Tailscale builds on top of WireGuard and provides OAuth2 (SSO), OpenID, and SAML authentication for peers to build a mesh network. It is cross-platform, has ACL settings and internal DNS.
Install the tailscale package. Alternatively, unstable builds are available from the AUR as the tailscale-git or tailscale-unstable-bin package.
It is also possible to run tailscale as a Docker container. This way, one can run multiple exit nodes on a single machine, each with its own tailnet.
To use tailscale, enable/start tailscaled.service and run the server as follows:
# tailscale up
You can authenticate a headless machine by specifying the auth key:
# tailscale up --authkey=tskey-KEY
Using a custom Control Server
Using a custom control server like headscale is possible.
To login run
# tailscale up --login-server https://example.com
On headless systems a non-interactive login using a token is possible.
# tailscale up --login-server https://example.com --authkey your_auth_key
Running as a Docker container
Follow this guide for a general idea of how to run tailscale as a docker container.
As an exit node
In order to be able to use a tailscale instance running as a docker container as an exit node, we need to use a smaller MTU for the container's network. This is due to an MTU-related issue.
If you don't have one already, create a custom network:
# docker network create --opt com.docker.network.driver.mtu=1280 my_custom_network
Then, use that network for the container instance:
# docker run --detach --name=my_tailscale_container --network=my_custom_network --volume /var/lib/tailscale-exitnode-1:/var/lib/tailscale --env TS_STATE_DIR=/var/lib/tailscale --env TS_USERSPACE=1 --env TS_AUTHKEY=tskey-auth-XXX --env TS_EXTRA_ARGS='--advertise-exit-node' tailscale/tailscale
- By default, docker creates a network of type bridge, so there is no need to specify it here.
- Use an auth key to authenticate the node. Authenticating with the regular SSO method usually takes too long, and the process may time out before initial authentication is successful.
- Use TS_USERSPACE=1 so that the container does not need elevated permissions.
- Bind mount an unused directory on the host (/var/lib/tailscale-exitnode-1 in the example above) to /var/lib/tailscale inside the container, and also define TS_STATE_DIR=/var/lib/tailscale, so that tailscale uses a persistent state file. Without these, the exit node keeps its state in volatile memory, and thus gets a new ID and tailnet IP address every time the container is restarted.
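The same exit node setup expressed as a Docker Compose file, added here as an example and not taken from the wiki or the Tailscale project. It assumes a file ./tailscale.env (mode 0600) holding only TS_AUTHKEY=tskey-auth-XXX, so the key stays out of the compose file and shell history, and that /var/lib/tailscale-exitnode-1 exists on the host; the service and network names are the ones used above.

```yaml
# docker-compose.yml for a tailscale exit node (added example, not from the page)
# Assumes ./tailscale.env contains TS_AUTHKEY=... and is readable only by root.
services:
  tailscale-exitnode-1:
    image: tailscale/tailscale
    container_name: my_tailscale_container
    hostname: exitnode-1              # assumed: used as the node name in the tailnet
    restart: unless-stopped
    env_file:
      - ./tailscale.env               # TS_AUTHKEY lives here, not inline
    environment:
      TS_STATE_DIR: /var/lib/tailscale  # persistent state, stable node ID and IP
      TS_USERSPACE: "1"                 # userspace networking, no NET_ADMIN needed
      TS_EXTRA_ARGS: --advertise-exit-node
    volumes:
      - /var/lib/tailscale-exitnode-1:/var/lib/tailscale
    networks:
      - my_custom_network

networks:
  my_custom_network:
    driver: bridge                    # the default type, spelled out for clarity
    driver_opts:
      com.docker.network.driver.mtu: "1280"   # the MTU workaround described above
```

The env file keeps the key out of `ps` output and shell history, but it is still visible via `docker inspect` to anyone who can talk to the Docker socket, so treat that socket as root-equivalent.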