Hey folks! If you’ve ever wanted to access your Fly.io private network via Tailscale you are in luck! Check out GitHub - fly-apps/tailscale-router to play with it today and keep an eye out for an official integration maybe coming soon.
Let me know how it works for folks!
We’re wanting to prevent an application on Fly from being publicly accessible. Our company is using Tailscale VPN for other purposes. Would this allow us to connect to our Fly instance over HTTPS provided we’re connected to Tailscale?
Yep! This will be a bit more fleshed out in terms of an official integration soon also.
@DAlperin Thanks! This is really helpful!
Hi there!
Was this official integration ever released? I can’t find anything about it, so is it still planned?
I am not Fly, but I did get our Fly apps talking to Crunchy Bridge over Tailscale recently, and I was in touch with folks at Fly and Tailscale about it at the time.
I’m not aware of anything official, integration-wise. For my setup it just came down to using iptables-legacy (since Fly doesn’t have kernel-level support for nftables).
Linked GitHub issue (opened 01:51PM, 09 Dec 23 UTC; closed 10:51PM, 16 Dec 23 UTC; labels: L2 Few, P3 Can't get started, waiting-for-info, containers, needs-decision)
### What is the issue?
The main thing:
```
health("router"): error: setting up filter/ts-input: running [/sbin/iptables -t filter -N ts-input --wait]: exit status 4: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
```
The machine can connect to other machines in the tailnet by ip address, but not via MagicDNS.
Complete logs from a recent bootup:
```
2023/12/09 13:28:37 logtail started
2023/12/09 13:28:37 Program starting: v1.54.1-tb78b24570, Go 1.21.4: []string{"tailscaled", "--state=/var/lib/tailscale/tailscaled.state", "--socket=/var/run/tailscale/tailscaled.sock"}
2023/12/09 13:28:37 LogID: 4de9ac0d2e29fe4712c0a1e555c47b8e0263df745e9675d34e9a03a39dbdbf22
2023/12/09 13:28:37 logpolicy: using system state directory "/var/lib/tailscale"
logpolicy.ConfigFromFile /var/lib/tailscale/tailscaled.log.conf: open /var/lib/tailscale/tailscaled.log.conf: no such file or directory
logpolicy.Config.Validate for /var/lib/tailscale/tailscaled.log.conf: config is nil
2023/12/09 13:28:37 wgengine.NewUserspaceEngine(tun "tailscale0") ...
2023/12/09 13:28:37 router: default choosing iptables
2023/12/09 13:28:37 router: v6nat = false
2023/12/09 13:28:37 router: failed to determine ip command fwmask support: exit status 1
2023/12/09 13:28:37 dns: [rc=unknown ret=direct]
2023/12/09 13:28:37 dns: using "direct" mode
2023/12/09 13:28:37 dns: using *dns.directManager
2023/12/09 13:28:37 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.26/29 172.19.0.27/29 2604:1380:4500:b1e:0:f520:de0:1/127 fdaa:1:dac8:a7b:11a:f520:de0:2/112 llu6]} v4=true v6=true}
2023/12/09 13:28:37 magicsock: disco key = d:37c839d5cdab041c
2023/12/09 13:28:37 Creating WireGuard device...
2023/12/09 13:28:37 Bringing WireGuard device up...
2023/12/09 13:28:37 Bringing router up...
2023/12/09 13:28:37 Clearing router settings...
2023/12/09 13:28:37 Starting network monitor...
2023/12/09 13:28:37 Engine created.
2023/12/09 13:28:37 external route: up
2023/12/09 13:28:37 pm: migrating "_daemon" profile to new format
2023/12/09 13:28:37 envknob: PORT="8080"
2023/12/09 13:28:37 logpolicy: using system state directory "/var/lib/tailscale"
2023/12/09 13:28:37 got LocalBackend in 28ms
2023/12/09 13:28:37 Start
2023/12/09 13:28:37 Backend: logs: be:4de9ac0d2e29fe4712c0a1e555c47b8e0263df745e9675d34e9a03a39dbdbf22 fe:
2023/12/09 13:28:37 Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)
2023/12/09 13:28:37 blockEngineUpdates(true)
2023/12/09 13:28:37 wgengine: Reconfig: configuring userspace WireGuard config (with 0/0 peers)
2023/12/09 13:28:37 wgengine: Reconfig: configuring router
2023/12/09 13:28:37 wgengine: Reconfig: configuring DNS
2023/12/09 13:28:37 dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
2023/12/09 13:28:37 dns: Resolvercfg: {Routes:{} Hosts:0 LocalDomains:[]}
2023/12/09 13:28:37 dns: OScfg: {}
2023/12/09 13:28:37 health("overall"): error: state=NeedsLogin, wantRunning=false
2023/12/09 13:28:37 Start
2023/12/09 13:28:37 generating new machine key
2023/12/09 13:28:37 machine key written to store
2023/12/09 13:28:37 control: client.Shutdown()
2023/12/09 13:28:37 control: client.Shutdown
2023/12/09 13:28:37 control: mapRoutine: exiting
2023/12/09 13:28:37 control: authRoutine: exiting
2023/12/09 13:28:37 control: updateRoutine: exiting
2023/12/09 13:28:37 control: Client.Shutdown done.
2023/12/09 13:28:37 Backend: logs: be:4de9ac0d2e29fe4712c0a1e555c47b8e0263df745e9675d34e9a03a39dbdbf22 fe:
2023/12/09 13:28:37 Switching ipn state NoState -> NeedsLogin (WantRunning=true, nm=false)
2023/12/09 13:28:37 blockEngineUpdates(true)
2023/12/09 13:28:37 Reconfig(down): no changes made to Engine config
2023/12/09 13:28:37 StartLoginInteractive: url=false
2023/12/09 13:28:37 control: client.Login(false, 2)
2023/12/09 13:28:37 control: LoginInteractive -> regen=true
2023/12/09 13:28:37 control: doLogin(regen=true, hasUrl=false)
2023/12/09 13:28:38 control: control server key from https://controlplane.tailscale.com: ts2021=[fSeS+], legacy=[nlFWp]
2023/12/09 13:28:38 control: Generating a new nodekey.
2023/12/09 13:28:38 control: RegisterReq: onode= node=[1vQtb] fup=false nks=false
2023/12/09 13:28:38 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
2023/12/09 13:28:38 blockEngineUpdates(false)
2023/12/09 13:28:39 control: netmap: got new dial plan from control
2023/12/09 13:28:39 active login: [redacted]
2023/12/09 13:28:39 monitor: gateway and self IP changed: gw=172.19.0.25 self=172.19.0.26
2023/12/09 13:28:39 Switching ipn state NeedsLogin -> Starting (WantRunning=true, nm=true)
2023/12/09 13:28:39 magicsock: SetPrivateKey called (init)
2023/12/09 13:28:39 wgengine: Reconfig: configuring userspace WireGuard config (with 0/21 peers)
2023/12/09 13:28:39 wgengine: Reconfig: configuring router
2023/12/09 13:28:39 health("router"): error: setting up filter/ts-input: running [/sbin/iptables -t filter -N ts-input --wait]: exit status 4: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
2023/12/09 13:28:39 peerapi: serving on http://[redacted]:35402
2023/12/09 13:28:39 peerapi: serving on http://[redacted]:34698
2023/12/09 13:28:39 magicsock: home is now derp-1 (nyc)
2023/12/09 13:28:39 magicsock: endpoints changed: 147.75.50.175:8440 (stun), 147.75.50.175:8080 (stun4localport), [2604:1380:4500:b1e:0:f520:de0:1]:8080 (stun), 172.19.0.26:8080 (local), 172.19.0.27:8080 (local)
2023/12/09 13:28:39 magicsock: adding connection to derp-1 for home-keep-alive
2023/12/09 13:28:39 magicsock: 1 active derp conns: derp-1=cr0s,wr0s
2023/12/09 13:28:39 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2023/12/09 13:28:39 control: NetInfo: NetInfo{varies=true hairpin=false ipv6=true ipv6os=true udp=true icmpv4=false derp=#1 portmap= link="" firewallmode="ipt-default"}
2023/12/09 13:28:39 derphttp.Client.Connect: connecting to derp-1 (nyc)
```
### Steps to reproduce
```
tailscale up --authkey=${TAILSCALE_AUTHKEY} --timeout=60s
```
### Are there any recent changes that introduced the issue?
The error shows up using the ruby:alpine docker image, which just received an update to alpine 3.19.
https://github.com/docker-library/ruby/pull/433
https://www.alpinelinux.org/posts/Alpine-3.19.0-released.html
The new version of alpine bumps the version of iptables:
```
# /sbin/iptables --version
iptables v1.8.10 (nf_tables)
```
For comparison, this was the previous version used:
```
# /sbin/iptables --version
iptables v1.8.9 (legacy)
```
### OS
Linux
### OS version
Alpine 3.19
### Tailscale version
1.54.1
### Other software
_No response_
### Bug report
BUG-4de9ac0d2e29fe4712c0a1e555c47b8e0263df745e9675d34e9a03a39dbdbf22-20231209135110Z-ea37df7f8d02ead5
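An added example, not from the bug report above and not code from Fly or Tailscale: a POSIX sh helper that classifies the `iptables --version` output quoted in the report and then probes whether a given iptables binary can actually create and delete a chain on the running kernel, the same operation (`-t filter -N ... --wait`) that tailscaled failed on. When the nf_tables build fails the probe, it falls back to the next binary in the list, so an entrypoint can pick `iptables-legacy` only on kernels that need it. The binary names passed in and the throwaway chain name are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report, Fly or Tailscale): pick an iptables
# backend that works on this kernel before tailscaled tries to set up its
# ts-input chain.

# Classify one line of `iptables --version` output as nf_tables, legacy or
# unknown. Input is the string, e.g. "iptables v1.8.10 (nf_tables)".
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Probe: create and immediately delete a throwaway chain with the given
# iptables command. Returns 0 if the backend works on this kernel, 1 if the
# chain cannot be created (the report shows exit status 4 for nf_tables on a
# kernel without nftables support) or the binary is missing.
# $1 = iptables command to test (assumed names: /sbin/iptables, iptables-legacy)
probe_iptables() {
  chain="probe_$$"   # assumed throwaway chain name, unique per process
  if "$1" -t filter -N "$chain" --wait 2>/dev/null; then
    "$1" -t filter -X "$chain" --wait 2>/dev/null
    return 0
  fi
  return 1
}

# Try each candidate in order and print the first one whose probe succeeds.
# Exit status 1 if none of them works, so the caller can abort loudly rather
# than start tailscaled with a broken firewall backend.
choose_iptables() {
  for bin in "$@"; do
    if probe_iptables "$bin"; then
      echo "$bin"
      return 0
    fi
  done
  return 1
}
```

In a container entrypoint, run `choose_iptables /sbin/iptables iptables-legacy` before starting tailscaled and use the name it prints; on a kernel without nftables support the nf_tables build fails the probe and the legacy binary is chosen, while on a kernel that supports nftables the default binary passes and no workaround is applied. Probing rather than trusting the version string matters because both packages report `v1.8.x` and only the kernel decides whether the nf_tables backend works.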
For posterity: Fly has nftables support now! Our setup no longer uses the iptables-legacy workaround.
Users here in the community have asked for nftables support and here it is:
Fly Machine kernels now support nftables. If you’re running Docker or Tailscale on Fly.io, you should no longer need to use iptables-legacy as a workaround on newer containers.
For existing Machines, running fly deploy or fly m update is required to pick up the new kernel. New Machines will automatically use the new kernel.
Please let us know what problems you run into! A few forum posts led to this being added:
Nf…
I would love to hear about any updates on the official Fly + Tailscale integrations.
I’m going through the existing processes, and there are a few things that are lacking for me.
I’d really like to “turn on tailscale” and then be able to HTTPS to my internal applications. So https://my-app.internal - specifically note that I’m not adding the internal port like 8080, etc.
Since the current process has you stand up a machine, and that machine could recycle at some point, I’d like to make sure that the DNS that I configure in Tailscale won’t change on me in the future.
The tailscale documentation is good for how to add TS to a fly app - but that bypasses your excellent load balancing, and that’s a big part of what I was really excited about.
TY, and looking forward to any updates. Even if it's a “No”.
blanst, July 25, 2024, 6:07pm
@drusellers you can use tsnet (or tsnet-serve if your app isn’t written in Go) to expose your Fly app on your Tailscale tailnet.