I have a self-hosted headscale container running on a Linode instance. I also have a remote Raspberry Pi device running tailscale with IP 100.64.0.3, and it connects to my Linode instance, which has its own tailscale installation with IP 100.64.0.1. A Traefik reverse proxy container running on the Linode instance routes to applications running on the Raspberry Pi using its Tailscale IP address (http://100.64.0.3:80). The overall setup looks like the below image:
This was working fine till last week, when I updated Docker and Tailscale on both Linode and Raspberry Pi. Post-update, the Traefik container is unable to receive packets from the Raspberry Pi using its tailscale IP (100.64.0.3). I am, however, able to ping and perform a curl request from the Linode instance shell.
Below are the versions of the applications I am running:
Traefik → traefik:v3.0 Docker image (Version: 3.0.0)
Headscale → latest-alpine Docker image (Version: 0.17.0-beta3)
Tailscale → 1.66.3 on both Linode and Raspberry Pi
Docker → 26.1.3 on both Linode and Raspberry Pi
Below is the Traefik docker-compose.yml file:

```yaml
services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    #privileged: true
    networks:
      web:
        aliases:
          ...
    ports:
      - "80:80" # HTTP
      - "443:443" # HTTPS
    env_file:
      - ./.env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data:/data
      - ./data/routes.yml:/routes.yml
      - ./logs/:/logs/
    command:
      - "--accesslog=true"
      - "--accesslog.filePath=/logs/access.log"
      - '--api=false'
      - '--api.dashboard=false'
      - '--api.insecure=false'
      - '--global.sendAnonymousUsage=false'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`example.com`)"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=authentik@file"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=https"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  web:
    external: true
```
Below is the ping response from Linode (100.64.0.1) to Raspberry Pi (100.64.0.3):

```
root@localhost:~# ping 100.64.0.3
PING 100.64.0.3 (100.64.0.3) 56(84) bytes of data.
64 bytes from 100.64.0.3: icmp_seq=1 ttl=64 time=36.0 ms
64 bytes from 100.64.0.3: icmp_seq=2 ttl=64 time=35.7 ms
64 bytes from 100.64.0.3: icmp_seq=3 ttl=64 time=44.2 ms
64 bytes from 100.64.0.3: icmp_seq=4 ttl=64 time=44.8 ms
```

Below is the ping response from the Traefik container inside Linode to Raspberry Pi (100.64.0.3):

```
/ # ping 100.64.0.3
PING 100.64.0.3 (100.64.0.3): 56 data bytes
^C
--- 100.64.0.3 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
/ #
```
Again, I have not made any change to the configuration other than updating to the latest version of Tailscale and Docker. I do not recall the previous version of Docker or Tailscale before the update.
Any help is much appreciated, thanks in advance.