tailscale

from behind the firewall

What

  • WireGuard
  • mesh network

Specifics

  • private overlay network
  • encrypted P2P connections
  • private services

Who

  • Developers
    • experimental services
  • Small business
    • Work From Home
  • Enterprise
    • Fine-grained access control

Home setup

VM

Uses my dotfiles on Fedora

Parts

Daemon

$ tailscaled &
$ systemctl start tailscaled

Control client

$ tailscale

Control server

https://login.tailscale.com/

Tailnet

$ tailscale up
To authenticate, visit:

        https://login.tailscale.com/a/8e1c9e44ca05

Success.

Let’s add

GitHub Codespaces

$ tailscale up

The network should now have 2 nodes

Ping

$ tailscale ping ngage
pong from ngage (100.103.237.1) via 10.0.21.193:41642 in 2ms

Direct link?

VM

$ watch -n1 \
	tailscale status

Codespace

$ tailscale ping [nodename]

A relay (DERP) is used first to establish the path; once NAT traversal succeeds, the status shows a direct connection

100.103.237.1   ngage                gbraad@      linux   active; direct 10.0.21.193:41642

What about

GitPod Workspace

$ tailscale up
$ tailscale status
100.112.112.8   workspace-to8ua08    gbraad@      linux   -
100.103.237.1   ngage                gbraad@      linux   -
100.88.207.80   ngage-podman         gbraad@      linux   -
100.77.26.55    codespaces-88c2bb    gbraad@      linux   -
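To check the "Direct link?" question without reading the table by eye, the following added shell snippet (not part of the original slides) classifies each peer line of `tailscale status` as direct, relay or idle. The idle and direct sample lines copy the formats shown above; the relay line is a constructed sample of the third shape the daemon prints, and `SAMPLE_STATUS` is a constructed stand-in for live output:

```shell
#!/bin/sh
# Constructed sample of `tailscale status` output (the relay line is made up
# here to show the third format the daemon prints for a DERP-relayed peer).
SAMPLE_STATUS='100.112.112.8   workspace-to8ua08    gbraad@      linux   -
100.103.237.1   ngage                gbraad@      linux   active; direct 10.0.21.193:41642
100.88.207.80   ngage-podman         gbraad@      linux   active; relay "fra", tx 1024 rx 2048'

# classify_line LINE -> prints "<hostname> <kind>", kind is direct, relay or idle
classify_line() {
    host=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$1" in
        *"active; direct"*) kind=direct ;;
        *"active; relay"*)  kind=relay ;;
        *)                  kind=idle ;;
    esac
    printf '%s %s\n' "$host" "$kind"
}

# classify_status STATUS_TEXT -> one "<hostname> <kind>" line per peer;
# lines that do not start with a tailnet address (100.x.y.z) are skipped
classify_status() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            100.*) classify_line "$line" ;;
        esac
    done
}

# relayed_peers STATUS_TEXT -> hostnames still going through a DERP relay
# (empty output means every active peer has a direct path)
relayed_peers() {
    classify_status "$1" | awk '$2 == "relay" {print $1}'
}

# Usage against a live daemon: relayed_peers "$(tailscale status)"
classify_status "$SAMPLE_STATUS"
```

A peer that stays on a relay still has an end-to-end WireGuard tunnel (DERP only forwards encrypted packets), but it means NAT traversal failed, so latency and throughput suffer; the `direct` column in `tailscale status` is the check to trust, since a `tailscale ping` reply can arrive via the relay.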

Access

  • Send files
  • SSH

Send files

Sender

$ echo "Hello, World" > hello
$ tailscale file \
	cp hello [nodename]:

Receiver

$ tailscale file \
	get ~/Downloads/
$ cat hello

You could use ssh for this, but does your phone?

SSH

Host

$ tailscale up \
	--ssh                  # advertise SSH

Client

$ tailscale ssh [nodename]
$ ssh [nodename]           # * MagicDNS needs to be enabled

Using a node name instead of its 100.x.y.z address only works when MagicDNS is enabled

Scale

  • SOCKS5 Proxy
  • Exit node

Proxy

$ tailscaled \
	--tun=userspace-networking \
	--socks5-server=localhost:3215
$ curl \
	--proxy socks5://localhost:3215 \
	https://ifconfig.co/json

Exit node

Host

$ tailscale up \
	--advertise-exit-node

Client

$ tailscale up \
	--exit-node=[nodename] \
	--exit-node-allow-lan-access
$ curl ifconfig.co

Make sure the exit node has been approved in the control server (admin console) before clients can select it

tsnet (services)

Set up private services

Control server

Alternatives

Links