Skip to content

DockTail

VPN & Tunnels

A Docker‑label‑driven tool that automatically exposes containers as Tailscale Services, eliminating the need to publish container ports.

Track releases GitHub Website
Go Latest 1.4.0 · 1mo ago Security brief →

Features

  • Automatic discovery of Docker containers via `docktail.*` labels
  • Creates native Tailscale services (HTTP, HTTPS, TCP) without extra device slots
  • Supports TLS‑terminated TCP and Tailscale Funnel for public access
  • Stateless runtime that reconciles services on container restart or IP change

Recent releases

View all 6 releases →
1.4.0 Feature
Notable features
  • Ability to connect to a service using only funnel without running Services in the container
Full changelog

We now support using only funnel to connect to a service, without running any Services on that container.

Thanks for all the feedback 🙏

View release on GitHub
1.3.0 New feature
Notable features
  • IGNORE_SERVICE_NAMES env var protects named svc: services during regular reconciliation and shutdown cleanup
  • Normalization accepts both plain names (foo) and prefixed svc:foo format
Full changelog
  • add IGNORE_SERVICE_NAMES to protect named svc: services from DockTail reconciliation cleanup
  • apply the ignore list during both regular reconciliation and shutdown cleanup, with normalization so either foo or svc:foo works
  • document the new env var and add e2e coverage for a manually created protected service (svc:e2e-manual-protected)
View release on GitHub
1.2.0 New feature
Notable features
  • Publish a container as multiple distinct services simultaneously via different ports using `docktail.service.*` labels
Full changelog

First of all, thanks for all the feedback so far. Keep it coming! This feature came from a community request and adds the ability to publish a container as multiple different services at the same time through different ports. This can look something like this:

services:
  gluetun:
    image: gluetun:latest
    labels:
      - "docktail.service.enable=true"
      - "docktail.service.name=qbittorrent"
      - "docktail.service.port=8000"
      - "docktail.service.1.name=bitmagnet"
      - "docktail.service.1.port=8001"
View release on GitHub
1.1.0 Feature
Notable features
  • Removed requirement to publish host ports when exposing DockTail as a Tailscale Service
Full changelog

This release makes it a lot easier and more secure to use DockTail for your setup. You're no longer required to publish ports to the host for the to be published as a Tailscale Service!

You don't need to change anything and legacy setups should continue to work the same as before. Refer to the ReadMe to see how to use it without port publishing.

Thanks for all the positive feedback in the last few weeks! 🎉

View release on GitHub
1.0.0 New feature
Notable features
  • Label-based container discovery and service advertisement
  • HTTP, HTTPS (auto TLS), and TCP protocol support
  • OAuth integration for automatic service creation
Full changelog

Stable release of DockTail - automatically expose Docker containers as Tailscale Services using label-based configuration.

Highlights

  • Label-based container discovery and service advertisement
  • HTTP, HTTPS (auto TLS), and TCP protocol support
  • OAuth integration for automatic service creation
  • Tailscale Funnel for public internet access
  • Stateless Docker container with periodic reconciliation

Thanks to everyone who gave feedback and reported issues during early access!

Getting Started

See the README for setup instructions.

View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
751
Forks
23
Languages
Go HTML Shell
View on GitHub Homepage Documentation

Install & Platforms

Install via
docker

Similar tools

DockFlare
Dock-Dploy
dockman
Hubleys
RGJorge/containerflow

Alternative to

TSDProxy ScaleTail tsbridge

Beta — feedback welcome: [email protected]