Thanks for the great video! Is it possible to use a wildcard DNS record for the Tailscale IP in Cloudflare, or do I need to add the subdomains one at a time?
Yes, you can. Just use an A record with * and that will make any subdomain that doesn't have its own specific DNS record go to that IP. So it's good as you can mix and match.
Something that caught my eye was the 90 day expiration on the Tailscale keys. Does that mean what it seems like, that I will have to refresh those keys every 90 days or else lose access to my services? Wonder if there's a way to extend the time, or remove the limit altogether.
Unfortunately the DOCKERMOD is only built into linuxserver.io containers and they don't have an Nginx Proxy Manager container. But there is no reason why you can't run NPM for your public sites and SWAG with Tailscale for the private sites. If using SWAG solely for private sites you don't need to forward any ports to it at all.
Hello and thank you for this wonderful video! One question: If I connect two Unraid servers (A and B) with Tailscale, and add all the subnet advert stuff, can I use server A as a gateway to server B for a device C which does not run Tailscale but is in the same LAN as A? I did all this with Wireguard and it worked very well, would like to do the same with Tailscale, but I don't know what I am doing wrong. Thanks for the help :)
I have tried to add Vaultwarden to Tailscale like we did with other apps and SWAG. It does not seem to show up in Tailscale at all. Also, when I put in the host name for Vaultwarden after making the adjustments in the SWAG conf file for my Unraid server IP, all it does is bring up my Unraid server login window. So two issues that are being a big pain. Ideas?
Frankly, I have one or two services I would like to make fully public, a blog actually, and I want to obfuscate my local public IP through a VPN and I just haven't bothered to do this yet. If I were to use Tailscale for this purpose, I would need to have the reverse proxy in a VPS, right? I also want the data to be encrypted too, which is why I would use a VPN and not JUST the VPS reverse proxy.
I think the easiest solution for your needs for your blog is to use a Cloudflare tunnel. Your IP will not be visible at all. And all traffic is https so by its nature encrypted (no need for a VPN). It's very easy and fast to set up. Please check out my video here th-cam.com/video/h5fAcE70xbQ/w-d-xo.html
What would be the best approach to use this for SSH access to a Gitea docker?
Thanks for another awesome video. I've done something wrong, any idea why I'd be getting this error: "getLocalBackend error: store.New: creating state directory: mkdir /var/lib/tailscale: not a directory"
Just in case there are other idiots like me, make sure when you set up the docker mods that the mod path /var/lib/tailscale is actually set up as a path, not a variable. 🤦♂
I spent 2 hours trying to get this working, every time I reboot Swag the Tailscale key expires. This is even after I added the ACL tag and disabled the key expiration.
Did you also add the Path variable (Container Path: /var/lib/tailscale) and map it to a persistent storage location that will survive reboot/updates (ex: /mnt/user/appdata/swag/tailscale)?
Is it possible to efficiently run/maintain two swag instances? One normal for public accessible sites and a second through Tailscale for private sites?
Hi. You don't need 2 instances. You can use one SWAG to do both normal and private traffic. For normal sites set the DNS as you would normally to point to your WAN IP address (then so long as your router forwards port 443 to SWAG it will work fine). For private sites have the DNS point to the SWAG Tailscale IP. It will then work for both types of site, public and private. I do the same with my server. Thanks for watching :)
@@SpaceinvaderOne thanks for the reply! If I wanted to use a Cloudflare tunnel to point to SWAG instead of opening my firewall for the public sites, does that change your suggested implementation?
@@WillCodeForBeer It shouldn't, as the Cloudflare tunnel uses a domain to point to a service running on your box, hence why no port forwarding is needed.
The guides have been great. And part 2 is no different. But it highlights the wall I've hit: I'm using Nginx Proxy Manager and not SWAG. :( Tailscale is pretty easy to set up on real machines (and Unraid itself via the plugin) as there's really no installation for a server, just sign in to your account and install a bunch of clients. The only idea I can come up with at this point is to run NPM in a VM instead of docker, so I can then install Tailscale within that same VM - there's a Proxmox LXC guide out there which would hopefully provide all the info, as the LXC is just running Alpine anyway.
I can't for the life of me work out how to get my Windows/samba shares working over tailscale. Is it possible and I'm just a numpty? Would love to see a video on it
Cloudflare does have limits on what you can stream through their tunnels, i.e. video. Also Cloudflare tunnels are accessible by anyone with the domain name. So using Tailscale it is much more secure as only people who you choose to access the service can. To everyone else it's invisible.
I wonder how tailscale is secure since the website kinda establishes the connection between all these computers or services. Can anyone explain that to me ?
After following all the instructions everything had been working for a couple months, but now SWAG is unable to renew the certificates. It looks like SWAG is unable to resolve the DNS? Is anyone else having this issue, and if so how did you resolve it?
As a follow up I found that in the tailscale ui I needed to go to the DNS tab, then under Global Nameserver I added in the Google Public DNS and selected Override local DNS. I then was able to go to Swag's console and run "certbot renew"
One of the things I’d like to be added to Unraid is…in the APP section i’d like to be able to see 2-4 little screenshots that I can click on that shows me what each app looks like before I install it… right now I need to install each app just to see what it looks like. I think it would be pretty sweet. If I could click on the app and then be able to click on a little screenshot. What do you all think? 🥃
Plenty of videos on it on TH-cam; even a complete idiot like me figured it out. But if you are using it commercially and you can't afford to lose the data, pay a professional.
@sprocket5526 I tried watching all the videos. I'm pissed that I went to ZFS file format. It was so much easier in the XFS without these stupid datasets. I've watched every spaceinvaderone video on it and can not figure it out
This is a very difficult way of having a DNS name for a docker container. Tailscale already gives you one via magic DNS, sure it's not your own domain name. Alternatively, use controlD's integration with Tailscale and set custom DNS records in there.
Damn, wish I would have seen this before I set up my Plex server using all by binhex. Yeah I could redo all my dockers but that is a bit of work that I'm not doing. lol
Aaah, you make SWAG a "machine" on the tailnet and then anyone who has access to your tailnet has access to everything behind SWAG? So that's how you can share containers over the tailnet that are not made by Linuxserver?
@@saneparadox8181 Hi mate, could you elaborate on this please? I can access my plex via the domain (on the web), but not via the plex app on the phone? Any ideas why?
@@saneparadox8181 Hi mate, can you elaborate on this please? I’ve set it up and can access my plex via the web interface (via the domain) from all tailscale devices including my phone, however the plex app on the phone can’t see the plex server, any ideas why?
TimeStamps:
0:00: Intro, what did we do in Part 1 and what are we going to cover in Part 2?
2:45: Integrating Tailscale into Emby, featuring installing Emby
11:13: Adding Tailscale to a reverse proxy, featuring installing SWAG and setting up a custom docker network
12:45: Domain and Cloudflare
16:48: Cloudflare settings, API token for certificate verification
19:00: Integrating SWAG with Tailscale
19:50: Setting up DNS on Cloudflare that points to SWAG on Tailscale
20:50: Adding containers to SWAG
26:50: Adding Bitwarden/Vaultwarden to SWAG and Tailscale
29:36: Ending, what will be in Part 3?
Thank you very much
@@SpaceinvaderOne 😁
@@SpaceinvaderOne could you copy these into the description so they generate chapter markers in the video?
maybe do the same for part 1?
@@fizzyfrys done
@@SpaceinvaderOne thanks for doing it, but I believe the formatting is wrong on both videos so it didn't work. There can't be a colon after the timestamp. It has to be a timestamp, then a space, then the chapter name. You got the starting at 0:00 part though which is good.
You are THE REASON that I will always choose Unraid over other NAS offerings. Because of content like this.
This is how these kinds of videos should be done. I've used this guide to set up multiple services as a subdomain without issue.
Hard to explain how much I appreciate your tutorials.
A rookie mistake, but remember not to include spaces after your Docker variable names (like I did after pasting from the video description). I spent a good 5-10 minutes wondering why Swag wasn't showing up in Tailscale, before it clicked. Thanks again for another excellent tutorial.
Great point
Part 2 posted only days later? Absolute legend 🙏 well earned Patreon subscription! Thanks again
I've seen a big increase on bot traffic and failed logins on my hosted Unraid containers. Following along I was able to implement this quickly and was a huge relief.
Thank you so much for both the super thanks and for watching :)
Greeting from Brazil! Another great video! Waiting for part 3 cgnat
Thank you for watching! Greetings to you in beautiful Brazil! I’m glad you’re enjoying the series, and I can’t wait to share Part 3 with you soon!
Leaving this here for other weary travellers, some issues I had along the way and how I resolved them:
1. Tailscale auth key is single use and expires in 90 days
You can resolve this by creating tags in your Access Control file in the Tailscale UI. Then when you create an auth key check the box that lets you tag the device that connects with the auth key. Doing this will automatically disable key expiry so you don't have to update the key every time you restart the Swag container.
2. My browser still shows the Swag default screen after changing the *.conf file
For me this turned out to be a caching issue. So either check your cache settings for Cloudflare or try deleting the cache for your browser.
Would love a side-video on what methods one would use if they wanna set up a reverse proxy using Tailscale/solutions like SWAG but for docker containers *not* using linuxserver. For example: I'd love to have access to AudioBookShelf on my unraid server while out and about on my phone, but there is no linuxserver distribution of it on Unraid as it's such a small open source project. So the docker mod method isn't an option.
I thought I saw an AudioBookShelf.subdomain.conf option in the LinuxServer SWAG docker > "user/appdata/swag/nginx/proxy-confs" folder. After you integrate the Tailscale plugin into the SWAG docker (per the vid) - from there you can follow the same instructions provided in the vid for Vaultwarden. I'm using this method to gain remote access to a few non-LinuxServer dockers.
Thank you very much! I find both videos extremely useful and helpful. I have implemented this with all my docker containers and swag and it works perfectly. Three instances of paperless-ngx, for example, without 2FA are now also secure. Very understandable videos, I can follow along very well. THANK YOU! (Translated with deepl :))
You know what would be even more cool: Tailscale on the UniFi Dream Machine
It's possible and I'm considering it too but it requires SSH'ing in and running a script. I've not done it yet because the unit I'd be doing this on is 800 miles away and I'm afraid I'd screw it up and be unable to fix it 😲
Thanks! Was waiting for this
I hope you find it useful :)
@@SpaceinvaderOne I have it all setup now as in the video, thanks a lot!
I'm very new to this world of IT and I'm getting jumbled up in all of it. You're providing a path of least resistance and I thank you for that. One question I have is: is this reverse proxy with SWAG and Cloudflare separate from putting a reverse proxy at the entry point of internet access? I'm planning to do VLAN setups with a Cloudflare proxy server filtering traffic coming into my home and I'm worried about integration conflicts between blindly following different videos online. Thanks again for your videos, very detailed and easy to follow.
Great videos man! Is there any chance you're planning to do a tailscale and nextcloud set up? I have nextcloud set up with cloudflare but would prefer to use tailscale.
I found that it is nginx that does not resolve within docker well even if container can. Instead of changing upstream_app to IP, try and add another line that says "resolver 127.0.0.11;". This will tell nginx to talk to docker's internal DNS (127.0.0.11) to resolve the name.
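The fix described in the comment above, written out as a full SWAG-style proxy config so the placement of the `resolver` line is clear. This is an added example, not a file from the video or from the SWAG project: the `vaultwarden` upstream name, port 80 and the `vaultwarden.*` server name are assumptions for illustration, and the `include` paths follow SWAG's usual layout under `/config/nginx`. The point is that nginx resolves the upstream container name itself through Docker's embedded DNS (127.0.0.11) instead of relying on the generated `resolver.conf`, which a later comment notes can be written incorrectly if SWAG starts before the custom network exists.

```nginx
# Added example: /config/nginx/proxy-confs/vaultwarden.subdomain.conf (assumed name)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Matches vaultwarden.<your-domain>; the Cloudflare A record for this
    # name should point at the SWAG container's Tailscale IP.
    server_name vaultwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;

        # Ask Docker's embedded DNS (always 127.0.0.11 inside a container)
        # to resolve container names on the shared custom network.
        # valid=30s re-resolves periodically so a recreated container with
        # a new address is picked up without restarting SWAG.
        resolver 127.0.0.11 valid=30s;

        # Container name and internal port on the custom docker network
        # (assumed values); no host IP or "external" port is needed.
        set $upstream_app vaultwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Using variables in `proxy_pass` is what makes nginx consult the `resolver` at request time rather than only once at startup; if the `set` lines were replaced with a literal `proxy_pass http://vaultwarden:80;`, nginx would refuse to start whenever the name could not be resolved at boot.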
Outstanding, thanks for this!
Glad you enjoyed it!
Great video, was able to get emby and vaultwarden working, but was not able to get home assistant working. Is there something different that needs to be done for that?
Great video, however I've hit a slight crux. I've noticed that when I am stopping my swag container, and then starting it back up after a period of downtime, it tries to provision itself as a new node using the same key as given before, which is single use of course, and then if you make the key reusable, it gives itself a brand new IPv4 address every time, which will require you to update Cloudflare every time. Not sure if this is a bug?
Anyone come up with a solution for this? I'm seeing the same even after adding a tag to the auth key.
For anyone still struggling with this. Ensure you have both a path for /var/lib/tailscale declared as well as the TAILSCALE_STATE_DIR correctly pointing to /var/lib/tailscale. An additional check point is to look into the directory in appdata /mnt/user/appdata/swag/tailscale. I went in via commandline. You'll see a json file and .state file in there when configured correctly.
Hey guys, I hope you guys can help. I followed the instructions in adding the variables and path to the swag container, but I get an error in the log `2024/10/01 21:42:04 health(warnable=wantrunning-false): error: Tailscale is stopped.`
I have Tailscale installed as a plugin, chatgpt was a wall and... yeah....
I may have missed something simple, but every time my swag container has to re-start I get this error: "2024/08/17 12:26:53 Received error: invalid key: API key "old key here" not valid" and I have to delete and re-create which is not great. Did I miss a step to make it sustain across swag re-starts?
Nice series on Tailscale!
But as mentioned here a few times, the swag container restart, needing a new Tailscale API key & Cloudflare DNS IP address update, is a seriously awkward condition to have to understand and follow.
Absolutely great video! Is there any way to explain how to set up SWAG for multiple subdomains? :)
Is there a way to add Tailscale directly to Immich? It seems that since the Unraid Immich container is not by linuxserver, there are some issues integrating the Docker Mod. Was anyone else able to get this working so that immich also goes through tailscale through to a VPS?
You had me at "Master" 👁️
Thanks for your service! When is part 3 coming?
Hello, thanks for great tutorial. I've made it :)
I have another question - is there any way to make DNS in LAN network? I want my player to be visible in LAN network same as when I use tailscale. Is it possible? Maybe you already made video about it? Thanks so much in advance :)
I got Emby to work, but can't get Vaultwarden to come up. Also confused because for Emby you had to put it on the proxy net but for Vaultwarden you didn't?
For Jellyfin I have set up all the variables properly and can confirm that Tailscale is installed in my Jellyfin container and visible in my tailnet. I can reach my Jellyfin when connected to the tailnet using the IP and port number as described in your video no problem. However if I browse directly to the IP without the port number it just brings me into my Unraid UI (without requiring login), unlike how you browse to it and can't reach anything.
Figured out my issue. Was using host as the network rather than bridge on the container. NVM!! lol
Excellent thanks! One question, how do we add more than one container in SWAG, is it comma-separated in the variables TAILSCALE_HOSTNAME, TAILSCALE_AUTHKEY? We should have like 2 different entries in Tailscale so we can share for example Emby and Bitwarden separately. Is it done by installing multiple SWAG instances?
No you don't need multiple swags. Just add the domain DNS records into Cloudflare again pointing to your SWAG Tailscale IP. Then in the SWAG appdata /mnt/user/appdata/swag/nginx/proxy-configs look for the .sample file for that container. Rename it to remove the .sample (so now it will be a .config) and edit the file accordingly if needed (as in the video). That way you can have as many containers/subdomains as you like. All Tailscale is doing is connecting to the reverse proxy rather than you forwarding ports in your router/firewall.
@@SpaceinvaderOne Thanks! I did that already but there is only one entry in Tailscale pointing to the SWAG container, so if you have many containers in SWAG then when you share them in Tailscale you share them all. I was thinking to separate them in Tailscale. I guess to do that you will need a different SWAG instance so Tailscale will create a different machine (second machine).
Top man, thanks a lot! I’ve set it up and can access my plex via the web interface (via the domain) from all tailscale devices including my phone, however the plex app on the phone can’t see the plex server, any ideas why? Cheers
Moved from Swag to Traefik not far back, damn. Looks like Traefik has some good tailscale documentation, though (I know your focus on Swag is because it has a linuxserver container). Seems quite simple with Traefik > make a tailscale entrypoint, apply traefik tailscale labels to docker containers.
How can I set up the SWAG reverse proxy to be able to access my apps via the fully qualified domain name from my local network without Tailscale?
Instead of having Cloudflare, I wonder if we could just use Pi-hole / Adguard Home as local DNS server under the unraid Tailscale subnet route, then point the custom domain to the Nginx docker, then Nginx to the Emby or other services (not using swag but linuxserver’s docker-nginx to avoid 3rd party dns setting), cert wise we could use the unraid one? (I guess we can use Tailscale cert command to get one for unraid server…)
Could this also be implemented using a Cloudflare tunnel? If so, what would be different?
I'm using a reverse proxy (NPM) which works just fine outside of my network, but can't access domain names internally from my network. (having mikrotik devices).
Tried out Hairpin (loopback) NAT, but no joy.
Wondering whether setting tailscale for my NPM container would resolve this.
Have you ever come across a similar challenge? Maybe worth covering this in your next episode. :)
have you tried a cloudflare tunnel?
I THINK I am following the directions with Jellyfin, but the Tailscale IP address is still requiring me to include the port ID (i.e. adding 8096 after using the Tailscale IP address). I tested with Emby as well and cannot figure out what mistake I am making.
@@SpaceinvaderOne Thank you very much. I realized my error was further downwind as I missed a step setting up the swag tailscale.
have you got this working ??? i have used linux jellyfin container but cannot get container to install docker mod
@@waynethompson8795 I did get it working; if you are using swag, you do not need the docker mod, you use the virtual network in unraid instead. However, at some point I did test with the docker mod and believe it worked for me.
Great work as usual! I'm getting an error in docker logs, "tailscaled does not take non-flag arguments: ["/var/lib/tailscale"] " any idea?
When trying to deploy swag.
Ok error is not present anymore after few attempts.
I was getting this too... and for anyone else having this problem my solution was to reorder the added paths/variables in the swag container so that the TAILSCALE_STATE_DIR variable comes AFTER the path rather than before as in the video.
Is there any advantage in using Tailscale over passing your domain through cloudflare to swag with authelia in front of it? (Hope that makes sense…)
I followed this guide, thank you very much, this is what I needed and wanted to be able to do. One question: every time I restarted Swag it would say my API Key is expired and I would have to go and make a new one and then update the DNS. I set it to reusable and then put it to not expire and for now this seems to work. Am I missing something or is that the way it is supposed to be? Thanks
Make a tag called "tag:containers" or something in your tailscale Access Control file -- you'll need to read their docs for the exact syntax -- and then add the tag to the generated auth key and it will disable key expirations.
@@tannerdavisr Thank you
I'm confused why in swag you had to use the server IP and "external" server-level port rather than the name of the container and its "internal" port. I thought the entire point of having swag and the container on the same docker network was that you could reference the container by name. All of my swag conf files just reference the container name and port and it works perfectly.
It has to do with the swag-container being started first off the custom network, then it creates a wrong nginx resolve-file. Easily solved by deleting the file so it recreates.
Would love a video on Tunarr with Plex
Do the same thing as in the video but include the port variable to open 32400.
Hi ed
Can you use this with nextcloud the same way ?
Thanks for the great video! Is it possible to use a wildcard DNS record for the Tailscale IP in Cloudflare, or do I need to add the subdomains one at a time?
Yes you can. Just use an A record with * and that will make any subdomain that doesn't have its own specific DNS record go to that IP. So it's good as you can mix and match.
Something that caught my eye was the 90 day expiration on the Tailscale keys. Does that mean what it seems like, that I will have to refresh those keys every 90 days or else lose access to my services? Wonder if there's a way to extend the time, or remove the limit altogether.
Yea you can remove the limit. Right in the 3 dot menu of the machines screen on Tailscale.
You can also disable the key expiry by tagging the device. You'll have to make a tag in your Tailnet Access Control config file
Great Video! Thx! Does this also work with Nginx Proxy Manager?
Unfortunately the DOCKERMOD is only built into linuxserver.io containers and they don't have an Nginx Proxy Manager container. But there is no reason why you can't run NPM for your public sites and SWAG with Tailscale for the private sites. If using SWAG solely for private sites you don't need to forward any ports to it at all.
Hello and thank you for this wonderful video!
One question: If I connect two Unraid servers (A and B) with Tailscale, and add all the subnet advert stuff, can I use server A as a gateway to server B for a Device C which does not run Tailscale but is in the same LAN as A?
I did all this with WireGuard and it worked very well, I would like to do the same with Tailscale, but I don't know what I am doing wrong.
Thanks for the help :)
never mind, got it working, but only with the whole subnet /24 ... not sure why
OOO yeah! just what I needed
Thanks for watching
I have tried to add Vaultwarden to Tailscale like we did with the other apps and swag. It does not seem to show up in Tailscale at all. Also, when I put in the host name for Vaultwarden after making the adjustments in the swag conf file for my Unraid server IP, all it does is bring up my Unraid server login window. So two issues that are being a big pain. Ideas?
NVM, I was able to get vaultwarden to allow me access with it being proxied. Still do not see vaultwarden listed in tailscale. Any ideas on that one?
Great video as usual
Can we do the same with a VM ex: a HomeAssistant VM
Could you do a vid on Taildrive setup and connection? I have been having some trouble with that. Also subbed.
I tried to do the procedure on my Nextcloud server, and now it is gone. I mean Nextcloud is not visible anymore in the Docker page... help
Can I repeat these steps with plex and the arr library?
Frankly, I have one or two services I would like to make fully public, a blog actually, and I want to obfuscate my local public IP through a VPN and I just haven't bothered to do this yet. If I were to use Tailscale for this purpose, I would need to have the reverse proxy in a VPS, right? I also want the data to be encrypted too, which is why I would use a VPN and not JUST the VPS reverse proxy.
I think the easiest solution for your needs for your blog is to use a Cloudflare tunnel. Your IP will not be visible at all. And all traffic is https so by its nature encrypted (no need for a VPN). It's very easy and fast to set up. Please check out my video here th-cam.com/video/h5fAcE70xbQ/w-d-xo.html
What would be the best approach to use this for SSH access to a Gitea docker?
Thanks for another awesome video.
I've done something wrong, any idea why I'd be getting this error: "getLocalBackend error: store.New: creating state directory: mkdir /var/lib/tailscale: not a directory"
Just in case there are other idiots like me, make sure when you setup the docker mods that the mod path /var/lib/tailscale is actually setup as a path, not a variable. 🤦♂
I spent 2 hours trying to get this working; every time I reboot Swag the Tailscale key expires. This is even after I added the ACL tag and disabled the key expiration.
Did you also add the Path variable (Container Path: /var/lib/tailscale) and map it to a persistent storage location that will survive reboot/updates (ex: /mnt/user/appdata/swag/tailscale)?
Is it possible to efficiently run/maintain two swag instances? One normal for public accessible sites and a second through Tailscale for private sites?
Hi. You don't need 2 instances. You can use one swag to do both normal and private traffic. For normal sites set the DNS as you would normally to point to your WAN IP address (then so long as your router forwards port 443 to swag it will work fine). For private sites have the DNS point to the SWAG Tailscale IP. It will then work for both types of site, public and private. I do the same with my server. Thanks for watching :)
@@SpaceinvaderOne thanks for the reply! If I wanted to use a Cloudflare tunnel to point to swag instead of opening my firewall for the public sites, does that change your suggested implementation?
@@WillCodeForBeer It shouldn't, as the Cloudflare tunnel uses a domain to point to a service running on your box, hence why no port forwarding is needed.
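The single-SWAG split described in this thread (public hosts resolve to the WAN IP, private hosts and a wildcard resolve to SWAG's Tailscale IP) as an added example, not code from the video or from SWAG; the function names, the sample domain and the sample addresses are all constructed. It also encodes a caveat the thread does not spell out: a record pointing at a tailnet (100.64.0.0/10) address must be DNS-only, because Cloudflare's proxy cannot reach that address.

```python
import ipaddress

# Tailscale hands out addresses from the CGNAT range.
TAILNET = ipaddress.ip_network("100.64.0.0/10")


def build_records(domain, wan_ip, tailscale_ip, hosts):
    """Build Cloudflare-style A records for one SWAG serving both kinds of site.

    hosts maps a subdomain ("@" for the apex, "*" for the wildcard) to
    "public" (WAN IP, proxied) or "private" (Tailscale IP, DNS-only).
    """
    if ipaddress.ip_address(tailscale_ip) not in TAILNET:
        raise ValueError(f"{tailscale_ip} is not a Tailscale address")
    records = []
    for sub, kind in hosts.items():
        name = domain if sub == "@" else f"{sub}.{domain}"
        if kind == "public":
            records.append({"type": "A", "name": name,
                            "content": wan_ip, "proxied": True})
        elif kind == "private":
            # Grey cloud: Cloudflare's edge has no route into the tailnet.
            records.append({"type": "A", "name": name,
                            "content": tailscale_ip, "proxied": False})
        else:
            raise ValueError(f"unknown host kind {kind!r} for {sub}")
    return records


def check_records(records):
    """Return a list of misconfigurations: tailnet addresses behind the proxy."""
    problems = []
    for r in records:
        addr = ipaddress.ip_address(r["content"])
        if addr in TAILNET and r.get("proxied"):
            problems.append(f"{r['name']}: tailnet address {addr} is proxied "
                            "and will be unreachable through Cloudflare")
    return problems


if __name__ == "__main__":
    # Constructed sample: one public blog, one private Emby, wildcard private.
    recs = build_records("example.com", "203.0.113.10", "100.101.102.103",
                         {"blog": "public", "emby": "private", "*": "private"})
    for r in recs:
        print(r)
    print("problems:", check_records(recs))
```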
The guides have been great. And part 2 is no different. But it highlights the wall I've hit: I'm using Nginx Proxy Manager and not SWAG. :( Tailscale is pretty easy to set up on real machines (and Unraid itself via the plugin) as there's really no installation for a server, just sign in to your account and install a bunch of clients.
The only idea I can come up with at this point is to run NPM in a VM instead of docker, so I can then install Tailscale within that same VM - there's a Proxmox LXC guide out there which would hopefully provide all the info, as the LXC is just running Alpine anyway.
I can't for the life of me work out how to get my Windows/samba shares working over tailscale. Is it possible and I'm just a numpty? Would love to see a video on it
What's the difference between using Cloudflare Zero Trust and Tailscale? I see a lot of more work to do basically the same.
Cloudflare does have limits on what you can stream through their tunnels, i.e. video. Also Cloudflare tunnels are accessible by anyone with the domain name. So using Tailscale it is much more secure as only people who you choose to access the service can. To everyone else it's invisible.
Doing the Emby through SWAG part of the video, I did it to a T and it does not work.
Is it possible to connect a remote WAN network by IP address instead of the client?
All VPNs work as a server/client setup.
I wonder how tailscale is secure since the website kinda establishes the connection between all these computers or services.
Can anyone explain that to me ?
After following all the instructions everything had been working for a couple months, but now SWAG is unable to renew the certificates. It looks like SWAG is unable to resolve the DNS? Is anyone else having this issue, and if so how did you resolve it?
As a follow up I found that in the tailscale ui I needed to go to the DNS tab, then under Global Nameserver I added in the Google Public DNS and selected Override local DNS. I then was able to go to Swag's console and run "certbot renew"
How about a video on a safe and secure way to self host a headscale server
One of the things I’d like to be added to Unraid is…in the APP section i’d like to be able to see 2-4 little screenshots that I can click on that shows me what each app looks like before I install it… right now I need to install each app just to see what it looks like. I think it would be pretty sweet. If I could click on the app and then be able to click on a little screenshot. What do you all think? 🥃
Excellent. Thanks
Thanks for watching :)
Would love a similar video with caddy
The Docker mod is for Linuxserver.io containers and sadly they don't have a Caddy container.
@@SpaceinvaderOne part 3 soon?
How can I get you or someone to help me migrate my 1TB datasets cache to 2 2TB in my Unraid setup?
You can get paid support from myself or another Unraid support staff member through here. unraid.net/support/paid-support
Plenty of videos on it on TH-cam, even a complete idiot like me figured it out. But if you are using it commercially and you can't afford to lose the data, pay a professional.
@sprocket5526 I tried watching all the videos. I'm pissed that I went to the ZFS file format. It was so much easier in XFS without these stupid datasets. I've watched every SpaceinvaderOne video on it and cannot figure it out.
This is a very difficult way of having a DNS name for a docker container.
Tailscale already gives you one via magic DNS, sure it's not your own domain name.
Alternatively, use controlD's integration with Tailscale and set custom DNS records in there.
The Raspberry Pi variables are why I stopped using the linuxserver Emby and switched to the official one.
Damn, wish I would have seen this before I set up my Plex server using all binhex containers. Yeah I could redo all my dockers but that is a bit of work that I'm not doing. lol
Aaah, you make swag a "machine" on the tailnet and then anyone who has access to your tailnet has access to everything behind swag?
So that's how you can share containers over the tailnet that are not made by Linuxserver?
Yes exactly
First
sure are !!
nginx proxy manager is so much... comfortable.
Did you get this to work with NPM?
@@ThadThigpen yes, sure. I don't see any reason why this would not work with NPM.
Sadly only linuxserver.io containers support this docker mod.
first
I'm trying to do this with Plex but it doesn't want to be on any network aside from host.
For anyone looking, you can do this with plex but you need to include the port variable with 32400 to get it to work.
@@saneparadox8181 Hi mate, could you elaborate on this please? I can access my plex via the domain (on the web), but not via the plex app on the phone? Any ideas why?
@@saneparadox8181 Hi mate, can you elaborate on this please? I’ve set it up and can access my plex via the web interface (via the domain) from all tailscale devices including my phone, however the plex app on the phone can’t see the plex server, any ideas why?
Tried with Jellyfin, but in the Jellyfin app it doesn't work.