Tailscale: Difference between revisions

(5 intermediate revisions by 3 users not shown)

Line 1:

~~From [https~~://~~tailscale.com Official Website]~~

== Basic setup ==

To enable Tailscale, add the following to your configuration:

{{File|3={

services.tailscale = {

enable = true;

# Enable tailscale at startup

# If you would like to use a preauthorized key

#authKeyFile = "/run/secrets/tailscale_key";

~~<blockquote>~~

};

~~''"Tailscale makes networking easy''~~

}|name=/etc/nixos/configuration.nix|lang=nix}}

~~''Tailscale lets~~ you ~~easily manage access~~ to ~~private resources, quickly SSH into devices on~~ your ~~network, and work securely from anywhere in the world.~~"''

After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">

</~~blockquote~~>

# tailscale login

</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.

== ~~Basic setup~~ ==

For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .

~~You need~~ to

== Native nftables Support (Modern Setup) ==

Recent versions of NixOS encourage the use of [[nftables]] over legacy iptables. Tailscale can be configured to use `nftables` natively, which avoids conflicts and kernel module bloat.

This configuration forces the `nftables` backend and optimizes the service startup:

{ config, pkgs, ... }:

{

# 1. Enable the service and the firewall

services.tailscale.enable = true;

networking.nftables.enable = true;

networking.firewall = {

enable = true;

# Always allow traffic from your Tailscale network

trustedInterfaces = [ "tailscale0" ];

# Allow the Tailscale UDP port through the firewall

allowedUDPPorts = [ config.services.tailscale.port ];

};

# ~~make an account and login at https://login~~.~~tailscale.com~~ (~~or self~~-~~host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS~~)

# 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)

# ~~enable~~ the ~~Tailscale client app on your NixOS machine by adding <code><nowiki>~~services.~~tailscale~~.~~enable~~ = ~~true~~;~~</nowiki></code> and access tokens to your NixOS configuration.~~

# This avoids the "iptables-compat" translation layer issues.

systemd.services.tailscaled.serviceConfig.Environment = [

"TS_DEBUG_FIREWALL_MODE=nftables"

];

~~If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services~~.~~tailscale~~.~~useRoutingFeatures~~</~~nowiki~~>~~</code> to "server", "client" or "both" depending on the role of your machine.~~

# 3. Optimization: Prevent systemd from waiting for network online

# (Optional but recommended for faster boot with VPNs)

systemd.network.wait-online.enable = false;

boot.initrd.systemd.network.wait-online.enable = false;

}

</syntaxhighlight>

== Split DNS ==

Line 62:

Line 99:

[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]

=== Some utils/applets asks root auth every time ===

Some GUI applets/utilities cannot control {{ic|tailscaled}} as a regular user and prompt for a password for every action/not connecting. Assigning the user as an operator fixes this:

{{Commands|1=$ sudo tailscale set --operator=USERNAME}}'''Note:''' There is currently a bug with the above command documented in: https://github.com/tailscale/tailscale/issues/18294

The workaround is to login and set the operator as part of connecting to tailscale. This section can be removed once the issue is resolved.

{{Commands|1=# for initial login

sudo tailscale login

# this will set your user as the operator for the future

sudo tailscale up --operator=$USER

# validate your user is an operator

tailscale debug prefs {{!}} grep -i operator}}

== Running multiple Tailnet-accessible services on a single machine ==

Line 83:

Line 136:

== Optimize the performance of subnet routers and exit nodes ==

Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput ~~of your node~~.

Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput. For high-throughput nodes (like subnet routers), disabling UDP Generic Receive Offload (GRO) on the physical interface is recommended to prevent packet drops.

~~You need to have <code>ethtool</code> and <code>~~networkd-dispatcher~~</code> installed, and~~ to ~~create~~ the ~~appropriate rule for Tailscale~~.

In NixOS, this can be automated using `networkd-dispatcher` to ensure the setting persists across reboots and network changes.

~~Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:~~<syntaxhighlight lang="nixos">

services ~~= {~~

# In environment.systemPackages, ensure you have pkgs.ethtool

networkd-dispatcher = {

services.networkd-dispatcher = {

enable = true;

rules."50-tailscale" = {

rules."50-tailscale-optimizations" = {

onState = ["routable"];

onState = [ "routable" ];

script = ''

${~~lib~~.~~getExe~~ ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off

${pkgs.ethtool}/bin/ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off

'';

};

</syntaxhighlight>

''Note: Replace `eth0` with your actual WAN interface name (e.g. `ens192`).''

