Leveraging Tailscale Docker Mod - Simplified Networking and Secure Application Hosting

The Tailscale Docker mod for linuxserver.io containers makes it easy to connect a container to a Tailscale network (a tailnet) as a node of its own.

[Image: AI impression of ships sailing between islands, with a lighthouse on a rocky island in the centre guiding the way.]

Introduction

Combining the ease of Docker with the security of Tailscale in a universal docker mod offers exciting possibilities. This blog post explores how the Tailscale Docker mod enables effortless access to remote applications while maintaining robust security measures.

Docker has revolutionized the way we deploy applications, making containerization an essential part of modern software development, and Tailscale has emerged as a powerful tool for creating secure networks and establishing encrypted connections between devices.

I've been considering adding more Tailscale nodes to my network for a while now. I had been running a few self-hosted applications behind Cloudflare tunnels, but I wasn't satisfied with the outcome. Even though traffic was securely being tunnelled through Cloudflare, my apps were still accessible from the open internet. It would be ideal to only expose the parts of the network that should be public, like a website or service that you host for others. What are your thoughts on using Tailscale to connect to your apps instead?

What is the Tailscale Docker Mod?

The Tailscale Docker mod is a universal modification for images provided by linuxserver.io, a community of image maintainers and a popular source of Docker images.
By adding this mod to a container, you can use Tailscale from inside your dockerized applications. The mod installs the Tailscale daemon (tailscaled) into the container at start-up and manages its lifecycle, and the container then appears as a node on your tailnet. This allows, for example, multiple containers running on different servers or virtual machines to communicate over WireGuard tunnels without any manual network management. Another use case is to allow only specific Tailscale users to reach the node by writing ACLs for it. This improves the security of the application, since it is reachable only by a limited set of authenticated identities over this one path, which gives you an additional layer of access control before a user even gets to the application's own login screen. Note that Tailscale's default policy allows every node to talk to every other node, so this only holds once you replace the default allow-all rule with your own.
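As an added example (not from the original post or the docker-mod project), here is a Tailscale policy file in HuJSON that implements the ACL use case above: containers running the mod are tagged `tag:app`, admins reach everything on them, and a family group can only reach the HTTPS port that Tailscale Serve listens on. The group names, e-mail addresses and the `tag:app` tag are assumptions for the illustration. For the tag to apply, the auth key you create in the admin console for the container must carry that tag.

```jsonc
{
  // who may create nodes carrying tag:app (the auth key must be generated with this tag)
  "tagOwners": {
    "tag:app": ["group:admins"],
  },

  // assumed identities for the example
  "groups": {
    "group:admins": ["alice@example.com"],
    "group:family": ["bob@example.com", "carol@example.com"],
  },

  // This list REPLACES Tailscale's default allow-all rule; anything not listed is denied.
  "acls": [
    // admins may reach any port on the app containers
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:app:*"]},
    // family members may only reach HTTPS, where tailscale serve terminates TLS
    {"action": "accept", "src": ["group:family"], "dst": ["tag:app:443"]},
  ],

  // only needed if an app node should be exposed to the internet with Tailscale Funnel
  "nodeAttrs": [
    {"target": ["tag:app"], "attr": ["funnel"]},
  ],
}
```

ACL rules are one-directional: this policy lets the listed people open connections to the containers but gives the containers no rule of their own, so a compromised app node cannot use the tailnet to reach the admins' machines.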

Simplified Network Communication

Let's illustrate the advantages of the Tailscale Docker mod with an example. Imagine you have two servers, one hosting a database and the other running an application. By adding the Tailscale Docker mod to both containers, you get an authenticated, encrypted WireGuard connection between them, and the application can reach the database over the tailnet using its Tailscale hostname. The database port never has to be published on the host's public interface, and an ACL can restrict it to exactly the application node, all with minimal configuration.

Anywhere Access via your Tailscale tailnet

The tailnet is Tailscale's term for the private network spanned by all of your Tailscale nodes. Every container running the mod, as well as users' machines and other servers running tailscaled, can reach each other across it, irrespective of their physical location. So regardless of whether your servers sit in the same data centre or are spread across the globe (or behind NAT), they can exchange traffic through the Tailscale tunnel, with the control plane and DERP relays only ever helping to set up or relay the encrypted WireGuard packets.

TLS Certificates and Tailscale Serve

One of the noteworthy benefits of combining Tailscale with Docker is Tailscale Serve, a reverse proxy built into tailscaled, which is running on every node anyway. It lets you serve an application under your MagicDNS name with a Let's Encrypt TLS certificate with almost no effort: tailscaled requests and renews the certificate for <hostname>.<tailnet-name>.ts.net itself, so there is no manual certificate generation and no ACME client to set up. Two things to keep in mind: HTTPS certificates have to be enabled for the tailnet in the admin console's DNS settings first, and because the certificates are publicly issued, the machine names end up in public Certificate Transparency logs. Since many dockerized applications expect to be reverse proxied anyway and no longer handle TLS themselves, this worked seamlessly in my tests. Gitea, Nextcloud et al. run great behind Tailscale.

Secure Self-Hosting Made Simple

The Tailscale Docker mod offers a practical way to self-host applications for a specific set of users, teams, or family members. Because every connection on the tailnet is an authenticated WireGuard tunnel between the user's device and the node, only identities you admitted to the tailnet (and allowed in the ACLs) can reach the application at all. Users accessing the application through a browser won't be aware of the underlying Tailscale encryption. Keep in mind, though, that the WireGuard tunnel only protects traffic between Tailscale nodes: it is a transport-level guarantee, not a substitute for TLS at the application layer, and a browser still treats a plain-HTTP origin as insecure (no Secure cookies, no HSTS). I still recommend that you host the application over TLS in addition to guard against a wide variety of attacks.

Taking it a Step Further with Tailscale Funnel

I know, I know, sometimes you want to share an app with a wider audience. For those seeking to make their applications accessible to the broader internet, Tailscale Funnel comes into play. Funnel makes a node reachable from the public internet: Tailscale's ingress servers relay the TCP connection to your node, and TLS is terminated there, not at Tailscale. It has to be enabled for the node in the ACL policy (the funnel node attribute) and only works on ports 443, 8443 and 10000. Though the solution is convenient and secure, it has one limitation compared to using cloudflared and the Cloudflare dashboard. With Funnel, the public name is always <machine-name>.<tailnet-name>.ts.net, e.g., myapp.vanity-url.ts.net or otherapp.awesome-sauce.ts.net, whereas Cloudflare lets you host applications under a domain name that you fully control. The upside is, of course, that you do not need to buy a domain; the subdomain comes for free with MagicDNS and Tailscale.
Tailscale also does not offer SSO integration for the application itself: a visitor arriving over Funnel is anonymous as far as Tailscale is concerned, so if the app needs authentication you still have to set that up in another way.

Useful for development

With Tailscale you can mimic a powerful feature that you get, for example, from Cloudflare Pages or other integrated hosting platforms: ephemeral preview sites. With Tailscale, you can host a container publicly or privately for a short amount of time to test out features or check the result of a pull request. Tailscale's ephemeral auth keys fit this use well, because a node created with one is removed from the tailnet automatically once it goes offline. The following two files are an example of a static single-page application and how it is started with Compose.

# syntax=docker/dockerfile:1
# Stage 1: build the static site with Node
FROM node:18 AS build

COPY . /app
WORKDIR /app
RUN <<EOF
    npm ci
    npm run build
EOF

# Stage 2: serve the build output from linuxserver's nginx image,
# whose web root is /config/www
FROM lscr.io/linuxserver/nginx:latest AS host
COPY --from=build /app/dist /config/www
Dockerfile
services:
  app:
    build: .
    environment:
      # Read the key from the shell environment or a .env file; never commit it.
      # For throw-away preview nodes use an ephemeral, pre-authorised key.
      - TAILSCALE_AUTHKEY=${TAILSCALE_AUTHKEY:?set TAILSCALE_AUTHKEY}
      - TAILSCALE_USE_SSH=0
      - TAILSCALE_STATE_DIR=/var/lib/tailscale
      # tailscale serve: terminate HTTPS in tailscaled and proxy to nginx on :80
      - TAILSCALE_SERVE_PORT=80
      - TAILSCALE_SERVE_MODE=https
      - TAILSCALE_HOSTNAME=${RANDOM_HOST_NAME}
      - DOCKER_MODS=ghcr.io/tailscale-dev/docker-mod:main
    volumes:
      # keeps the node identity across container restarts
      - tailscale:/var/lib/tailscale
volumes:
  tailscale:
docker-compose.yml

Since our hosting image is based on linuxserver's nginx image, we can simply add the Tailscale mod and provide the environment variables to plumb it into our tailnet. With RANDOM_HOST_NAME set per pull request (from a random name generator or the PR number) and an ephemeral auth key, you can reproduce the ephemeral preview sites of the hosting platforms mentioned above: each preview gets its own hostname on the tailnet and disappears again when the container is stopped.
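As an added example (not from the original post or the docker-mod project), here is a small POSIX shell wrapper around that compose file that turns the idea into a CI-style preview workflow. The script, the hostname rules it enforces and the PR-number/commit-hash inputs are my assumptions; it expects an ephemeral, pre-authorised Tailscale auth key in TAILSCALE_AUTHKEY so that preview nodes remove themselves from the tailnet when torn down.

```shell
#!/bin/sh
# Added example, not part of the original post: bring up a pull-request preview as a
# throw-away Tailscale node using the docker-compose.yml above, and tear it down again.
#
# Assumptions (hypothetical, not from the docker-mod docs):
#   - TAILSCALE_AUTHKEY in the environment is an *ephemeral*, pre-authorised key,
#     so the node is removed from the tailnet automatically once it goes offline
#   - the PR number and a short commit hash are passed in by CI
set -eu
export LC_ALL=C

# Derive a MagicDNS-safe hostname: lower-case letters, digits and hyphens, max 63 chars.
# Anything else (slashes or underscores from branch names, upper case) becomes a hyphen.
preview_name() {
  printf 'pr-%s-%s' "$1" "$2" \
    | tr '[:upper:]' '[:lower:]' \
    | tr -c 'a-z0-9\n-' '-' \
    | cut -c1-63
}

# Fail fast on names Tailscale would reject: empty, bad characters,
# leading or trailing hyphen, or longer than a DNS label allows.
valid_name() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Start the preview. Each PR gets its own compose project so several can coexist.
preview_up() {
  name="$1"
  valid_name "$name" || { echo "invalid hostname: $name" >&2; return 1; }
  : "${TAILSCALE_AUTHKEY:?set TAILSCALE_AUTHKEY to an ephemeral auth key}"
  RANDOM_HOST_NAME="$name" docker compose -p "$name" up -d --build
  echo "preview will be served at https://$name.<your-tailnet>.ts.net once tailscaled is up"
}

# Stop the preview and drop its state volume; with an ephemeral key the node
# then disappears from the tailnet instead of lingering as a stale machine.
preview_down() {
  docker compose -p "$1" down -v
}

# CLI: ./preview.sh up <pr-number> <short-sha>  |  ./preview.sh down <pr-number> <short-sha>
case "${1:-}" in
  up)   preview_up "$(preview_name "$2" "$3")" ;;
  down) preview_down "$(preview_name "$2" "$3")" ;;
esac
```

A name that is cut off at 63 characters can end in a hyphen; `valid_name` then rejects it instead of letting tailscaled fail later, which is the kind of edge case you want surfaced in CI rather than on the node. Using a separate compose project per PR also keeps each preview's Tailscale state volume isolated.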

Conclusion

In conclusion, the Tailscale Docker mod provides a seamless way to integrate the benefits of Docker and Tailscale, offering simplified networking and secure application hosting for your containers. By effortlessly creating secure WireGuard tunnels and utilizing Tailscale Serve for TLS certificates, you can enhance the privacy and security of your applications while maintaining ease of access for authorized users. While Tailscale Funnel opens up the possibility of making your applications accessible to the internet, it comes with certain domain limitations. Nonetheless, the Tailscale Docker mod remains an excellent choice for developers and system administrators looking to streamline network management and bolster their application security.