mhajder/ts-tor-exit

Tailscale Exit Node over Tor (single container)

This image runs:

  • tailscaled as a Tailscale exit node
  • tor as a transparent proxy (TransPort) and DNS resolver (DNSPort)

Traffic from clients that use this node as their Tailscale exit node is redirected through Tor.

Important limits

  • Tor's transparent proxy (TransPort) carries TCP only. Other than DNS, which is redirected to DNSPort, UDP is not proxied, so UDP-only applications (QUIC-only flows, for example) fail or fall back to TCP, and ICMP (ping) cannot be carried either. Before relying on the node, confirm that non-DNS UDP and ICMP are dropped rather than forwarded outside Tor.
  • An advertised exit node becomes usable only after it is approved in the Tailscale admin console (or matched by an auto-approver in your ACL), and clients can select it only if your ACL lets them reach autogroup:internet through an exit node.
  • Everything the node forwards leaves the Tor network through a Tor exit relay, which can read and alter unencrypted traffic; clients should still rely on TLS or other end-to-end protection. Destinations see a Tor exit IP, not your tailnet.

Build

docker build -t ts-tor-exit .

Run (docker run)

docker run -d --name ts-tor-exit \
  --restart unless-stopped \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  --security-opt no-new-privileges \
  --device /dev/net/tun:/dev/net/tun \
  --sysctl net.ipv4.ip_forward=1 \
  --sysctl net.ipv6.conf.all.forwarding=1 \
  --hostname=tor-exit \
  -e TS_AUTHKEY=tskey-auth-xxxxxxxx \
  -e TS_EXTRA_ARGS="--advertise-exit-node --advertise-connector --accept-dns=false" \
  -v ts_tor_state:/var/lib/tailscale \
  -v tor_state:/var/lib/tor \
  ts-tor-exit

Run (docker compose)

services:
  ts-tor-exit:
    build: .
    image: ts-tor-exit:latest
    container_name: ts-tor-exit
    hostname: tor-exit
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    security_opt:
      - no-new-privileges:true
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    environment:
      - TS_AUTHKEY=tskey-auth-xxxxxxxx
      - TS_EXTRA_ARGS=--advertise-exit-node --advertise-connector --accept-dns=false
    volumes:
      - ts_tor_state:/var/lib/tailscale
      - tor_state:/var/lib/tor

volumes:
  ts_tor_state:
    name: ts_tor_state
  tor_state:
    name: tor_state

DNS for Tor addresses

The container configures Tor's DNSPort and redirects DNS queries from exit-node clients to it. This is what makes .onion names resolvable: Tor answers such queries with a mapped virtual address that its TransPort then recognises (Tor's AutomapHostsOnResolve behaviour). It works for clients that send ordinary port-53 DNS queries while using this exit node; a client whose DNS goes over DNS-over-HTTPS or another resolver path that bypasses port 53 will not get .onion answers.

If you want all tailnet clients to query this node directly as their DNS server, add the node's Tailscale IP as a global nameserver on the DNS page of the Tailscale admin console after it has joined. The node itself runs with --accept-dns=false so that it does not pick up that nameserver setting and send its own queries back to itself.
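The checks a practitioner wants after bringing the node up, written as an added example rather than anything shipped with ts-tor-exit: run on a Linux tailnet client that has selected the node, it confirms from tailscale status --json that an exit node is active, asks https://check.torproject.org/api/ip whether the egress address is a Tor exit, and resolves a .onion name through the client's normal resolver to prove DNS is reaching Tor's DNSPort. The ONION_NAME variable is assumed to be set by you to a .onion service you know is up; the SAMPLE_* documents are constructed here for offline self-checks and are not captured output.

```shell
#!/bin/sh
# Added verification helpers for a tailnet client using the tor-exit node
# (example code, not part of the ts-tor-exit project). Assumes a Linux client
# with the tailscale CLI; ONION_NAME must be set to a .onion service known to
# be up. SAMPLE_* values are constructed for offline self-checks.

SAMPLE_STATUS='{"Version":"1.0","ExitNodeStatus":{"ID":"n1","Online":true,"TailscaleIPs":["100.101.102.103/32"]}}'
SAMPLE_NO_EXIT='{"Version":"1.0","Self":{"HostName":"laptop"}}'
SAMPLE_TOR='{"IsTor":true,"IP":"185.220.101.5"}'
SAMPLE_CLEAR='{"IsTor":false,"IP":"203.0.113.7"}'

# 0 when a `tailscale status --json` document shows an online exit node selected
# (the ExitNodeStatus object is omitted entirely when no exit node is in use).
exit_node_in_use() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"ExitNodeStatus":{[^}]*"Online":true'
}

# 0 when a https://check.torproject.org/api/ip response reports a Tor exit IP.
egress_is_tor() {
    printf '%s' "$1" | tr -d ' \n\t' | grep -q '"IsTor":true'
}

# 0 when a `getent hosts NAME` line carries an address. For a .onion name that
# only happens if the query was answered by Tor's DNSPort; a resolver outside
# Tor returns nothing for .onion.
onion_resolves() {
    [ -n "$1" ] && printf '%s\n' "$1" | grep -q '^[0-9a-fA-F.:]\{1,\}[[:space:]]'
}

# Run the live checks in order and stop at the first failure with a diagnosis.
live_checks() {
    status=$(tailscale status --json 2>/dev/null) \
        || { echo "tailscale is not running"; return 1; }
    exit_node_in_use "$status" \
        || { echo "no online exit node selected (try: tailscale set --exit-node=tor-exit)"; return 1; }
    resp=$(curl -fsS --max-time 60 https://check.torproject.org/api/ip) \
        || { echo "check.torproject.org unreachable through the exit node"; return 1; }
    egress_is_tor "$resp" \
        || { echo "egress is NOT Tor: $resp"; return 1; }
    [ -n "${ONION_NAME:-}" ] \
        || { echo "set ONION_NAME to a known .onion service to test DNS"; return 1; }
    onion_resolves "$(getent hosts "$ONION_NAME" 2>/dev/null)" \
        || { echo "$ONION_NAME did not resolve: client DNS is not reaching Tor's DNSPort"; return 1; }
    echo "exit node active, egress is Tor, .onion resolution works"
}

case "${1:-}" in
    --live) live_checks ;;
    *) echo "usage: $0 --live   (run on a tailnet client that uses the tor-exit node)" ;;
esac
```

Run it as `ONION_NAME=<some>.onion sh check-exit.sh --live` from the client. A failure at the first step means the client never switched to the exit node; a failure at the second means traffic is leaving through the node but not through Tor; a failure at the last means TCP is proxied but DNS is not being redirected to DNSPort, which is also the symptom to expect from a client using DNS-over-HTTPS.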

SOCKS proxy for Tor addresses

To expose Tor's SOCKS port on this container to tailnet clients, add:

-e TOR_SOCKS_PORT=9050

Then from a device on your tailnet, use:

curl --proxy socks5h://<TAILSCALE_IP_OF_CONTAINER>:9050 http://<onion>.onion

The h in socks5h is required: it makes curl hand the hostname to the proxy so that Tor resolves the .onion name, whereas socks5:// would try to resolve it locally and fail. Any device that can reach the container's Tailscale IP on port 9050 can tunnel through Tor, so restrict access to that port with your Tailscale ACLs.

License

This project is licensed under the MIT License - see the LICENSE file for details.
