Docs / Guides

Tailscale on Google Cloud Run

Google Cloud Run is a popular method of deploying application using containers, rather than managing servers yourself. However, it can be difficult to use Tailscale on Google Cloud Run, since it doesn’t provide a /dev/net/tun device that Tailscale needs.

In Tailscale v1.8 or greater, you can use Tailscale’s userspace networking mode to connect your Cloud Run apps to your Tailscale network.

Step 1: Generate an auth key to authenticate your Cloud Run containers

First, we’ll generate an auth key to allow Cloud Run to authenticate our container to join our network.

Navigate to the auth keys page of the admin console. We recommend using an ephemeral key for this purpose, since it will automatically clean up devices after they shut down.

Tailscale's auth key generation page

Next, navigate to Cloud Run’s Edit & Deploy New Revision page and click on the Variables & Secrets tab. From here, add a new secret, use “Environment variable” as the reference method, and name it TAILSCALE_AUTHKEY. Use the tskey-<key> value as the secret.

Step 2: Configure your Dockerfile to install Tailscale

Next, we’ll use a multistage Dockerfile, where the first stage builds your application, the second fetches and unpacks Tailscale binaries, and the final stage pulls application code and Tailscale into the final image to be uploaded to Google.

In your Dockerfile:

FROM golang:1.16.2-alpine3.13 as builder
COPY . ./
# This is where one could build the application code as well.

FROM alpine:latest as tailscale
COPY . ./
ENV TSFILE=tailscale_1.14.3_amd64.tgz
RUN wget${TSFILE} && \
  tar xzf ${TSFILE} --strip-components=1
COPY . ./

FROM alpine:latest
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*

# Copy binary to production image
COPY --from=builder /app/ /app/
COPY --from=tailscale /app/tailscaled /app/tailscaled
COPY --from=tailscale /app/tailscale /app/tailscale
RUN mkdir -p /var/run/tailscale /var/cache/tailscale /var/lib/tailscale

# Run on container startup.
CMD ["/app/"]

The Dockerfile specifies /app/ as the initial process to run. This script needs to bring Tailscale up and then start the application binary. This is where we can use the TAILSCALE_AUTHKEY variable we defined earlier.

Then, create a file named at the root of your app:


/app/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
until /app/tailscale up --authkey=${TAILSCALE_AUTHKEY} --hostname=cloudrun-app
    sleep 0.1
echo Tailscale started
ALL_PROXY=socks5://localhost:1055/ /app/my-app

Done! The next time your Cloud Run container deploys, it should be able to connect to your private Tailscale network.

We’d love to hear about the cool things you build. Mention @tailscale on Twitter or email us at [email protected].

Last updated