- 1. Initial Server Setup
- 1.1 Set New Root Password
- 1.2 Add New User
- 1.3 Configure SSH for New User
- 1.4 Update System
- 2. SSH Setup
- 3. Tailscale Initial Setup
- 4. Docker Initial Setup
- 5. Docker and Tailscale Integration
- 5.1 Configure Docker Daemon
- 5.2 Modify Docker Service
- 5.3 Restart Docker
- 5.4 Set Up Docker Engine in Swarm Mode
- 6. Docker Context Setup
- 7. Tailscale Subnet & Routing Setup (Optional)
-
For security reasons, change the root password:
passwd
-
Create a new user and add them to the sudo group:
adduser fathur
usermod -aG sudo fathur
-
Set up the SSH directory and keys for the new user:
-
Create the /home/fathur/.ssh directory with permissions 700 and ownership "fathur", copy authorized_keys from root, set its ownership to fathur, and ensure its permissions are 600:
install -d -m 700 -o fathur -g fathur /home/fathur/.ssh && \
cat /root/.ssh/authorized_keys > /home/fathur/.ssh/authorized_keys && \
chown fathur:fathur /home/fathur/.ssh/authorized_keys && \
chmod 600 /home/fathur/.ssh/authorized_keys
-
Switch to the new user and update the system:
su - fathur
sudo apt update && sudo apt upgrade
-
Enhance SSH security by modifying the configuration:
sudo nano /etc/ssh/sshd_config
-
Add or modify these lines:
PermitRootLogin no
PasswordAuthentication no
-
Restart SSH service:
sudo systemctl restart ssh
-
Install Tailscale:
curl -fsSL https://tailscale.com/install.sh | sh
-
Run tailscale:
sudo tailscale up
-
Follow the official latest Docker installation guide for Ubuntu: Docker Installation Guide
-
Install Docker Engine:
sudo apt-get install docker-ce docker-ce-cli containerd.io
-
Add your user to the docker group:
sudo usermod -aG docker ${USER}
su - ${USER}
-
Edit the Docker daemon configuration:
sudo nano /etc/docker/daemon.json
-
Add the following (replace 100.xxx.xxx.xxx with your Tailscale IP):
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://100.xxx.xxx.xxx:2375"]
}
-
Edit the Docker service file:
sudo nano /usr/lib/systemd/system/docker.service
-
Remove the -H fd:// option from the ExecStart line (it conflicts with the "hosts" key in daemon.json).
-
Restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker.service
-
Verify that the changes have been applied with netstat:
sudo apt install net-tools
then
sudo netstat -lntp | grep dockerd
-
List running containers or images via the Tailscale IP / machine hostname:
curl http://<tailscale-machine-hostname-or-ip>:2375/containers/json
or
curl http://<tailscale-machine-hostname-or-ip>:2375/images/json
-
You'll see an empty [] while no containers or images exist.
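An added check that is not part of the original guide: the Docker API on tcp/2375 carries no TLS and no authentication, so anyone who can reach the port controls the host, and the listener must sit only on the Tailscale address, never on 0.0.0.0, [::] or *. The POSIX sh function below takes the Local Address:Port column of ss/netstat output and fails unless every port-2375 listener is on a Tailscale CGNAT address (100.64.0.0/10); the sample listener lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added verification script (not from the original guide): confirm that dockerd's
# unauthenticated TCP listener on 2375 is bound only to a Tailscale address.

# check_docker_bind LISTENERS
#   LISTENERS: one "address:port" per line, i.e. the Local Address:Port column
#   of `ss -lnt` or `netstat -lnt`. Prints every unsafe entry and returns 0 only
#   if each port-2375 listener is on a 100.64.0.0/10 (Tailscale CGNAT) address.
check_docker_bind() {
  printf '%s\n' "$1" | awk '
    /:2375$/ {
      addr = $0
      sub(/:2375$/, "", addr)
      # 100.64.0.0/10 means a second octet of 64..127
      if (addr !~ /^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]+\.[0-9]+$/) {
        print "UNSAFE: dockerd API reachable via " $0
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Live audit of this machine when invoked as `sh check.sh --live`:
# collect the listening TCP sockets with ss and compare against the Tailscale IP.
if [ "${1:-}" = "--live" ]; then
  live=$(ss -H -lnt | awk '{print $4}')
  echo "daemon.json should list: tcp://$(tailscale ip -4):2375"
  if check_docker_bind "$live"; then
    echo "OK: Docker API is only reachable over Tailscale"
  else
    echo "FIX: correct the hosts entry in /etc/docker/daemon.json and restart docker" >&2
    exit 1
  fi
fi
```

Run it after step 5.3 and again after any daemon.json change; a 0.0.0.0:2375 or [::]:2375 line means the API is exposed on every interface the host has.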
-
Initialize swarm mode:
docker swarm init
-
Configure the advertise address:
docker swarm init --advertise-addr <MANAGER-IP (your-public ip / your-private-ip)>
-
Manage multiple Docker hosts with docker context from your local machine.
-
Create docker context (on local machine):
docker context create <your-context-name> --docker "host=tcp://<tailscale-machine-hostname/ip-address>:2375"
-
Use the context:
docker context use <context-name>
-
You can now run docker commands from your local machine, e.g.:
docker ps
-
Enable IP forwarding. If your Linux system has a /etc/sysctl.d directory, use:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
-
Otherwise, use:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
-
If your Linux node uses firewalld, you might need to allow masquerading due to a known issue. As a workaround, you can allow masquerading with this command:
firewall-cmd --permanent --add-masquerade
-
Check the available subnets:
ip -o -f inet addr show | awk '/scope global/ {print $2, $4}'
-
Advertise the chosen subnets:
sudo tailscale up --advertise-routes=<subnet1>,<subnet2>
-
As an exit node:
sudo tailscale up --advertise-exit-node
-
Private network & exit node:
sudo tailscale up --advertise-routes=10.15.0.0/16,10.104.0.0/20 --advertise-exit-node
-
All networks & exit node:
sudo tailscale up --advertise-routes=146.190.80.0/20,10.15.0.0/16,10.104.0.0/20,172.17.0.0/16 --advertise-exit-node
-
Enable automatic discovery of subnet routes:
sudo tailscale up --accept-routes --advertise-routes=192.0.2.0/24,198.51.100.0/24
-
Enable automatic discovery of subnet routes with all networks & exit node:
sudo tailscale up --accept-routes --advertise-routes=146.190.80.0/20,10.15.0.0/16,10.104.0.0/20,172.17.0.0/16 --advertise-exit-node
-
Disable source NAT (SNAT, also called masquerading) for subnet routes:
sudo tailscale up --snat-subnet-routes=false
-
NOTE: Make sure to replace the subnets in the example above with the correct ones for your network. All platforms except Apple TV support both IPv4 and IPv6 subnets. Apple TV only supports IPv4 subnets.
-
Optimize UDP GRO Forwarding:
NETDEV=$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")
sudo ethtool -K $NETDEV rx-udp-gro-forwarding on rx-gro-list off
-
Make configuration persistent:
printf '#!/bin/sh\n\nethtool -K %s rx-udp-gro-forwarding on rx-gro-list off \n' "$(ip -o route get 8.8.8.8 | cut -f 5 -d " ")" | sudo tee /etc/networkd-dispatcher/routable.d/50-tailscale
sudo chmod 755 /etc/networkd-dispatcher/routable.d/50-tailscale
-
Test the configuration script:
sudo /etc/networkd-dispatcher/routable.d/50-tailscale
test $? -eq 0 || echo 'An error occurred.'