary
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<SECRET>
      - WIREGUARD_MTU=1280
      - PORT_FORWARD_ONLY=on
      - VPN_PORT_FORWARDING=on
      - SERVER_COUNTRIES=Spain,Germany
      - TZ=Europe/Madrid
      - UPDATER_PERIOD=24h
      - FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.1.0/24,172.17.0.1/32,<MY_HEADSCALE_IP>/32

  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
      - SYS_RESOURCE
    volumes:
      - ./tailscale/var/lib:/var/lib
      - ./tailscale/state:/state
      - /dev/net/tun:/dev/net/tun
    # network_mode: "service:gluetun" <-- THIS BREAKS DIRECT CONNECTION
    # network_mode: "host" # direct connection works, but can't use gluetun
    # network_mode: "bridge" # direct connection works most of the times (as double NAT), but can't use gluetun
    restart: unless-stopped
    environment:
      - PORT=41462
      - TS_HOSTNAME=wayout
      # - TS_AUTHKEY=
      - TS_EXTRA_ARGS=--login-server=https://<MY_HEADSCALE_IP>:443 --advertise-exit-node
      - TS_NO_LOGS_NO_SUPPORT=true
      - TS_STATE_DIR=/state
      - TS_USERSPACE=true
      # - TS_ACCEPT_ROUTES=true
    depends_on:
      gluetun:
        condition: service_healthy

[deivi98]

From my understanding, direct connection (if not UDP open in purpose) is achieved through NAT holepunching. These are different scenarios:

network_mode: "host"
HOST A ---> ROUTER A NAT (hole) ---> ROUTER B NAT (hole) ---> HOST B

network_mode: "bridge"
HOST A --> ROUTER A NAT (hole) --> ROUTER B NAT (1st hole) --> DOCKER NAT (2nd hole) --> HOST B

network_mode: "service:gluetun"
same as bridge, but VPN might interfere with UDP holepunching.

Afaik in order to open a hole in NAT both peers have to simultaneously send UDP packets to the others' public IP and ports, which they get out of STUN/DERP server initially.

However, in gluetun case, although HOST A should be able to reach out to HOST B, packets sent by HOST B might be catched by VPN and sent through VPN as public ip HOST A is using is not in the firewall and there is not a way to dynamically set it there.

I am surprised it works for you and would like to understand why

[dblueone]

Exacly what i was looking. Thank you.

[spectromas]

I'm trying to get this working but I'm getting very slow down speeds although up seems reasonable. Did anyone else experience this and manage to solve it?

[pdfrg]

Since posting, I have now removed the custom DNS line from my gluetun configuration. Now using the VPNs default DNS. The custom one was slow and causing failed healthchecks. Since I have other containers that depend on gluetun being healthy, they were continually having problems. I lost the ability to connect to those containers via tailscale using the container names, but if you remember the IP and port or bookmark them, it still works. Not sure this will fix your speed issue, but it helped mine.

[spectromas]

Interesting, I'm just going through your config and instructions again (I've tried so many iterations).

Which IP do you mean in the DNS part for the tailscale console, my 192.xxxx address?

I must be missing something somewhere. I'm thinking about abandoning TS and trying netbird but I don't if that's realistically going to make any difference.

gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080
      - 6881:6881/tcp
      - 6881:6881/udp
      - 9696:9696/tcp
      - 7878:7878
      - 8989:8989
      - 11011:11011
    environment:
      - FIREWALL_INPUT_PORTS=6881,9696
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_COUNTRIES=${SERVER_COUNTRIES}
      - UPDATER_PERIOD=24h
    restart: unless-stopped

  tailscale-exit:
    image: tailscale/tailscale:latest
    container_name: tailscale-exit
    cap_add:
      - NET_ADMIN
      - NET_RAW
    depends_on:
      gluetun:
        condition: service_healthy
    network_mode: service:gluetun
    environment:
      - TS_HOSTNAME=mediaserver-exit
      - TS_AUTHKEY=${TS_AUTHKEY_EXIT}
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-dns=false
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=true
      - TS_ROUTES=192.168.0.0/24 # home LAN subnet
    volumes:
      - /srv/config/tailscale-exit:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped

[Robin-Sch]

Take a look at the compose file I posted before, does that work?

