Tailscale is no longer allowing me to access my jail after updating to EE

I just updated to EE. In Dragonfish I was running Tailscale as a TrueNAS app. I also had a jail with Dockge, and most of my apps run in that jail (I used the Stux tutorial).

After updating to EE, Tailscale would not deploy. I had to spin up a new instance, which was easy, but now I can no longer reach my jail when Tailscale is running.
Even from my local LAN, I have to disconnect from Tailscale to be able to reach the jail on my TrueNAS box.
Some extra info:

  • my TrueNAS box has the IP 192.168.68.63
  • the jail has the IP 192.168.68.55
  • my Tailscale service advertises 192.168.68.0/24
  • “accept DNS” and “advertise exit node” are enabled
  • I have tried both enabling and disabling “host network”

When I am logged in to my Tailscale admin panel and check the route settings, I get a warning telling me:

Unable to relay traffic
This machine has IP forwarding disabled and cannot relay traffic. Please [enable IP forwarding on this machine](https://tailscale.com/kb/1104/enable-ip-forwarding) to use relay features like subnets or exit nodes.

I don’t know if the things they tell you to do on that page are safe to do on a TrueNAS installation.

My Jail is configured using the following network config:

systemd_nspawn_user_args=--network-macvlan=enp2s0
        --resolv-conf=bind-host
        --system-call-filter='add_key keyctl bpf'

I would rather not spend many hours at this moment migrating all my apps out of the jail, as I simply don’t have the time. Does anyone have a solution?

Advertising as an exit node is not necessary, not that it’s a problem here. In my case, I only use Tailscale to connect to my home network remotely. If you don’t need to use it as an exit node, I don’t believe you’ll need IP forwarding either.

I do use host networking on my Tailscale app on the NAS, but I’m not sure if it’s necessary.

Now, as far as accessing the jail from a remote client:

  1. Did you Approve the subnet on Tailscale admin panel? It will not work until you do, and I’ve seen this be a common reason people can’t get it to work. I believe you just need to click on the machine from the admin panel to Approve the subnet advertisement.
  2. Did you enable “Use Tailscale subnets” on whatever client you’re using?

For example:

  • Tailscale is on my NAS. I’m advertising 192.168.1.0/24 on that client. I approved the subnet advertisement in the Tailscale admin panel for my NAS.
  • Tailscale is on my phone. I made sure Settings > Subnet Routing > Use Tailscale subnets was enabled.
  • Everything works.

Thanks for responding. I spend a lot of time commuting between two countries, so the exit node setting is useful for using my server as some kind of VPN when I want to watch geo-blocked content. It’s not necessary, but it is useful for me.

I did approve the subnet on the admin panel. That’s not the problem.
I also enabled “Use Tailscale subnets” on the clients that I use.

What I find especially weird is that even on my LAN, I can’t ping my jail whenever Tailscale is on.

In order for a jail and apps running on the NAS to communicate, you need to set up a bridge.

It appears you’re not using one.

That must be the issue. Thanks.
Did this change in EE? Because it did work on Dragonfish before.

I’m not 100% certain, as I never spent much time with pre-EE apps, but I suspect the app was actually using a macvlan network in Dragonfish (and before), and in EE the app is using a host network.

The difference is various apps/vms can communicate with each other when they’re using the same macvlan parent interface, but they can’t communicate with the host (the parent interface).

Since Tailscale in EE uses host networking, the jail’s macvlan network won’t be able to communicate with it without a bridge.

So, the change was actually the change from Kubernetes to Docker.
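An added check script for the macvlan versus host-network point made in this thread (it is not code from the thread, TrueNAS or jailmaker). It assumes it runs on the TrueNAS SCALE host, takes the jail's host-side interface name as its argument, and embeds constructed `ip -d link show` samples so the classification can be exercised offline:

```shell
#!/bin/sh
# Added diagnostic for this thread's symptom; not code from the thread, TrueNAS or
# jailmaker. Assumes: runs on the TrueNAS SCALE host, the jail's host-side interface
# name is $1, and standard `ip -d link show` / /proc/sys/net/ipv4/ip_forward layouts.
# Classify an interface from captured `ip -d link show <dev>` output:
# prints macvlan, bridge_slave, bridge or other.
iface_kind() {
    if printf '%s\n' "$1" | grep -qE '^[[:space:]]*macvlan '; then
        echo macvlan
    elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*bridge_slave '; then
        echo bridge_slave
    elif printf '%s\n' "$1" | grep -qE '^[[:space:]]*bridge '; then
        echo bridge
    else
        echo other
    fi
}
# Verdict from the interface kind and the kernel forwarding flag.
# $1 = interface kind, $2 = contents of /proc/sys/net/ipv4/ip_forward
diagnose() {
    case "$1" in
        macvlan)
            echo "ISOLATED: macvlan children never exchange traffic with their parent," \
                 "so a host-network app (Tailscale in EE) cannot reach the jail;" \
                 "move the jail from --network-macvlan to a bridge" ;;
        bridge|bridge_slave)
            echo "OK: host and jail share a bridge, host-network apps can reach it" ;;
        *)
            echo "UNKNOWN: interface is neither macvlan nor bridged, inspect manually" ;;
    esac
    if [ "$2" = "1" ]; then
        echo "FORWARDING: net.ipv4.ip_forward=1, subnet routes and exit node can relay"
    else
        echo "NOFORWARD: net.ipv4.ip_forward=0, admin panel shows 'Unable to relay traffic'"
    fi
}
# Constructed sample `ip -d link show` output for offline use (not real captures).
SAMPLE_MACVLAN='5: mv-jail@enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode bridge bcqueuelen 1000 addrgenmode eui64'
SAMPLE_BRIDGE='4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 1500 hello_time 200 max_age 2000 stp_state 0'
# Live run on the host: sh jailnet-check.sh <jail-interface>
if [ -n "$1" ]; then
    diagnose "$(iface_kind "$(ip -d link show "$1")")" "$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Run it against the jail's interface while Tailscale is up; an ISOLATED verdict matches the "unreachable even from the LAN" symptom and points at the bridge change rather than at Tailscale itself.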