Small Tailscale Container with kernel support using /dev/net/tun

TL;DR.

• Open-sourced a small Tailscale subnet-router image purpose-built for RouterOS /container, with pre-built .tar archives for ARMv7 (RB3011, RB4011, hAP series) and ARM64 (RB5009, L009, CHR).
• Loads via /container/add file=…, no registry round-trip.
• Scripts included
• Needs you to use the latest V7.23rc [testing] is released! to correctly set the routing order (see [FIXED] RouterOS 7.22+ Container TUN Gateway Broken (sing-box / mihomo) - #11 by CGGXANNX)

→ GitHub - rod-dot-codes-org/tailscale-router-mikrotik: Minimal Tailscale subnet-router OCI image for MikroTik RouterOS — kernel TUN + iptables-legacy · GitHub

Why another one. I started on*fluent-networks/tailscale-mikrotik*— it works, but two things kept biting me:

1. The entrypoint runs tailscale up --reset on every boot, which wipes anything set with tailscale set afterwards. So --webclient (the :5252 UI + /metrics) doesn't persist across container
   restarts unless you re-set it every time.
2. The RUNNING_SCRIPT hook treats its value as a file path, so the obvious "just run my command after up" workaround silently no-ops.

Plus the image isn't pinned to a specific upstream Tailscale tag, so you can wake up to behavior changes you didn't ask for.

What this image does differently:

• Pinned to a specific upstream Tailscale tag (currently v1.96.5). Bumping is one var change in build.sh.
• Trimmed via featuretags — drops ssh, taildrop, serve, funnel, exit-node, magicdns. Final size: 16.65 MB (arm/v7) / 29.91 MB (arm64).
• Kernel TUN + iptables-legacy by default. RouterOS kernel ships xtables but not nf_tables; default tailscaled (which prefers nft on modern kernels) hangs the wgengine watchdog ~45s on
  first packet. The entrypoint repoints /usr/sbin/iptables at xtables-legacy-multi and forces TS_DEBUG_FIREWALL_MODE=iptables.
• tailscale up runs once per state directory; tailscale set --webclient after, persistent.
• accept_ra=2 set automatically when you advertise routes (otherwise the container only gets link-local v6 because Linux ignores RAs once forwarding is on).
• Bind-mountable entrypoint. Iterate on entrypoint logic without rebuilding the image — scp -p the new entrypoint.sh to /usb1/..., restart the container.

Hope you like - but warning, this is what's running on my home RB3011 today, so it's tested in exactly one environment. Issues / PRs welcome, and curious whether the same patterns hold up on
RB5009 or CHR for anyone using it.

Proof that it works vv

Screenshot 2026-05-02 at 16.28.151908×672 159 KB

Screenshot 2026-05-02 at 16.28.291344×316 61.8 KB