Tailscale: Difference between revisions

imported>Cablespaghetti
Notes about DNS issues
m Mention headscale
(2 intermediate revisions by 2 users not shown)
Line 8: Line 8:


== Basic setup ==
== Basic setup ==
Enabling tailscale is as simple as adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> to your Nix config.  
You need to
 
# make an account and login at https://login.tailscale.com (or self-host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS)
# enable the Tailscale client app on your NixOS machine by adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> and access tokens to your NixOS configuration.


If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
== Split DNS: Access self-hosted services at your friends house as if you were there. ==
Tailscale support "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. you friend's house) as if you are in that local network.
See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE
Combined with Let's Encrypt using the "DNS-01" challenge you can get browser-trusted HTTPS certificates for local services (not exposed to the internet) and access them with Tailscale from anywhere.
See Wolfgang's Channel Local HTTPS overview: https://www.youtube.com/watch?v=qlcVx-k-02E


== Configuring TLS ==
== Configuring TLS ==
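Review bot: the new step 2 ("# enable the Tailscale client app ... and access tokens to your NixOS configuration") tells readers to put the auth key into the NixOS configuration itself; everything written into the configuration is copied into the world-readable /nix/store, so the step should say to keep the auth key in a file outside the store (readable only by root) and reference that file from the configuration, and use Tailscale's own term "auth key" rather than "access tokens". Wording in the same hunk: "also available NixOS" is missing a word ("also packaged for NixOS"), "Tailscale support "Split DNS"" should be "Tailscale supports", "you friend's house" should be "your friend's house", and the heading "at your friends house ... there." needs the apostrophe and no trailing full stop. The Split DNS section points only at two videos; one sentence saying that split DNS is configured per domain in the Tailscale DNS settings (a nameserver restricted to the remote network's domain) would let readers follow it without watching them.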
Line 38: Line 50:
$ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset
$ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset
}}
}}
==Using Userspace Networking (experimental)==
Tailscale inside containers can use [https://tailscale.com/kb/1112/userspace-networking userspace networking mode] to avoid needing host tunnel device permissions.
This can be accomplished by setting <code><nowiki>services.tailscale.interfaceName = "userspace-networking";</nowiki></code> in your NixOS config.


{{Expansion|
{{Expansion|
* Set up Systemd services for the additional host names
* Set up Systemd services for the additional host names
}}
}}
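Review bot: the new "Using Userspace Networking (experimental)" section says how to enable the mode but not what changes for workloads on that host: with interfaceName = "userspace-networking" no TUN device is created, so processes in the container can reach tailnet peers only through the SOCKS5 or HTTP proxy that tailscaled can be told to listen on, while inbound connections to the node's tailnet address are forwarded to the same port on localhost (the linked userspace-networking KB page documents both). A sentence stating that trade-off would save readers from debugging refused connections to 100.x.y.z addresses. Separately, the context line above passes the key as --auth-key=tskey-key-... on the tailscale up command line, where it is visible in the process list and in logs; since the unit already has ${STATE_DIRECTORY}, the example could read the key from a root-only file there instead of the command line.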