Skip to content

mhajder/ts-vpn-exit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
.github/workflows
.github/workflows
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yaml
docker-compose.yaml
 
 

Repository files navigation

Tailscale Exit Node over VPN (Gluetun)

Routes Tailscale exit-node traffic through a commercial VPN provider using Gluetun + the official Tailscale image.

When a Tailscale client selects this node as an exit node, all its internet traffic leaves through the VPN tunnel.

Architecture

Tailscale client
    │  (encrypted Tailscale tunnel)
    ▼
┌─────────────────────────────────────────┐
│  Docker host                            │
│                                         │
│  ┌──────────────────────────────────┐   │
│  │  gluetun  (qmcgaw/gluetun)       │   │
│  │  owns /dev/net/tun + VPN route   │   │
│  │                                  │   │
│  │  ┌──────────────────────────┐    │   │
│  │  │  tailscale               │    │   │
│  │  │  (tailscale/tailscale)   │    │   │
│  │  │  network_mode: gluetun   │    │   │
│  │  │  TS_USERSPACE=true       │    │   │
│  │  └──────────────────────────┘    │   │
│  └──────────────────────────────────┘   │
└─────────────────────────────────────────┘
    │  (VPN-encrypted traffic)
    ▼
VPN provider → Internet

tailscale shares the network namespace of gluetun via network_mode: "service:gluetun". Every packet Tailscale forwards exits through the WireGuard/OpenVPN tunnel that Gluetun maintains.

TS_USERSPACE=true is required because Gluetun already owns /dev/net/tun; Tailscale uses its built-in userspace network stack instead of opening a second tun device.

Requirements

  • A Gluetun-supported VPN provider (Mullvad, AirVPN, NordVPN, ProtonVPN, Surfshark, …). Full list and per-provider variables: https://github.com/qdm12/gluetun-wiki
  • A Tailscale auth key (Reusable + Pre-authorized recommended).

Quick start

1. Configure the VPN provider

Edit docker-compose.yaml and replace the Gluetun environment variables with your provider's credentials. The default example uses Mullvad WireGuard:

environment:
  - VPN_SERVICE_PROVIDER=mullvad
  - VPN_TYPE=wireguard
  - WIREGUARD_PRIVATE_KEY=<your-private-key>
  - WIREGUARD_ADDRESSES=10.64.0.1/32
  # - SERVER_COUNTRIES=Netherlands

2. Set your Tailscale auth key

environment:
  - TS_AUTHKEY=tskey-auth-xxxxxxxx

3. Start

docker compose up -d

4. Approve the exit node

In the Tailscale admin console (https://login.tailscale.com/admin/machines) find the new node and enable "Use as exit node".

Environment variables

Tailscale

Variable Default Description
TS_AUTHKEY (required) Tailscale auth key
TS_EXTRA_ARGS --advertise-exit-node --advertise-connector --accept-dns=false Extra tailscale up flags
TS_STATE_DIR /var/lib/tailscale State directory
TS_USERSPACE true Must stay true when sharing Gluetun's namespace

Gluetun

Provider-specific — see the Gluetun wiki.

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

Tailscale Exit Node over VPN (Gluetun)

Topics

docker vpn tailscale exit-node gluetun

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors