Skip to content
This repository has been archived by the owner on Oct 7, 2023. It is now read-only.
/ tailscale-sidecar Public archive

A TCP proxy used to expose services onto a tailscale network without root. Ideal for container environments.

License

Notifications You must be signed in to change notification settings

markpash/tailscale-sidecar

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

tailscale-sidecar

checks

This program is designed to expose services onto a tailscale network without needing root. Using the tsnet package provided by tailscale, we can listen on a port on a tailscale IP and then proxy the stream to a destination. The use-case for me was running this as a sidecar container in nomad to expose services onto my tailscale network, without needing root or routing.

Currently this only supports tcp because right now because that's all I care about. I may try to make UDP work in the future.

Docker image available:

docker pull ghcr.io/markpash/tailscale-sidecar:latest

Versions of this software track the versions of upstream tailscale. Any features added to this software will be released when the next version of tailscale is released.

Usage

To use this program, it needs to be executed with a few environment variables. They are as follows:

TS_AUTHKEY
TS_SIDECAR_STATEDIR
TS_SIDECAR_NAME
TS_SIDECAR_BINDINGS

TS_AUTHKEY is now enabled for this project. You can provide this variable with a key, consult the tailscale documentation to determine the appropriate key to use. The old TS_LOGIN method still works, but it's not advised and it's not very convenient either.

TS_SIDECAR_STATEDIR is the location where the persistent data for the sidecar will be stored. This is used to not need to re-authorise the instance. In a container setup, you'll want to have this persisted. The default is ./tsstate, which will result in Tailscale using home/nonroot/tsstate in the Docker container.

⚠ Tailscale will not use the specified state directory to store the TLS certificates. When using the Docker container, you should mount home/nonroot/.local/share/tailscale.

TS_SIDECAR_NAME is the name that you wish this program to use to present itself to the tailscale servers, this is what you will see in your panel.

TS_SIDECAR_BINDINGS is the path to the bindings file, which should be a JSON file which has contents much like what's below. The default path for bindings is /etc/ts-sidecar/bindings.json.

Configuration

Configuration should look like this:

[
    {
        "from": 443,
        "to": "127.0.0.1:8000",
        "tls": true
    }
]

Disclaimer

THIS IS NOT OFFICIALLY ENDORSED BY TAILSCALE.

I thought I should put that there just in case someone thought it may be a tailscale product. I'm also not responsible for any of the bad things that might happen as a result of using this software. It works for me but maybe not for you.

About

A TCP proxy used to expose services onto a tailscale network without root. Ideal for container environments.

Topics

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Languages