Tailscale

From ArchWiki

Tailscale builds on top of WireGuard and provides OAuth2 (SSO), OpenID, and SAML authentication for peers to build a mesh network. It is crossplatform, has ACL settings and internal DNS.

Installation

Install tailscale. Alternatively, one can use unstable builds by installing the tailscale-gitAUR or tailscale-unstable-binAUR package.

It is also possible to run tailscale as a Docker container. This way, one can run multiple exit nodes on a single machine, each with its own tailnet.

Third-party clients

  • KTailctl — GUI to monitor and manage Tailscale.
https://github.com/f-koehler/KTailctl || ktailctlAUR
  • trayscale — An unofficial GUI wrapper for the Tailscale CLI client.
https://github.com/DeedleFake/trayscale || trayscaleAUR
  • tailscaledesktop — Unnofficial Tailscale desktop application.
https://gitlab.com/tailscaledesktop/application || tailscaledesktopAUR
  • tailscale-systray-git — Linux port of tailscale system tray menu.
https://github.com/mattn/tailscale-systray || tailscale-systray-gitAUR

Usage

To use tailscale, enable/start tailscaled.service and run the server as follows:

# tailscale up

You can authenticate a headless machine by specifying the auth key:

# tailscale up --authkey=tskey-KEY
Note: By default tailscale will send logs to their servers for central storage. You may want to opt out with one of the following steps:
  • Edit /etc/default/tailscaled to include TS_NO_LOGS_NO_SUPPORT=true
  • Edit /etc/default/tailscaled and add --no-logs-no-support to FLAGS
If you opt out of centralized logging, Tailscale may not be able to provide technical support.

Advanced usage

Using a custom Control Server

Using a custom control server like headscale is possible.

To login run

# tailscale up --login-server https://example.com

On headless systems a non-interactive login using a token is possible.

# tailscale up --login-server https://example.com --authkey your_auth_key

Running as a Docker container

Follow this guide for a general idea of how to run tailscale as a docker container.

As an exit node

In order to be able to use a tailscale instance running as a docker container as an exit node, we need to use a smaller MTU for the container's network. This is due to an MTU-related issue.

If you don't have one already, create a custom network:

# docker network create --opt com.docket.network.driver.mtu=1280 my_custom_network

Then, use that network for the container instance:

# docker run --detach --name=my_tailscale_container --network=my_custom_network --volume /var/lib/tailscale-exitnode-1:/var/lib/tailscale --env TS_STATE_DIR=/var/lib/tailscale --env TS_USERSPACE=1 --env TS_AUTHKEY=tskey-auth-XXX --env TS_EXTRA_ARGS='--advertise-exit-node' tailscale/tailscale

Note that:

  • By default, docker will create a network of type bridge, so no need to specify it here.
  • Use an auth key to authenticate the node. Authenticating with the regular SSO method usually takes too long, and the process may time out before initial authentication is successful.
  • Define TS_USERSPACE=1 so that the container doesn't need elevated permissions (CAP_NET_ADMIN and CAP_NET_RAW).
  • Bind mount an unused directory on the host (/var/lib/tailscale-exitnode-1) to /var/lib/tailscale inside the container, and also define TS_STATE_DIR=/var/lib/tailscale, so that tailscale will use a persistent state file. Without these, the exit node will use volatile memory to keep state, and thus get a new ID and tailnet IP address every time the container is restarted.

See also