🔧 Fix: Docker Container Can't Reach Tailscale

When your container runs in bridge mode and needs the host's Tailscale network

1. Diagnose the problem

Containers in Docker bridge mode have their own network namespace. They can't see Tailscale interfaces on the host.

docker inspect <container> | grep NetworkMode
# If it says "bridge" or "default", that's your issue

2. Option A: Host networking (simplest)

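Give the container full access to the host's network stack, including Tailscale. The container gives up its network isolation: it can reach every interface the host can and binds ports directly on the host.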

docker run --network host your-image

3. Option B: Tailscale sidecar (cleanest)

Run Tailscale in its own container and share its network namespace with your app container.

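# Kernel mode (TS_USERSPACE=false plus /dev/net/tun) gives the shared namespace a real tailscale0
# <your-auth-key> is a placeholder for an auth key generated for your tailnet
docker run -d --name ts-sidecar \
  --cap-add NET_ADMIN \
  --device /dev/net/tun \
  -e TS_USERSPACE=false \
  -e TS_AUTHKEY=<your-auth-key> \
  tailscale/tailscale

# The app container joins the sidecar's network namespace
docker run --network container:ts-sidecar \
  your-image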

4. Option C: Route through the host (bridge-friendly)

Keep bridge mode, but enable forwarding and add a NAT rule on the host so container traffic to Tailscale IPs (100.64.0.0/10) goes through the host.

# On the host (172.17.0.0/16 is Docker's default bridge subnet; adjust for other Docker networks):
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 \
  -d 100.64.0.0/10 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

⚠️ Unraid note: The Tailscale plugin runs on the host. If you're using the Community Apps plugin to manage Docker, you may need to edit the container template to change the network type.

💡 Quick test: From inside the container, try ping 100.95.37.98 (or any Tailscale IP). If it times out, the routing isn't working yet.
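
The checks from the steps above collected into one script, as an added example that is not part of the original page. The function names and the iptables-save excerpt are constructed for illustration; the live check at the bottom assumes root on the Docker host.

```shell
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not from the page.

# Classify a Docker NetworkMode value by what it means for reaching Tailscale.
classify_mode() {
  case "$1" in
    host)        echo host ;;      # Option A: shares the host's network stack
    container:*) echo shared ;;    # Option B: shares another container's namespace
    none)        echo none ;;      # no networking at all
    *)           echo isolated ;;  # bridge, default or a user-defined network
  esac
}

# Succeed if $1 starts like an IPv4 address in 100.64.0.0/10 (second octet 64-127).
in_tailscale_range() {
  case "$1" in 100.*.*.*) ;; *) return 1 ;; esac
  _rest=${1#100.}; _b=${_rest%%.*}
  case "$_b" in ''|*[!0-9]*) return 1 ;; esac
  [ "$_b" -ge 64 ] && [ "$_b" -le 127 ]
}

# Succeed if iptables-save output on stdin masquerades subnet $1 towards 100.64.0.0/10.
has_masquerade_rule() {
  grep -F -- "-s $1 " | grep -F -- '-d 100.64.0.0/10 ' |
    grep -q -- '^-A POSTROUTING .*-j MASQUERADE'
}

# Constructed iptables-save excerpt: Docker's default rule plus the Option C rule.
SAMPLE_RULES='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 -d 100.64.0.0/10 -j MASQUERADE
COMMIT'

# Live check: ./script <container> [bridge-subnet]
if [ "$#" -ge 1 ] && command -v docker >/dev/null; then
  mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$1")
  kind=$(classify_mode "$mode")
  echo "$1: NetworkMode=$mode ($kind)"
  if [ "$kind" = isolated ]; then
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || echo "ip_forward is off"
    iptables-save -t nat | has_masquerade_rule "${2:-172.17.0.0/16}" ||
      echo "no MASQUERADE rule towards 100.64.0.0/10"
  fi
fi
```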