mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-08 21:59:09 -05:00
[GH-ISSUE #267] Rules and Tailscale #6165
Originally created by @jaydis1 on GitHub (Mar 3, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/267
Hello,
Love the rules feature, exactly what I needed.
I'm wondering if it is possible to always allow Tailscale IPs. Tailscale is installed on the server where Pangolin is installed.
Hacky workarounds welcome!
@oschwartz10612 commented on GitHub (Mar 3, 2025):
Tailscale uses the 100.64.0.0/10 CGNAT range by default to assign IPv4 addresses to nodes in a tailnet. I think you could add that as a range and it should work?
@jaydis1 commented on GitHub (Mar 3, 2025):
I first tried a single Tailscale IP which didn't work.
When I try to allow 100.64.0.0/10, it tells me invalid IP.
I wonder if this doesn't work because the request is not being made over Tailscale?
@oschwartz10612 commented on GitHub (Mar 3, 2025):
You will want to use "IP Range" in the dropdown not IP. It should accept that CIDR.
But yeah, if your requests are not coming from Tailscale itself it will not do anything. They probably are not, if I had to guess, because it is going through your VPS interface to Traefik from the public internet, right?
@jaydis1 commented on GitHub (Mar 3, 2025):
IP Range worked, silly oversight by me.
Correct, just a very standard setup. Jellyfin at home -> VPS via Pangolin -> public internet.
Anything you can think of to make this work? Somehow point to the Tailscale IP of Jellyfin in Pangolin?
@oschwartz10612 commented on GitHub (Mar 3, 2025):
Is the goal to do the following?
If this is the case you could try using the public IP of the VPS itself in the rules or the IP of the VPS's tailscale interface. I would expect traffic to "leave" the VPS from the tailscale interface destined to the public IP and do some sort of loopback. You could also try 127.0.0.1 but I am not sure if that would work.
@jaydis1 commented on GitHub (Mar 3, 2025):
That is the goal, yes. I want my Tailscale devices (and other specific IPs) to bypass authentication, while the rest of the world gets the auth page.
Tried the VPS IP and Pangolin Tailscale IP, didn't help unfortunately.
Jellyfin and Newt are both installed on my Unraid server at home with Pangolin on a cheap VPS.
@oschwartz10612 commented on GitHub (Mar 3, 2025):
Are you forcing all traffic to go through Tailscale? Like, is the Pangolin Tailscale node an exit node in Tailscale? If not, your requests are probably going over the open internet.
One thing you can do is turn on the debug logs in config.yml and restart the container and watch the logs when you access. It should print out the source IP of the requests and that should help you narrow down what is going on.
@jaydis1 commented on GitHub (Mar 3, 2025):
No, it's not an exit node. I think that would probably work but I find the exit node feature really slows everything down. I will still try it though.
Should be as simple as whitelisting the public IP of the VPS for the resource and connecting to the Pangolin Tailscale exit node right?
@oschwartz10612 commented on GitHub (Mar 3, 2025):
Yeah, without sending your traffic through Tailscale you don't know how it is getting to Pangolin to whitelist, if that makes sense.
Yeah, I would do that and look at the logs and see if it even works and, if it does, what the source is.
@EmeraldPi commented on GitHub (Mar 5, 2025):
I would think you could accomplish what you actually want to do (tailscale bypass auth) by using a custom DNS in tailscale (for instance I use NextDNS) and set the record for pangolin in that DNS to the container's or host's tailscale IP. Then the origin IP should be over tailscale for your devices.
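The following is an added example, not code from this thread or from the Pangolin project. It models the two points the discussion turns on: the difference between the "IP" and "IP Range" rule types (a CIDR such as 100.64.0.0/10 is only valid as a range, which is why the single-IP form reported "invalid IP"), and the fact that a rule can only match the source address Pangolin actually sees, which depends on whether the hostname resolved to the VPS's public address (request crosses the open internet) or to its tailnet address via a DNS override (request arrives from a 100.64.0.0/10 peer). The rule structure, action names, and all addresses are constructed for illustration.

```python
"""Constructed model of Pangolin-style bypass rules and request source paths.
Not Pangolin's own code; rule fields, action names and addresses are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default IPv4 range Tailscale assigns to tailnet nodes, as noted in the thread.
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed scenario: client and VPS each have a public and a tailnet address.
VPS_PUBLIC_IP = "203.0.113.10"       # constructed (documentation range)
VPS_TAILSCALE_IP = "100.100.1.1"     # constructed tailnet address of the VPS
CLIENT_PUBLIC_IP = "198.51.100.7"    # constructed
CLIENT_TAILSCALE_IP = "100.100.1.2"  # constructed tailnet address of the client


@dataclass(frozen=True)
class Rule:
    kind: str    # "IP" (single address) or "IP Range" (CIDR), like the dropdown
    value: str
    action: str  # hypothetical action label, e.g. "BYPASS"


def parse_rule(rule: Rule) -> ipaddress._BaseNetwork:
    """Turn a rule into a network object, enforcing the type distinction:
    the "IP" type must be a single address, "IP Range" must be a CIDR."""
    if rule.kind == "IP":
        # ip_address() rejects anything with a prefix length, e.g. "100.64.0.0/10"
        single = ipaddress.ip_address(rule.value)
        return ipaddress.ip_network(str(single))  # /32 or /128 host network
    if rule.kind == "IP Range":
        return ipaddress.ip_network(rule.value, strict=False)
    raise ValueError(f"unknown rule type {rule.kind!r}")


def rule_error(rule: Rule) -> Optional[str]:
    """Return a validation message (the 'invalid IP' case) or None if valid."""
    try:
        parse_rule(rule)
    except ValueError as exc:
        return f"invalid {rule.kind}: {exc}"
    return None


def matching_rule(rules, source_ip: str) -> Optional[Rule]:
    """First rule whose network contains the request's source address."""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if src in parse_rule(rule):  # mixed IPv4/IPv6 simply fails to match
            return rule
    return None


def decide(rules, source_ip: str) -> str:
    """Action for a request: the matching rule's action, else the auth page."""
    hit = matching_rule(rules, source_ip)
    return hit.action if hit else "AUTH"


def source_seen_by_pangolin(resolved_to: str) -> str:
    """Which source address the rules see, given where the hostname resolved.
    Public DNS points at the VPS public IP, so the request crosses the open
    internet and arrives from the client's public IP. A tailnet DNS override
    points at the VPS tailnet IP, so the request rides the tailnet and arrives
    from the client's 100.64.0.0/10 address."""
    if ipaddress.ip_address(resolved_to) in TAILSCALE_CGNAT:
        return CLIENT_TAILSCALE_IP
    return CLIENT_PUBLIC_IP


def outcome_for_resolution(rules, resolved_to: str) -> str:
    """End-to-end: DNS answer -> source address seen -> rule decision."""
    return decide(rules, source_seen_by_pangolin(resolved_to))


if __name__ == "__main__":
    bad = Rule("IP", "100.64.0.0/10", "BYPASS")
    print("single-IP rule with a CIDR:", rule_error(bad))
    rules = [Rule("IP Range", "100.64.0.0/10", "BYPASS")]
    for resolved in (VPS_PUBLIC_IP, VPS_TAILSCALE_IP):
        print(f"resolved to {resolved:>14}: "
              f"source {source_seen_by_pangolin(resolved):>14} -> "
              f"{outcome_for_resolution(rules, resolved)}")
```

Running it shows the thread's result: with only the CGNAT range allowed, a request that reached the VPS over its public address is still sent to the auth page, while the same request via the tailnet address bypasses it. Whitelisting the VPS's own public or tailnet IP does not help, because neither is the source of the client's connection.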
@jaydis1 commented on GitHub (Mar 5, 2025):
This sounds perfect! I use ControlD so I will give this a try.