Configuring Tailscale Subnet Routing to Access Docker Containers by LAN IP

I’ve been running various Docker containers on my Synology NAS for years, and while Tailscale has been excellent for accessing the NAS itself remotely, I found myself frustrated by one specific limitation: I could only access my Docker containers by their LAN IP addresses when I was actually connected to my home network.

When I was away from home, even though I could reach my Synology via Tailscale address or Magic DNS, trying to access something like 192.168.1.144:7878 for Radarr would just time out.

That’s where Tailscale’s subnet routers come in. This feature allows you to access all devices on your home network—including your Docker containers—using their actual LAN IP addresses.

What We’re Solving

We want to access our Docker containers using their LAN IP addresses consistently, regardless of whether we’re connected to our home network or accessing remotely through Tailscale.

Prerequisites

• Tailscale already set up on your machine. You can use this guide to set it up.

Setting Up Subnet Routing

Step 1: Configure Your Synology as a Subnet Router

First, you’ll need to SSH into your Synology. Once you’re connected, run this command:

sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node --reset

Important: Make sure to replace 192.168.1.0/24 with the correct subnet for your network. In my case, my Synology has the IP address 192.168.1.144, so I use 192.168.1.0/24. You can find your network’s subnet by checking your router’s configuration or running ip route on your Synology.

Step 2: Enable Subnet Routing in Tailscale Admin Console

The command above advertises your local network routes to Tailscale, but you need to explicitly enable them in the admin console:

1. Go to the Tailscale admin console at https://login.tailscale.com/admin/machines
2. Find your Synology device in the machines list
3. Click on the device and select “Edit route settings”
4. In the “Subnet routers” section, check the box next to your advertised route (e.g., 192.168.1.0/24)

Testing Your Setup

With that configuration complete, you should now be able to access all your Docker containers using their LAN IP addresses, regardless of whether you’re connected to your home network or not.

For example, if you have a container running on 192.168.1.144:7878, you can access it from anywhere by simply navigating to that address in your browser while connected to Tailscale.

Taking It Further: Reverse Proxy Setup

You can make this setup even more elegant by implementing a reverse proxy. This allows you to access your services using clean subdomains like radarr.kunat.dev instead of remembering IP addresses and port numbers. You can read more about it here.

Resources

• Tailscale documentation on subnet routers
• How To Install And Configure Tailscale On Your Synology Nas
• Setting Up Caddy as a Reverse Proxy on Synology NAS