How to Access Multiple LXC Containers Through a Single Tailscale Connection

Context

After setting up Tailscale in an AlmaLinux LXC container, I wanted to access other containers in the same Proxmox host (subnet) without installing Tailscale on each one. This can be achieved by advertising routes through the container that already has Tailscale installed.

My setup is as follows (simplified for this example):

  • I have a Proxmox instance with 3 VMs/LXC containers
  • I use OPNsense as the firewall for the internal network (IP: 10.0.10.1)
  • LXC_1 has Tailscale installed (IP: 10.0.10.5)
  • LXC_2 has no Tailscale (IP: 10.0.10.6)
  • I have a DESKTOP_1 at home, in another location, that needs to access LXC_2.

Only the opnSense VM is accessible from outside the internal network. Here is a simple diagram to visualize this:

[Diagram: the Internet connects the hosted Proxmox host and the home network. On the Proxmox host: opnSense VM (10.0.10.1, public, external access), LXC_1 with Tailscale (10.0.10.5), LXC_2 without Tailscale (10.0.10.6). At home: DESKTOP_1 with Tailscale, plus other computers. DESKTOP_1 reaches LXC_2 over the Tailscale VPN through LXC_1's route advertisement.]

Steps

The following steps allowed me to access LXC_2 and its services without installing Tailscale on it.

1. Advertise Routes on Tailscale Host

On the container with Tailscale installed, run:

tailscale up --advertise-routes=10.0.10.0/24  # Replace with your subnet

You might see warnings about IPv6 forwarding and UDP GRO forwarding. They are not critical for this setup; you can tune them later.

2. Enable Route in Tailscale Admin Console

  1. Go to the Tailscale admin console
  2. Find your machine (it should show a "subnets" label)
  3. Click the three dots menu
  4. Select "Edit route settings"
  5. Enable the new subnet route
  6. Save changes

3. Accept Routes on Client Machines

On your client machine (like your desktop), run:

sudo tailscale up --accept-routes
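A helper for step 1, added here as an example (not from the original post): it validates the subnet argument, enables IPv4 forwarding on the router container if it is off (Tailscale subnet routing needs net.ipv4.ip_forward=1 or forwarded packets are dropped), then advertises the route. The usage line advertises only LXC_2 as a /32 instead of the whole 10.0.10.0/24, so the rest of the subnet, firewall included, is not exposed to the tailnet; the sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): prepare LXC_1 as the subnet
# router for step 1. Assumed to run as root in the container with Tailscale.
set -eu

# Return 0 if $1 is an IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; len="${1#*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if the sysctl file $1 reads "1". Subnet routing needs
# net.ipv4.ip_forward=1 on the router, otherwise forwarded packets are dropped.
forwarding_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

main() {
  subnet="$1"
  valid_cidr "$subnet" || { echo "invalid subnet: $subnet" >&2; exit 2; }
  if ! forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
    # File name is an assumption; any /etc/sysctl.d/*.conf works.
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
  fi
  tailscale up --advertise-routes="$subnet"
  # The route stays inactive until approved in the admin console (step 2).
  tailscale status
}

# Only act when a subnet is given. Prefer a single host over the whole subnet:
#   sh subnet-router.sh 10.0.10.6/32
# rather than 10.0.10.0/24, which exposes every host on the subnet to the tailnet.
if [ $# -gt 0 ]; then main "$1"; fi
```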

Testing the Connection

You should now be able to:

  • Ping other containers in the subnet
  • Access services running on other containers
  • Use SSH to connect to other containers

For example: ping 10.0.10.6 should work from your client machine, even though that container doesn't have Tailscale installed.

Notes

  • This approach requires only one Tailscale instance for multiple containers
  • All containers must be in the same subnet
  • The container running Tailscale acts as a gateway
