A short guide on how to run a Tailscale subnet router as a container on VyOS using container networking. Using host networking would be easier and would avoid having to specify routes manually, but I prefer running it separately from the host so I can write more explicit firewall rules and get better isolation.
For this example the container network named services is 192.168.0.0/24 and 2001:DB8::/64. The local subnets are 192.168.1.0/24 and 2001:DB8:1::0/64. The remote subnets are 192.168.100.0/24 and 192.168.101.0/24.
First, set up the container:
set container name tailscale image docker.io/tailscale/tailscale:v1.70.
set container name tailscale restart on-failure
set container name tailscale memory 512
set container name tailscale shared-memory 128
set container name tailscale network services address 192.168.0.2
set container name tailscale network services address 2001:DB8:0::2/64
set container name tailscale environment TS_STATE_DIR value '/var/lib/tailscale'
set container name tailscale environment TS_AUTH_ONCE value 'True'
set container name tailscale environment TS_USERSPACE value 'False'
set container name tailscale environment TS_ACCEPT_DNS value 'False'
set container name tailscale environment TS_AUTHKEY value 'tskey-auth-xxxxxxx'
set container name tailscale environment TS_ROUTES value '192.168.1.0/24,2001:DB8:1::0/64'
set container name tailscale environment TS_EXTRA_ARGS value '--advertise-exit-node --accept-routes --snat-subnet-routes=false --stateful-filtering=false'
set container name tailscale capability net-admin
set container name tailscale capability net-raw
set container name tailscale capability sys-module
set container name tailscale capability sys-admin
set container name tailscale volume tailscale_lib source '/config/container/tailscale/lib/'
set container name tailscale volume tailscale_lib destination '/var/lib/tailscale'
set container name tailscale device devtun source '/dev/net/tun'
set container name tailscale device devtun destination '/dev/net/tun'
If you’re using IPv6 as in this example, you also need to enable IPv6 forwarding inside the container:
set container name tailscale sysctl parameter net.ipv6.conf.all.forwarding value '1'
(This works with the rolling releases, but sysctl configuration is not yet supported in 1.4.0 LTS; there you’d need to edit the systemd unit manually and append the corresponding podman parameter.)
Next we need to add static routes for the external networks, i.e. the Tailscale address range and the remote subnets, with the container's address as next hop:
set protocols static route 100.64.0.0/10 next-hop 192.168.0.2
set protocols static route 192.168.100.0/24 next-hop 192.168.0.2
set protocols static route 192.168.101.0/24 next-hop 192.168.0.2
With that (plus firewall rules where needed), traffic can be routed through Tailscale in both directions, and the container can serve as an exit node as well.
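As an added example that is not part of the original guide, the following VyOS 1.4-style forward filter puts the explicit policy on the host, which matters here because --stateful-filtering=false leaves that filtering to VyOS rather than tailscaled. It assumes the podman bridge for the services network is named pod-services, the LAN is on eth1, and 192.168.1.10 is a constructed example host; adjust these to your device.

```vyos
# Added example, not from the original guide. Assumes VyOS 1.4 firewall syntax,
# a podman bridge named pod-services for the container network, and LAN on eth1.

# Remote subnets from the guide, kept in one group so rules stay short
set firewall group network-group REMOTE-NETS network '192.168.100.0/24'
set firewall group network-group REMOTE-NETS network '192.168.101.0/24'

# Chain for traffic arriving from the tailscale container; drop and log by default
set firewall ipv4 name TS-FWD default-action 'drop'
set firewall ipv4 name TS-FWD default-log

# Return traffic for sessions opened from the LAN side
set firewall ipv4 name TS-FWD rule 10 action 'accept'
set firewall ipv4 name TS-FWD rule 10 state 'established'
set firewall ipv4 name TS-FWD rule 10 state 'related'

# Tailnet nodes (CGNAT range) may reach SSH and HTTPS on one LAN host
# (192.168.1.10 is a constructed example address)
set firewall ipv4 name TS-FWD rule 20 action 'accept'
set firewall ipv4 name TS-FWD rule 20 source address '100.64.0.0/10'
set firewall ipv4 name TS-FWD rule 20 destination address '192.168.1.10'
set firewall ipv4 name TS-FWD rule 20 protocol 'tcp'
set firewall ipv4 name TS-FWD rule 20 destination port '22,443'

# Remote subnets may ping the local subnet, nothing else
set firewall ipv4 name TS-FWD rule 30 action 'accept'
set firewall ipv4 name TS-FWD rule 30 source group network-group 'REMOTE-NETS'
set firewall ipv4 name TS-FWD rule 30 destination address '192.168.1.0/24'
set firewall ipv4 name TS-FWD rule 30 protocol 'icmp'

# Apply the chain only to forwarded traffic from the container bridge to the LAN
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 inbound-interface name 'pod-services'
set firewall ipv4 forward filter rule 10 outbound-interface name 'eth1'
set firewall ipv4 forward filter rule 10 jump-target 'TS-FWD'
```

Exit-node traffic from the container towards the WAN interface is not matched by this rule and needs its own forward rule if you also restrict that path.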