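├── Dockerfile
├── README.md
├── install-tailscale.sh
├── render.yaml
└── run-tailscale.sh

/Dockerfile:
--------------------------------------------------------------------------------
# Image for a Tailscale subnet router on Render: a Debian base, a few network
# tools for the service's web shell, and the Tailscale binaries under /render.

# Pinned to a named Debian release instead of the moving `latest` tag, so a
# rebuild cannot silently swap the OS underneath the VPN daemon. For fully
# reproducible builds also pin by digest: debian:bookworm-slim@sha256:<digest>.
FROM debian:bookworm-slim
WORKDIR /render

# Tailscale release to install. If the build argument is not supplied the value
# is empty and install-tailscale.sh falls back to its own default version.
ARG TAILSCALE_VERSION
ENV TAILSCALE_VERSION=$TAILSCALE_VERSION

# update + install + cleanup stay in one layer so the package index is never
# cached stale and the apt lists do not end up in the image.
# dnsutils provides `dig`, which the README uses from the web shell;
# netcat-openbsd is presumably here for the same kind of troubleshooting.
RUN apt-get -qq update \
  && apt-get -qq install --upgrade -y --no-install-recommends \
    apt-transport-https \
    ca-certificates \
    dnsutils \
    netcat-openbsd \
    wget \
    > /dev/null \
  && apt-get -qq clean \
  && rm -rf \
    /var/lib/apt/lists/* \
    /tmp/* \
    /var/tmp/* \
  && :

# Default dig options for root: use the resolver search list, print terse output.
RUN echo "+search +short" > /root/.digrc

# Install the binaries before copying the run script, so editing the run script
# does not invalidate the (network-dependent) install layer.
COPY install-tailscale.sh /tmp
RUN /tmp/install-tailscale.sh && rm -r /tmp/*

COPY run-tailscale.sh /render/

# NOTE(review): no USER is set, so tailscaled and the web shell run as root.
# run-tailscale.sh starts tailscaled with --tun=userspace-networking, which does
# not need a TUN device, but an unprivileged user would also need write access to
# /var/lib/tailscale (a mounted disk in render.yaml) - confirm before changing.

# Exec form: the script is started directly instead of through `/bin/sh -c`.
CMD ["/render/run-tailscale.sh"]
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Run Tailscale on Render

![image](https://github.com/render-examples/tailscale/assets/168030/2513267e-6503-45c6-b596-3713160ae4ec)

[Tailscale](https://tailscale.com) is a zero-config VPN service built on top of [WireGuard](https://www.wireguard.com/). It's great for accessing devices and applications behind firewalls, and you can use it to connect to all your private services on Render with this repo.

A Tailscale [subnet router](https://tailscale.com/kb/1019/subnets/) acts as a gateway to your Render private network, enabling connections to any and all internal IPs (of the form `10.x.x.x`) in your Render network.

## Deployment

### One Click Deploy

Use the button below to deploy a Tailscale subnet router on Render. [Generate a Tailscale auth key](https://login.tailscale.com/admin/settings/authkeys) and provide that as the `TAILSCALE_AUTHKEY` environment variable in Render.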
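Use a one-off key for maximum security.


Deploy to Render


## Usage
Deploying this repo will create a subnet router in your Tailscale network. The first time you deploy, you'll need to [enable the subnet routes](https://tailscale.com/kb/1019/subnets/#step-3-enable-subnet-routes-from-the-admin-panel) you want access to from the Tailscale admin panel. Once the subnet router is up and running, you can connect to other private services in your Render network. To find the internal IP address for a Render private service, go to the web shell for your subnet router service and run `dig` with the [private service's host name](https://render.com/docs/private-services#connecting-to-a-private-service) as the only argument.

--------------------------------------------------------------------------------
/install-tailscale.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Download a Tailscale static release and place tailscale/tailscaled in /render.
#
# -e / pipefail: a failed download, extraction or copy now fails the image build.
# Without them the script always ended on the final mkdir and returned 0, so a
# broken download still produced an image (without working binaries).
set -euxo pipefail

TAILSCALE_VERSION=${TAILSCALE_VERSION:-1.64.0}
TS_FILE=tailscale_${TAILSCALE_VERSION}_amd64.tgz

# Work in a scratch directory. The Dockerfile runs this script with /render as
# the working directory, so downloading and unpacking in place left the archive
# in the image and made the later copy into /render a copy of files onto
# themselves.
workdir=$(mktemp -d)
trap 'rm -rf "${workdir}"' EXIT

wget -q -O "${workdir}/${TS_FILE}" "https://pkgs.tailscale.com/stable/${TS_FILE}"

# Optional integrity pin: when TAILSCALE_SHA256 is set, the archive must match it
# before anything is unpacked. The variable has to be declared as a build ARG in
# the Dockerfile to reach this script during the image build. HTTPS alone only
# authenticates the download host, not the artifact.
if [ -n "${TAILSCALE_SHA256:-}" ]; then
  echo "${TAILSCALE_SHA256}  ${workdir}/${TS_FILE}" | sha256sum -c -
else
  echo "WARNING: TAILSCALE_SHA256 is not set; ${TS_FILE} was not checked against a pinned digest" >&2
fi

tar xzf "${workdir}/${TS_FILE}" -C "${workdir}" --strip-components=1
mkdir -p /render
cp "${workdir}/tailscale" "${workdir}/tailscaled" /render/

# Runtime directories used by tailscaled (socket, cache, persistent state).
mkdir -p /var/run/tailscale /var/cache/tailscale /var/lib/tailscale
--------------------------------------------------------------------------------
/render.yaml:
--------------------------------------------------------------------------------
services:
- type: worker
  name: render-subnet-router
  env: docker
  autoDeploy: false
  envVars:
  # sync: false keeps the auth key out of this file; it is supplied in Render.
  - key: TAILSCALE_AUTHKEY
    sync: false
  - key: TAILSCALE_VERSION
    value: 1.64.0
  # 10.0.0.0/8 advertises the whole private range. Narrow it to the subnets you
  # actually need, and limit who may use the routes with Tailscale ACLs.
  - key: ADVERTISE_ROUTES
    value: 10.0.0.0/8
  disk:
    name: tailscale-state
    mountPath: /var/lib/tailscale
    sizeGB: 1

--------------------------------------------------------------------------------
/run-tailscale.sh: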
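#!/usr/bin/env bash
# Start tailscaled in userspace-networking mode, bring the node up as a subnet
# router, then stay in the foreground for as long as the daemon runs.
#
# Do not enable `set -x` in this script: the `tailscale up` command line below
# contains the auth key, and tracing would write it to the service logs.

/render/tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
PID=$!

ADVERTISE_ROUTES=${ADVERTISE_ROUTES:-10.0.0.0/8}

# `tailscale up` fails until tailscaled is accepting connections, so retry.
# If the daemon itself has exited there is nothing left to wait for: stop with an
# error instead of retrying forever against a dead process.
until /render/tailscale up \
  --authkey="${TAILSCALE_AUTHKEY}" \
  --hostname="${RENDER_SERVICE_NAME}" \
  --advertise-routes="${ADVERTISE_ROUTES}"; do
  if ! kill -0 "${PID}" 2>/dev/null; then
    echo "tailscaled exited before the node came up" >&2
    exit 1
  fi
  sleep 0.1
done

# Route proxy-aware child processes through tailscaled's SOCKS5 listener.
export ALL_PROXY=socks5://localhost:1055/
tailscale_ip=$(/render/tailscale ip)
echo "Tailscale is up at IP ${tailscale_ip}"

# Block on the daemon; the script's exit status is tailscaled's exit status.
wait "${PID}"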