I am having much difficulty making consistent direct connections to services hosted from a caddy-tailscale docker container which reside only on my tailnet.
Other containers which use tailscaled directly allow me to specify a port which I can expose and allow direct connections when running in userspace mode inside a docker container.
My proposal is allowing the configuration of the `Port` field in tsnet to allow for these UDP ports to be exposed to the internet to facilitate direct connections to these tsnet nodes on the tailnet. Since the ports are otherwise randomized it doesn't seem feasible to know what ports to expose. https://github.com/tailscale/tailscale/blob/ff095606ccff083160eb01a8a4cc062cacfe1a33/tsnet/tsnet.go#L119-L122
The simplest solution is to add an additional field for the `<node_name>` configuration option
e.g.
```
{
	tailscale {
		my_node {
			port 41647
		}
	}
}
```
However, allowing for a range in the global config would make it much easier to expose the range via docker
```
{
	tailscale {
		port_range "41642-41649"
	}
}
```
If the range is exhausted while building the config struct this is an error.
I have done a decent amount of experimenting with my tailnet and my conclusion is that this is an issue unique to caddy-tailscale (or tsnet more specifically) when run inside a docker container and not on the host directly. Running the container in "host" network mode is not an option as then I lose out on docker networking (e.g. a docker proxy network, etc).
If there is something I'm missing with ensuring direct connections to nodes hosted via caddy-tailscale please feel free to close this issue (and perhaps let me know what I am missing)
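An added sketch (not part of the original issue, and not caddy-tailscale or tsnet code) of the allocation the proposal describes: per-node `port` values win, the remaining nodes draw from `port_range`, and an exhausted range is an error. The function name `assignPorts` and the node names are hypothetical, and the sketch goes slightly beyond the issue by rejecting duplicate pins and skipping range ports that a pinned node already holds.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// assignPorts gives each node a fixed UDP port: pinned (per-node "port") wins,
// the rest draw from portRange ("low-high", inclusive). Names are hypothetical.
func assignPorts(portRange string, nodes []string, pinned map[string]uint16) (map[string]uint16, error) {
	lo, hi, ok := strings.Cut(portRange, "-")
	low, err1 := strconv.ParseUint(strings.TrimSpace(lo), 10, 16)
	high, err2 := strconv.ParseUint(strings.TrimSpace(hi), 10, 16)
	if !ok || err1 != nil || err2 != nil || low == 0 || low > high {
		return nil, fmt.Errorf("port_range %q: want low-high within 1-65535", portRange)
	}
	sorted := append([]string(nil), nodes...)
	sort.Strings(sorted) // deterministic assignment across config reloads
	out, used := make(map[string]uint16, len(sorted)), make(map[uint16]string)
	for _, n := range sorted {
		if p, isPinned := pinned[n]; isPinned {
			if other := used[p]; other != "" {
				return nil, fmt.Errorf("port %d pinned by both %s and %s", p, other, n)
			}
			out[n], used[p] = p, n
		}
	}
	next := low
	for _, n := range sorted {
		if _, done := out[n]; done {
			continue
		}
		for next <= high && used[uint16(next)] != "" { // skip ports held by pinned nodes
			next++
		}
		if next > high {
			return nil, fmt.Errorf("port_range %s exhausted at node %s", portRange, n)
		}
		out[n], used[uint16(next)] = uint16(next), n
		next++
	}
	return out, nil
}

func main() {
	// Constructed sample: three nodes, one pinned to the port used in the issue.
	fmt.Println(assignPorts("41642-41649", []string{"web", "git", "my_node"}, map[string]uint16{"my_node": 41647}))
}
```

Because the assignment is deterministic, the Docker port mapping only has to publish the configured range (plus any pinned ports outside it), which keeps the set of UDP ports exposed to the internet as small as the node count requires.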
I added tests, but I'm not an experienced Go developer so I'm unsure if the quality is good enough for a pull request. Let me know if I should upstream this!