tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Can't access subnet from Linux client using Docker #11909

Open dataprolet opened 2 weeks ago

dataprolet commented 2 weeks ago

What is the issue?

I am not able to ping my home server's local IP address from my Hetzner VPS nor connect to the home server's subnet routes.

I am able to tailscale ping my home server's hostname from the VPS and also tailscale ping the local IP address though. Also other clients (macOS and Android) are able to access the subnet routes. They can ping local addresses in my home network and even local domains can be accessed through the browser.

Both my VPS and my home server run Tailscale using Docker. I opened UDP ports 41641 via the VPS WebGUI.

The VPS's and home server's Docker containers use the latest Tailscale image; the home server advertises subnet routes using the environment variable TS_ROUTES=192.168.178.0/24.

Also see my comment here: https://github.com/tailscale/tailscale/issues/11678#issuecomment-2081440491

Steps to reproduce

  1. Connect devices to Tailscale using Docker.
  2. Ping my home server's local IP address from my VPS.
  3. Get 100% packet loss.

Are there any recent changes that introduced the issue?

None, I set up my devices and never got a connection while other clients have.

OS

Linux

OS version

Debian 12

Tailscale version

1.64.2

Other software

My iptables rules:

$ iptables --list-rules

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

Bug report

BUG-4e070929a885022f5cd5d4565dc93dcb39da9a2495a47b39e0426fe6a3e9df6c-20240429105049Z-7655138e1c696a48
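The ruleset above is the only concrete configuration in the report, so it is worth auditing mechanically rather than by eye. The following is an added example, not code from the issue or from Tailscale: it parses the pasted `iptables --list-rules` output, lists which interfaces the FORWARD chain accepts explicitly, reports how traffic on a given interface is treated when no rule matches, and collects every DROP/REJECT rule for review. The interface name `tailscale0` is an assumption (the default tailscaled interface name); the host's real interface list comes from `ip link`.

```python
"""Audit the FORWARD chain of an `iptables --list-rules` dump.

Added example for this thread, not code from the issue or from Tailscale.
The ruleset embedded below is the one pasted in the issue; the interface
name `tailscale0` is an assumption (the default tailscaled interface name).
"""
import shlex
from collections import defaultdict

# Constructed input: the `iptables --list-rules` output pasted in the issue.
RULESET = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9090 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
"""


def parse_rules(text):
    """Parse `-P` and `-A` lines. Returns (policies, rules): policies maps
    chain -> default policy; each rule is a dict with chain, in, out, target
    and the raw line. A negated interface match is stored with a leading '!'."""
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":  # -N (new chain) carries no match or target
            continue
        rule = {"chain": tokens[1], "in": None, "out": None, "target": None, "raw": line}
        i, negate = 2, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":  # negation applies to the match that follows
                negate = True
                i += 1
                continue
            if tok in ("-i", "-o"):
                rule["in" if tok == "-i" else "out"] = ("!" if negate else "") + tokens[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            else:  # other matches (-d, -p, -m, --dport, ...) are not needed here
                i += 1
            negate = False
        rules.append(rule)
    return policies, rules


def forward_accepts_by_interface(rules):
    """Interfaces that an ACCEPT rule in FORWARD names positively -> those rules."""
    by_iface = defaultdict(list)
    for r in rules:
        if r["chain"] != "FORWARD" or r["target"] != "ACCEPT":
            continue
        named = {r[k] for k in ("in", "out") if r[k] and not r[k].startswith("!")}
        for iface in named:
            by_iface[iface].append(r["raw"])
    return dict(by_iface)


def drop_rules(rules):
    """Every rule in the dump whose target is DROP or REJECT, for review."""
    return [r["raw"] for r in rules if r["target"] in ("DROP", "REJECT")]


def forward_verdict(iface, policies, rules):
    """How FORWARD treats traffic on `iface` (in or out): an explicit ACCEPT,
    or fall-through to the chain's default policy when nothing else matches."""
    if iface in forward_accepts_by_interface(rules):
        return "explicit ACCEPT"
    return "no explicit rule; falls through to policy " + policies.get("FORWARD", "?")


if __name__ == "__main__":
    policies, rules = parse_rules(RULESET)
    print("FORWARD policy:", policies["FORWARD"])
    for iface, rs in forward_accepts_by_interface(rules).items():
        print(f"{iface}: {len(rs)} ACCEPT rule(s) in FORWARD")
    for iface in ("wg0", "tailscale0"):  # tailscale0 is assumed; confirm with `ip link`
        print(f"{iface}: {forward_verdict(iface, policies, rules)}")
    print("DROP/REJECT rules:", drop_rules(rules))
```

Run against the pasted dump, this shows a FORWARD policy of ACCEPT, explicit accepts only for docker0 and wg0, and a single DROP that applies only to traffic heading out docker0 from the isolation chain, so nothing in this filter table rejects tailscale0 or wg0 forwarding. Keep the scope in mind: `iptables --list-rules` shows the filter table of the namespace it runs in, so it does not show the nat table, nor the rules inside a container that runs in its own network namespace, and it says nothing about whether the client side accepted the advertised routes (the `--accept-routes` flag the last comment mentions).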

dataprolet commented 2 weeks ago

I just installed Tailscale directly on my VPS without Docker and now I am able to access my home server and other devices in my network. It seems to be an issue with Docker.

dataprolet commented 2 weeks ago

https://github.com/tailscale/tailscale/issues/3899#issuecomment-1034652529 might be related?

EDIT: I also updated Docker to version 26.1.0, build 9714adc, and changed the Tailscale container to privileged mode; neither changed anything.

EDIT 2: Similar issue: https://github.com/tailscale/tailscale/issues/4343

EDIT 3: For further context, I had Headscale installed using Docker on the same VPS, but running the container or not made no apparent difference. Also I have an active WireGuard interface on the VPS, which I want to replace with Tailscale. I don't think this is interfering with Tailscale, but I wanted to point it out anyway.

dataprolet commented 2 weeks ago

I now have the same issue on Arch Linux, running Docker version 26.1.0, build 9714adc6c7 and Tailscale 1.64.2, tailscale commit: ede81e2669bc01d60f52c84eea1d404215b13e16, go version: go1.22.2 connected to the same Tailnet via Headscale. Running Tailscale 1.64.0, tailscale commit: 7e9bebdb2470dfbb6e08a3f12a289a7d88128dfb-dirty, go version: go1.22.2 natively on the client using --login-server and --accept-routes works fine.