Tailscale on PVE host

D

despens

New Member
Oct 9, 2025
7
0
1
Hello all,

I am setting up a proxmox PVE within a tailscale VPN.

Accessing PVE from within the VPN works nicely (from the "outside").

But proxmox sets up its own DNS server on the host, so it cannot find other machines that are managed via tailscale's "magic DNS".

That means, for instance, that I cannot add another PVE at a different location into a cluster, nor use an OIDC service that is part of the VPN.

Tailscale says the following:
Code: 
# tailscale status
[...]
# Health check:
#     - Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight

The tailscale "DNS fight" help section mentions that systemd-resolved could be installed, but I believe proxmox doesn't support that and wants to modify /etc/resolv.conf directly?

Is there a way to make tailscale and proxmox's DNS play along?
 
Thanks for the hint gridiron, that makes sense...!

I was only able to find instructions on how to install tailscale inside LXC containers to be used within these containers, but none on how to connect that to the host system. Do you maybe know about a resource that explains this?
 
I don't use Tailscale myself, but it could potentially be as simple as using Tailscale to connect to the LXC guest, then accessing the PVE web UI via its usual IP and port (assuming you don't have any firewall restrictions in place).
 
Actually, IMHO, tailscale is best when you put it on the edge of your network, like a firewall/router device. I have it on my pfsense, and by using advertised routes, its the only installation of Tailscale inside my home lab. I can access everything from it, as if I was at home. No need to put tailscale on individual servers, etc. Of course this works best if you have a well segmented network, then just advertise the routes (VLANs) you need to to access, instead of the entire network.
 
  • Like
Reactions: Johannes S
I use WireGuard but like you host it on the router (separate box). I like to keep my networking separate in general.
 
Hi,
for setting up the name resolution in a cluster, it is very recommendable to utilize /etc/hosts or even better use the static IPs of the hosts.

I am not sure about your planned setup. Please keep in mind the clusters corosync service needs to meet the below 5ms requirement, or you will experience constant hickups.

BR, Lucas
 
I believe my only issue right now is that proxmox doesn't use the VPN's DNS server, as both tools fight for overwriting `resolv.conf`. I wonder if it would be possible to indeed launch a proxmox container, install tailscale inside there, and have proxmox use that container for name server requests? Is it that what you meant, @gridiron?
 
despens said:
I believe my only issue right now is that proxmox doesn't use the VPN's DNS server, as both tools fight for overwriting `resolv.conf`. I wonder if it would be possible to indeed launch a proxmox container, install tailscale inside there, and have proxmox use that container for name server requests? Is it that what you meant, @gridiron?
Click to expand...

I don't think I would do it that way. I would install Tailscale into a container and use that "node" to get remote access to your PVE host as needed. I wouldn't mess with the PVE host's DNS.
 
I strongly recommend to run tailscale NOT directly on the host too. I would expect that tailscales ( otherwise great) MagicDNS feature will mess with the Host network and ProxmoxVEs software-defined-networks layer. Setting up a lightweight vm or pxc as tailscale subnet Router is the way to go
 
  • Like
Reactions: UdoB
I have tailscale installed on a VM, and I'm advertising the subnet, which lets me reach the PVE host remotely via the web UI and CLI. I had an issue when I forgot to autostart the VM and then lost access to the PVE host after a power outage at the remote site. I am still contemplating whether I should have a tailscale node at the PVE host.
 
ynottony said:
I have tailscale installed on a VM, and I'm advertising the subnet, which lets me reach the PVE host remotely via the web UI and CLI. I had an issue when I forgot to autostart the VM and then lost access to the PVE host after a power outage at the remote site. I am still contemplating whether I should have a tailscale node at the PVE host.
Click to expand...
I would run it on a Raspberry Pi, or some other device on the same subnet that you don't need to reboot with your Proxmox server.
 
gridiron said:
I use WireGuard but like you host it on the router (separate box). I like to keep my networking separate in general.
Click to expand...
I have OpenWRT VM as my router on a Proxmox VE 9 install on a Mini Itx Linux Q330G4 Intel Core I3-4005U,1.7Ghz fanless 4Gigabit LAN system. I Pass 3 of the Ethernet ports directly to the VM, and Also a couple bridges from ProxMox to it. I also run a couple Pi Hole servers, a debian server, and a jellyfin on it.

Instead of WireGuard, which I used to run on it, I use Amnesia-WG https://github.com/Slava-Shchipunov/awg-openwrt, as it is backwards compatible with WireGuard, but it gets past firewalls with DPI. Like Airports and Hospitals. When I was running Wireguard, I just had to change the network protocol from option proto 'wireguard' to option proto 'amneziawg', like this:

Code: 
config interface 'Wireguard'
    option proto 'amneziawg'
    option private_key 'Redacted='
    option listen_port '8675'
    list addresses '10.47.147.1/24'
    option mtu '1420'

and the peers to:
Code: 
config amneziawg_Wireguard
    option description 'Dadimac'
    option public_key 'Redacted='
    list allowed_ips '10.47.147.6/32'
    list allowed_ips 'face:beef::::6/128'
    option route_allowed_ips '1'
    option preshared_key 'Redacted='

I kept my Interface as Wireguard, as all my firewall rules were already configured.

Then in my client config, using the Amnesia-WG client on MacOS, iOS, Windows, Linux, etc, I just add the Amnesia Junk packet, and Magic Header info to it

Code: 
[Interface]
PrivateKey = <client_private_key>
Address = <client_ip_address>
DNS = <dns_server>
MTU = 1320

# AmneziaWG Junk Packet settings
Jc = 31
Jmin = 20
Jmax = 40

# AmneziaWG Magic Header settings
H1 = 1
H2 = 2
H3 = 3
H4 = 4

[Peer]
PublicKey = <server_public_key>
PresharedKey = <preshared_key_if_used>
Endpoint = <server_ip_address>:<server_port>
AllowedIPs = 0.0.0.0/0

I found this script that will do it for you: https://github.com/zimbabwe303/awg_conf_patch

https://docs.amnezia.org/documentation/amnezia-wg/ for more info about Amnesia-WG.
 
You must log in or register to reply here.
Top Bottom