How to Set Up Tailscale on Docker

In this tutorial, we will look at how to set up Tailscale on Docker.

Tailscale is a zero-configuration VPN, which means that without any port forwarding, you’ll be able to access all the devices on your local network. Running Tailscale in a Docker container is a great option as you can configure the container, connect it to your Tailscale account, then access your local network.

Tailscale is a great option for almost anyone, and for users who are behind a CGNAT, using Tailscale is necessary for VPN connectivity.

How to Set Up Tailscale on Docker

We will look at how to set up Tailscale on Docker below, but make sure that you have Docker installed first. This tutorial will show how to install Docker and Portainer, but you can ignore the Portainer section for this tutorial (unless you want to install it).

1. Before we proceed, we need to configure the pre-authentication key. This can be created on the Tailscale website. If you don’t already have an account, create one, then log in and select Settings, then Keys.


2. Select generate auth key so that we can create the key for Docker. Select Generate Key (the settings can stay as default).


3. After the key has been generated, copy it, then proceed to the docker configuration.


4. Open the terminal on the device where you’re running Docker (or SSH into it), then run the command below. Please note that you will have to add the Auth Key that we created above.

NOTE: There are two different commands you can run here. The first will not advertise routes and the second will. When you advertise a route, you’re allowing other devices on your local network to be accessed through Tailscale.

4.1. If you only want to access the device you’re installing Tailscale on, run the command below.

sudo docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --cap-add=NET_ADMIN --cap-add=NET_RAW --env TS_AUTHKEY=[AUTH KEY] tailscale/tailscale

4.2. If you want to access all devices on your local subnet, run the command below substituting the Auth Key and the Subnet. In my case, the subnet is 10.2.0.0/24, though your subnet is most likely different.

Please note that there are also other environment variables you can use if desired.

sudo docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --cap-add=NET_ADMIN --cap-add=NET_RAW --env TS_AUTHKEY=[AUTH KEY] --env TS_ROUTES=[SUBNET] tailscale/tailscale

5. After running the command above, Docker should pull the image and start the container. At this point, the actual Tailscale configuration is complete.


6. If you log in to the Tailscale website, you should see the device that you configured appearing in your account.


If you used the TS_ROUTES environment variable above, you should also see a small subnets icon (though a few additional configuration steps are required).
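The launch from step 4, rewritten as an added example (not part of the original tutorial) so that the auth key is read from a file and handed to Docker with --env-file instead of being typed on the command line, where it would land in shell history. The function names, the key file path and ./tailscale.env are assumptions; the other docker flags are the ones used above.

```shell
#!/bin/sh
# Added example, not the tutorial's own script. Function names and file paths
# are assumptions; the docker flags are the ones from step 4.

valid_cidr() {   # succeeds only for one IPv4 CIDR such as 10.2.0.0/24
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1                     # no "/" present
    case $len in ''|*[!0-9]*) return 1 ;; esac        # prefix length must be digits
    case $ip in ''|*[!0-9.]*) return 1 ;; esac        # address must be digits and dots
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs     # split the address into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

write_env_file() {   # $1 = file holding the auth key, $2 = env file, $3 = optional subnet
    [ -s "$1" ] || { echo "auth key file missing or empty: $1" >&2; return 1; }
    if [ -n "${3:-}" ] && ! valid_cidr "$3"; then
        echo "TS_ROUTES is not an IPv4 CIDR: $3" >&2; return 1
    fi
    rm -f "$2"
    ( umask 077                                       # env file is created mode 600
      printf 'TS_AUTHKEY=%s\n' "$(cat "$1")" > "$2"
      [ -z "${3:-}" ] || printf 'TS_ROUTES=%s\n' "$3" >> "$2" )
}

run_tailscale() {    # $1 = env file; set DOCKER=echo to print the command instead
    ${DOCKER:-sudo docker} run -d --name=tailscaled \
        -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun \
        --network=host --cap-add=NET_ADMIN --cap-add=NET_RAW \
        --env-file "$1" tailscale/tailscale
}

# Usage (paths are placeholders): sh ts-launch.sh --launch /root/ts-authkey [10.2.0.0/24]
if [ "${1:-}" = "--launch" ]; then
    write_env_file "$2" ./tailscale.env "${3:-}" || exit 1
    run_tailscale ./tailscale.env
fi
```

Once the machine shows up in your Tailscale account, ./tailscale.env can be deleted, since the auth key is only needed for the initial registration.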


Subnet Routes – How to Set Up Tailscale on Docker

On other devices, setting up a Tailscale Exit Node allows you to route all traffic through Tailscale (meaning a full-tunnel VPN in the screenshot below).

Figure: a split-tunnel VPN routes only local traffic to the network, while a full tunnel routes everything.

Unfortunately, as of the writing of this tutorial, I could not get the exit node feature to work. Therefore, I was only able to configure a split-tunnel VPN using Docker. If the container is updated in the future, I will update these instructions.

A few things must be configured to set up subnet access (split tunnel) in Tailscale:

1. On the Tailscale website, select Machines, then the three dots (ellipsis) next to your Docker system, then Edit Route Settings.

2. Enable the subnet route. This will allow you to access local devices by their IP address. Please keep in mind that this is a split-tunnel VPN (meaning you can only access the 10.2.0.0/24 subnet in the screenshot below).

3. Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.

Conclusion: How to Set Up Tailscale on Docker

This tutorial looked at how to set up Tailscale on Docker. Tailscale couldn’t possibly be easier to set up and it’s (in my opinion) the easiest and fastest way of setting up a VPN server on almost any device.

It is important to note that this isn’t a traditional VPN the way that OpenVPN or WireGuard is (which can be run on routers like pfSense or OPNsense), but it’s the fastest way to access your local network and doesn’t require any port forwarding.

Thanks for checking out the tutorial on how to set up Tailscale on Docker. If you have any questions on how to set up Tailscale on Docker, please leave them in the comments!

This Post Has 2 Comments

  1. Prez

    I see that the exit node option is greyed out. How to enable it?

    1. WunderTech

      I’m very sorry for the oversight. Initially, I thought that you could set up an Exit Node on Docker but after testing, I couldn’t get it to work. Your comment made me realize that I uploaded the old version of the instructions as opposed to the new version, so I just re-uploaded the correct version. If the container is ever updated in the future, I will update these instructions. Thanks for pointing that out!
