u/kaidomac

Tutorial: Docker with Tailscale 101

Very brief introduction to running Docker containers (mini virtual machines) with Tailscale securely using a Linux host. Think of these as individual "app servers". Special notes:

  1. Don't get overwhelmed! These are nothing more than Russian nesting dolls! You do NOT need to master or even know Linux or Docker to get started!!
  2. Don't panic at the complexity! Your favorite frontier chatbot will generate the code, commands, and scripts (as well as security & backups!) for you & easily troubleshoot via pasted screenshots!
  3. Don't be afraid to tinker, try stuff, and break stuff! Start small & learn a little at a time! Everything here is FREE!!

These are HUGELY helpful in a variety of situations! Sample use cases that allow access anywhere:

  • DIY worldwide VPN (via cheap $6 VPS accounts as Exit Nodes)
  • Subnet router (with NETMAP for VLANs whose address ranges overlap)
  • Cloud wireless controllers (Ubiquiti Unifi & TP-Link Omada with per-device PPSK, great for family & travel! I use an MT-3000 travel router)
  • Personal website hosting (Astro, Hugo, VitePress, Ghost, or WordPress with Cloudflare)
  • Social media video download website (ReClip)
  • Download manager (Servarr suite, qBittorrent, etc.)
  • Password Manager server (Vaultwarden)
  • DIY Microsoft 365-style remote collaboration server (NextCloud)
  • Cert server (Smallstep)
  • Personal & family photo & video backup & shared albums (Immich)
  • Web-based file manager (FileBrowser Quantum)
  • Backup server (SMB for iMazing, Macrium, FreeFileSync, Time Machine)
  • Offsite backup server (Restic & PBS)
  • Electronics simulation (tscircuit & Velxio)
  • Smarthome control (HAOS, Grafana, etc.)
  • Meal-planning (pantry inventory, recipes, shopping lists, control smart devices like the wi-fi Instant Pot & Anova Precision Oven, etc.)
  • Private security system (Frigate NVR, RTSP-mod Wyze cameras, door/window/motion sensors, etc.)
  • Programming automation platform (n8n)
  • Minecraft server (itzg/minecraft-server, Paper, Chunky, Velocity, Aikar's JVM flags, Tailscale or public whitelist access)
  • Facility Monitoring System (cameras, Wi-fi fire alarms, Wi-fi water alarms, etc.)
  • Remote printer access with Airprint (PaperCut Mobility)
  • Personal RAG knowledgebase (various LLM Wiki github projects)
  • CLAW-style Agents (OpenClaw, NanoClaw, PicoClaw, Hermes, etc.)
  • Private AI (CPP/GPU infra, AnythingLLM, STT/TTS, ComfyUI, OpenCLI, etc.)
  • Media server (Jellyfin for videos, music, audiobooks, ROMs, etc.)
  • Remote desktop server (RustDesk)
  • Centralized uptime monitoring & power management (Kuma & NUT)
  • Central control (Telegram & SMS-via-5G-email, e.g. yourcell#@tmomail.net)
  • PXE boot (iVentoy for DBAN/ShredOS, Memtest86+, GParted, Win11, etc.)

Two basic platform choices:

  1. Self-hosted (your hardware at a physically-accessible location)
  2. Virtual cloud server (VPS on the Internet)

For self-hosting:

  • At your house
  • At a friend or family's house
  • At a work location

As far as hosts go:

  • Docker on WSL2 on Windows 11 (easy way to test & tinker!)
  • A Linux host (ex. old desktop or laptop)
  • Proxmox host (my favorite! run Ubuntu as a VM & then Docker within that VM and easily manage it & back it all up!)

As far as VPSs go (I HIGHLY recommend buying the auto-backup package!):

  • Hetzner
  • Vultr
  • DigitalOcean

Basic setup:

  • Create the Linux CLI host or VM (Ubuntu LTS, Alpine for really old hardware, or WSL2 on Win11)
  • Install Tailscale (Windows package or Linux via CLI)
  • Build your Docker containers!

Recommended tools:

  • Ubuntu LTS as the host (I like 22.04 at home for broader support & 24.04 online for the latest protection)
  • Docker
  • Tailscale (private access)
  • Cloudflare (public access)
  • Personal domain (optional), for convenience ("you.com" from Porkbun, Namecheap, etc., for >$10/year)

For setup, work with a tool like Claude or ChatGPT to get step-by-step installation instructions for your platform, to handle troubleshooting, and to review security & backups. Ultimately, YOU are responsible for the safety & security of any cloud-connected systems, so if in doubt, start out with a FULL lockdown & Tailscale-only access!

Part 1: Create your Tailnet

  1. Create your Tailscale account
  2. Lock down your identity provider (complex password, non-SMS app-based 2FA, printed backup codes, etc.)
  3. Install locally to your workstation host (ex. Windows desktop PC) so that you can access your Docker suite remotely

Part 2: Build your server (VPS as an example)

  1. Spin up Ubuntu 24.04 LTS
  2. Create a non-root admin SSH user
  3. Disable root password login
  4. Update the system (sudo apt update && sudo apt upgrade -y)
  5. Install & configure firewall for OpenSSH
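The five Part 2 steps as one script. This is an added example, not code from the original post: it assumes you are root on a fresh Ubuntu 24.04 VPS that you reached with an SSH key, and the ADMIN_USER name is a placeholder. With no arguments it only defines the functions; `./harden.sh --apply` performs the changes. The sshd edit takes the config path as an argument so you can try it on a copy first, and the script checks the effective value with `sshd -T` afterwards because drop-in files under `/etc/ssh/sshd_config.d/` override whatever is in `sshd_config` itself (some VPS images ship one that re-enables root login).

```shell
#!/bin/sh
# Added example, not from the original post: Part 2 hardening of a fresh
# Ubuntu 24.04 VPS. Assumptions: run as root, reached over an SSH key,
# ADMIN_USER is a placeholder. No args = define functions only; --apply = do it.
set -eu

ADMIN_USER="${ADMIN_USER:-admin}"   # placeholder, change to your own username

# Step 2: non-root admin user with sudo, reusing root's authorized SSH key.
create_admin_user() {
    adduser --gecos "" "$ADMIN_USER"          # prompts for the password sudo will ask for
    usermod -aG sudo "$ADMIN_USER"
    install -d -m 700 -o "$ADMIN_USER" -g "$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
    install -m 600 -o "$ADMIN_USER" -g "$ADMIN_USER" \
        /root/.ssh/authorized_keys "/home/$ADMIN_USER/.ssh/authorized_keys"
}

# Step 3: root may no longer log in with a password (keys still work for now).
# $1 is the sshd config path so the edit can be exercised on a copy.
disable_root_password_login() {
    cfg="$1"
    if grep -Eq '^#?PermitRootLogin' "$cfg"; then
        sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin prohibit-password/' "$cfg"
    else
        printf 'PermitRootLogin prohibit-password\n' >> "$cfg"
    fi
}

# Check helper: true when the file carries a safe PermitRootLogin value.
root_password_login_disabled() {
    grep -Eq '^PermitRootLogin (no|prohibit-password)$' "$1"
}

# Step 4: patch the system.
update_system() {
    DEBIAN_FRONTEND=noninteractive apt update
    DEBIAN_FRONTEND=noninteractive apt upgrade -y
}

# Step 5: firewall that admits only SSH (moving SSH onto Tailscale is Part 4).
configure_firewall() {
    ufw allow OpenSSH
    ufw --force enable
    ufw status verbose
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_admin_user
    disable_root_password_login /etc/ssh/sshd_config
    sshd -t                                  # syntax check before touching the daemon
    systemctl reload ssh
    # Drop-ins under /etc/ssh/sshd_config.d/ win over sshd_config, so confirm
    # the effective value instead of trusting the file you just edited.
    sshd -T | grep -i '^permitrootlogin'
    update_system
    configure_firewall
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Keep your original root session open until you have logged in as the new admin user in a second terminal; the firewall and sshd reload are the two steps that can lock you out if a key was not copied correctly.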

Part 3: Install Docker

  1. Install Docker
  2. Install a Netdata docker (server monitor WebUI)
  3. Install a Dockge docker (Docker monitor & manager WebUI)
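An added example for Part 3, not code from the original post or from the Netdata/Dockge projects. It installs Docker, starts Dockge with its port bound to 127.0.0.1, and adds a small audit that lists every container publishing a port on all interfaces. The loopback binding matters more than it looks: Docker writes its own iptables rules when it publishes a port, so a plain `-p 5001:5001` is reachable from the Internet no matter what ufw allows, while `-p 127.0.0.1:5001:5001` is only reachable from the host (and therefore through Tailscale or cloudflared running on that host). Assumptions: ADMIN_USER is the Part 2 account, the Dockge mount layout is written from memory of its README and should be checked against it, and the `docker ps` lines in `sample_ps` are constructed for the offline check.

```shell
#!/bin/sh
# Added example, not from the original post: Part 3 (Docker + Dockge) plus an
# audit of which containers are published on every interface instead of
# loopback only. Assumptions: ADMIN_USER placeholder from Part 2; Dockge run
# options taken from memory of its README; sample_ps output is constructed.
set -eu

ADMIN_USER="${ADMIN_USER:-admin}"   # placeholder

# Step 1: Docker via its convenience installer, admin user in the docker group.
install_docker() {
    curl -fsSL https://get.docker.com | sh
    usermod -aG docker "$ADMIN_USER"   # log out and back in for the group to apply
}

# Step 3: Dockge bound to loopback only. Netdata gets the same treatment with
# -p 127.0.0.1:19999:19999 (its run command needs extra host mounts, see its docs).
run_dockge() {
    mkdir -p /opt/stacks /opt/dockge/data
    docker run -d --name dockge --restart unless-stopped \
        -p 127.0.0.1:5001:5001 \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /opt/dockge/data:/app/data \
        -v /opt/stacks:/opt/stacks \
        -e DOCKGE_STACKS_DIR=/opt/stacks \
        louislam/dockge:1
}

# Audit: print the names of containers whose published ports listen on all
# interfaces. Reads "<name>\t<ports>" lines as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Docker renders all-interface bindings as 0.0.0.0:PORT->, :::PORT-> or [::]:PORT->.
public_ports() {
    awk -F'\t' '$2 ~ /0\.0\.0\.0:[0-9]+->/ || index($2, ":::") || index($2, "[::]:") { print $1 }'
}

# Constructed sample of docker ps output for trying the audit offline.
sample_ps() {
    printf 'dockge\t0.0.0.0:5001->5001/tcp, :::5001->5001/tcp\n'
    printf 'netdata\t127.0.0.1:19999->19999/tcp\n'
    printf 'jellyfin\t0.0.0.0:8096->8096/tcp, [::]:8096->8096/tcp\n'
    printf 'vaultwarden\t\n'
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_docker
    run_dockge
    echo "containers published on ALL interfaces (should be empty on a Tailscale-only box):"
    docker ps --format '{{.Names}}\t{{.Ports}}' | public_ports
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run `docker ps --format '{{.Names}}\t{{.Ports}}' | public_ports` after every new container; anything it prints is reachable from outside before Tailscale or Cloudflare ever see the traffic.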

Part 4: Install Tailscale on the host (for private access & control)

  1. Install Tailscale
  2. Disable public SSH (test with two sessions open)
  3. Create SSH config (i.e. shortcut login to CLI for management)
  4. Disable password login & use SSH keys (optional)
  5. Install Exit Node (optional, but handy!)
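The Part 4 steps on the host, as an added example that is not code from the original post. It installs Tailscale, moves the ufw SSH rule from "anywhere" to the `tailscale0` interface, writes a keys-only sshd drop-in, renders the client-side `~/.ssh/config` shortcut, and optionally turns on forwarding for an exit node. Assumptions: Part 2 already added the `OpenSSH` ufw rule, `tailscale0` is the interface Tailscale creates on Linux, the `vps` alias and file names are placeholders, and the 100.64.0.1 address in the test is constructed. Do step 2 with a second SSH session open, as the post says: the script prints the Tailscale IP first so you can open that second session over the tailnet and prove it works before the public rule goes away.

```shell
#!/bin/sh
# Added example, not from the original post: Part 4 on the Ubuntu host.
# Assumptions: Part 2 ufw rule "OpenSSH" exists; Tailscale's Linux interface is
# tailscale0; file names and the "vps" alias are placeholders.
# No args = define functions; --apply = steps 1-4; --exit-node = step 5.
set -eu

# Step 1: install Tailscale with its official script and join the tailnet.
install_tailscale() {
    curl -fsSL https://tailscale.com/install.sh | sh
    tailscale up              # prints a login URL; approve the machine in the admin console
    tailscale ip -4           # the 100.x address your SSH config will use
}

# Step 2: SSH only over the tailnet. Keep a SECOND session open over the
# Tailscale IP and confirm it works before this runs.
restrict_ssh_to_tailnet() {
    ufw allow in on tailscale0 to any port 22 proto tcp
    ufw delete allow OpenSSH
    ufw status verbose
}

# Step 3: client-side shortcut, appended to ~/.ssh/config on your workstation.
# $1 alias, $2 Tailscale IP or MagicDNS name, $3 user, $4 output file.
render_ssh_client_config() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile ~/.ssh/id_ed25519\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" >> "$4"
}

# Step 4 (optional): keys only. Written as a drop-in because files in
# sshd_config.d are read before sshd_config and the first value sshd sees wins.
# Only do this after you have logged in with a key as the admin user.
write_keys_only_dropin() {
    cat > "$1" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Step 5 (optional): an exit node forwards traffic, so enable IP forwarding.
enable_exit_node() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
        > /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
    tailscale up --advertise-exit-node   # then approve the exit node in the admin console
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_tailscale
    restrict_ssh_to_tailnet
    write_keys_only_dropin /etc/ssh/sshd_config.d/60-keys-only.conf
    sshd -t && systemctl reload ssh
    # Verify the effective values, not just the files.
    sshd -T | grep -Ei '^(passwordauthentication|permitrootlogin)'
}

case "${1:-}" in
    --apply)     main ;;
    --exit-node) enable_exit_node ;;
esac
```

On the workstation, `render_ssh_client_config vps 100.x.y.z admin ~/.ssh/config` gives you `ssh vps`, and because `HostName` is a tailnet address the shortcut simply fails when Tailscale is down rather than quietly trying the public side.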

Part 5: Install Cloudflare on the host (for secure public access)

  1. Setup Cloudflare account
  2. Install cloudflared on the host & authenticate it ("cloudflared tunnel login")
  3. Create the tunnel, run it as a service, and port-map it to your Docker service of choice: cloudflared on the host tunnels to the container's port, config.yml routes outside traffic to the proper container, and you add subdomain DNS routes as necessary
  4. Add desired security (Zero Trust, WAF, Bot Fight Mode, Auto HTTPS rewrite, Always Use HTTPS, secret token on webhook URLs, rate limiting, Cloudflare Access service tokens for machine auth, etc.)
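Step 3 of Part 5 as an added example, not code from the original post or from Cloudflare. It creates a named tunnel, renders `/etc/cloudflared/config.yml` with an ingress that forwards one public hostname to a container listening on 127.0.0.1, validates the ingress, adds the DNS route, and installs the systemd service. Assumptions: `cloudflared tunnel login` (step 2) already ran as root, and TUNNEL_NAME, `app.example.com` and port 8080 are placeholders for your own values. The ingress target is deliberately 127.0.0.1: the container only needs to be reachable from the host, which is what "no open ports" means in practice, and the trailing `http_status:404` rule is required by cloudflared as the catch-all.

```shell
#!/bin/sh
# Added example, not from the original post: Part 5 step 3 on the host.
# Assumptions: "cloudflared tunnel login" already ran as root; TUNNEL_NAME,
# hostname and port are placeholders. No args = define functions;
# "--apply HOSTNAME PORT" creates and installs the tunnel.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-homelab}"   # placeholder

# Render config.yml. $1 tunnel UUID, $2 public hostname, $3 local container port.
# The last rule must be the catch-all; cloudflared rejects an ingress without one.
render_cloudflared_config() {
    cat <<EOF
tunnel: $1
credentials-file: /etc/cloudflared/$1.json
ingress:
  - hostname: $2
    service: http://127.0.0.1:$3
  - service: http_status:404
EOF
}

# Pull the tunnel UUID out of "cloudflared tunnel list -o json" for $1 (name).
# The tunnel's own "id" is the first one in its object; connection ids come later.
tunnel_uuid() {
    cloudflared tunnel list --name "$1" -o json \
        | grep -oE '"id":"[0-9a-f-]{36}"' | head -n 1 | cut -d'"' -f4
}

# $1 public hostname, $2 local port of the loopback-bound container.
create_tunnel() {
    host="$1"; port="$2"
    cloudflared tunnel create "$TUNNEL_NAME"
    uuid=$(tunnel_uuid "$TUNNEL_NAME")
    mkdir -p /etc/cloudflared
    cp "/root/.cloudflared/$uuid.json" /etc/cloudflared/     # credentials the service will use
    render_cloudflared_config "$uuid" "$host" "$port" > /etc/cloudflared/config.yml
    cloudflared tunnel ingress validate        # catch a bad ingress before the service starts
    cloudflared tunnel route dns "$TUNNEL_NAME" "$host"   # CNAME host -> tunnel
    cloudflared service install                # systemd unit, starts on boot
    systemctl status cloudflared --no-pager
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    create_tunnel "${2:-app.example.com}" "${3:-8080}"   # placeholders
fi
```

Add more services by appending `hostname`/`service` pairs above the 404 rule and running `cloudflared tunnel route dns` for each; the step 4 controls (Access, WAF, rate limits) then apply in the dashboard in front of this tunnel, so a container that is only bound to loopback has exactly one path in.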

What you have now:

  • Hardened Linux host server with a WebUI monitor
  • Tailscale-only admin access
  • Unlimited free private Dockers that do ANYTHING YOU WANT, all managed with a WebUI! Your hardware is the only limit!!
  • Secure public web access (via Cloudflare) with no open ports

Setup checklist:

  1. What Docker idea do you want to run?
  2. Do you want to host it onsite, or in the cloud?
  3. Do you need secure public access (Cloudflare) or just 100% private access (Tailscale)?
  4. Do you have a backup system in place? (VPS host, Restic offsite, PBS, etc.)

Notes:

  • Save the setup steps as Docs in your Google Drive. FWIW, if you are brand-new to the Docker ecosystem, you can get VERY good at it in pretty short order!
  • Make sure you have backups running! Because it REALLY stinks to goof something up or have a crash with no recourse!!
  • Be sure to have a chatbot review your security setup to ensure that it is locked down safely. Remember that public access is still public access & is subject to whatever exploits are on the services & ports you choose to expose, so be sure to run updates frequently & lock everything down as much as possible!!

Three of the coolest technologies these days are:

  • Tailscale
  • Proxmox
  • Cheap VPS

You can literally build a personal, worldwide secure mesh platform with this stack!! Have fun & ENJOY!!

reddit.com
u/kaidomac — 3 days ago