Automated Tailscale setup and configuration scripts for Proxmox LXC containers with network optimization

Tailscale Proxmox Scripts

Automated scripts for setting up Tailscale in Proxmox LXC containers with proper network configuration and optimizations. These scripts simplify the process of creating secure mesh networks using Tailscale within containerized environments.

Overview

These scripts automate the complex process of configuring LXC containers for Tailscale, including device permissions, network optimizations, and subnet routing.

What is Tailscale?

Tailscale is a zero-config VPN built on WireGuard that creates secure networks between your devices. It provides:

Zero-configuration networking: Automatic mesh network setup
End-to-end encryption: Built on WireGuard protocol
Cross-platform support: Works on all major platforms
Subnet routing: Route traffic through specific nodes
Exit nodes: Use devices as internet gateways

Script Components

hypervisor-ct-conf.sh

tailscale.sh

Prerequisites

System Requirements

Proxmox VE 7.0 or later
LXC container (privileged or unprivileged)
Internet connectivity for downloading Tailscale
Tailscale account with authentication key

Network Planning

Plan your subnet routing carefully. Overlapping subnets can cause routing conflicts.

Consider these network aspects:

Local subnets to advertise through Tailscale
Tailscale subnet (automatically assigned)
Exit node requirements (if needed)
Firewall rules for container access

Script Usage

Step 1: Container Configuration Script (Proxmox Host)

Run the hypervisor configuration script on your Proxmox host:

# Download and run the container configuration script
bash -c "$(wget -qO - https://gitlab.j551n.com/j551n/tailscale_scripts/-/raw/main/hypervisor-ct-conf.sh)"

What this script does:

Lists all available LXC containers
Prompts you to select target container
Adds Tailscale device permissions to container config
Configures TUN/TAP interface access

If you prefer manual configuration, add these lines to your container config:

# Edit container configuration
nano /etc/pve/lxc/[CONTAINER_ID].conf

# Add these lines:
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

Configuration explanation:

lxc.cgroup2.devices.allow: c 10:200 rwm: Allows access to TUN device
lxc.mount.entry: Mounts TUN interface into container

Step 2: Reboot Container

Container reboot is required for device permissions to take effect.

# Reboot the container
pct reboot [CONTAINER_ID]

# Or stop and start
pct stop [CONTAINER_ID]
pct start [CONTAINER_ID]

Step 3: Tailscale Installation Script (Inside Container)

Enter your LXC container and run the Tailscale installation script:

# Enter container console
pct enter [CONTAINER_ID]

# Run Tailscale installation script
bash -c "$(wget -qO - https://gitlab.j551n.com/j551n/tailscale_scripts/-/raw/main/tailscale.sh)"

Script features:

Installs required packages (sudo, ethtool, curl)
Enables IP forwarding and IPv6 forwarding
Configures network optimizations
Installs and configures Tailscale
Sets up subnet routing

For manual installation, follow these steps inside the container:

# Update package list
apt update

# Install required packages
apt install -y sudo ethtool curl

# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
echo 'net.ipv4.conf.all.accept_source_route = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.accept_source_route = 1' >> /etc/sysctl.conf
sysctl -p

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale daemon
systemctl start tailscaled
systemctl enable tailscaled

Script Configuration Options

Basic Tailscale Setup

Configure Tailscale with a single subnet route:

# Replace with your authentication key and subnet
tailscale up --auth-key="tskey-auth-..." \
  --accept-routes \
  --advertise-routes="192.168.1.0/24"

Parameters:

--auth-key: Your Tailscale authentication key
--accept-routes: Accept routes from other nodes
--advertise-routes: Advertise local subnet to Tailscale network

Configure multiple subnet routes:

# Multiple subnets separated by commas
tailscale up --auth-key="tskey-auth-..." \
  --accept-routes \
  --advertise-routes="192.168.1.0/24,10.0.0.0/24"