[spectromas]

Take a look at the compose file I posted before, does that work?

ok, just taken a closer look at your config and it's behaving the same unfortunately. Did you do anything for DNS in the admin console?

Edit: I think I've solved this finally. The thing that made a difference was setting WIREGUARD_MTU=1450 in gluetun. I saw some discussion online about slow down and fast up speeds being symptomatic of MTU mismatches and sure enough this solved it. My working config is this:

gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8080:8080 # ...etc
    environment:
      - FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.0.0/24 # tailscale + LAN
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_COUNTRIES=${MULLVAD_SERVER_COUNTRIES}
      - WIREGUARD_MTU=1450
      - UPDATER_PERIOD=24h
    restart: unless-stopped

  tailscale-exit:
    image: tailscale/tailscale:latest
    container_name: tailscale-exit
    network_mode: service:gluetun
    environment:
      - TS_HOSTNAME=mediaserver-exit
      - TS_AUTHKEY=${TS_AUTHKEY_EXIT}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--advertise-exit-node --accept-routes
      - TS_ROUTES=192.168.0.0/24 # home LAN subnet
    volumes:
      - /srv/config/tailscale-exit:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    restart: unless-stopped
    depends_on:
      gluetun:
        condition: service_healthy

Edit again:

I kept having problems with this but then it would stop working, especially after updating or restarting. I did find a solution which is fully working now. I think there was conflct with some of the options in the two services. This is the better version :

services:
    gluetun_exit_node:
        image: qmcgaw/gluetun
        container_name: gluetun_exit_node
        cap_add:
          - NET_ADMIN
        devices:
          - /dev/net/tun:/dev/net/tun
        environment:
          - FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.0.0/24 # tailscale + LAN
          - VPN_SERVICE_PROVIDER=mullvad
          - VPN_TYPE=wireguard
          - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
          - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
          - SERVER_COUNTRIES=${MULLVAD_SERVER_COUNTRIES}
          - WIREGUARD_MTU=1450
          - UPDATER_PERIOD=24h
          - BLOCK_MALICIOUS=true
          - BLOCK_SURVEILLANCE=true
          - BLOCK_ADS=true
        restart: unless-stopped
    
    tailscale-exit:
        image: tailscale/tailscale:latest
        container_name: tailscale-exit
        network_mode: service:gluetun_exit_node
        environment:
          - TS_HOSTNAME=mediaserver-exit
          - TS_AUTHKEY=${TS_AUTHKEY_EXIT}
          - TS_STATE_DIR=/var/lib/tailscale
          - TS_EXTRA_ARGS=--advertise-exit-node --accept-routes
          - TS_ROUTES=192.168.0.0/24
          - TS_USERSPACE=true
          - TS_LOG_LEVEL=info
        volumes:
          - /srv/config/tailscale-exit:/var/lib/tailscale
        user: "1000:1000"
        depends_on:
          - gluetun_exit_node
        restart: unless-stopped

[Robin-Sch]

Yeah I run my own pihole server, if you don't have that you can remove those env variables related to dns (as you did)

[mattdale77]

I've got this working pretty well from the local network but externally the tailscale traffic to the exit node goes through the VPN tunnel so using it as an exit node off site is diabolically slow. Using tailscale ping, the external hosts use DERP to obtain the IP address which appears to be the VPN endpoint. Has anyone found a way to get it to the exit node without going through the vpn backwards?

