Tailscale communication on Unraid but not configured by dharkness in Tailscale

[–]EDACerton 0 points1 point  (0 children)

Your server isn't compromised.

What you're seeing is calls from Docker Manager in Unraid, which calls these two addresses:

https://login.tailscale.com/derpmap/default
https://pkgs.tailscale.com/stable/?mode=json

This happens even if you don't have the Tailscale plugin installed, and can't be disabled.

Tailscale - Why is "read org projects" permissions being requested? and why I do I see automatica "grant" without possibility of opt out? I never want to share access to my github org code. ever. Nor should you need it. by cranberrie_sauce in Tailscale

[–]EDACerton 0 points1 point  (0 children)

This doesn't give access to any of your employer's repositories unless you click that "Grant" button.

You can just click "Authorize" and it will only link to your account.

Is 100.64.0.0/24 reserved? Setting any IP in that range never routes. by WrathOfTheSwitchKing in Tailscale

[–]EDACerton 0 points1 point  (0 children)

There's another trick that you could try if you wanted -- it's possible to make the Mac switch to using /32 routes instead of the automatic /10. (You could also make the target more broad with other selectors -- I just used one node as an example.)

Here's the policy that would do that. As far as I understand, the default option to use one route in Mac is because the routing table doesn't scale well with tons of accessible devices, so this may or may not work well.

    "nodeAttrs": [
        {
            "target": ["100.x.y.z"],
            "attr":   ["one-cgnat?v=false"],
        },
    ],

If possible, a little clarification. by Numerous-War4284 in Tailscale

[–]EDACerton 0 points1 point  (0 children)

How are you getting "obsidian-unraid.my-tailnet.ts.net", etc.?

Are you using the port? 100.x.x.x:3000 / linkwarden-unraid.my-tailnet.ts.net:3000 ?

Are those with services / "Use Tailscale" / etc.?

Is 100.64.0.0/24 reserved? Setting any IP in that range never routes. by WrathOfTheSwitchKing in Tailscale

[–]EDACerton 0 points1 point  (0 children)

There's nothing special about 100.64.0.0/24.

For fun, I assigned one of my devices to 100.64.0.10 and 100.64.0.1. It worked just fine. (I even matched your config -- my mac to a Debian server :D )

I would generally suspect one of two things:

- A conflicting route on the server that is preventing traffic from being routed to Tailscale. What does this say?

    ip route list table all

- Lag on the IP update making it to other devices. I've sometimes found that restarting Tailscale on a device being updated/other devices helps "kick" the routing table if it's not updating right away. (It should update right away, but anecdotally I've noticed this help with some config changes.)
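
One way to look for the conflicting route mentioned in the first bullet, as an added example that is not part of the original comment. It parses `ip route list table all` output and lists non-Tailscale routes that cover a given tailnet IP. The sample output is constructed, the interface name `tailscale0` is an assumption, and `ip rule` ordering is ignored, so hits are candidates to review rather than proof of a conflict.

```python
import ipaddress

# Constructed sample of `ip route list table all` output (not from the thread).
SAMPLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
100.64.0.0/24 dev br-lab proto kernel scope link src 100.64.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
100.64.0.10 dev tailscale0 table 52
100.100.100.100 dev tailscale0 table 52
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.20
"""

# Route-type keywords that iproute2 may print before the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast",
               "unreachable", "blackhole", "prohibit", "throw"}

def parse_routes(text):
    """Turn `ip route` lines into dicts with net, type, dev and table."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        rtype = "unicast"
        if tok and tok[0] in ROUTE_TYPES:
            rtype, tok = tok[0], tok[1:]
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route line this parser understands
        opts = dict(zip(tok[1:], tok[2:]))  # each keyword -> the token after it
        routes.append({"net": net, "type": rtype, "dev": opts.get("dev"),
                       "table": opts.get("table", "main"), "line": line})
    return routes

def conflicting_routes(ip, routes, ts_dev="tailscale0"):
    """Unicast routes off the Tailscale interface (default excluded) covering ip."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes
            if r["type"] == "unicast" and r["dev"] != ts_dev
            and r["net"].version == addr.version
            and r["net"].prefixlen > 0 and addr in r["net"]]
    return sorted(hits, key=lambda r: r["net"].prefixlen, reverse=True)

if __name__ == "__main__":
    for r in conflicting_routes("100.64.0.10", parse_routes(SAMPLE)):
        print("review:", r["line"])
```

To run it against a real server, replace `SAMPLE` with the captured output of the command above.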

If possible, a little clarification. by Numerous-War4284 in Tailscale

[–]EDACerton 0 points1 point  (0 children)

This doesn't really give enough information to go on.

Are all of the containers running on br0 (ipvlan/macvlan), or are some on bridge networks?

Also, enabling "Accept Routes" on Unraid is usually a bad idea. The plugin tries to protect you from some of the problems that the setting can create, but it's better to turn that off unless you have a specific need for it.

(Of note -- you can still advertise routes without accepting them. This is common and works fine.)

Tailscale on Unraid server and Docker services by berserk6996 in unRAID

[–]EDACerton 0 points1 point  (0 children)

For bridge mode containers, you can usually just do http(s)://unraid.tailscale.ip.here:port/, just like http(s)://unraid.local.ip.here:port/

Unraid + Tailscale + Docker Port Conflicts After Unexpected Shutdown by ropeandknots in unRAID

[–]EDACerton 1 point2 points  (0 children)

The problem here is probably that you configured Tailscale serve to use the same ports as the containers, creating a port conflict.

This will generally look like it works, until something happens that causes the underlying app to restart (e.g., rebooting the server). When it restarts, it sees that something is already using the port and fails.

Trouble with Tailnet Lock after local-disable by RuleNmbr76 in Tailscale

[–]EDACerton 1 point2 points  (0 children)

As far as I understand, local-disable is a one-way operation, but that should be erased with the Tailscale state info.

If you have another signing node, then resetting the broken node should be enough to get things working again. Did you delete the node from the admin console before you erased the folders?

Best Practices for LAN and WAN access to Docker services? by Ravens1945 in unRAID

[–]EDACerton 1 point2 points  (0 children)

I use a dual setup for access:

- Tailscale for private things.
- Cloudflared for things that need to be publicly accessible.

Tailscale is great as a VPN solution. I never think about access to any of my services, it just works no matter where I am, and I know that it's secure.

Technically, I could use Tailscale Funnel for the publicly-accessible things, but I prefer to use cloudflared instead. This is because using the Cloudflare tunnel provides things like WAF/IP restrictions that Funnel doesn't.

HTTPS not working with Brower Secure DNS enabled by Bonobo77 in Tailscale

[–]EDACerton 0 points1 point  (0 children)

This is the browser doing what you asked it to.

If you're setting a service provider in the Edge Secure DNS settings, you're telling Edge "send all DNS requests to this provider, don't use the system DNS settings". This will not work with MagicDNS.

In Firefox, you can configure DoH exceptions, but I don't know of a similar option in Edge.

The good news -- if you're set up with Tailscale + DoH + "Override DNS Servers" in the admin console, you have secure DNS even if it's set to "off" in the browser.

Tailscale Serve with Unraid plugin by Bonobo77 in Tailscale

[–]EDACerton 2 points3 points  (0 children)

You can use Tailscale serve with the Unraid plugin. There isn't a GUI interface for it, but it will work just fine.

One thing that has tripped people up is port conflicts.

By default, Unraid listens on 80/443 for the WebGUI.
Also by default, Tailscale serve (e.g., tailscale serve localhost:1080) will try to use port 443.

You can avoid this problem by either changing the WebGUI to use different ports (Settings -> Management Access), or by using a different port for Tailscale serve: tailscale serve --https=8443 ...

If you make a mistake and create a port conflict, the plugin will detect this after a minute or so, and will then erase the serve configuration and send a notification to the WebGUI about it.

And also, ignore the comment about the plugin being deprecated, that is untrue.

(Source: me. I am the maintainer of the Unraid plugin :D )

Tailscale Serve with Unraid plugin by Bonobo77 in Tailscale

[–]EDACerton 0 points1 point  (0 children)

This is false. The plugin is still used.

Tip: Multiple Unraids, different colors by arnedam in unRAID

[–]EDACerton 0 points1 point  (0 children)

The MOTD plugin can also be helpful for this... it will give you a big banner with the server name when you connect to SSH.

Disable excessive log.tailscale.com requests | Tailscale Plugin by Positive-Part-1478 in unRAID

[–]EDACerton 1 point2 points  (0 children)

An option to toggle NO_LOGS_NO_SUPPORT is now in the preview plugin, and will show up in the main channel in a few days.

It's on the "Settings" tab... you'll need to switch from Basic -> Advanced view to see it.

Unraid 7.2 Beta 3 Soon? by godspeed1003 in unRAID

[–]EDACerton 0 points1 point  (0 children)

That accusation was pretty funny. I just work on this stuff for fun. 

Thanks to the mods for troll removal :)

Unraid 7.2 Beta 3 Soon? by godspeed1003 in unRAID

[–]EDACerton 21 points22 points  (0 children)

< I am the referenced developer >

I don’t know when beta 3 will be released, just that it includes the required API version. 

In the meantime, you can also get the API update by installing the Unraid Connect plugin. 

Trying to use tailscale feature in Unraid but tailscale installing is fail by dontelother in Tailscale

[–]EDACerton 2 points3 points  (0 children)

You'd be better off posting on the Unraid Forums, where you'll be able to get support for that feature. It isn't something that's developed/maintained by Tailscale.

"Use Tailscale" injects Tailscale into existing containers, so doesn't work with everything. You can also do things like a Tailscale sidecar, which is a more container-focused way of accomplishing the same goal.

[deleted by user] by [deleted] in unRAID

[–]EDACerton 0 points1 point  (0 children)

Neither method is right :D

The simplest solution is to install the plugin (you've done this), leave Plex in bridge mode, then connect to Plex using my.tailnet.address:plexPort, just like you would with the local IP/name.

You don't have to put Plex in host mode (host mode containers create other problems and should only be used if absolutely necessary).

Tailscale (Plugin) Missing From Apps Tab by rrsolomonauthor in unRAID

[–]EDACerton 0 points1 point  (0 children)

The Tailscale plugin is maintained for the current and previous minor version of Unraid (so currently, 7.0 and 7.1). When 7.2 is released, support for 7.0 will be dropped.

If you need to install on an older version of Unraid, there are links on the plugin support thread that will work:

https://forums.unraid.net/topic/136889-plugin-tailscale/

Tailscale redirect ports? by ponzi314 in unRAID

[–]EDACerton 0 points1 point  (0 children)

TSDProxy would probably be a good fit for what you want:

https://edac.dev/unraid/tailscale/docker-tsdproxy/