Use cases:

Multiple VLANs in your network
Different network segments
Bridging separate networks

Configure as an exit node for internet traffic:

# Enable exit node functionality
tailscale up --auth-key="tskey-auth-..." \
  --accept-routes \
  --advertise-routes="192.168.1.0/24" \
  --advertise-exit-node

Requirements for exit nodes:

Reliable internet connection
Sufficient bandwidth
Proper firewall configuration

Network Optimizations

The script automatically applies these optimizations:

UDP GRO Forwarding

GRO List Optimization

IP Forwarding

# Network optimization commands (applied automatically)
NETDEV=$(ip route show 0/0 | cut -f5 -d' ')
ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off

# Make optimizations persistent
printf '#!/bin/sh\n\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off\n' "$NETDEV" > /etc/networkd-dispatcher/routable.d/50-tailscale
chmod 755 /etc/networkd-dispatcher/routable.d/50-tailscale

Advanced Script Configuration

Authentication Keys

Use reusable authentication keys for automated deployments, or one-time keys for manual setups.

Create reusable authentication keys in Tailscale admin console:

Go to Settings → Keys
Generate auth key
Enable Reusable
Set appropriate Expiry
Configure Tags if needed

# Use reusable key for multiple containers
tailscale up --auth-key="tskey-auth-reusable-..."

One-time keys are consumed after first use:

# One-time key (default behavior)
tailscale up --auth-key="tskey-auth-onetime-..."

Benefits:

Enhanced security
Prevents key reuse
Automatic cleanup

Use tagged keys for organized device management:

# Create key with tags in admin console
# Tags: tag:server, tag:container, tag:production

tailscale up --auth-key="tskey-auth-tagged-..." \
  --hostname="proxmox-container-web"

Batch Container Configuration

For deploying Tailscale across multiple containers:

Batch Configuration

Network Segmentation

#!/bin/bash
# Batch container configuration script

CONTAINERS=(101 102 103 104)
SUBNETS=("192.168.1.0/24" "192.168.2.0/24" "10.0.1.0/24" "10.0.2.0/24")

for i in "${!CONTAINERS[@]}"; do
    CTID="${CONTAINERS[$i]}"
    SUBNET="${SUBNETS[$i]}"
    
    echo "Configuring container $CTID for subnet $SUBNET"
    
    # Configure container
    cat >> /etc/pve/lxc/${CTID}.conf << EOF
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
EOF
    
    # Reboot container
    pct reboot $CTID
    
    # Wait for container to start
    sleep 30
    
    # Install Tailscale (would need to be done interactively or with expect)
    echo "Container $CTID configured. Install Tailscale manually with subnet $SUBNET"
done

Monitoring and Troubleshooting

Status Monitoring

Monitor Tailscale connection status:

# Check Tailscale status
tailscale status

# Detailed status with IPs
tailscale status --peers

# Check if routes are being advertised
tailscale status --self

# View connection logs
journalctl -u tailscaled -f

Test network connectivity through Tailscale:

# Test connectivity to Tailscale peers
ping 100.x.x.x

# Test subnet routing
ping 192.168.1.1  # Through Tailscale route

# Trace route through Tailscale
traceroute -n 192.168.1.1

# Check routing table
ip route show | grep tailscale

Monitor Tailscale performance:

# Monitor network interface statistics
watch -n 1 'cat /proc/net/dev | grep tailscale'

# Check WireGuard statistics
wg show

# Monitor CPU usage
top -p $(pgrep tailscaled)

# Network throughput testing
iperf3 -c [tailscale-peer-ip]

Common Issues and Solutions

Common issues often relate to firewall configuration, routing conflicts, or authentication problems.

