Tailscale

Tailscale builds on top of WireGuard and provides OAuth2 (SSO), OpenID, and SAML authentication for peers to build a mesh network. It is crossplatform, has ACL settings and internal DNS.

Installation

Install tailscale. Alternatively, one can use unstable builds by installing the tailscale-git^AUR or tailscale-unstable-bin^AUR package.

It is also possible to run tailscale as a Docker container. This way, one can run multiple exit nodes on a single machine, each with its own tailnet.

Usage

To use tailscale, enable/start tailscaled.service and run the server as follows:

# tailscale up

You can authenticate a headless machine by specifying the auth key:

# tailscale up --authkey=tskey-KEY

Note: By default tailscale will send logs to their servers for central storage. You may want to opt out with one of the following steps:

Edit /etc/default/tailscaled to include TS_NO_LOGS_NO_SUPPORT=true
Edit /etc/default/tailscaled and add --no-logs-no-support to FLAGS

By opting out of centralized logging, you are also opting out of receiving support from tailscale.

Advanced usage

Using a custom Control Server

Using a custom control server like headscale is possible.

To login run

# tailscale up --login-server https://example.com

On headless systems a non-interactive login using a token is possible.

# tailscale up --login-server https://example.com --authkey your_auth_key

Running as a Docker container

Follow this guide for a general idea of how to run tailscale as a docker container.

As an exit node

In order to be able to use a tailscale instance running as a docker container as an exit node, we need to use a smaller MTU for the container's network. This is due to an MTU-related issue.

If you don't have one already, create a custom network:

# docker network create --opt com.docket.network.driver.mtu=1280 my_custom_network

Then, use that network for the container instance:

# docker run --detach --name=my_tailscale_container --network=my_custom_network --volume /var/lib/tailscale-exitnode-1:/var/lib/tailscale --env TS_STATE_DIR=/var/lib/tailscale --env TS_USERSPACE=1 --env TS_AUTHKEY=tskey-auth-XXX --env TS_EXTRA_ARGS='--advertise-exit-node' tailscale/tailscale

Note that:

By default, docker will create a network of type bridge, so no need to specify it here.
Use an auth key to authenticate the node. Authenticating with the regular SSO method usually takes too long, and the process may time out before initial authentication is successful.
Define TS_USERSPACE=1 so that the container doesn't need elevated permissions (CAP_NET_ADMIN and CAP_NET_RAW).
Bind mount an unused directory on the host (/var/lib/tailscale-exitnode-1) to /var/lib/tailscale inside the container, and also define TS_STATE_DIR=/var/lib/tailscale, so that tailscale will use a persistent state file. Without these, the exit node will use volatile memory to keep state, and thus get a new ID and tailnet IP address every time the container is restarted.