tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

DNS Resolution Issue with Tailscale Funnel and Proxy on Raspberry Pi with Docker and Tailscale User Space Networking #8680

Open byteshiva opened 1 year ago

byteshiva commented 1 year ago

What is the issue?

Description: After following the provided steps to set up a website using Tailscale on an ARM Raspberry Pi with user space networking and funneling enabled, there is an issue with DNS resolution. The website should be accessible outside of the Tailnet network via a custom hostname, but it fails to resolve after waiting for 10 to 15 minutes following Step 7 and Step 8.

Steps to reproduce

Steps to Reproduce:

  1. Run the Docker container:

     docker run -it python /bin/bash

  2. Inside the container instance, install tailscale:

     curl -fsSL https://tailscale.com/install.sh | sh

  3. Run tailscaled with user-space networking:

     sudo tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &

  4. Run tailscale with a custom hostname:

     sudo tailscale up --hostname=container_raspberrypi

  5. Create the folder /tmp/public/ and write "hello" into index.html:

     mkdir -p /tmp/public
     echo "hello" >> /tmp/public/index.html

  6. Run a Python HTTP server from that folder to serve the content:

     cd /tmp/public && python3 -m http.server &

  7. Add a proxy to route port 443 to port 8000:

     tailscale serve https / http://127.0.0.1:8000

  8. Enable funnel on port 443:

     tailscale funnel 443 on

  9. Wait for 10 to 15 minutes and attempt to access the website using the custom hostname outside of the Tailnet network.

Note: ACL Settings for Tailscale Funnel - Default Configuration

"nodeAttrs": [
    {
        // Default Funnel policy, allowing tailnet members to control Funnel for their own devices.
        // Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
        "target": ["autogroup:members"],
        "attr": ["funnel"]
    }
]

Expected Result: The website content from index.html should be displayed when accessing it via the custom hostname outside of the Tailnet network.

Actual Result: After waiting for 10 to 15 minutes following Step 7 and Step 8, the website fails to resolve when attempting to access it using the custom hostname outside of the Tailnet network.

Are there any recent changes that introduced the issue?

Additional Information:

OS

Linux

OS version

Linux 6.1.21 aarch64 GNU/Linux

Tailscale version

1.44.2

Other software

No response

Bug report

BUG-2384b5e8fde9161aa0832fe10738f9017ec613df6b74c8e45ad9e990dad25894-20230722075927Z-f06502bdac90b707
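The nine steps and the ACL note above leave the reader to confirm each piece by hand. The script below is an added example, not code from the issue or from Tailscale: it parses the nodeAttrs policy in the issue's HuJSON form (JSON with // comments) to confirm that the "funnel" attribute is granted to the principal in question, reads the node's MagicDNS name from the Self.DNSName field of `tailscale status --json`, flags names that are not valid DNS names (a funnel name has to be one, and an underscore, as in the hostname from step 4, is not a valid DNS label character), and finally tests whether that name resolves from the host it runs on. The policy and status samples embedded in it are constructed, "example-tailnet" stands in for a real tailnet name, and the file name funnel_preflight.py is hypothetical.

```python
from __future__ import annotations

import json
import re
import socket
import subprocess
import sys

# Constructed sample policy, mirroring the default nodeAttrs block in the issue.
SAMPLE_POLICY = """
{
    "nodeAttrs": [
        {
            // Default Funnel policy, allowing tailnet members to control Funnel for their own devices.
            "target": ["autogroup:members"],
            "attr": ["funnel"]
        }
    ]
}
"""

# Constructed sample of `tailscale status --json`, trimmed to the fields used here;
# "example-tailnet" is a placeholder for the real tailnet name.
SAMPLE_STATUS = """
{"Self": {"HostName": "container_raspberrypi",
          "DNSName": "container-raspberrypi.example-tailnet.ts.net."}}
"""

# RFC 1123 label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def strip_comments(hujson: str) -> str:
    """Drop whole-line // comments so the HuJSON policy parses with json.loads.
    Only line-leading comments are removed, so a "//" inside a string value
    (for example a URL) is left untouched."""
    return re.sub(r"^\s*//.*$", "", hujson, flags=re.MULTILINE)


def funnel_targets(policy_text: str) -> set[str]:
    """Principals that the nodeAttrs section grants the "funnel" attribute to."""
    policy = json.loads(strip_comments(policy_text))
    targets: set[str] = set()
    for rule in policy.get("nodeAttrs", []):
        if "funnel" in rule.get("attr", []):
            targets.update(rule.get("target", []))
    return targets


def funnel_allowed(policy_text: str, principal: str) -> bool:
    """True if the principal (e.g. autogroup:members) may enable Funnel."""
    return principal in funnel_targets(policy_text)


def funnel_name(status_json: str) -> str:
    """The node's MagicDNS name (Self.DNSName) without the trailing dot."""
    return json.loads(status_json)["Self"]["DNSName"].rstrip(".")


def valid_hostname(name: str) -> bool:
    """True if every label is a valid DNS label; underscores fail this check."""
    return bool(name) and all(_LABEL.match(label) for label in name.split("."))


def resolves(name: str) -> bool:
    """True if the name resolves from the host this script runs on."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def preflight(policy_text: str, status_json: str,
              principal: str = "autogroup:members") -> list[tuple[str, bool, str]]:
    """Offline checks: the policy grants funnel, and the node name is a valid DNS name."""
    name = funnel_name(status_json)
    granted = ", ".join(sorted(funnel_targets(policy_text))) or "nobody"
    return [
        ("funnel attr granted to " + principal, funnel_allowed(policy_text, principal), granted),
        ("funnel name is a valid DNS name", valid_hostname(name), name),
    ]


if __name__ == "__main__":
    # Usage: python3 funnel_preflight.py policy.hujson   (run on the node)
    policy = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    try:
        status = subprocess.check_output(["tailscale", "status", "--json"], text=True)
    except (OSError, subprocess.CalledProcessError):
        status = SAMPLE_STATUS  # tailscale not available here: use the constructed sample
    checks = preflight(policy, status)
    name = funnel_name(status)
    checks.append(("hostname resolves from here", resolves(name), name))
    for check, ok, detail in checks:
        print("PASS" if ok else "FAIL", check, "-", detail)
```

Run it once on the node and once from a machine outside the tailnet: the first two checks are the same in both places, while the resolution check is the one that tells a tailnet-only name apart from a public Funnel name.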

jimmybrancaccio commented 7 months ago

A customer ran into this issue today (32296). Initially I was able to replicate it using a DigitalOcean droplet with Docker. I attempted to set up a Tailscale container that would funnel to a Portainer container. Initially I was able to reach Portainer when I was connected to my tailnet but couldn't reach it when I wasn't connected - obviously not the expected behavior.

I then tried starting up Tailscale with the following environment variable set - TS_ACCEPT_DNS=true (in my docker-compose.yml) and everything started working as I expected.

Of note, if using tailscale on the command line you can do tailscale up --accept-dns=true.

kennethcassel commented 4 months ago

> A customer ran into this issue today (32296). Initially I was able to replicate it using a DigitalOcean droplet with Docker. I attempted to set up a Tailscale container that would funnel to a Portainer container. Initially I was able to reach Portainer when I was connected to my tailnet but couldn't reach it when I wasn't connected - obviously not the expected behavior.
>
> I then tried starting up Tailscale with the following environment variable set - TS_ACCEPT_DNS=true (in my docker-compose.yml) and everything started working as I expected.
>
> Of note, if using tailscale on the command line you can do tailscale up --accept-dns=true.

Was having the same issue and this worked for me (tailscale up --accept-dns=true). Thanks! Maybe they should add something about that to the docs.