Cannot connect to Tailscale:

# Check if tailscaled is running
systemctl status tailscaled

# Restart Tailscale service
systemctl restart tailscaled

# Check authentication
tailscale status

# Re-authenticate if needed
tailscale up --auth-key="new-key"

TUN device issues:

# Check if TUN device exists
ls -la /dev/net/tun

# Verify container configuration
cat /etc/pve/lxc/[CONTAINER_ID].conf | grep tun

# Check device permissions
ls -la /dev/net/tun

Subnet routes not working:

# Check advertised routes
tailscale status --self

# Verify IP forwarding
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding

# Check routing table
ip route show table all

# Test local subnet connectivity
ping -c 1 192.168.1.1

Route conflicts:

# Check for overlapping routes
ip route show | grep -E "(192\.168|10\.0|172\.16)"

# Remove conflicting routes
ip route del 192.168.1.0/24 via [gateway]

Slow VPN performance:

# Check network optimizations
ethtool -k $(ip route show 0/0 | cut -f5 -d' ') | grep gro

# Re-apply optimizations
NETDEV=$(ip route show 0/0 | cut -f5 -d' ')
ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off

# Check for packet loss
ping -c 100 [tailscale-peer] | grep loss

# Monitor interface errors
cat /proc/net/dev | grep tailscale

Security Considerations

Best Practices

Authentication

Network Security

Container Security

Access Control

# Implement strict Tailscale ACLs
{
  "acls": [
    // Allow admin access to all devices
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": ["*:*"]
    },
    // Restrict container access
    {
      "action": "accept",
      "src": ["tag:container"],
      "dst": ["tag:server:80,443"]
    }
  ]
}

Script Customization

Modifying the Scripts

Customizing the hypervisor configuration script:

#!/usr/bin/env bash
# Custom hypervisor configuration

# Add custom container selection logic
select_container_by_name() {
    local container_name="$1"
    CTID=$(pct list | grep "$container_name" | awk '{print $1}')
    
    if [ -z "$CTID" ]; then
        echo "Container '$container_name' not found"
        exit 1
    fi
}

# Add additional security configurations
add_security_config() {
    local ctid="$1"
    cat >> /etc/pve/lxc/${ctid}.conf << EOF
# Additional security for Tailscale
lxc.cap.drop = sys_module
lxc.cap.drop = mac_admin
lxc.cap.drop = mac_override
EOF
}

Customizing the Tailscale installation script:

#!/bin/bash
# Custom Tailscale installation

# Add custom network configuration
configure_custom_network() {
    # Custom firewall rules
    ufw --force enable
    ufw allow in on tailscale0
    ufw allow out on tailscale0
    
    # Custom routing
    echo "100 tailscale" >> /etc/iproute2/rt_tables
    ip rule add from 100.64.0.0/10 table tailscale
}

# Add monitoring setup
setup_monitoring() {
    # Install monitoring tools
    apt install -y prometheus-node-exporter
    
    # Configure Tailscale metrics
    systemctl enable prometheus-node-exporter
    systemctl start prometheus-node-exporter
}

Creating custom automation scripts:

#!/bin/bash
# tailscale-automation.sh - Custom deployment automation

CONFIG_FILE="/etc/tailscale-deployment.conf"

# Load configuration
source "$CONFIG_FILE"

# Automated deployment function
deploy_tailscale_cluster() {
    local containers=("$@")
    
    for container in "${containers[@]}"; do
        echo "Deploying Tailscale to container: $container"
        
        # Configure container
        configure_container "$container"
        
        # Install Tailscale
        install_tailscale "$container"
        
        # Apply custom configuration
        apply_custom_config "$container"
    done
}

# Usage
deploy_tailscale_cluster 101 102 103 104

Conclusion

These Tailscale Proxmox scripts provide:

Automated configuration for Proxmox LXC containers
Network optimization for best performance
Flexible routing options for complex networks
Security features with proper access control
Batch deployment capabilities for multiple containers

Regular monitoring and maintenance ensure optimal performance and security of your Tailscale mesh network deployed via these automation scripts.

Tailscale Proxmox Scripts

On this page