Difference between revisions of "Tailscale"

From Indie IT Wiki
Line 137: Line 137:
  
 
=== Linux ===
 
=== Linux ===
 +
 +
Generate a User on the Headscale server first, then register a Node linked to that User.
 +
 +
==== Users ====
 +
 +
docker exec headscale headscale users create <USER_NAME>
 +
 +
==== Nodes ====
  
 
'''Method 1: Register a machine using normal login'''
 
'''Method 1: Register a machine using normal login'''
Line 144: Line 152:
 
  tailscale up --login-server <YOUR_HEADSCALE_URL>
 
  tailscale up --login-server <YOUR_HEADSCALE_URL>
  
On the server, run the headscale users and nodes commands ...
+
On the server, run the headscale nodes command to register that client machine node using that key to a User ...
  
  docker exec headscale headscale --user <USER_NAME> nodes register --key <YOUR_MACHINE_KEY>
+
  docker exec headscale headscale nodes register --key <YOUR_MACHINE_KEY> --user <USER_NAME>
  
 
'''Method 2: Register a machine using a pre authenticated key'''
 
'''Method 2: Register a machine using a pre authenticated key'''
  
Generate a key using the command line ...
+
Generate a key linked to a User ...
  
  docker exec headscale headscale --user <USER_NAME> preauthkeys create --reusable --expiration 24h
+
  docker exec headscale headscale preauthkeys create --reusable --expiration 24h --user <USER_NAME>
  
This will return a pre-authenticated key that can be used to connect a node to headscale during the tailscale command on the client ...
+
This will return a pre-authenticated key that can be used to connect a node to headscale during the tailscale login command on the client ...
  
 
  tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
 
  tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>

Revision as of 11:51, 31 May 2024

Introduction

Tailscale is a VPN service that uses WireGuard to create a fast, secure, and simple peer-to-peer network. Tailscale is a zero config VPN that works on any platform, service, or runtime. It encrypts all connections using WireGuard and integrates with 100+ tools for easy deployment and management.

Tailscale is a modern VPN built on top of Wireguard. It works like an overlay network between the computers of your networks - using NAT traversal.

Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the control server.

The control server works as an exchange point of Wireguard public keys for the nodes in the Tailscale network. It assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.

A Tailscale network (tailnet) is private network which Tailscale assigns to a user in terms of private users or an organisation.

Self Hosting

You can self host a Tailscale server with Headscale + Headscale UI.

Headscale is an open source, self-hosted implementation of the Tailscale control server. Headscale's goal is to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small open-source organisation.

Headscale UI is a web frontend for the headscale Tailscale-compatible coordination server.

YouTube - Jim's Garage - Self Host Tailscale with Headscale

Configure and run Headscale

Docker

You can self host a Tailscale server with Headscale + Headscale UI + Traefik docker containers.

Follow the instructions on the respective web sites and the YouTube (outdated though!) video to get started, including grabbing copies of the docker compose and headscale config/config.yaml files, then edit the first 3 options as follows ...

server_url: https://headscale.mydomain.com
listen_addr: 0.0.0.0:8080
metrics_listen_addr: 0.0.0.0:9090

Running headscale in a container

This is the directory layout for a Docker Compose method ...

/root/docker/stacks/headscale
|-- config
|   `-- config.yaml
|-- data
|   |-- db.sqlite
|   `-- noise_private.key
|-- docker-compose.yaml
`-- run
    `-- headscale.sock

3 directories, 5 files

... and this is the docker compose YAML file which has both Headscale and Headscale UI containers ...

services:

  headscale:
    container_name: headscale
    volumes:
        - ./config:/etc/headscale/
        - ./data:/var/lib/headscale/
        - ./run:/var/run/headscale/
    ports:
        - 8080:8080
        - 9090:9090
    image: headscale/headscale:0.23.0-alpha12
    environment:
      - TZ=Europe/London
    command: serve
    restart: unless-stopped
    networks:
      traefik:
        ipv4_address: 172.19.0.28
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.headscale.rule=PathPrefix(`/`) && Host(`headscale.mydomain.com`)"
      - "traefik.http.routers.headscale.entrypoints=websecure"
      - "traefik.http.routers.headscale.service=headscale"
      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
      - "traefik.http.services.headscale.loadbalancer.server.scheme=http"

  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    pull_policy: always
    container_name: headscale-ui
    restart: unless-stopped
    ports:
        - 9999:80
    networks:
      traefik:
        ipv4_address: 172.19.0.29
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik"
      - "traefik.http.routers.headscale-ui.rule=PathPrefix(`/web`) && Host(`headscale.mydomain.com`)"
      - "traefik.http.routers.headscale-ui.entrypoints=websecure"
      - "traefik.http.routers.headscale-ui.service=headscale-ui"
      - "traefik.http.routers.headscale-ui.middlewares=auth"
      - "traefik.http.services.headscale-ui.loadbalancer.server.port=80"
      - "traefik.http.services.headscale-ui.loadbalancer.server.scheme=http"
      - "traefik.http.middlewares.auth.basicauth.users=funkyusername:xxxxxxxxxxxxxxxxhashedxxxxpasswordxxxxxxxxxxxxxxx"

networks:
  traefik:
    external: true

Start up the containers, and you should see these lines in the docker logs ...

headscale     | 2024-05-31T10:53:13+01:00 INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
headscale     | 2024-05-31T10:53:13+01:00 INF Setting up a DERPMap update worker frequency=86400000
headscale     | 2024-05-31T10:53:13+01:00 INF listening and serving HTTP on: 0.0.0.0:8080
headscale-ui  | {"level":"info","ts":1717149193.3994539,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
headscale-ui  | {"level":"info","ts":1717149193.4059176,"msg":"serving initial configuration"}

Test the headscale server with curl and the docker image ...

curl 0.0.0.0:9090/metrics
docker exec headscale headscale --help
docker exec headscale headscale version
docker exec headscale headscale nodes list
docker exec headscale headscale apikeys list

Navigate to the Headscale UI web address you provided in the config.yml file with /web at the end - https://headscale.mydomain.com/web) and then you will see an error about Authentication and missing API key.

Generate your server's API key. You only get one chance to see this ...

docker exec headscale headscale apikeys create

... copy it, then go the Headscale UI Settings page and paste it there with your 'server_url' from the config file.

There is NO save settings button, it does it automatically but you can then press the Test Server Settings button.

Yay - you have successfuly set up your own self-hosted Tailscale server! :-)

Now you can add your first client device.

Client Devices

Linux

Generate a User on the Headscale server first, then register a Node linked to that User.

Users

docker exec headscale headscale users create <USER_NAME>

Nodes

Method 1: Register a machine using normal login

On a client machine, run the tailscale login command, which will output a machine key ...

tailscale up --login-server <YOUR_HEADSCALE_URL>

On the server, run the headscale nodes command to register that client machine node using that key to a User ...

docker exec headscale headscale nodes register --key <YOUR_MACHINE_KEY> --user <USER_NAME>

Method 2: Register a machine using a pre authenticated key

Generate a key linked to a User ...

docker exec headscale headscale preauthkeys create --reusable --expiration 24h --user <USER_NAME>

This will return a pre-authenticated key that can be used to connect a node to headscale during the tailscale login command on the client ...

tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>

Authentication

https://github.com/gmiles32/headscale-authelia

Remote Access

Remote Access using Tailscale

RustDesk > settings > Network > Direct IP Access + IP Address Whitelisting