tsujamin / hass-addons


Document how to announce additional routes on the local network from the HA addon #66

Closed Gyosa3 closed 1 year ago

Gyosa3 commented 1 year ago

Is your feature request related to a problem? Please describe. My problem was to access the web interface of individual devices on the local network from remote, via the Tailscale addon running on the Home Assistant server. First, I switched from the "official" Tailscale addon to this one because there is a configuration option to announce additional routes. Then I tried all other parameters until I could reach the web interfaces of the other devices on the network.

Describe the solution you'd like I spent considerable time trying the different options, restarting the addon, sometimes losing the connection and having to reconnect to the HA server via another VPN route... I would have gained a lot of time if that procedure was documented. I'd like therefore to propose to improve the documentation of this add-on with that use case, especially related to the parameter "userspace networking".

The main point is to document the relation between the configuration parameter "advertise_routes" where the reachable subnets are declared, and the activation of the parameter "userspace_networking" that seems to enable the proper routing of traffic not just to the HA server itself, but also to any other device with another IP address in the scope of the routes announced.

Using "advertise_routes" alone is not enough in this case, as the traffic goes well to the Tailscale container but does not "go out" of it to the external device.

Another point of attention to mention is that "ping" does not seem to traverse the container:

2023/01/31 15:36:48 exec ping of 192.168.x.x failed in 606.399µs: exec: "ping": executable file not found in $PATH

Nevertheless http traffic does traverse the container (did not try with https so far).

2023/01/31 15:38:10 Accept: TCP{100.108.x.x:18125 > 192.168.x.x:80} 52 tcp ok

Last point to mention, trying different options in the addon, I had to enable the "reset" option on several occasions to flush the addon between configurations. Maybe not necessary if one sets up the addon properly on the first try...

Hope this will help others!
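Added example (not part of the issue above and not code from the tsujamin/hass-addons project): a small pre-flight check for the subnet-router use case described in this comment. It first confirms that each host you expect to reach sits inside one of the advertised routes, then probes a TCP port on it, since the log lines show that ICMP ping is not available inside the container while TCP connections are forwarded. The route list, target hosts and ports are constructed sample values, and the `probe` parameter is an assumption introduced here so the logic can be exercised without a live network.

```python
"""
Pre-flight check for a Tailscale subnet-router setup (added example, not
project code). Verifies route coverage with the ipaddress module and uses a
TCP connect probe instead of ping, which the add-on container lacks.
"""
import ipaddress
import socket

# Constructed sample values, not taken from any real deployment.
ADVERTISED_ROUTES = ["192.168.1.0/24", "10.0.50.0/24"]
TARGETS = [("192.168.1.20", 80), ("192.168.1.21", 443), ("172.16.0.5", 80)]


def covered_by_routes(host: str, routes) -> bool:
    """True if host falls inside at least one advertised CIDR."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in routes)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe; stands in for ping, which the container cannot run."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_targets(targets, routes, probe=tcp_reachable):
    """Return {(host, port): status} where status is one of
    'not_advertised', 'reachable' or 'unreachable'.
    `probe` is a hypothetical hook so the logic can be tested offline."""
    results = {}
    for host, port in targets:
        if not covered_by_routes(host, routes):
            # A host outside every advertised route will never be routed,
            # whatever the userspace_networking setting is.
            results[(host, port)] = "not_advertised"
        elif probe(host, port):
            results[(host, port)] = "reachable"
        else:
            results[(host, port)] = "unreachable"
    return results


if __name__ == "__main__":
    for (host, port), status in check_targets(TARGETS, ADVERTISED_ROUTES).items():
        print(f"{host}:{port} -> {status}")
```

Run it from a Tailscale client on the remote side after changing the addon configuration: a "not_advertised" result points at the advertise_routes list, while "unreachable" for a host that is covered points at traffic not leaving the container, which is the symptom the comment above attributes to userspace_networking being off.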

tsujamin commented 1 year ago

Hey there, sorry you've had such a frustrating time getting it all set up. I've been thinking increasingly often that making userspace_networking the default going forward might be the way to go, would that have alleviated some of your issues?

Also interesting re: ping, I'll get that added to the container when I have a moment this evening hopefully.

Gyosa3 commented 1 year ago

Hi again,

I'm pushing the setup to some limits there, I'm trying to combine different things like using the addon as a subnet router (that works now), using it also as an exit node (that works too), and combining that with AdGuard (or PiHole) (and then it does not fully work due to some Tailscale tweaking that I can't figure out yet).

I tend to think that none of these capabilities would even work without the userspace_networking activated.

When I installed AdGuard, below are the different networks it can discover. It clearly does not see much of the network beyond the inner virtual network between the HA containers. So I believe that your addon will work "OK" when users use it only for accessing their HA instance from remote, but any usage where you want to use the addon for accessing any resource outside of the HA host will probably require the userspace_networking flag activated. Well, it's just my personal observation anyway.

I still have lots of questions about advanced setup and the docs from Tailscale only rarely consider the client running in a container. And Tailscale forum is not helping much either.

The question of the "disable DNS" flag is also an important one when you want to use a DNS proxy as mentioned here: https://tailscale.com/kb/1114/pi-hole/ but again it does not take into consideration the container aspect.

At this moment I am advertising local routes, exit node, and userspace_networking and disable_dns are on and everything seems to work except the DNS proxy is bypassed by Tailscale when I use the addon as exit node (DNS is forced to 100.100.100.100 when a tailscale client changes the exit node). And I have small issues between Tailscale and AdGuard addons for which I just opened another issue here.

That's where I'm up to.

image