Dockerfile

@@ -157,6 +157,24 @@ RUN mkdir -p /out/usrlocalbin && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscale && \
     ln -s /usr/local/bin/tailscale.combined /out/usrlocalbin/tailscaled
 
+# Entrypoint wrapper: enable IP forwarding inside the container's network
+# namespace, then exec tailscaled. tailscaled does NOT reliably enable IPv6
+# forwarding itself in a container netns ("IPv6 forwarding is disabled" warning),
+# which silently breaks advertised IPv6 subnet routes. The sysctls ARE writable
+# from inside a RouterOS container, so we set both here. Written in the builder
+# stage so it ships in the same single /usr/local/bin COPY layer (preserves the
+# overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
+RUN printf '%s\n' \
+      '#!/bin/sh' \
+      '# Enable IPv4/IPv6 forwarding. Required for advertised subnet routes and' \
+      '# exit-node functionality.' \
+      'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
+      '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \
+      'done' \
+      'exec /usr/local/bin/tailscaled "$@"' \
+      > /out/usrlocalbin/entrypoint.sh && \
+    chmod +x /out/usrlocalbin/entrypoint.sh
+
 # =============================================================================
 # Stage 2: Custom minimal busybox
 # =============================================================================
@@ -274,7 +292,9 @@ ENV PATH=/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 # -----------------------------------------------------------------------------
 VOLUME ["/var/lib/tailscale"]
 
-ENTRYPOINT ["/usr/local/bin/tailscaled"]
+# entrypoint.sh enables IP forwarding (incl. IPv6) in the container netns, then
+# exec's tailscaled with the CMD flags below as its arguments.
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
 
 # Default flags:
 #   --no-logs-no-support  disables logtail uploads (logtail binary code is

docs/DESIGN.md

@@ -70,8 +70,21 @@ in a future release stays omitted until deliberately added to the Dockerfile.
   saves a real ~195 kB of flash (424 kB → 229 kB), not just transfer size.
 
 The final image is built `FROM scratch` — there is no base distro layer.
-It contains only the busybox binary + applet symlinks, the CA bundle, and
-the Tailscale binary.
+It contains only the busybox binary + applet symlinks, the CA bundle, the
+Tailscale binary, and a tiny `entrypoint.sh`.
+
+### Entrypoint: IP forwarding
+
+`ENTRYPOINT` is a small `entrypoint.sh` that enables IPv4 and IPv6 forwarding
+(`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`) in the container's
+network namespace, then `exec`s `tailscaled` (so the daemon stays PID 1). This
+is necessary because `tailscaled` does **not** reliably enable IPv6 forwarding
+itself inside a container netns — it logs "IPv6 forwarding is disabled" and
+advertised IPv6 subnet routes silently fail. The sysctls are writable from
+inside a RouterOS container, so the entrypoint sets them directly; no
+host-side or `/container` configuration is required. The script is created in
+the builder stage so it ships in the same single `/usr/local/bin` `COPY` layer
+(preserving the [single-copy property](#avoiding-overlayfs-layer-duplication)).
 
 ### Avoiding overlayfs layer duplication
 

docs/USAGE.md

@@ -95,7 +95,8 @@ The daemon is now running but **not yet authenticated**.
 
 ### 5. Authenticate
 
-> This image runs `tailscaled` directly and does **not** bundle Tailscale's
+> This image runs `tailscaled` via a tiny entrypoint (which enables IP
+forwarding, then `exec`s the daemon) and does **not** bundle Tailscale's
 `containerboot` wrapper, so the `TS_AUTHKEY` environment variable is **not**
 read automatically. You authenticate with `tailscale up --authkey=...` after the
 container starts.