Tailscale is a powerful application based on WireGuard technology which lets us access our machines over the internet as if they were on our network. The communication is decentralized and takes the shortest path between the two computers, with Tailscale’s servers only coming in for initial synchronization.
As powerful as this is, the default installation does not support running in an unprivileged LXC container. The most popular way to run LXC containers is Proxmox, which is what I’m using. To set up Tailscale on unprivileged containers, follow the steps below.
Step 1: Install Tailscale
Follow the instructions on Download · Tailscale. It is as simple as running a single shell command, but I advise anyone using this to refer to the above link for up-to-date information.
Step 2:
Open the tailscaled service file at /usr/lib/systemd/system/tailscaled.service using a text editor.
Step 3:
Change the ExecStart parameter to run tailscaled in userspace networking mode:
ExecStart=/usr/sbin/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055
Alternatively, you can copy the complete service and paste it over the default one.
This command will empty the service file
You can then open the file in a text editor and paste in the following:
[Unit]
Description=Tailscale node agent
Documentation=https://tailscale.com/kb/
Wants=network-pre.target
After=network-pre.target NetworkManager.service systemd-resolved.service
[Service]
EnvironmentFile=/etc/default/tailscaled
ExecStart=/usr/sbin/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055
ExecStopPost=/usr/sbin/tailscaled --cleanup
Restart=on-failure
RuntimeDirectory=tailscale
RuntimeDirectoryMode=0755
StateDirectory=tailscale
StateDirectoryMode=0700
CacheDirectory=tailscale
CacheDirectoryMode=0750
Type=notify
[Install]
WantedBy=multi-user.target
With the above in place, tailscaled uses the userspace-networking mode built into Tailscale when the service starts up.
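A check one could run against the edited unit file, added here as an example and not taken from the original post or from Tailscale: it parses the ExecStart line and confirms that userspace networking is enabled and that both proxy listeners stay on loopback, since a listener on any other address makes the proxy reachable from other hosts. The function names and the sample unit are assumptions constructed for illustration.

```python
import ipaddress
import shlex

PROXY_FLAGS = ("socks5-server", "outbound-http-proxy-listen")  # from the page

def exec_start_args(unit_text):
    """Return argv of the effective ExecStart= in the [Service] section."""
    section, argv = None, []
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("ExecStart="):
            value = line.split("=", 1)[1].strip()
            argv = shlex.split(value) if value else []  # empty value resets
    return argv

def flag_values(argv):
    """Map flag name to value, accepting --flag=value and --flag value."""
    flags, args = {}, argv[1:]
    for i, tok in enumerate(args):
        if tok.startswith("-"):
            name, sep, value = tok.lstrip("-").partition("=")
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("-"):
                value = args[i + 1]
            flags[name] = value
    return flags

def is_loopback(addr):
    """True only when host:port names localhost or a loopback IP."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":1055") or another hostname

def audit(unit_text):
    """Return findings; an empty list means the unit matches this guide."""
    flags = flag_values(exec_start_args(unit_text))
    findings = []
    if flags.get("tun") != "userspace-networking":
        findings.append("tun is not userspace-networking")
    for name in PROXY_FLAGS:
        if name in flags and not is_loopback(flags[name]):
            findings.append(f"{name} listens beyond loopback: {flags[name]}")
    return findings

# Constructed sample: the page's ExecStart with the SOCKS5 listener widened.
SAMPLE = "[Service]\nExecStart=/usr/sbin/tailscaled --tun=userspace-networking --socks5-server=0.0.0.0:1055\n"
if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real container, pass the contents of /usr/lib/systemd/system/tailscaled.service to `audit()`.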
Resources
Userspace networking mode (for containers) · Tailscale Docs
Alternative method (not used here): Tailscale in LXC containers · Tailscale Docs