[Robin-Sch]

- FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.0.0/24 # tailscale + LAN

Only works for your LAN tho

[mattdale77]

- FIREWALL_OUTBOUND_SUBNETS=100.64.0.0/10,192.168.0.0/24 # tailscale + LAN

Only works for your LAN tho

And this is the last problem I'm trying to defeat. I improved matters temporariliy by turning on the DERP server in headscale and stopping it using all the tailscale ones. tailscale netcheck now reports it as being on the LAN gateway IP. When I went to bed last night it was going through the DERP but then to the LAN gateway and was considerably faster. This morning it has however rediscovered the VPN route which is a direct connection and preferred. I'm wondering if there's something that can be done with iptables rules done to get a direct connection through the gluetun firewall

[TiagoBohnenberger]

Just adding my one cent of contribution here for those who are facing indirect connections via DERP server: the one solution that currently worked for me was using IPv6 stack on docker. It also requires using a IPv6-compatible VPN provider. In my case, a tested Mullvad and it's working fine.

[mattdale77]

Is your direct connection through your local network or back down the VPN tunnel? tailscale netcheck in the tailscale container should tell you what outside IP it sees. For me, without some fiddling, this was the VPN endpoint and not my local network. It didn't have too much trouble getting a direct connection but it was not the desired route.

I'm currently working on the routing and firewall of gluetun to get a direct connection through the network gateway and not the VPN tunnel. I've got it relaying through the network which many factors faster than direct down the VPN.

[TiagoBohnenberger]

It's through my local network. But when I connect my phone on 5G, it is establishes a direct connection too.

It's not the best cenario yet, but I achieved a good network speed (greather on my pc than my phone).

[mattdale77]

Do you have any hints on how to switch to ip6? I've never really used it before.

…

On Wed, 8 Oct 2025, at 7:35 PM, Tiago Bohnenberger wrote: It's through my local network. But when I connect my phone on 5G, it is establishes a direct connection too. It's not the best cenario yet, but I achieved a good network speed (greather on my pc than *DuckDuckGo* removed one tracker. More <https://duckduckgo.com/-j6BBWLr7n55BUJZJN8qT2eiT6Zjhndw55mrv_R5e0zx0nXgSVb3vIfTL45rcJMzKW0bokh0iXhqlKU8VLGHDXkrGJXU5BDVITkB3qtUuEJBLTGlC324OaTTmwGJVaEfg3rESIDtcXsFntARttoItZEV9zPhj0Tx-SACrKKXkWczBv_YgVEnT10KajLt-qdV-xJctM1wXVZoMlWeCEOspJvIRP8Ozpg-7CevaBcHXyAusAikF-8jZLXLXUZu7LOA911pKL9Y4vjkfRiKLw_1fx9t0bLbiHoTA7o6wQrismUKdIBQ7H3cy3EBwzw-GzPinSBkPLRvYPr3F8vzcWmmFgH-J-xTOcFdcm5i-xAxaZUC> Report Spam <https://duckduckgo.com/-j6BBWLr7n55BUJZJN8qT2eiT6Zjhndw55mrv_R5e0zx0nXgSVb3vIfTL45rcJMzKW0bokh0iXhqlKU8VLGHDXkrGJXU5BDVITkB3qtUuEJBLTGlC324OaTTmwGJVaEfg3rESIDtcXsFntARttoItZEV9zPhj0Tx-SACrKKXkWczBv_YgVEnT10KajLt-qdV-xJctM1wXVZoMlWeCEOspJvIRP8Ozpg-7CevaBcHXyAusAikF-8jZLXLXUZu7LOA911pKL9Y4vjkfRiKLw_1fx9t0bLbiHoTA7o6wQrismUKdIBQ7H3cy3EBwzw-GzPinSBkPLRvYPr3F8vzcWmmFgH-J-xTOcFdcm5i-xAxaZUC> It's through my local network. But when I connect my phone on 5G, it is establishes a direct connection too. It's not the best cenario yet, but I achieved a good network speed (greather on my pc than my phone). — Reply to this email directly, view it on GitHub <#2201 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABNPJ5Z3J46IIRTT5MZ57ET3WVKPZAVCNFSM6AAAAABFUSCSQWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINRSHE3DCMQ>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[TiagoBohnenberger]

First you'll need a VPN provider that supports IPv6. Without it, it's not going to work. Second you must enable IPv6 on docker. There's two options:

1. User default docker's bridge network or...
2. Create a custom docker network with IPv6 enabled on it.

On docker oficial documentation you can have some more details.

