Tailscale: Difference between revisions
imported>Telotortium Initial page stub |
Malteneuss (talk | contribs) m Mention headscale |
||
| (4 intermediate revisions by 3 users not shown) | |||
| Line 8: | Line 8: | ||
== Basic setup == | == Basic setup == | ||
You need to | |||
# make an account and login at https://login.tailscale.com (or self-host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS) | |||
# enable the Tailscale client app on your NixOS machine by adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> and access tokens to your NixOS configuration. | |||
If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine. | |||
== Split DNS: Access self-hosted services at your friends house as if you were there. == | |||
Tailscale support "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. you friend's house) as if you are in that local network. | |||
See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE | |||
Combined with Let's Encrypt using the "DNS-01" challenge you can get browser-trusted HTTPS certificates for local services (not exposed to the internet) and access them with Tailscale from anywhere. | |||
See Wolfgang's Channel Local HTTPS overview: https://www.youtube.com/watch?v=qlcVx-k-02E | |||
== Configuring TLS == | == Configuring TLS == | ||
| Line 21: | Line 35: | ||
* Show how to run for multiple services on a single machine. | * Show how to run for multiple services on a single machine. | ||
}} | }} | ||
== Known issues == | |||
If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables. | |||
There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information. | |||
== Running multiple Tailnet-accessible services on a single machine == | == Running multiple Tailnet-accessible services on a single machine == | ||
| Line 31: | Line 50: | ||
$ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset | $ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset | ||
}} | }} | ||
==Using Userspace Networking (experimental)== | |||
Tailscale inside containers can use [https://tailscale.com/kb/1112/userspace-networking userspace networking mode] to avoid needing host tunnel device permissions. | |||
This can be accomplished by setting <code><nowiki>services.tailscale.interfaceName = "userspace-networking";</nowiki></code> in your NixOS config. | |||
{{Expansion| | {{Expansion| | ||
* Set up Systemd services for the additional host names | * Set up Systemd services for the additional host names | ||
}} | }} | ||