this post was submitted on 24 Mar 2025
13 points (81.0% liked)

Selfhosted

60526 readers
939 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

My ISP uses CG NAT which is stopping me from reaching my internal network, so I'm thinking about using Tailscale to allow me to connect to my server and hence to my internal network.

But I'm not very comfortable giving 100% access to Tailscale to my internal network, so I was thinking if I could limit it only to what it requires to connect to the internet and to a wireguard service running in the same container. This would in turn connect to a wireguard server in the container's host and provide me with full network access.

I know, as long as they have a service running in the server, even if inside a container, they can always be able to access the host. But even do I would feel safer if at least tried to contain it.

Does anyone know if this is possible? And can it be done through Docker Compose?

you are viewing a single comment's thread
view the rest of the comments
[–] codemichael@lemmy.world 6 points 1 year ago

Yes, you can run Tailscale in a container. You could create a second VLAN, attach it to your hosts interface, add a macvlan docker interface to the container and put it directly on your network.

If you have concerns about the software running on your host I would recommend getting a dedicated piece of hardware instead (rpi, zimaboard, etc).

How paranoid are you wanting to be? You can either go Headscale, or Tailnet Lock (my preference) to give your self some peace of mind. It completely depends on your threat model, which you didn't mention.