Then you can proceed with specifics configurations on your VPN provider (Gluetun's specific provider documentation it's your buddy here).

[mattdale77]

First you'll need a VPN provider that supports IPv6. Without it, it's not going to work. Second you must enable IPv6 on docker. There's two options:

1. User default docker's bridge network or...

2. Create a custom docker network with IPv6 enabled on it.

On docker oficial documentation you can have some more details.

Then you can proceed with specifics configurations on your VPN provider (Gluetun's specific provider documentation it's your buddy here).

I've got ipv6 enabled and also use Mullvad but still having no luck with a direct connection from nodes on other networks

The only option I can see now is to have a shadowsocks relay into gluetun. I've spent days on trying loads of things and this has been way harder than I could have imagined

Actually I just thought, do you use either a macvlan or ipvlan?

[mattdale77]

So I finally got this working reliably with direct connections to Tailscale, albeit in a slightly different way. I will try and document what I did but the absolute key was setting TS_USERSPACE to false on the Tailscale container which brings the Tailscale routing into the same space as the container it is sharing.

My model is slightly different to that discussed in that I turned on the Shadowsocks server in Gluetun. Then I had Tailscale share it's network stack with a Shadowsocks client container with tun2socks and some rules to direct all outbound traffic over the tunnel. I exclude only my head scale server but I'm not 100% sure that's necessary.

I need to go back and try this within the Gluetun network stack with TS_USERSPACE=false and see if that helps me there.

[cadr10]

So I finally got this working reliably with direct connections to Tailscale, albeit in a slightly different way. I will try and document what I did but the absolute key was setting TS_USERSPACE to false on the Tailscale container which brings the Tailscale routing into the same space as the container it is sharing.

My model is slightly different to that discussed in that I turned on the Shadowsocks server in Gluetun. Then I had Tailscale share it's network stack with a Shadowsocks client container with tun2socks and some rules to direct all outbound traffic over the tunnel. I exclude only my head scale server but I'm not 100% sure that's necessary.

I need to go back and try this within the Gluetun network stack with TS_USERSPACE=false and see if that helps me there.

Wanting to hear more from it. I've been following this thread since I've came across gluetun, and I managed to achieve vpn+local access with openvpn setup. It's slow but I can browse my music collection anywhere, which is enough for now.
I've seen some on Netbird. Shouldn't setting up two exit nodes on Netbird, one for routing 0.0.0.0 (connected to gluetun) and other for routing local network (192.168.0.0 or whatever) on the same machine work? I don't know how much into Tailscale dependant or how the two compare (and I didn't think much about it, as for example, setting it up with pihole), but I think this should be ´one´ solution.

[TiagoBohnenberger]

Actually I just thought, do you use either a macvlan or ipvlan?

There's no need to use macvlan or ipvlan drivers. You can just use bridge driver.

[mattdale77]

Can you provide a sample docker-compose as I tried for days. It definitely can't work with macvlan or ipvlan due to the container isolation, that much I discovered

