tailscale: Docker breaks when Tailscale configured to use an exit node; possibly MTU related
What is the issue?
On a Linux machine, running tailscale at the same time as docker breaks docker networking. This happens with tailscale set up both as an exit node and without being an exit node. I suspect it’s something with double NAT but haven’t had a chance to really dig into it. Every request times out, ICMP doesn’t work, and DNS resolution fails.
Steps to reproduce
Install tailscale and docker on an Ubuntu 20.04.3 host using docker’s default instructions. Then do the following:
docker run --rm curlimages/curl:7.81.0 -L -v https://142.251.45.14
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:--
connect to 142.251.45.14 port 443 failed: Operation timed out
sudo tcpdump -i tailscale0 -nn | grep 142.251.45.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tailscale0, link-type RAW (Raw IP), capture size 262144 bytes
17:06:42.334357 IP 100.68.54.40.54398 > 142.251.45.14.443: Flags [S], seq 1485597718, win 64240, options [mss 1460,sackOK,TS val 1836179883 ecr 0,nop,wscale 7], length 0
17:06:42.377871 IP 142.251.45.14.443 > 100.68.54.40.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358151 ecr 1836179883,nop,wscale 8], length 0
17:06:42.377931 IP 142.251.45.14.443 > 172.17.0.2.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358151 ecr 1836179883,nop,wscale 8], length 0
17:06:42.686402 IP 142.251.45.14.443 > 100.68.54.40.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358459 ecr 1836179883,nop,wscale 8], length 0
17:06:42.686457 IP 142.251.45.14.443 > 172.17.0.2.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358459 ecr 1836179883,nop,wscale 8], length 0
17:06:43.365274 IP 100.68.54.40.54398 > 142.251.45.14.443: Flags [S], seq 1485597718, win 64240, options [mss 1460,sackOK,TS val 1836180914 ecr 0,nop,wscale 7], length 0
17:06:43.411817 IP 142.251.45.14.443 > 100.68.54.40.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133359185 ecr 1836179883,nop,wscale 8], length 0
17:06:43.411853 IP 142.251.45.14.443 > 172.17.0.2.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133359185 ecr 1836179883,nop,wscale 8], length 0
➜ sudo systemctl stop tailscaled
docker run --rm curlimages/curl:7.81.0 -L -v https://142.251.45.14
* Trying 142.251.45.14:443...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 142.251.45.14 (142.251.45.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /cacert.pem
* CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [909 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: self signed certificate
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
EDIT: Here is how my tailscale setup currently works. I’ve tried both just accept routes and with the exit node configuration; neither of them works.
sudo tailscale up --reset --accept-routes
Additionally, this only breaks for containers; the rest of my networking is fine. Everything resolves on the host using both the exit node and just the subnet routes.
Are there any recent changes that introduced the issue?
None that I’m aware of, this is all pretty new.
OS
Linux
OS version
Ubuntu 20.04
Tailscale version
1.20.2
Bug report
BUG-5f2281a1312470cb6258ce2a27c2cc7e0d5293077c0128ce8fc2e709f1506059-20220204220621Z-98fcadb960cd208a
About this issue
- State: open
- Created 2 years ago
- Reactions: 16
- Comments: 25 (3 by maintainers)
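The tcpdump capture in the report has a tell-tale shape: every SYN-ACK from 142.251.45.14 shows up twice on tailscale0, once addressed to the host's Tailscale address and once addressed to the container's bridge address 172.17.0.2 (Docker's source NAT has been undone, yet the packet is on the tunnel interface rather than docker0), and the container never sends the final ACK, so it keeps retransmitting its SYN. The following parser, an added example that is not code from the reporter, Tailscale or Docker, groups `tcpdump -nn` lines by flow and flags exactly that pattern; it embeds the capture lines from the report plus a constructed healthy flow for contrast. The Docker bridge range 172.17.0.0/16 and the 100.64.0.0/10 Tailscale range are assumptions.

```python
"""Spot Docker-over-Tailscale return-path problems in a tcpdump capture.

Added example (not from the issue reporter, Tailscale, or Docker). Parses
`tcpdump -nn` text lines captured on the tunnel interface and flags TCP
flows where the server's SYN-ACK also appears addressed to the container's
bridge address (the de-NATed reply is on the tunnel instead of docker0) and
no ACK from the client side ever follows.
"""
import ipaddress
import re
from collections import defaultdict

DOCKER_BRIDGE = ipaddress.ip_network("172.17.0.0/16")   # assumption: Docker's default bridge
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")   # CGNAT range Tailscale addresses come from

# The capture lines from the issue (one retransmission round omitted for brevity).
SAMPLE_CAPTURE = """\
17:06:42.334357 IP 100.68.54.40.54398 > 142.251.45.14.443: Flags [S], seq 1485597718, win 64240, options [mss 1460,sackOK,TS val 1836179883 ecr 0,nop,wscale 7], length 0
17:06:42.377871 IP 142.251.45.14.443 > 100.68.54.40.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358151 ecr 1836179883,nop,wscale 8], length 0
17:06:42.377931 IP 142.251.45.14.443 > 172.17.0.2.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358151 ecr 1836179883,nop,wscale 8], length 0
17:06:42.686402 IP 142.251.45.14.443 > 100.68.54.40.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358459 ecr 1836179883,nop,wscale 8], length 0
17:06:42.686457 IP 142.251.45.14.443 > 172.17.0.2.54398: Flags [S.], seq 2574399181, ack 1485597719, win 65535, options [mss 1430,sackOK,TS val 2133358459 ecr 1836179883,nop,wscale 8], length 0
17:06:43.365274 IP 100.68.54.40.54398 > 142.251.45.14.443: Flags [S], seq 1485597718, win 64240, options [mss 1460,sackOK,TS val 1836180914 ecr 0,nop,wscale 7], length 0
"""

# Constructed healthy flow for contrast: SYN, SYN-ACK, ACK, no bridge-addressed copy.
SAMPLE_HEALTHY = """\
17:10:00.000001 IP 100.68.54.40.40000 > 1.1.1.1.443: Flags [S], seq 1, win 64240, options [mss 1240], length 0
17:10:00.020000 IP 1.1.1.1.443 > 100.68.54.40.40000: Flags [S.], seq 9, ack 2, win 65535, options [mss 1430], length 0
17:10:00.020100 IP 100.68.54.40.40000 > 1.1.1.1.443: Flags [.], ack 10, win 502, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line: str):
    """Return the addressing fields of one `tcpdump -nn` TCP line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def analyse(capture: str) -> dict:
    """Group packets by (server, server_port, client_port) and count handshake steps.

    The key deliberately leaves out the client address: once Docker's SNAT is
    undone the same flow appears with the container's bridge address, and those
    copies must be counted against the original flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0,
                                 "synack_to_bridge": 0, "client_addrs": set()})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":                      # client -> server SYN
            f = flows[(pkt["dst"], pkt["dport"], pkt["sport"])]
            f["syn"] += 1
            f["client_addrs"].add(pkt["src"])
        elif pkt["flags"] == "S.":                   # server -> client SYN-ACK
            f = flows[(pkt["src"], pkt["sport"], pkt["dport"])]
            f["synack"] += 1
            f["client_addrs"].add(pkt["dst"])
            if ipaddress.ip_address(pkt["dst"]) in DOCKER_BRIDGE:
                f["synack_to_bridge"] += 1           # reply to the container seen on the tunnel
        elif pkt["flags"] == ".":                    # client -> server ACK completes the handshake
            flows[(pkt["dst"], pkt["dport"], pkt["sport"])]["ack"] += 1
    return dict(flows)


def findings(capture: str) -> list:
    """Human-readable verdict for each flow that shows the leak-and-stall pattern."""
    out = []
    for (server, port, cport), f in analyse(capture).items():
        if f["synack_to_bridge"] and f["ack"] == 0:
            out.append(f"{server}:{port} from container port {cport}: "
                       f"{f['synack_to_bridge']} SYN-ACK copies addressed to the Docker bridge "
                       f"seen on the tunnel, {f['syn']} SYNs sent, handshake never completed")
    return out


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for line in findings(text) or ["no stalled container flows found"]:
        print(line)
```

Pipe a live capture in with `sudo tcpdump -i tailscale0 -nn -l tcp | python3 thisfile.py` (the `-l` flag line-buffers tcpdump's output). A flow is only reported when both signals are present: the reply to the bridge address on the tunnel, and the absence of the client's ACK, so an ordinary exit-node flow such as the constructed healthy sample produces no finding.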
Hey guys, I have been fighting the same issue for a couple of days until I realised that Tailscale updates routing table for all routes except for anything directly bound to localhost or machine IP. Long story short,
--exit-node-allow-lan-access key fixed it for me.

Have same problem and:
sudo tailscale up --exit-node=IP --exit-node-allow-lan-access=true
works for me.

Setting the MTU size on the docker and tailscale interface to the same value seems to fix the problem for me.
On my computer tailscale0 interface had mtu 1280 and docker0 interface mtu 1500.
/etc/docker/daemon.json
{ "mtu": 1280 }
restart docker daemon.
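The MTU workaround above is easy to check for before changing anything. The script below is an added example (not from the commenter, Tailscale or Docker): it reads the JSON that `ip -j link show` prints, lists the Docker-managed interfaces whose MTU exceeds the tunnel's, shows the TCP MSS each MTU implies (1460 for the 1500-byte bridge, which is the mss the container offered in the report's SYN, versus 1240 for the 1280-byte tunnel), and renders the daemon.json fragment from the comment. The embedded sample is constructed to match the MTUs the commenter reported; the `docker`/`br-` name prefixes are an assumption about how Docker names its bridges.

```python
"""Compare Docker bridge MTUs with the Tailscale tunnel MTU.

Added example, not code from the issue thread or from Tailscale/Docker.
Parses `ip -j link show` JSON, reports Docker-managed interfaces whose MTU
is larger than the tunnel's, and prints the /etc/docker/daemon.json setting
that pins the default bridge to the tunnel MTU.
"""
import json
import subprocess

# Constructed sample of `ip -j link show` output (only the fields used here);
# MTUs mirror the comment: tailscale0 1280, docker0 1500. The br-* name is made up.
SAMPLE_IP_LINK_JSON = json.dumps([
    {"ifindex": 1, "ifname": "lo", "mtu": 65536},
    {"ifindex": 2, "ifname": "eth0", "mtu": 1500},
    {"ifindex": 3, "ifname": "docker0", "mtu": 1500},
    {"ifindex": 4, "ifname": "br-3f2a1c9d7e10", "mtu": 1500},
    {"ifindex": 5, "ifname": "tailscale0", "mtu": 1280},
])

DOCKER_PREFIXES = ("docker", "br-")   # assumption: default bridge plus user-defined bridges


def interface_mtus(ip_link_json: str) -> dict:
    """Map interface name -> MTU from `ip -j link show` JSON."""
    return {link["ifname"]: int(link["mtu"]) for link in json.loads(ip_link_json)}


def tcp_mss_for_mtu(mtu: int, ipv6: bool = False) -> int:
    """Largest TCP payload an MTU carries unfragmented: MTU minus a 20-byte IPv4
    (40-byte IPv6) header and a 20-byte option-less TCP header."""
    return mtu - (60 if ipv6 else 40)


def oversized_for_tunnel(mtus: dict, tunnel: str = "tailscale0") -> dict:
    """Docker-managed interfaces whose MTU exceeds the tunnel MTU.

    Containers on such a bridge advertise an MSS (1460 for MTU 1500) that is
    larger than the tunnel can carry in one packet (1240 for MTU 1280)."""
    limit = mtus[tunnel]
    return {name: mtu for name, mtu in mtus.items()
            if name.startswith(DOCKER_PREFIXES) and mtu > limit}


def docker_daemon_fragment(mtus: dict, tunnel: str = "tailscale0") -> str:
    """The daemon.json setting that makes docker0 use the tunnel MTU."""
    return json.dumps({"mtu": mtus[tunnel]}, indent=2)


def live_ip_link_json() -> str:
    """Read the host's real interface table (used only with --live)."""
    return subprocess.run(["ip", "-j", "link", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    source = live_ip_link_json() if "--live" in sys.argv else SAMPLE_IP_LINK_JSON
    mtus = interface_mtus(source)
    tunnel_mtu = mtus["tailscale0"]
    for name, mtu in oversized_for_tunnel(mtus).items():
        print(f"{name}: mtu {mtu} (mss {tcp_mss_for_mtu(mtu)}) exceeds tailscale0 "
              f"mtu {tunnel_mtu} (mss {tcp_mss_for_mtu(tunnel_mtu)})")
    print("suggested /etc/docker/daemon.json:")
    print(docker_daemon_fragment(mtus))
```

Note that the `"mtu"` key in daemon.json only applies to the default `docker0` bridge; a user-defined network keeps its own MTU and has to be created with the `com.docker.network.driver.mtu` driver option set to the same value, which is why the script also lists `br-*` interfaces.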
The container needs to have persistent storage for settings to be preserved across a restart of the container.
docker run -d -v /opt/path/for/my/container/workload:/var/lib ...

On tailscale 1.38.4, HTTP connections and outgoing ICMP (ping) work, but DNS still doesn’t work. (i.e. I can browse 1.1.1.1/help, but not google.com)

Using the flag
--exit-node-allow-lan-access=true
to work around this issue works only if my laptop’s DNS server is set to a local LAN IP address (usually the home router).

A better workaround is outlined in this article. What I did was first create a new bridge network:
Then specify that network when creating the container:

Our Linux users are having the same issue … both exitnode and linux tailscale are at 1.20.4