Jump to content

Tailscale: Difference between revisions

From Official NixOS Wiki
← Older edit
VisualWikitext
imported>Cablespaghetti
Notes about DNS issues
Phobos (talk | contribs)
57 edits
No edit summary
 
(15 intermediate revisions by 9 users not shown)
Line 1: Line 1:
From [https://tailscale.com Official Website]
== Basic setup ==
To enable Tailscale, add the following to your configuration:
 
{{File|3={
  services.tailscale = {
    enable = true;
    # Enable tailscale at startup
 
    # If you would like to use a preauthorized key
  #authKeyFile = "/run/secrets/tailscale_key";


<blockquote>
  };
Tailscale makes networking easy
}|name=/etc/nixos/configuration.nix|lang=nix}}


Tailscale lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world.
After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">
</blockquote>
# tailscale login
</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.


== Basic setup ==
For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .
Enabling tailscale is as simple as adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> to your Nix config.  
 
== Split DNS ==
Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.
 
See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE
 
Combined with Let's Encrypt using the "DNS-01" challenge you can get browser-trusted HTTPS certificates for local services (not exposed to the internet) and access them with Tailscale from anywhere.


If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
See Wolfgang's Channel Local HTTPS overview: https://www.youtube.com/watch?v=qlcVx-k-02E


== Configuring TLS ==
== Configuring TLS ==
{{Expansion|
* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
* Show how to run for multiple services on a single machine.
}}
Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:
Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:


Line 19: Line 40:
}}
}}


{{Expansion|
As an alternative, you can set up [https://wiki.nixos.org/wiki/Caddy Caddy] to create and manage SSL certs automatically as [https://tailscale.com/kb/1190/caddy-certificates Caddy recognizes Tailscale urls]. After replacing <code><MACHINE_NAME></code>, <code><TAILNET_NAME></code>, <code><port></code> with your tailscale machine name, tailscale tailnet name, and the port of the local service you want to forward, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
services.caddy = {
* Show how to run for multiple services on a single machine.
  enable = true;
}}
  virtualHosts."<MACHINE_NAME>.<TAILNET_NAME>".extraConfig = ''
    reverse_proxy 127.0.0.1:<port>
  '';
};
# Allow the Caddy user(and service) to edit certs
services.tailscale.permitCertUid = "caddy";
</syntaxhighlight>


== Known issues ==
== Known issues ==
If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.


=== IPv6 ===
If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the Tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the Tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.
=== DNS ===
There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.
There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.
=== No internet when using exit node ===
When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc.
The quick fix for NixOS users is to set the following option in your NixOS config:
<code>networking.firewall.checkReversePath = "loose";</code>
[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]


== Running multiple Tailnet-accessible services on a single machine ==
== Running multiple Tailnet-accessible services on a single machine ==
Line 38: Line 76:
$ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset
$ sudo tailscale --socket{{=}}${STATE_DIRECTORY}/tailscaled.sock up --auth-key{{=}}tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname{{=}}MYSERVICE --reset
}}
}}
==Using Userspace Networking (experimental)==
Tailscale inside containers can use [https://tailscale.com/kb/1112/userspace-networking userspace networking mode] to avoid needing host tunnel device permissions.
This can be accomplished by setting <code><nowiki>services.tailscale.interfaceName = "userspace-networking";</nowiki></code> in your NixOS config.


{{Expansion|
{{Expansion|
* Set up Systemd services for the additional host names
* Set up Systemd services for the additional host names
}}
}}
== Optimize the performance of subnet routers and exit nodes ==
Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput of your node.
You need to have <code>ethtool</code> and <code>networkd-dispatcher</code> installed, and to create the appropriate rule for Tailscale.
Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
services = {
  networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
        ${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
};
</syntaxhighlight>

Latest revision as of 17:02, 25 November 2025

Basic setup

To enable Tailscale, add the following to your configuration:

❄︎ /etc/nixos/configuration.nix
{
  services.tailscale = {
    enable = true;
    # Enable tailscale at startup

    # If you would like to use a preauthorized key
   #authKeyFile = "/run/secrets/tailscale_key";

  };
}

After enabling, you can login to your Tailscale account with:

# tailscale login

If you are using features like subnet routers or exit nodes you will also need to set services.tailscale.useRoutingFeatures to "server", "client" or "both" depending on the role of your machine.