…

On Tue, 21 Oct 2025, at 4:53 PM, Tiago Bohnenberger wrote: Actually I just thought, do you use either a macvlan or ipvlan? There's no need to use macvlan or ipvlan drivers. You can just use bridge driver. —Reply to this email directly, view it on GitHub, or u *DuckDuckGo* removed one tracker. More <https://duckduckgo.com/-hGyvyiXmf6u7VQd9sTh6kcEsdlr5lS1O-Qibhzs0V2AFs-z9wU9EIA88kwPO-ZVl0LhZh0QcKH0gW4ABxmnYkJjwkEjtjbXvzozWANtBiQNNCsjKs1MxkV5vhuScAT0pTVXI1BBV0cAIPuFNanECD5lgN_RoAXmEWu-MEloitu_tsDwTWJF-x64nNpRpRqeGg6kwLRTwDlnqdy6hm3vzbjKdfnLboZ29F9h2ROXkhNbfaUR4ru9PFvBdMmqt4RH1yFsBn4wp3LGg4idwY4qOiXMGOtNTVyo9BPZIMwPndP0EntIblV8JtZMF5JvhIdJ8PJsAKehkloeTpjx2YdPKaUlBfGorfgfAjtGiH4cay1pd4lUhDbEn3URH9j_CM-cN-6oru4uwLxGURgWRRobK91-l14lJ7h92GSy94Lmua3nyMYwnlpeHvoy1ZdltQb2ImVyfrQcwGvkYnCKneozpaPUlNWPR0PdFMEDweuzcw_ftLkKS4NN_JAP8TxqmcFu-VuAo5REIa1wE> Report Spam <https://duckduckgo.com/-hGyvyiXmf6u7VQd9sTh6kcEsdlr5lS1O-Qibhzs0V2AFs-z9wU9EIA88kwPO-ZVl0LhZh0QcKH0gW4ABxmnYkJjwkEjtjbXvzozWANtBiQNNCsjKs1MxkV5vhuScAT0pTVXI1BBV0cAIPuFNanECD5lgN_RoAXmEWu-MEloitu_tsDwTWJF-x64nNpRpRqeGg6kwLRTwDlnqdy6hm3vzbjKdfnLboZ29F9h2ROXkhNbfaUR4ru9PFvBdMmqt4RH1yFsBn4wp3LGg4idwY4qOiXMGOtNTVyo9BPZIMwPndP0EntIblV8JtZMF5JvhIdJ8PJsAKehkloeTpjx2YdPKaUlBfGorfgfAjtGiH4cay1pd4lUhDbEn3URH9j_CM-cN-6oru4uwLxGURgWRRobK91-l14lJ7h92GSy94Lmua3nyMYwnlpeHvoy1ZdltQb2ImVyfrQcwGvkYnCKneozpaPUlNWPR0PdFMEDweuzcw_ftLkKS4NN_JAP8TxqmcFu-VuAo5REIa1wE> > Actually I just thought, do you use either a macvlan or ipvlan? > There's no need to use macvlan or ipvlan drivers. You can just use bridge driver. — Reply to this email directly, view it on GitHub <#2201 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABNPJ553YNNJ36KJFOWDF5L3YZJIDAVCNFSM6AAAAABFUSCSQWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINZUGIYDQOA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[TiagoBohnenberger]

Sure! Here is my example docker-compose:

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.all.disable_ipv6=0
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ${PWD}/gluetun-vpn:/gluetun
      - /lib/modules:/lib/modules:ro  
    environment:
      - WIREGUARD_ADDRESSES=${}
      - VPN_SERVICE_PROVIDER=${}
      - VPN_TYPE=${}
      - WIREGUARD_PRIVATE_KEY=${}
      - TZ=${}
      - SERVER_COUNTRIES=${}
      - SERVER_CITIES=${}
      - SERVER_HOSTNAMES=${}
      - WIREGUARD_IMPLEMENTATION=kernelspace
      - FIREWALL_OUTBOUND_SUBNETS=192.168.XXX.0/24,172.22.0.0/16,100.64.0.0/10,fd5e:8a3c:9b2a:1::/64
      - WIREGUARD_MTU=1450
      - UPDATER_PERIOD=24h
      - DOT=off
    restart: always
    networks:
      - vpn

  tailscale:
    image: tailscale/tailscale:stable
    container_name: ts-vpn
    environment:
      - TS_AUTHKEY=
      - 'TS_EXTRA_ARGS=--advertise-exit-node --accept-routes --reset'
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_ROUTES=192.168.XXX.0/24,172.22.0.0/16,fd5e:8a3c:9b2a:1::/64
    volumes:
      - ${PWD}/tailscale-vpn:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: always
    network_mode: 'service:gluetun'
    depends_on:
      gluetun:
        condition: service_healthy
        restart: true

networks:
  vpn:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 172.22.0.0/16
          gateway: 172.22.0.1      
        - subnet: fd5e:8a3c:9b2a:1::/64
          gateway: fd5e:8a3c:9b2a:1::1

[beningodfrey4]

Finally got it working at the cost of a bit of my sanity. Also since it involves a bunch of iptables mods, proceed with caution. I DO NOT know what I’m doing.

