Tailscale on a Proxmox host

Proxmox is a popular open-source solution for running virtual machines and containers, built on top of a Debian Linux platform.

Installing Tailscale allows the Proxmox console to be accessed from anywhere, without needing to open firewall ports or manually configure a VPN.

Access to the proxmox Web UI via Tailscale

Enable HTTPS access to the Proxmox Web UI

The Proxmox Web UI is served over HTTPS by default on port 8006. The default certificate is self-signed, so you will need to accept the certificate warning in your browser. With Tailscale installed on the Proxmox host, you can generate a valid certificate, removing the need to accept the warning.

The following script will use Tailscale to generate a certificate for the Proxmox host and install it in the Proxmox certificate store. You may want to run this script as a cron job to ensure the certificate is kept up to date.

#!/bin/bash
NAME="$(tailscale status --json | jq '.Self.DNSName | .[:-1]' -r)"
tailscale cert "${NAME}"
pvenode cert set "${NAME}.crt" "${NAME}.key" --force --restart

Another options is to use Tailscale Serve to proxy the Proxmox Web UI. This will allow you to access the Web UI using a valid certificate, automatically generated by Serve. In addition, you can omit the port number from the URL, as Serve can proxy the request on the default HTTPS port 443.

sudo tailscale serve https+insecure://localhost:8006

Troubleshooting

Installing Tailscale within a VM

Proxmox can run virtual machines, emulating a hardware device and allowing an unmodified operating system to run within it. Tailscale can be installed in the OS within the virtual machine as normal.

Installing Tailscale within an LXC

Proxmox can also run lightweight Linux containers called LXC/LXD and can run them privileged or unprivileged. Tailscale can run within LXC/LXD containers, though running within an unprivileged container requires an adjustment in the config.

resolv.conf within LXC

By default Proxmox writes its own DNS config to /etc/resolv.conf within LXCs. Even if the LXC gets its DNS configuration via DHCP, Proxmox will overwrite /etc/resolv.conf with its own. If Tailscale is installed on Proxmox and using MagicDNS, Proxmox will write that config to the container’s /etc/resolv.conf:

# --- BEGIN PVE ---
nameserver 100.100.100.100
search example.ts.net
# --- END PVE ---

If the LXC itself does not have Tailscale installed, this configuration is unlikely to work and DNS lookups will time out.

Two options to mitigate this behavior are:

  • Configure tailscale without MagicDNS on the Proxmox host with tailscale up --accept-dns=false.
  • Create a file named /etc/.pve-ignore.resolv.conf within each LXC’s filesystem that will tell Proxmox not to overwrite /etc/resolv.conf.