Tailscale: Difference between revisions

(8 intermediate revisions by 4 users not shown)

Line 1:

~~From~~ [https://tailscale.~~com Official Website~~]

== Basic setup ==

To enable Tailscale, add the following to your configuration:

{{File|3={

services.tailscale = {

enable = true;

# Enable tailscale at startup

# If you would like to use a preauthorized key

#authKeyFile = "/run/secrets/tailscale_key";

};

}|name=/etc/nixos/configuration.nix|lang=nix}}

After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">

# tailscale login

</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.

For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .

== Native nftables Support (Modern Setup) ==

Recent versions of NixOS encourage the use of [[nftables]] over legacy iptables. Tailscale can be configured to use `nftables` natively, which avoids conflicts and kernel module bloat.

~~<blockquote>~~

This configuration forces the `nftables` backend and optimizes the service startup:

~~Tailscale makes networking easy~~

~~Tailscale lets you easily manage access to private resources~~, ~~quickly SSH into devices on your network~~, ~~and work securely from anywhere in the world~~.

~~</blockquote>~~

{ config, pkgs, ... }:

== ~~Basic setup~~ ==

{

~~You need to~~

# 1. Enable the service and the firewall

services.tailscale.enable = true;

networking.nftables.enable = true;

networking.firewall = {

enable = true;

# Always allow traffic from your Tailscale network

trustedInterfaces = [ "tailscale0" ];

# Allow the Tailscale UDP port through the firewall

allowedUDPPorts = [ config.services.tailscale.port ];

};

# ~~make an account and login at https://login~~.~~tailscale.com~~ (~~or self~~-~~host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS~~)

# 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)

# ~~enable~~ the ~~Tailscale client app on your NixOS machine by adding <code><nowiki>~~services.~~tailscale~~.~~enable~~ = ~~true~~;~~</nowiki></code> and access tokens to your NixOS configuration.~~

# This avoids the "iptables-compat" translation layer issues.

systemd.services.tailscaled.serviceConfig.Environment = [

"TS_DEBUG_FIREWALL_MODE=nftables"

];

~~If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services~~.~~tailscale~~.~~useRoutingFeatures~~</~~nowiki~~>~~</code> to "server", "client" or "both" depending on the role of your machine.~~

# 3. Optimization: Prevent systemd from waiting for network online

# (Optional but recommended for faster boot with VPNs)

systemd.network.wait-online.enable = false;

boot.initrd.systemd.network.wait-online.enable = false;

}

</syntaxhighlight>

== Split DNS~~: Access self-hosted services at your friends house as if you were there.~~ ==

== Split DNS ==

Tailscale ~~support~~ "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. ~~you~~ friend's house) as if you are in that local network.

Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.

See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE

Line 25:

Line 62:

== Configuring TLS ==

{{Expansion|

* Set up Systemd service to run this command at regular intervals to avoid cert expiration.

* Show how to run for multiple services on a single machine.

}}

Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:

Line 41:

Line 83:

services.tailscale.permitCertUid = "caddy";

</syntaxhighlight>

~~{{Expansion|~~

* Set up Systemd service to run this command at regular intervals to avoid cert expiration.

* Show how to run for multiple services on a single machine.

}}

== Known issues ==

Line 55:

Line 91:

=== DNS ===

There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.

=== No internet when using exit node ===

When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc.

The quick fix for NixOS users is to set the following option in your NixOS config:

<code>networking.firewall.checkReversePath = "loose";</code>

[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]

=== Some utils/applets asks root auth every time ===

Some GUI applets/utilities cannot control {{ic|tailscaled}} as a regular user and prompt for a password for every action/not connecting. Assigning the user as an operator fixes this:

== Running multiple Tailnet-accessible services on a single machine ==

Line 76:

Line 125:

== Optimize the performance of subnet routers and exit nodes ==

Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput ~~of your node~~.

Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput. For high-throughput nodes (like subnet routers), disabling UDP Generic Receive Offload (GRO) on the physical interface is recommended to prevent packet drops.

~~You need to have <code>ethtool</code> and <code>~~networkd-dispatcher~~</code> installed, and~~ to ~~create~~ the ~~appropriate rule for Tailscale~~.

In NixOS, this can be automated using `networkd-dispatcher` to ensure the setting persists across reboots and network changes.

~~Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:~~<syntaxhighlight lang="nixos">

services ~~= {~~

# In environment.systemPackages, ensure you have pkgs.ethtool

networkd-dispatcher = {

services.networkd-dispatcher = {

enable = true;

rules."50-tailscale" = {

rules."50-tailscale-optimizations" = {

onState = ["routable"];

onState = [ "routable" ];

script = ''

${~~lib~~.~~getExe~~ ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off

${pkgs.ethtool}/bin/ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off

'';

};

</syntaxhighlight>

''Note: Replace `eth0` with your actual WAN interface name (e.g. `ens192`).''