Basically, it runs the gluetun and tailscale containers in the same bridge network, and forwards non-STUN traffic to gluetun. Works by changing tailscale’s default gateway to gluetun’s IP and enabling forwarding on gluetun.

1. Kernelspace wireguard for both gluetun and tailscale containers
2. Works with IPv4 everywhere
3. Tailscale Admin panel shows only local public IP (not VPN IP), direct routing and geographically closest DERP server
4. Tailscale and Gluetun have their own network namespaces on a shared bridge network
5. On local network, no noticeable drop in speeds. On remote networks, speeds are acceptable and latencies are as expected.

compose.yaml

services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun:latest
    environment:
      VPN_SERVICE_PROVIDER: ""
      SERVER_COUNTRIES: ""
      VPN_TYPE: "wireguard"
      WIREGUARD_PRIVATE_KEY: ""
      WIREGUARD_PRESHARED_KEY: ""
      WIREGUARD_ADDRESSES: ""
      WIREGUARD_IMPLEMENTATION: "kernelspace"
      WIREGUARD_MTU: "1320"
      DOT: "off"
      DNS_KEEP_NAMESERVER: "on"
      TZ: "${TIMEZONE:?err}"
    networks:
      vpn:
        ipv4_address: 172.31.0.2
    volumes:
      - ${CONFIG_HOME:?err}/gluetun:/gluetun
    configs:
      - source: gluetun-rules
        target: /iptables/post-rules.txt
        mode: 0755
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1

  tailscale:
    container_name: tailscale
    image: tailscale/tailscale:latest
    environment:
      TS_AUTHKEY: ""
      TS_HOSTNAME: ""
      TS_STATE_DIR: "/var/lib/tailscale"
      TS_EXTRA_ARGS: "--advertise-tags=tag:<TAG> --advertise-exit-node"
      TS_USERSPACE: "false"
    networks:
      vpn:
        ipv4_address: 172.31.0.3
    volumes:
      - ${CONFIG_HOME:?err}/tailscale:/var/lib/tailscale
    depends_on:
      gluetun:
        condition: service_healthy
        restart: true
    entrypoint: /tailscale_wrapper.sh
    configs:
      - source: tailscale-wrapper
        target: /tailscale_wrapper.sh
        mode: 0755
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1

configs:
  gluetun-rules:
    content: |
      iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -I FORWARD 2 -i eth0 -o tun0 -j ACCEPT
      iptables -I FORWARD 3 -i tun0 -o eth0 -j ACCEPT
      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

  tailscale-wrapper:
    content: |
      #!/bin/sh

      set -e

      cleanup() {
        echo "[wrapper]: Received shutdown signal, stopping daemon..."
        kill -TERM $BOOT_PID 2>/dev/null || true
        wait $BOOT_PID 2>/dev/null || true
        exit 0
      }

      trap cleanup EXIT TERM INT QUIT

      echo "[wrapper]: Starting containerboot"
      /usr/local/bin/containerboot 2>&1 &
      BOOT_PID=$!

      echo "[wrapper]: waiting for tailscale"
      until tailscale status >/dev/null 2>&1; do sleep 1; done

      echo "[wrapper]: waiting for routing on tailscale0"
      # if you don't have any node running 24/7, just a `sleep 10` would do
      until ping -c 1 -W 2 "<KNOWN_TAILNET_IP" >/dev/null 2>&1; do sleep 1; done

      ip route add default via 172.31.0.1 dev eth0 table 100
      ip route add 172.31.0.0/16 dev eth0 proto kernel scope link src 172.31.0.3 table 100
      ip rule add from all fwmark 0x80000/0xff0000 lookup 100 pref 4200
      ip route replace default via 172.31.0.2 dev eth0
      iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE
      echo "[wrapper]: applied forwarding rules"

      echo "[wrapper]: running tailscale netcheck, on the house"
      tailscale netcheck

      wait $BOOT_PID

networks:
  vpn:
    name: _vpn # this leading underscore keeps the interface as `eth0` in the container netns
    ipam:
      config:
        - subnet: 172.31.0.0/16
          gateway: 172.31.0.1

