Difference between revisions of "TailScale"

From Da Nerd Mage Wiki
 
(29 intermediate revisions by the same user not shown)
Line 1: Line 1:
>
>
{{{!}} class="wikitable" style="float: right; width: 322px;" border="2"
{{{!}} class="wikitable" style="float: right; width: 322px;" border="2"
{{!}}+ Proven on:
{{!}}+ Proven on:
{{!}}- <!-- Debian -->
{{!}}- --="" debian=""
{{!}} style="text-align: center; width: 60px;" {{!}} [[File:Logo Debian.png{{!}}60px{{!}}link=https://www.debian.org/{{!}}center{{!}}middle{{!}}frameless]]
{{!}} style="text-align: center; width: 60px;" {{!}} [[File:Logo Debian.png{{!}}60px{{!}}link=https://www.debian.org/{{!}}center{{!}}middle{{!}}frameless]]
{{!}} style="text-align: center; width: 40px;" {{!}} 11 (bullseye)
{{!}} style="text-align: center; width: 40px;" {{!}} 11 (bullseye)
{{!}} (later versions too...)
{{!}}- --="" pfsense=""
{{!}} style="text-align: center; width: 60px;" {{!}} [[File:Logo pfSense.png{{!}}60px{{!}}link=https://www.pfsense.org/{{!}}center{{!}}middle{{!}}frameless]]
{{!}} style="text-align: center; width: 40px;" {{!}} 2.6.0
{{!}}
{{!}}
<br>
<br>
{{!}}}
{{!}}}
'''<span style="color: rgb(132, 63, 161); font-size: 24pt;" >WIP!!!</span>'''
 
* [https://tailscale.com/kb/1017/install/ Tailscale quickstart] (Get individual machines onto your private TailScale network)
 
= Installing on Linux =
'''As always...'''
'''As always...'''


Start with:
Start with:


*<code>sudo apt update</code>
*<code>sudo apt update && sudo apt upgrade</code>
*<code>sudo apt upgrade</code>
A note about [[PVE LXC Containers#Using Tailscal on an LXC{{!}}LXCs & TailScale]]
 
I'd suggest just using the script method that they provide on [https://tailscale.com/kb/1031/install-linux this page].
 
* <code>curl -fsSL https://tailscale.com/install.sh {{!}} sh</code>
The first time you start it by entering <code>tailscale up</code> it will display a URL. Open a web browser & go to this URL to authorise the machine on your tailnet.
 
From this point on, <code>tailscale up</code> will be done automatically on bootup.
 
= Installing on Other Things =
* [https://tailscale.com/kb/1079/install-android Installing on Android]
* [https://tailscale.com/kb/1022/install-windows Installing on Windows]
* [https://tailscale.com/kb/1016/install-mac Installing on Mac]
* [https://tailscale.com/kb/1131/synology Installing on Synology DSM]
 
= The Actual Day-to-Day usage =
In general, Tailscale is pretty much transparent.


= TailScale HowTo =
Mostly, you do all the same things you would expect on an IP-based network.


* [https://tailscale.com/kb/1017/install/ Tailscale quickstart] (Get individual machines onto your private TailScale network)
The big difference is that every machine on your tailnet has a secondary address that pretty much ignores the non-tailnet topology. (i.e.: As long as the machine is connected to the Internet in general, it's reachable by the tailnet IP address.)
 
Reaching it by that address requires that the machine you're accessing from have tailscale installed & running.


= TailScale & pfSense =
= TailScale on pfSense =
* [https://www.youtube.com/watch?v=Fg_jIPVcioY A Tailscale Package for pfSense!] (video)
* [https://www.youtube.com/watch?v=Fg_jIPVcioY A Tailscale Package for pfSense!] (video)
** exit node
** exit node
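Review bot: the new install bullet pipes https://tailscale.com/install.sh straight into sh, so whatever the server returns is executed unread. Suggest telling the reader to save the script to a file first (curl -fsSLo install.sh ...), read it, and then run it. In the same hunk the link target "PVE LXC Containers#Using Tailscal on an LXC" looks misspelled; confirm it matches the section heading on that page, otherwise the anchor will not resolve.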
Line 31: Line 60:
* <span style="font-size: 18pt;">[https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/ How to Set Up Tailscale on pfSense]</span>
* <span style="font-size: 18pt;">[https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/ How to Set Up Tailscale on pfSense]</span>


== Inbound NAT ==
== The Steps ==
For some reason, nobody talks about how to use TailScale to actually access your pfSense managed network from the OUTSIDE.
=== Installing ===
# Select&nbsp;'''System,&nbsp;'''then'''&nbsp;Package Manager.'''
# Search for&nbsp;'''Tailscale''', then install the Tailscale package.
# Select&nbsp;'''VPN''', then&nbsp;'''Tailscale&nbsp;'''to launch the Tailscale settings.
# At this point, we need to configure the pre-authentication key. This can be created on the&nbsp;[https://tailscale.com/ Tailscale website]. If you don?t already have an account, create one, then log in and select&nbsp;'''Settings''', then&nbsp;'''Keys.'''
# Select&nbsp;'''generate auth key&nbsp;'''so that we can create the key for pfSense. Select&nbsp;'''Generate Key&nbsp;'''(the settings can stay as default)'''.'''
# After the key has been generated,&nbsp;'''copy&nbsp;'''it, then go back to the&nbsp;'''Authentication&nbsp;'''section of Tailscale on pfSense.
# Paste the key that was just created, then select&nbsp;'''save.'''
# After saving, select&nbsp;'''Settings''', then enable Tailscale and&nbsp;'''Save'''.


What I've figured out so far...
=== Setup ===
# Inside the Tailscale settings on pfSense, enable the&nbsp;'''offer to be an exit node for outbound internet traffic from the Tailscale network&nbsp;'''option. Also, set the&nbsp;'''Advertised Routes&nbsp;'''as your local subnet (that you'd like to be able to access from external networks), then&nbsp;'''save.'''
# On the Tailscale website, select&nbsp;'''Machines''', then the three ellipses next to your pfSense system, then&nbsp;'''Edit Route Settings'''.
# Select&nbsp;'''use as exit node'''. The exit node functionality is now set up and can be used by client devices.
# <span style="color: rgb(132, 63, 161);">On whatever application you're using, select</span>&nbsp;<span style="color: rgb(132, 63, 161);">'''Use Exit Node&nbsp;'''and change the exit node to be pfSense. If you do</span>&nbsp;<span style="color: rgb(132, 63, 161);">''not&nbsp;''want to use the exit node, select</span>&nbsp;<span style="color: rgb(132, 63, 161);">'''None''', but ensure that</span>&nbsp;<span style="color: rgb(132, 63, 161);">'''Allow LAN Access&nbsp;'''is enabled so that you?re able to connect to your local devices</span>. (WTF does this actually mean???)
# Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.


Assign the TailScale interface:
=== Accessing It ===
==== On a Linux machine with TailScale installed ====
Start Tailscale with the command line:


'''Interfaces / Assignments''' & click "Add" beside "tailscale0 (tailscale0)".
* <code>sudo tailscale up --accept-routes</code>
 
At this point, the network maintained by the above pfSense router is accessible by IP addresses from this machine...
Then, in your NAT settings, '''Firewall / NAT / Port Forward''', When you create a NAT forward that uses TailScale, select the '''Tailscale''' interface & '''Any''' as the destination. This will allow you to treat the TailScale IP address just like you would normally treat the WAN address.
== Yet to be figured out... ==
 
* Going the other direction
In theory, [https://tailscale.com/kb/1019/subnets/ this page] is relevant...
** i.e.: setting up pfSense to add a TailScale shared network to the local network
 
* Accessing the remote network using hostnames
Research required.
 
There IS some possibility that "'''exit node'''", as used by tailscale, does NOT mean what it seems...&nbsp; hhhmmm...


= HeadScale =
= HeadScale =
* [https://github.com/juanfont/headscale Headscale]
* [https://github.com/juanfont/headscale Headscale]
<span style="color: rgb(255, 0, 0);">'''[[Now Do A Backup!{{!}}Now Do A Backup!]]'''</span>
[[Category:ServerBuilding]]
[[Category:ServerBuilding]]
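Review bot: the Setup steps never approve the advertised subnet route. Step 1 sets Advertised Routes, but steps 2 and 3 only select "use as exit node" under Edit Route Settings, while the Accessing It line "sudo tailscale up --accept-routes" relies on the subnet route rather than on the exit node. Suggest adding the route approval to step 3 and marking the exit-node parts as optional, which would also let the "(WTF does this actually mean???)" in step 4 be resolved or dropped. Installing step 5 says the key settings can stay as default; a line noting that the auth key is a credential for joining the tailnet and should not be kept around after pasting would help. The "don?t" and "you?re" in the added steps look like encoding damage from the pasted source.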

Latest revision as of 17:38, 20 October 2024


Proven on:

  • Debian 11 (bullseye) (later versions too...)
  • pfSense 2.6.0


Installing on Linux

As always...

Start with:

  • sudo apt update && sudo apt upgrade

A note about LXCs & TailScale

I'd suggest just using the script method that they provide on this page: https://tailscale.com/kb/1031/install-linux

The first time you start it by entering tailscale up it will display a URL. Open a web browser & go to this URL to authorise the machine on your tailnet.

From this point on, tailscale up will be done automatically on bootup.

Installing on Other Things

The Actual Day-to-Day usage

In general, Tailscale is pretty much transparent.

Mostly, you do all the same things you would expect on an IP-based network.

The big difference is that every machine on your tailnet has a secondary address that pretty much ignores the non-tailnet topology. (i.e.: As long as the machine is connected to the Internet in general, it's reachable by the tailnet IP address.)

Reaching it by that address requires that the machine you're accessing from have tailscale installed & running.

TailScale on pfSense

The Steps

Installing

  1. Select System, then Package Manager.
  2. Search for Tailscale, then install the Tailscale package.
  3. Select VPN, then Tailscale to launch the Tailscale settings.
  4. At this point, we need to configure the pre-authentication key. This can be created on the Tailscale website. If you don't already have an account, create one, then log in and select Settings, then Keys.
  5. Select generate auth key so that we can create the key for pfSense. Select Generate Key (the settings can stay as default).
  6. After the key has been generated, copy it, then go back to the Authentication section of Tailscale on pfSense.
  7. Paste the key that was just created, then select save.
  8. After saving, select Settings, then enable Tailscale and Save.

Setup

  1. Inside the Tailscale settings on pfSense, enable the offer to be an exit node for outbound internet traffic from the Tailscale network option. Also, set the Advertised Routes as your local subnet (that you'd like to be able to access from external networks), then save.
  2. On the Tailscale website, select Machines, then the three ellipses next to your pfSense system, then Edit Route Settings.
  3. Select use as exit node. The exit node functionality is now set up and can be used by client devices.
  4. On whatever application you're using, select Use Exit Node and change the exit node to be pfSense. If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you're able to connect to your local devices. (WTF does this actually mean???)
  5. Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.

Accessing It

On a Linux machine with TailScale installed

Start Tailscale with the command line:

  • sudo tailscale up --accept-routes

At this point, the network maintained by the above pfSense router is accessible by IP addresses from this machine...
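
To see which peer actually carries the pfSense LAN once --accept-routes is on, and to keep subnet routes apart from exit-node status, the sketch below reads the JSON printed by tailscale status --json. It is an added example, not part of the original wiki page: the sample data is constructed, the function names are hypothetical, and the field names (Peer, HostName, TailscaleIPs, AllowedIPs, ExitNodeOption, ExitNode) are assumed to match what your client version emits.

```python
import ipaddress
import json

# Constructed sample shaped like `tailscale status --json` output; it is not
# captured from a real tailnet. 192.168.1.0/24 stands in for the pfSense LAN.
SAMPLE_STATUS = json.dumps({"Peer": {
    "nodekey:aaaa": {
        "HostName": "pfsense",
        "TailscaleIPs": ["100.64.0.1"],
        "AllowedIPs": ["100.64.0.1/32", "192.168.1.0/24"],
        "ExitNodeOption": True,   # offers to be an exit node
        "ExitNode": False,        # but this client is not using it
    },
    "nodekey:bbbb": {
        "HostName": "laptop",
        "TailscaleIPs": ["100.64.0.2"],
        "AllowedIPs": ["100.64.0.2/32"],
        "ExitNodeOption": False,
        "ExitNode": False,
    },
}})

# Default routes mean exit-node traffic, not a subnet route.
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def audit_routes(status_json):
    """Per peer: non-host prefixes in AllowedIPs, plus exit-node flags."""
    report = {}
    for peer in json.loads(status_json).get("Peer", {}).values():
        own = {ipaddress.ip_address(a) for a in peer.get("TailscaleIPs") or []}
        subnets = []
        for cidr in peer.get("AllowedIPs") or []:
            net = ipaddress.ip_network(cidr, strict=False)
            host_route = net.num_addresses == 1 and net.network_address in own
            if not host_route and cidr not in DEFAULT_ROUTES:
                subnets.append(net)
        report[peer.get("HostName", "?")] = {
            "subnet_routes": subnets,
            "offers_exit_node": bool(peer.get("ExitNodeOption")),
            "exit_node_in_use": bool(peer.get("ExitNode")),
        }
    return report


def peers_routing(report, target_ip):
    """Names of peers whose subnet routes cover target_ip."""
    ip = ipaddress.ip_address(target_ip)
    return sorted(host for host, row in report.items()
                  if any(ip in net for net in row["subnet_routes"]))


if __name__ == "__main__":
    rep = audit_routes(SAMPLE_STATUS)
    print(rep, peers_routing(rep, "192.168.1.50"))
```

On a real client, pass the output of tailscale status --json to audit_routes instead of SAMPLE_STATUS; a peer that shows up with a subnet route you did not expect is worth checking in the admin console.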

Yet to be figured out...

  • Going the other direction
    • i.e.: setting up pfSense to add a TailScale shared network to the local network
  • Accessing the remote network using hostnames

HeadScale