Tailscale
Tailscale builds on top of WireGuard and provides OAuth2 (SSO), OpenID, and SAML authentication for peers to build a mesh network. It is crossplatform, has ACL settings and internal DNS.
Installation
Install tailscale. Alternatively, one can use unstable builds by installing the tailscale-gitAUR or tailscale-unstable-binAUR package.
It is also possible to run tailscale as a Docker container. This way, one can run multiple exit nodes on a single machine, each with its own tailnet.
Third-party clients
- KTailctl — GUI to monitor and manage Tailscale.
- trayscale — An unofficial GUI wrapper for the Tailscale CLI client.
- tailscaledesktop — Unnofficial Tailscale desktop application.
- tailscale-systray-git — Linux port of tailscale system tray menu.
Usage
To use tailscale, enable/start tailscaled.service and run the server as follows:
# tailscale up
You can authenticate a headless machine by specifying the auth key:
# tailscale up --authkey=tskey-KEY
- Edit
/etc/default/tailscaledto includeTS_NO_LOGS_NO_SUPPORT=true - Edit
/etc/default/tailscaledand add--no-logs-no-supporttoFLAGS
Advanced usage
Using a custom Control Server
Using a custom control server like headscale is possible.
To login run
# tailscale up --login-server https://example.com
On headless systems a non-interactive login using a token is possible.
# tailscale up --login-server https://example.com --authkey your_auth_key
Running as a Docker container
Follow this guide for a general idea of how to run tailscale as a docker container.
As an exit node
In order to be able to use a tailscale instance running as a docker container as an exit node, we need to use a smaller MTU for the container's network. This is due to an MTU-related issue.
If you don't have one already, create a custom network:
# docker network create --opt com.docket.network.driver.mtu=1280 my_custom_network
Then, use that network for the container instance:
# docker run --detach --name=my_tailscale_container --network=my_custom_network --volume /var/lib/tailscale-exitnode-1:/var/lib/tailscale --env TS_STATE_DIR=/var/lib/tailscale --env TS_USERSPACE=1 --env TS_AUTHKEY=tskey-auth-XXX --env TS_EXTRA_ARGS='--advertise-exit-node' tailscale/tailscale
Note that:
- By default, docker will create a network of type
bridge, so no need to specify it here. - Use an auth key to authenticate the node. Authenticating with the regular SSO method usually takes too long, and the process may time out before initial authentication is successful.
- Define
TS_USERSPACE=1so that the container doesn't need elevated permissions (CAP_NET_ADMINandCAP_NET_RAW). - Bind mount an unused directory on the host (
/var/lib/tailscale-exitnode-1) to/var/lib/tailscaleinside the container, and also defineTS_STATE_DIR=/var/lib/tailscale, so that tailscale will use a persistent state file. Without these, the exit node will use volatile memory to keep state, and thus get a new ID and tailnet IP address every time the container is restarted.
Tips and tricks
Using with NetworkManager
If you use with NetworkManager, you may notice connection issues with other devices on your tailnet. This is due to management conflict happening with NetworkManager and tailscaled.
To get it working, get NetworkManager to set tailscale0 as unmanaged.
To do so, simply create a config like /etc/NetworkManager/conf.d/99-tailscale.conf with the contents of:
[keyfile] unmanaged-devices=interface-name:tailscale0
Then restart NetworkManager and tailscaled.
# sudo systemctl restart NetworkManager # sudo systemctl restart tailscaled
After this, you should be able to ping other devices on your tailnet.