For more configuration option, refer to services.tailscale .

Split DNS

Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.

See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE

Combined with Let's Encrypt using the "DNS-01" challenge you can get browser-trusted HTTPS certificates for local services (not exposed to the internet) and access them with Tailscale from anywhere.

See Wolfgang's Channel Local HTTPS overview: https://www.youtube.com/watch?v=qlcVx-k-02E

Configuring TLS

☶︎
This article or section needs to be expanded. Further information may be found in the related discussion page. Please consult the pedia article metapage for guidelines on contributing.

Per Enabling HTTPS in the Tailscale documentation, run the following: 

$ sudo tailscale cert ${MACHINE_NAME}.${TAILNET_NAME}

As an alternative, you can set up Caddy to create and manage SSL certs automatically as Caddy recognizes Tailscale urls. After replacing <MACHINE_NAME>, <TAILNET_NAME>, <port> with your tailscale machine name, tailscale tailnet name, and the port of the local service you want to forward, you can add the following to your configuration.nix:

services.caddy = {
  enable = true;
  virtualHosts."<MACHINE_NAME>.<TAILNET_NAME>".extraConfig = ''
    reverse_proxy 127.0.0.1:<port>
  '';
};
# Allow the Caddy user(and service) to edit certs
services.tailscale.permitCertUid = "caddy";

Known issues

IPv6

If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the Tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the Tailscale codebase. Enabling networking.nftables.enable = true; and then rebooting may fix this issue if you are using iptables.

DNS

There is also a known issue with DNS when using the default NixOS configuration; see GitHub issue 4254. Enabling systemd-resolved seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.

No internet when using exit node

When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc. The quick fix for NixOS users is to set the following option in your NixOS config:

networking.firewall.checkReversePath = "loose";

Issue in Tailscale tracker

Running multiple Tailnet-accessible services on a single machine

The essence is to run multiple tailscaled daemons on a machine, with the additional daemons using userspace networking rather than tun, which seems to intercept connections to all Tailscale IPs on a machine. Basically for an additional service MYSERVICE run the following commands: 

$ STATE_DIRECTORY=/var/lib/tailscale/tailscaled-tt_rss
$ sudo mkdir -p ${STATE_DIRECTORY}
$ sudo env STATE_DIRECTORY=${STATE_DIRECTORY} tailscaled --statedir=${STATE_DIRECTORY} --socket=${STATE_DIRECTORY}/tailscaled.sock --port=0 --tun=user
$ sudo tailscale --socket=${STATE_DIRECTORY}/tailscaled.sock up --auth-key=tskey-key-MYSERVICE_KEY_FROM_TAILSCALE_ADMIN_CONSOLE --hostname=MYSERVICE --reset

Using Userspace Networking (experimental)

Tailscale inside containers can use userspace networking mode to avoid needing host tunnel device permissions.

This can be accomplished by setting services.tailscale.interfaceName = "userspace-networking"; in your NixOS config.

☶︎
This article or section needs to be expanded. Further information may be found in the related discussion page. Please consult the pedia article metapage for guidelines on contributing.

Optimize the performance of subnet routers and exit nodes

Tailscale gives recommendations on how to optimize UDP throughput of your node.

You need to have ethtool and networkd-dispatcher installed, and to create the appropriate rule for Tailscale.

Supposing the network device you'll be using is called eth0, you can add the following to your configuration.nix:

services = {
  networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
        ${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
};
Retrieved from "https://wiki.nixos.org/w/index.php?title=Tailscale&oldid=28753"