Tailscale: Difference between revisions

(10 intermediate revisions by 6 users not shown)

Line 1:

~~From [https~~:~~//tailscale.com Official Website]~~

== Basic setup ==

To enable Tailscale, add the following to your configuration:

~~<blockquote>~~

{{File|3={

~~Tailscale makes networking easy~~

services.tailscale = {

enable = true;

# Enable tailscale at startup

~~Tailscale lets~~ you ~~easily manage access~~ to ~~private resources, quickly SSH into devices on your network, and work securely from anywhere in the world.~~

# If you would like to use a preauthorized key

</~~blockquote>~~

#authKeyFile = "/run/secrets/tailscale_key";

== ~~Basic setup ==~~

};

~~You need to~~

}|name=/etc/nixos/configuration.nix|lang=nix}}

# ~~make an account and~~ login ~~at https:~~/~~/login.tailscale.com (~~or ~~self-host a compatible [https://github.com/juanfont/headscale Headscale] service;~~ also ~~available NixOS)~~

After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">

~~# enable the Tailscale client app on your NixOS machine by adding~~ <code><nowiki>services.tailscale.~~enable = true;~~</nowiki></code> ~~and access tokens~~ to your ~~NixOS configuration~~.

# tailscale login

</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.

~~If you are using features like subnet routers or exit nodes you will also need~~ to ~~set~~ <code>~~<nowiki>~~services.tailscale.~~useRoutingFeatures</nowiki>~~</code> ~~to "server", "client" or "both" depending on the role of your machine~~.

For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .

== Split DNS~~: Access self-hosted services at your friends house as if you were there.~~ ==

== Split DNS ==

Tailscale ~~support~~ "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. ~~you~~ friend's house) as if you are in that local network.

Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.

See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE

Line 25:

Line 29:

== Configuring TLS ==

{{Expansion|

* Set up Systemd service to run this command at regular intervals to avoid cert expiration.

* Show how to run for multiple services on a single machine.

}}

Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:

Line 31:

Line 40:

}}

~~{{Expansion|~~

As an alternative, you can set up [https://wiki.nixos.org/wiki/Caddy Caddy] to create and manage SSL certs automatically as [https://tailscale.com/kb/1190/caddy-certificates Caddy recognizes Tailscale urls]. After replacing <code><MACHINE_NAME></code>, <code><TAILNET_NAME></code>, <code><port></code> with your tailscale machine name, tailscale tailnet name, and the port of the local service you want to forward, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">

* Set up ~~Systemd~~ service to ~~run this command at regular intervals~~ to ~~avoid cert expiration~~.

services.caddy = {

* Show how to ~~run for multiple~~ services ~~on a single machine~~.

enable = true;

}}

virtualHosts."<MACHINE_NAME>.<TAILNET_NAME>".extraConfig = ''

reverse_proxy 127.0.0.1:<port>

'';

};

# Allow the Caddy user(and service) to edit certs

services.tailscale.permitCertUid = "caddy";

</syntaxhighlight>

== Known issues ==

If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.

=== IPv6 ===

If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the Tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the Tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.

=== DNS ===

There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.

=== No internet when using exit node ===

When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc.

The quick fix for NixOS users is to set the following option in your NixOS config:

<code>networking.firewall.checkReversePath = "loose";</code>

[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]

== Running multiple Tailnet-accessible services on a single machine ==

Line 66:

Line 92:

Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">

~~environment.systemPackages = with pkgs; [~~

~~...~~

~~ethtool~~

~~networkd-dispatcher~~

];

~~...~~

services = {

networkd-dispatcher = {

Line 78:

Line 98:

onState = ["routable"];

script = ''

#!${~~pkgs~~.~~runtimeShel1~~}

${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off

~~ethtool~~ -K eth0 rx-udp-gro-forwarding on rx-gro-list off

~~exit 0~~

'';

};

@@ Line 1: / Line 1: @@
-From [https://tailscale.com Official Website]
+== Basic setup ==
+To enable Tailscale, add the following to your configuration:
-<blockquote>
+{{File|3={
-Tailscale makes networking easy
+  services.tailscale = {
+    enable = true;
+    # Enable tailscale at startup
-Tailscale lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world.
+    # If you would like to use a preauthorized key
-</blockquote>
+   #authKeyFile = "/run/secrets/tailscale_key";
-== Basic setup ==
+  };
-You need to
+}|name=/etc/nixos/configuration.nix|lang=nix}}
-# make an account and login at https://login.tailscale.com (or self-host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS)
+After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">
-# enable the Tailscale client app on your NixOS machine by adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> and access tokens to your NixOS configuration.
+# tailscale login
+</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
-If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
+For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .
-== Split DNS: Access self-hosted services at your friends house as if you were there. ==
+== Split DNS ==
-Tailscale support "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. you friend's house) as if you are in that local network.
+Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.
 See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE
@@ Line 25: / Line 29: @@
 == Configuring TLS ==
+{{Expansion|
+* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
+* Show how to run for multiple services on a single machine.
+}}
 Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:
@@ Line 31: / Line 40: @@
 }}
-{{Expansion|
+As an alternative, you can set up [https://wiki.nixos.org/wiki/Caddy Caddy] to create and manage SSL certs automatically as [https://tailscale.com/kb/1190/caddy-certificates Caddy recognizes Tailscale urls]. After replacing <code><MACHINE_NAME></code>, <code><TAILNET_NAME></code>, <code><port></code> with your tailscale machine name, tailscale tailnet name, and the port of the local service you want to forward, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
-* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
+services.caddy = {
-* Show how to run for multiple services on a single machine.
+  enable = true;
-}}
+  virtualHosts."<MACHINE_NAME>.<TAILNET_NAME>".extraConfig = ''
+    reverse_proxy 127.0.0.1:<port>
+  '';
+};
+# Allow the Caddy user(and service) to edit certs
+services.tailscale.permitCertUid = "caddy";
+</syntaxhighlight>
 == Known issues ==
-If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.
+=== IPv6 ===
+If you encounter issues with IPv6 not working through your NixOS-based exit node, this might be an issue with the Tailscale client's detection of whether IPv6 NAT is supported. This is the "checkSupportsV6NAT" function in the Tailscale codebase. Enabling <code><nowiki>networking.nftables.enable = true;</nowiki></code> and then rebooting may fix this issue if you are using iptables.
+=== DNS ===
 There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.
+=== No internet when using exit node ===
+When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc.
+The quick fix for NixOS users is to set the following option in your NixOS config:
+<code>networking.firewall.checkReversePath = "loose";</code>
+[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]
 == Running multiple Tailnet-accessible services on a single machine ==
@@ Line 66: / Line 92: @@
 Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
-environment.systemPackages = with pkgs; [
- ...
- ethtool
- networkd-dispatcher
-];
-...
 services = {
    networkd-dispatcher = {
@@ Line 78: / Line 98: @@
        onState = ["routable"];
        script = ''
-         #!${pkgs.runtimeShel1}
+         ${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off
-        ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off
-        exit 0
        '';
      };