Tailscale

Tailscale builds on top of WireGuard and provides OAuth2 (SSO), OpenID, and SAML authentication for peers to build a mesh network. It is crossplatform, has ACL settings and internal DNS.

Install tailscale.

It is also possible to run tailscale as a Docker container. This way, one can run multiple exit nodes on a single machine, each with its own tailnet.

• KTailctl — GUI to monitor and manage Tailscale.

https://github.com/f-koehler/KTailctl || ktailctl^AUR

• trayscale — An unofficial GUI wrapper for the Tailscale CLI client.

https://github.com/DeedleFake/trayscale || trayscale^AUR

• tailscaledesktop — Unnofficial Tailscale desktop application.

https://gitlab.com/tailscaledesktop/application || tailscaledesktop^AUR

• tailscale-systray-git — Linux port of tailscale system tray menu.

https://github.com/mattn/tailscale-systray || tailscale-systray-git^AUR

To use tailscale, enable/start tailscaled.service and run the server as follows:

# tailscale up

You can authenticate a headless machine by specifying the auth key:

# tailscale up --authkey=tskey-KEY

Using a custom control server like headscale is possible.

To login run

# tailscale up --login-server https://example.com

On headless systems a non-interactive login using a token is possible.

# tailscale up --login-server https://example.com --authkey your_auth_key

Follow this guide for a general idea of how to run tailscale as a docker container.

In order to be able to use a tailscale instance running as a docker container as an exit node, we need to use a smaller MTU for the container's network. This is due to an MTU-related issue.

If you do not have one already, create a custom network:

# docker network create --opt com.docket.network.driver.mtu=1280 my_custom_network

Then, use that network for the container instance:

# docker run --detach --name=my_tailscale_container --network=my_custom_network --volume /var/lib/tailscale-exitnode-1:/var/lib/tailscale --env TS_STATE_DIR=/var/lib/tailscale --env TS_USERSPACE=1 --env TS_AUTHKEY=tskey-auth-XXX --env TS_EXTRA_ARGS='--advertise-exit-node' tailscale/tailscale

Note that:

• By default, docker will create a network of type bridge, so no need to specify it here.
• Use an auth key to authenticate the node. Authenticating with the regular SSO method usually takes too long, and the process may time out before initial authentication is successful.
• Define TS_USERSPACE=1 so that the container does not need elevated permissions (CAP_NET_ADMIN and CAP_NET_RAW).
• Bind mount an unused directory on the host (/var/lib/tailscale-exitnode-1) to /var/lib/tailscale inside the container, and also define TS_STATE_DIR=/var/lib/tailscale, so that tailscale will use a persistent state file. Without these, the exit node will use volatile memory to keep state, and thus get a new ID and tailnet IP address every time the container is restarted.

If you use NetworkManager, you may notice connection issues with other devices within your tailnet. This is due to a management conflict that is happening between NetworkManager and tailscaled.

To clear this up, we need NetworkManager to unmanage the tailscale network devices (e.g. tailscale0).

To do so, simply create a config like /etc/NetworkManager/conf.d/99-tailscale.conf with the contents of:

[keyfile]
unmanaged-devices=interface-name:tailscale0

Then restart NetworkManager.service and tailscaled.service.

You may also need to cycle tailscale:

# tailscale down
# tailscale up

After this, you should be able to ping other devices on your tailnet.

Tailscale expects system with working systemd-resolved to set up DNS server and search suffixes from tailnet configuration, otherwise it tries to overwrite /etc/resolv.conf.

• https://tailscale.com/
• https://github.com/juanfont/headscale