@@ Line 1: / Line 1: @@
-From [https://tailscale.com Official Website]
+== Basic setup ==
+To enable Tailscale, add the following to your configuration:
+{{File|3={
+  services.tailscale = {
+    enable = true;
+    # Enable tailscale at startup
+    # If you would like to use a preauthorized key
+    #authKeyFile = "/run/secrets/tailscale_key";
-<blockquote>
+  };
-''"Tailscale makes networking easy''
+}|name=/etc/nixos/configuration.nix|lang=nix}}
-''Tailscale lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world."''
+After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">
-</blockquote>
+# tailscale login
+</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
-== Basic setup ==
+For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .
-You need to
+== Native nftables Support (Modern Setup) ==
+Recent versions of NixOS encourage the use of [[nftables]] over legacy iptables. Tailscale can be configured to use `nftables` natively, which avoids conflicts and kernel module bloat.
+This configuration forces the `nftables` backend and optimizes the service startup:
+<syntaxhighlight lang="nixos">
+{ config, pkgs, ... }:
+{
+  # 1. Enable the service and the firewall
+  services.tailscale.enable = true;
+  networking.nftables.enable = true;
+  networking.firewall = {
+    enable = true;
+    # Always allow traffic from your Tailscale network
+    trustedInterfaces = [ "tailscale0" ];
+    # Allow the Tailscale UDP port through the firewall
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
-# make an account and login at https://login.tailscale.com (or self-host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS)
+  # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
-# enable the Tailscale client app on your NixOS machine by adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> and access tokens to your NixOS configuration.
+  # This avoids the "iptables-compat" translation layer issues.
+  systemd.services.tailscaled.serviceConfig.Environment = [
+    "TS_DEBUG_FIREWALL_MODE=nftables"
+  ];
-If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
+  # 3. Optimization: Prevent systemd from waiting for network online
+  # (Optional but recommended for faster boot with VPNs)
+  systemd.network.wait-online.enable = false;
+  boot.initrd.systemd.network.wait-online.enable = false;
+}
+</syntaxhighlight>
 == Split DNS ==
@@ Line 62: / Line 99: @@
 [https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]
+=== Some utils/applets asks root auth every time ===
+Some GUI applets/utilities cannot control {{ic|tailscaled}} as a regular user and prompt for a password for every action/not connecting. Assigning the user as an operator fixes this:
+{{Commands|1=$ sudo tailscale set --operator=USERNAME}}'''Note:''' There is currently a bug with the above command documented in: https://github.com/tailscale/tailscale/issues/18294
+The workaround is to login and set the operator as part of connecting to tailscale. This section can be removed once the issue is resolved.
+{{Commands|1=# for initial login
+sudo tailscale login
+# this will set your user as the operator for the future
+sudo tailscale up --operator=$USER
+# validate your user is an operator
+tailscale debug prefs {{!}} grep -i operator}}
 == Running multiple Tailnet-accessible services on a single machine ==
@@ Line 83: / Line 136: @@
 == Optimize the performance of subnet routers and exit nodes ==
-Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput of your node.
+Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput. For high-throughput nodes (like subnet routers), disabling UDP Generic Receive Offload (GRO) on the physical interface is recommended to prevent packet drops.
-You need to have <code>ethtool</code> and <code>networkd-dispatcher</code> installed, and to create the appropriate rule for Tailscale.
+In NixOS, this can be automated using `networkd-dispatcher` to ensure the setting persists across reboots and network changes.
-Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
+<syntaxhighlight lang="nixos">
-services = {
+# In environment.systemPackages, ensure you have pkgs.ethtool
-  networkd-dispatcher = {
+services.networkd-dispatcher = {
-    enable = true;
+  enable = true;
-    rules."50-tailscale" = {
+  rules."50-tailscale-optimizations" = {
-      onState = ["routable"];
+    onState = [ "routable" ];
-      script = ''
+    script = ''
-        ${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off
+      ${pkgs.ethtool}/bin/ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off
-      '';
+    '';
-    };
    };
 };
 </syntaxhighlight>
+''Note: Replace `eth0` with your actual WAN interface name (e.g. `ens192`).''