@@ Line 1: / Line 1: @@
-From [https://tailscale.com Official Website]
+== Basic setup ==
+To enable Tailscale, add the following to your configuration:
+{{File|3={
+  services.tailscale = {
+    enable = true;
+    # Enable tailscale at startup
+    # If you would like to use a preauthorized key
+    #authKeyFile = "/run/secrets/tailscale_key";
+  };
+}|name=/etc/nixos/configuration.nix|lang=nix}}
+After enabling, you can login to your Tailscale account with:<syntaxhighlight lang="console">
+# tailscale login
+</syntaxhighlight>If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
+For more configuration option, refer to <code>[https://search.nixos.org/options?show=services.tailscale services.tailscale]</code> .
+== Native nftables Support (Modern Setup) ==
+Recent versions of NixOS encourage the use of [[nftables]] over legacy iptables. Tailscale can be configured to use `nftables` natively, which avoids conflicts and kernel module bloat.
-<blockquote>
+This configuration forces the `nftables` backend and optimizes the service startup:
-Tailscale makes networking easy
-Tailscale lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world.
+<syntaxhighlight lang="nixos">
-</blockquote>
+{ config, pkgs, ... }:
-== Basic setup ==
+{
-You need to
+  # 1. Enable the service and the firewall
+  services.tailscale.enable = true;
+  networking.nftables.enable = true;
+  networking.firewall = {
+    enable = true;
+    # Always allow traffic from your Tailscale network
+    trustedInterfaces = [ "tailscale0" ];
+    # Allow the Tailscale UDP port through the firewall
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
-# make an account and login at https://login.tailscale.com (or self-host a compatible [https://github.com/juanfont/headscale Headscale] service; also available NixOS)
+  # 2. Force tailscaled to use nftables (Critical for clean nftables-only systems)
-# enable the Tailscale client app on your NixOS machine by adding <code><nowiki>services.tailscale.enable = true;</nowiki></code> and access tokens to your NixOS configuration.
+  # This avoids the "iptables-compat" translation layer issues.
+  systemd.services.tailscaled.serviceConfig.Environment = [
+    "TS_DEBUG_FIREWALL_MODE=nftables"
+  ];
-If you are using features like subnet routers or exit nodes you will also need to set <code><nowiki>services.tailscale.useRoutingFeatures</nowiki></code> to "server", "client" or "both" depending on the role of your machine.
+  # 3. Optimization: Prevent systemd from waiting for network online
+  # (Optional but recommended for faster boot with VPNs)
+  systemd.network.wait-online.enable = false;
+  boot.initrd.systemd.network.wait-online.enable = false;
+}
+</syntaxhighlight>
-== Split DNS: Access self-hosted services at your friends house as if you were there. ==
+== Split DNS ==
-Tailscale support "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. you friend's house) as if you are in that local network.
+Tailscale supports "Split DNS" where you can access local services (not exposed to the internet) on a different network (e.g. your friend's house) as if you are in that local network.
 See KTZ Systems Split DNS overview: https://www.youtube.com/watch?v=Uzcs97XcxiE
@@ Line 25: / Line 62: @@
 == Configuring TLS ==
+{{Expansion|
+* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
+* Show how to run for multiple services on a single machine.
+}}
 Per [https://tailscale.com/kb/1153/enabling-https/?q=tls#provision-tls-certificates-for-your-devices Enabling HTTPS in the Tailscale documentation], run the following:
@@ Line 41: / Line 83: @@
 services.tailscale.permitCertUid = "caddy";
 </syntaxhighlight>
-{{Expansion|
-* Set up Systemd service to run this command at regular intervals to avoid cert expiration.
-* Show how to run for multiple services on a single machine.
-}}
 == Known issues ==
@@ Line 55: / Line 91: @@
 === DNS ===
 There is also a known issue with DNS when using the default NixOS configuration; see [https://github.com/tailscale/tailscale/issues/4254 GitHub issue 4254]. Enabling [[systemd-resolved]] seems to be some part of the solution to this problem, as well as ensuring that DHCP is not enabled on the "tailscale0" network interface. Please see the GitHub issue for more information.
+=== No internet when using exit node ===
+When you turn on exit nodes, NixOS's reverse path filter immediately starts dropping all incoming traffic related to wireguard tunnels, tailscale's control plane connection, etc. etc.
+The quick fix for NixOS users is to set the following option in your NixOS config:
+<code>networking.firewall.checkReversePath = "loose";</code>
+[https://github.com/tailscale/tailscale/issues/4432#issuecomment-1112819111 Issue in Tailscale tracker]
+=== Some utils/applets asks root auth every time ===
+Some GUI applets/utilities cannot control {{ic|tailscaled}} as a regular user and prompt for a password for every action/not connecting. Assigning the user as an operator fixes this:
+{{Commands|1=$ sudo tailscale set --operator=USERNAME}}
 == Running multiple Tailnet-accessible services on a single machine ==
@@ Line 76: / Line 125: @@
 == Optimize the performance of subnet routers and exit nodes ==
-Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput of your node.
+Tailscale gives [https://tailscale.com/kb/1320/performance-best-practices#enable-on-each-boot recommendations] on how to optimize UDP throughput. For high-throughput nodes (like subnet routers), disabling UDP Generic Receive Offload (GRO) on the physical interface is recommended to prevent packet drops.
-You need to have <code>ethtool</code> and <code>networkd-dispatcher</code> installed, and to create the appropriate rule for Tailscale.
+In NixOS, this can be automated using `networkd-dispatcher` to ensure the setting persists across reboots and network changes.
-Supposing the network device you'll be using is called <code>eth0</code>, you can add the following to your <code>configuration.nix</code>:<syntaxhighlight lang="nixos">
+<syntaxhighlight lang="nixos">
-services = {
+# In environment.systemPackages, ensure you have pkgs.ethtool
-  networkd-dispatcher = {
+services.networkd-dispatcher = {
-    enable = true;
+  enable = true;
-    rules."50-tailscale" = {
+  rules."50-tailscale-optimizations" = {
-      onState = ["routable"];
+    onState = [ "routable" ];
-      script = ''
+    script = ''
-        ${lib.getExe ethtool} -K eth0 rx-udp-gro-forwarding on rx-gro-list off
+      ${pkgs.ethtool}/bin/ethtool -K eth0 rx-udp-gro-forwarding on rx-gro-list off
-      '';
+    '';
-    };
    };
 };
 </syntaxhighlight>
+''Note: Replace `eth0` with your actual WAN interface name (e.g. `ens192`).''