From abe1a3e7681438d846a669164524cfd80267ddd3 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@dalby.cc>
Date: Mon, 23 Mar 2026 08:22:41 +0000
Subject: [PATCH] integration: add ConnectToNetwork and peer relay ping support

Add ConnectToNetwork to TailscaleClient interface and
TailscaleInContainer, matching the existing pattern on
HeadscaleInContainer and DERPServerInContainer. This enables
dual-homing Tailscale containers to additional Docker networks
after creation.

Also accept "via relay" in the Ping helper's non-direct mode,
alongside "via DERP". Peer relay pings output "via peer-relay(...)"
which was previously rejected as errTailscalePingNotDERP.

Updates #2180
---
 integration/tailscale.go | 2 ++
 integration/tsic/tsic.go | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/integration/tailscale.go b/integration/tailscale.go
index f397133e..4c9a761b 100644
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@@ -10,6 +10,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/netcheck"
 	"tailscale.com/types/key"
@@ -56,6 +57,7 @@ type TailscaleClient interface {
 	MustID() types.NodeID
 	ReadFile(path string) ([]byte, error)
 	PacketFilter() ([]filter.Match, error)
+	ConnectToNetwork(network *dockertest.Network) error
 
 	// FailingPeersAsString returns a formatted-ish multi-line-string of peers in the client
 	// and a bool indicating if the clients online count and peer count is equal.
diff --git a/integration/tsic/tsic.go b/integration/tsic/tsic.go
index 879949d5..1cc4f46d 100644
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@@ -1393,7 +1393,7 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 	}
 
 	if !args.direct {
-		if strings.Contains(result, "via DERP") {
+		if strings.Contains(result, "via DERP") || strings.Contains(result, "via relay") {
 			return nil
 		} else {
 			return errTailscalePingNotDERP
@@ -1615,6 +1615,11 @@ func (t *TailscaleInContainer) GetNodePrivateKey() (*key.NodePrivate, error) {
 	return &p.Persist.PrivateNodeKey, nil
 }
 
+// ConnectToNetwork connects the Tailscale container to an additional Docker network.
+func (t *TailscaleInContainer) ConnectToNetwork(network *dockertest.Network) error {
+	return t.container.ConnectToNetwork(network)
+}
+
 // PacketFilter returns the current packet filter rules from the client's network map.
 // This is useful for verifying that policy changes have propagated to the client.
 func (t *TailscaleInContainer) PacketFilter() ([]filter.Match, error) {