Starts and stops reliably with no issues, and periodic netchecks pass. Am daily-driving it for now, let’s see.

[mattdale77]

Finally got it working at the cost of a bit of my sanity. Also since it involves a bunch of iptables mods, proceed with caution. I DO NOT know what I’m doing.

Basically, it runs the gluetun and tailscale containers in the same bridge network, and forwards non-STUN traffic to gluetun. Works by changing tailscale’s default gateway to gluetun’s IP and enabling forwarding on gluetun.

1. Kernelspace wireguard for both gluetun and tailscale containers

2. Works with IPv4 everywhere

3. Tailscale Admin panel shows only local public IP (not VPN IP), direct routing and geographically closest DERP server

4. Tailscale and Gluetun have their own network namespaces on a shared bridge network

5. On local network, no noticeable drop in speeds. On remote networks, speeds are acceptable and latencies are as expected.

compose.yaml

services:
  gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun:latest
    environment:
      VPN_SERVICE_PROVIDER: ""
      SERVER_COUNTRIES: ""
      VPN_TYPE: "wireguard"
      WIREGUARD_PRIVATE_KEY: ""
      WIREGUARD_PRESHARED_KEY: ""
      WIREGUARD_ADDRESSES: ""
      WIREGUARD_IMPLEMENTATION: "kernelspace"
      WIREGUARD_MTU: "1320"
      DOT: "off"
      DNS_KEEP_NAMESERVER: "on"
      TZ: "${TIMEZONE:?err}"
    networks:
      vpn:
        ipv4_address: 172.31.0.2
    volumes:
      - ${CONFIG_HOME:?err}/gluetun:/gluetun
    configs:
      - source: gluetun-rules
        target: /iptables/post-rules.txt
        mode: 0755
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1

  tailscale:
    container_name: tailscale
    image: tailscale/tailscale:latest
    environment:
      TS_AUTHKEY: ""
      TS_HOSTNAME: ""
      TS_STATE_DIR: "/var/lib/tailscale"
      TS_EXTRA_ARGS: "--advertise-tags=tag:<TAG> --advertise-exit-node"
      TS_USERSPACE: "false"
    networks:
      vpn:
        ipv4_address: 172.31.0.3
    volumes:
      - ${CONFIG_HOME:?err}/tailscale:/var/lib/tailscale
    depends_on:
      gluetun:
        condition: service_healthy
        restart: true
    entrypoint: /tailscale_wrapper.sh
    configs:
      - source: tailscale-wrapper
        target: /tailscale_wrapper.sh
        mode: 0755
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.src_valid_mark: 1

configs:
  gluetun-rules:
    content: |
      iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -I FORWARD 2 -i eth0 -o tun0 -j ACCEPT
      iptables -I FORWARD 3 -i tun0 -o eth0 -j ACCEPT
      iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

  tailscale-wrapper:
    content: |
      #!/bin/sh

      set -e

      cleanup() {
        echo "[wrapper]: Received shutdown signal, stopping daemon..."
        kill -TERM $BOOT_PID 2>/dev/null || true
        wait $BOOT_PID 2>/dev/null || true
        exit 0
      }

      trap cleanup EXIT TERM INT QUIT

      echo "[wrapper]: Starting containerboot"
      /usr/local/bin/containerboot 2>&1 &
      BOOT_PID=$!

