Tailscale Exit Node

Tailscale provides a secure, private mesh VPN to access the homelab from anywhere.

LXC Configuration (The Proxmox Hole-Punch)

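To allow a Dockerized Tailscale to act as an Exit Node inside an unprivileged LXC, we had to expose the tun device to the container. On the Proxmox host, we added the following to the container's config file (/etc/pve/lxc/[ID].conf). The first line lets the container use character device 10:200 (the tun device), and the second bind-mounts /dev/net/tun into it: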

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

We then enabled IP forwarding inside the LXC (/etc/sysctl.conf), with each setting on its own line:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Docker Configuration

To prevent the node from being marked as Ephemeral (temporary) by Tailscale, we enforce a static Auth Key and state directory.

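services:
  tailscale:
    image: tailscale/tailscale:latest
    network_mode: "host"
    # privileged already grants every capability, so cap_add below is redundant while it is set
    privileged: true
    environment:
      # The auth key is a secret; keep the real value out of version control
      - TS_AUTHKEY=tskey-auth-...
      - TS_EXTRA_ARGS=--advertise-exit-node
      # State is kept in the bind-mounted host directory so it survives container restarts
      - TS_STATE_DIR=/var/lib/tailscale
    volumes:
      - /opt/stacks/networking/tailscale:/var/lib/tailscale
      # The tun device exposed to the LXC by the Proxmox config above
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module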
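
A pre-flight check for the LXC and sysctl settings above, as an added example that is not part of the original page. The function names and the `--run` switch are hypothetical, and `stat -c` assumes GNU coreutils. The checks take file paths as arguments so they can be run against copies of the config files.

```shell
#!/bin/sh
# Added example: checks for the tun and forwarding settings this page configures.

# Return 0 if FILE has an uncommented "KEY = 1" on a line of its own.
sysctl_is_one() {  # usage: sysctl_is_one KEY FILE
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*1[[:space:]]*\$" "$2"
}

# Both forwarding keys must be set; two settings fused on one line do not count.
forwarding_enabled() {  # usage: forwarding_enabled SYSCTL_CONF
    sysctl_is_one net.ipv4.ip_forward "$1" &&
    sysctl_is_one net.ipv6.conf.all.forwarding "$1"
}

# Return 0 if the container config allows char device 10:200 and bind-mounts the tun device.
lxc_conf_exposes_tun() {  # usage: lxc_conf_exposes_tun LXC_CONF
    grep -Eq '^lxc\.cgroup2\.devices\.allow:[[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm[[:space:]]*$' "$1" &&
    grep -Eq '^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+bind,create=file' "$1"
}

# Return 0 if the given path is a character device with major 10, minor 200 (stat prints hex).
is_tun_device() {  # usage: is_tun_device DEVICE_PATH
    [ -c "$1" ] && [ "$(stat -c '%t:%T' "$1")" = "a:c8" ]
}

# Check the live container only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    forwarding_enabled /etc/sysctl.conf || echo "forwarding not set in /etc/sysctl.conf"
    is_tun_device /dev/net/tun || echo "/dev/net/tun missing or not char device 10:200"
fi
```

Run `lxc_conf_exposes_tun` on the Proxmox host against /etc/pve/lxc/[ID].conf; the other two checks belong inside the LXC.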