      echo "[wrapper]: waiting for tailscale"
      until tailscale status >/dev/null 2>&1; do sleep 1; done

      echo "[wrapper]: waiting for routing on tailscale0"
      # if you don't have any node running 24/7, just a `sleep 10` would do
      until ping -c 1 -W 2 "<KNOWN_TAILNET_IP" >/dev/null 2>&1; do sleep 1; done

      ip route add default via 172.31.0.1 dev eth0 table 100
      ip route add 172.31.0.0/16 dev eth0 proto kernel scope link src 172.31.0.3 table 100
      ip rule add from all fwmark 0x80000/0xff0000 lookup 100 pref 4200
      ip route replace default via 172.31.0.2 dev eth0
      iptables -t nat -I POSTROUTING 1 -o eth0 -j MASQUERADE
      echo "[wrapper]: applied forwarding rules"

      echo "[wrapper]: running tailscale netcheck, on the house"
      tailscale netcheck

      wait $BOOT_PID

networks:
  vpn:
    name: _vpn # this leading underscore keeps the interface as `eth0` in the container netns
    ipam:
      config:
        - subnet: 172.31.0.0/16
          gateway: 172.31.0.1

Starts and stops reliably with no issues, and periodic netchecks pass. Am daily-driving it for now, let’s see.

I gave this a shot after having limited or no success via other methods. I got it working so thank you very much. I tried to extend it to also allow ipv6 however this was not possible for me as my kernel does not have ipv6 nat enabled so either it would use my ISP or if I configured the VPN supplied IPv6 then it would take the wrong route which I've been trying to avoid. I will continue to test but for now this looks like the best solution.

And also thanks for the extra docker-compose tips on config, I've not seen these before

[TiagoBohnenberger]

I tried this setup but unfortunately gluetun spins up unhealthy. But, when a remove it from the declared _vpn network, it starts working fine again. I truly don't know whats going on and would appreciate some help on this.

[beningodfrey4]

I tried this setup but unfortunately gluetun spins up unhealthy. But, when a remove it from the declared _vpn network, it starts working fine again. I truly down know whats going on and would appreciate some help on this.

Is the network created correctly in the first place (docker network inspect _vpn)? And is the tailscale container able to connect to it?

If so, the only thing I can think of is some other gluetun network that has a conflicting IP range.

Otherwise it could be that the IP range was not able to be created. I was assuming docker that generally allocates 17.1.0.0/16 to 17.31.0.0/16. You could try moving it but you have to change it in the scripts as well.

[sudononymouse]

I tried this setup but unfortunately gluetun spins up unhealthy. But, when a remove it from the declared _vpn network, it starts working fine again. I truly don't know whats going on and would appreciate some help on this.

Same issue, this compose is EXACTLY what I've been trying (and failing miserably) to build! So close

[sudononymouse]

Fixed it. Not sure which fix did it yet, but here's what I did:

1. Follow this: https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/wireguard.md
   CAP_ADD:

• SYS_MODULE
  volumes:
• /lib/modules:/lib/modules:ro

2. Comment out, docker compose up, docker compose down, then un-comment, docker compose up, per this comment: ERROR [vpn] kernel does not support Wireguard #1963 (comment)

WIREGUARD_IMPLEMENTATION: "kernelspace"

[Mrs-Feathers]

i set netbird exit node up using this guide and tweaking it a bit for netbird instead of wireguard. i know netbird isnt made for this, but its neat because i can VPN into my self-hosted servers and stuff then right click and change to gluetun exit node and boom its like a normal VPN all-in-one for me without any other vpn software running. the cool part is that i can still access my servers just perfectly fine while having all of my outbound traffic still shoved through the vpn via the exit node. really great stuff. cheers!

[TiagoBohnenberger]

Só if I understand, instead of Tailscale, you used Netbird for on a container with gluetun's network mode, right?

Did you get direct connections to the Netbird exit node? And how about the Internet speeds, did you get good speeds?

[gav1nall3n]

@Mrs-Feathers Please share more. I'm trying to configure gluetun exit node using netbird sidecar. Both the containers seem to be able to route out over mullvad but I can't get my netbird clients to work over the exit node. Thanks!