The Holy Grail Of Networking: Tailscale


It’s been a long time since I’ve been impressed this much by a piece of software. I love this software almost as much as I love Node-RED. I’ve wanted the ability to have different machines in different locations all connected in a way that I could browse them simply and easily, without needing a degree in IPsec or advanced Cisco networking to actually set them up. Yesterday, I stumbled across Tailscale. TL;DR: it’s a game changer!

Tailscale.com

In this post, I’m going to go through a quick tutorial on how to set it up on your devices. I’ll focus mainly on Unraid, Windows and Linux. By the time we’ve done that, you’ll have the hang of it. I also installed it on my iPad and Android phone literally within seconds. If that’s not enough to get you excited, in the second half of the post I’m going to show you some tricks which blew my mind. Let’s get after it!

I was watching a video on YouTube yesterday by Ibracorp (link below). If you use Unraid, I’d strongly suggest you follow him. He’s right up there with Spaceinvader One. He was showing how to configure Tailscale. I hadn’t even heard of Tailscale before this point, yet within an hour or so I had the network set up that I could only have dreamed about! Tailscale is what’s known as a zero-config VPN. It’s built on WireGuard, so it’s fast and relatively lightweight, but it doesn’t require a single port forward. Yes, you read that right:

NOT A SINGLE PORT FORWARD!

I have both WireGuard and OpenVPN set up on my main workstations and servers as backups, but compared to this they seem basic and clunky to set up. Previously I messed around with ZeroTier (a similar concept, i.e. zero config) but I had mixed results with that. The administration side of things wasn’t great, and I could never get Unraid to connect properly with it. I watched the video and decided to give Tailscale a try. I’ll skip quickly through the steps I took here for those of you who measure attention span in Instagram posts 🙂

Unraid

My Network Layout Simplified

Consider my current set-up. My remote network is in another country and is on subnet 192.168.1.0/24. My local network is 192.168.2.0/24. What we want to do is bridge these networks in a quick and efficient way, so that we can effectively browse them both as if they were on the same network. Let’s start with Unraid.

Go to the Community Applications tab, find Tailscale and install it. Next we go to the template and add the Tailscale container (not the client).

Tailscale Community Apps

Add this argument in the UP_FLAGS field: --advertise-routes=192.168.1.0/24

Tailscale Container Template

Change the subnet to whatever remote network you want to access. In layman’s terms, we’re asking Unraid here to set up a Tailscale node for direct access, but also to advertise routes to the other machines on the 192.168.1.0/24 network.

Now hit Apply, and you’re done. You’ll have to check the container logs, where you should see a URL you need to visit to authenticate.

Checking the Logs for the Tailscale authentication link

I chose to authenticate using GitHub, but you have options here. Copy and paste the link and authenticate. This will effectively create a Tailscale account for you; all administration of Tailscale is done from this admin console. After a moment you should see your Unraid machine appear and, if you’ve followed these steps, it should show as connected.

Windows

Now that we have Unraid connected to Tailscale, we need to test it out. Download and install the Tailscale installer from here. Alternatively you can use Chocolatey to install it, using this simple PowerShell command (as admin):

choco install tailscale -y

If you’re not using Chocolatey, you should be! Not only does it make it easy to install or uninstall applications, it allows for easy automated updating. You can read more about that here. Once installed, you will need to authenticate again using the same account you used previously for Unraid (GitHub in my case). Once authenticated, you should see your Windows PC in your machine list. Again, it should show as connected. At this point you should be able to use the IP address that Tailscale has assigned next to your Unraid machine to connect directly.

Tailscale Machine List

At this point you’re done! That’s it. No port forwarding. No scanning QR codes or trying to work out public vs private keys. No PuTTY, no SHA, you don’t even have to look at the number 2048! How cool is that? One caveat: you will have to be connected to the Tailscale network to be able to simply use the IP addresses, so if you close down the Tailscale daemon in the taskbar, the address won’t go through. Also, for servers it’s probably a good idea to disable key expiry so the node doesn’t silently drop off the network when its key expires. You can do this by clicking on the three dots at the end of the line.

Linux

Now that we have the network up and running, let’s add an Ubuntu server into the mix. Mine is running 21.04 and houses my complete local Docker stack. SSH into the server as normal and run the following commands:

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | sudo apt-key add -

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | sudo tee /etc/apt/sources.list.d/tailscale.list

sudo apt-get update

sudo apt-get install tailscale

You should then see the Tailscale authentication link appear on the screen. Like before, copy it into the browser and authenticate again. Once authenticated, you will need to run just one more command:

sudo tailscale up

You should now see your Ubuntu server appear in your machine list. Again, assuming there’s a little green icon and it shows as connected, you should be able to SSH into the server using your normal credentials, only this time you don’t need to use the local IP address. You can use the Tailscale one that you’ve been assigned, i.e. ssh user@100.x.x.x, substituting the address shown in the machine list.

Tablets and Smartphones

For these, installing Tailscale is as simple as downloading and installing the app. I’m not going to take you through this. You download, authenticate and then flick the toggle in the app (same for Android and iOS). Once authenticated in the app, you’ll see them appear in the machine list. You toggle on or off to connect to the network. On my OnePlus 9 Pro, I toggled the connection on and could instantly browse my Unraid server and SSH into my Ubuntu server using the Tailscale-generated IP addresses.

The above literally took me about 30 minutes to run through and I was completely connected. Now here’s how to take it a step further.

Tips and Tricks

Let’s start with Unraid. Once you have your Tailscale container working, open up the console in Unraid and paste in the following:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

This enables IP forwarding on the host, i.e. letting the kernel pass packets between interfaces (this is not port forwarding on your router, which is still not needed). The subnet router needs it to relay traffic for the subnet we advertised with "--advertise-routes=192.168.1.0/24" in our original container configuration. If for whatever reason you wanted to reverse or reset this, you would simply change the = 1 to = 0 in the same commands, i.e. echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf would become echo 'net.ipv4.ip_forward = 0' | sudo tee -a /etc/sysctl.conf. Note that tee -a appends a new line rather than editing the old one, so the last matching line in sysctl.conf is the one that takes effect.

Now click on the three dots after your Unraid machine in Tailscale’s admin console.

Reviewing the Route Settings
Enabling the Subnet

Click on review route settings. You should see your subnet appear at the top. Click to enable it. Wait a few moments and you should then see the subnet appear underneath the Tailscale-generated IP address.

Alternative IP addresses

You should now be able to browse the remote LAN. In my instance, everything on 192.168.1.0/24 became available to me. Even for the Unraid machine itself, it meant I could use its default 192.168.1.X address or the 100.X.X.X address that Tailscale was giving me. This means that if you have a device that you cannot connect to Tailscale, you can still access it. That remote IP camera or smart plug? No problem! This is great. That’s not all. It also means that in Windows I can now map an Unraid server share as a simple network drive. Literally add the location in Windows Explorer with your Unraid login credentials and you’re done. No need for complicated file managers or FTP clients; I can drag and drop right from the desktop!

Mapping a network drive in Windows

Are you impressed yet? No? Well, there’s more.

Home-Assistant

This blog is primarily smarthome focused, so let’s dig a little deeper. I am a keen user of Home-Assistant and Node-RED. I was paying for Nabu Casa at one point, as I liked the idea of remote access to the home when I was away. Unfortunately, I was struggling to stay connected with Nabu Casa and in the end I gave up on it. Instead I was relying on an OpenVPN connection to access it: I’d toggle the VPN connection on and then use the mobile app as normal. I then had an issue where I moved home and internet provider, and now I’m under CG NAT (carrier-grade NAT). That is, I am unable to accept inbound VPN connections, although there are third-party solutions like ngrok etc. With Tailscale, this isn’t needed any more. I found someone had written a Tailscale integration for Home-Assistant!

If you’re running Hass.io (or Supervised), go to the Supervisor panel -> Add-on Store and click the dots in the top right.

Add the following repository:

https://github.com/tsujamin/hass-addons

Then go to the add-ons section and scroll down until you see Tailscale.

Tailscale Repository in Add-ons

Install it and click on Documentation. As you can see, you’ll need to get an auth key from here:

Tailscale Menu
Authentication Keys for Tailscale

Grab the key, paste it into the auth_key section under Configuration in the add-on, and give yourself a hostname. Save and then start the add-on. You’ll see it appear in your machine list and it should show as connected. The best thing about this is that you will be given an IP address 100.x.x.x. Now go to your Home-Assistant mobile app and paste that IP address in as the external URL (remember to add the port and the slash at the end). Turn off your Wi-Fi and (as long as you’re connected via Tailscale) you now have external access to Home-Assistant for free. Again, no port forwarding required!

Home-Assistant App Configuration

Now you won’t get any of the good stuff that Nabu Casa also provides by way of Alexa/Google integration etc., but not everyone needs that, although I would suggest it’s worth paying the price just to support the devs.

Heimdall

Another little item I set up yesterday was my browser’s homepage. I’m a keen user of Heimdall on my main machine. I like that it can use APIs to display additional information about some of the Docker containers I’m running. It lets me use DuckDuckGo as a search engine, but also, with the click of a tile, I can access my servers, my router and my various applications quickly and easily. I have Heimdall running through Portainer on my Linux server. As this is now permanently connected to Tailscale, there’s no reason why I can’t make my Heimdall page the default home page for all my devices, regardless of where I am in the world.

Pi-Hole

I have Pi-hole running on my Unraid server. Thanks to Tailscale, I can now have all my devices use the same Pi-hole as their DNS server (centralised ad-blocking). I would recommend adding a secondary DNS server, though, so that you don’t lose name resolution if you forget to connect to Tailscale.

Exit Nodes

Last but not least, I haven’t touched on exit nodes. As well as joining all the devices together in one network, Tailscale also allows you to designate some of the devices as an exit node, that is, you can route your internet traffic through them. You may or may not want this depending on your needs. For example, if I want my Unraid server in country B to be an exit node, all I need to do is add an additional UP_FLAGS parameter in the container template:

--advertise-exit-node

(You can paste this directly after advertising the subnet.) Then you switch on the exit node in the same place where we enabled the subnet routes. As we have already enabled IP forwarding on Unraid above (via the console), this should work immediately. I tested this and my local internet traffic went via the Unraid server (verified by checking my public IP address).
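Both the subnet-router and exit-node steps above boil down to getting the UP_FLAGS string right and making sure the subnet you advertise doesn’t collide with anything. The example below is added here as an illustration; it is not code from this post or from Tailscale. The only Tailscale facts it relies on are that node addresses come from the CGNAT range 100.64.0.0/10 (the 100.x.x.x addresses mentioned above) and that --advertise-routes accepts a comma-separated list of CIDRs. The function names are my own, and the sample subnets are the ones from this post (remote 192.168.1.0/24, local 192.168.2.0/24). It does not touch the sysctl forwarding step, which still has to be done on the host.

```python
from ipaddress import ip_address, ip_network

# Tailscale assigns every node an address from the CGNAT range 100.64.0.0/10.
TAILSCALE_RANGE = ip_network("100.64.0.0/10")


def is_tailscale_ip(addr: str) -> bool:
    """True if addr is one of the 100.x.x.x addresses Tailscale hands out."""
    return ip_address(addr) in TAILSCALE_RANGE


def check_advertised_routes(routes, client_lans):
    """Return a list of problems with the subnets a subnet router is about to advertise.

    routes      -- CIDRs destined for --advertise-routes (the remote LAN)
    client_lans -- CIDRs of the LANs your client devices sit on

    Checks: each route parses as a network (no host bits set), routes do not
    overlap one another, no route overlaps Tailscale's own address range, and
    no route overlaps a client's local LAN. The last one matters most: if the
    remote and local LANs share an address range, the client cannot tell
    which side a 192.168.x.y packet belongs to and traffic lands on the wrong one.
    """
    problems = []
    parsed = []
    for r in routes:
        try:
            net = ip_network(r, strict=True)
        except ValueError as exc:
            problems.append(f"{r}: not a valid network ({exc})")
            continue
        if net.overlaps(TAILSCALE_RANGE):
            problems.append(f"{r}: overlaps Tailscale's own range {TAILSCALE_RANGE}")
        for earlier in parsed:
            if net.overlaps(earlier):
                problems.append(f"{r}: overlaps another advertised route {earlier}")
        parsed.append(net)
    for net in parsed:
        for lan in client_lans:
            lan_net = ip_network(lan, strict=False)
            if net.overlaps(lan_net):
                problems.append(f"{net}: overlaps client LAN {lan_net}")
    return problems


def build_up_flags(routes, exit_node=False):
    """Build the flag string for the Unraid UP_FLAGS field (or `tailscale up`)."""
    flags = []
    if routes:
        flags.append("--advertise-routes=" + ",".join(routes))
    if exit_node:
        flags.append("--advertise-exit-node")
    return " ".join(flags)


if __name__ == "__main__":
    # Constructed example matching this post: remote LAN 192.168.1.0/24,
    # client on 192.168.2.0/24, Unraid also acting as an exit node.
    routes = ["192.168.1.0/24"]
    for problem in check_advertised_routes(routes, ["192.168.2.0/24"]):
        print("problem:", problem)
    print("UP_FLAGS:", build_up_flags(routes, exit_node=True))
```

Run it before you change the container template: an empty problem list means the flags it prints are safe to paste into UP_FLAGS, and anything reported (a typo in the CIDR, or a remote LAN that happens to use the same 192.168.x.0/24 as the network you are sitting on) is exactly the kind of thing that makes "subnet passthrough" appear not to work.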

There’s a lot more that can be done with Tailscale, and I am just scratching the surface, but considering I had all of this set up in maybe a couple of hours and it’s working perfectly, I am hugely impressed. I’d wanted a set-up like this for years, but my eyes glazed over every time someone mentioned MASQUERADE or iptables etc.

References and Thanks

I want to give thanks where it’s due. The initial video I watched on YouTube can be found here:

They also have a great write-up to go with the video, which can be found here. There’s a lot more information about exit node configuration and more on MagicDNS.

Ibracorp has a fantastic Discord server where people are genuinely helpful and take the time to advise and work with you. I strongly recommend you take a look. https://discord.gg/VWAG7rZ

Huge thanks to @Hawks and @DiscDuck on there for literally holding my hand yesterday and helping me get the subnet passthrough ironed out. It’s not the first time these guys have helped me!

Thank you Hawks & DiscDuck

In Summary

I am absolutely stoked that I’ve managed to get this set up and working as above. This will make my life a lot easier, and whilst I’ll still keep OpenVPN as a backup, it means I have removed WireGuard and ZeroTier from my install. It’s saved me from some port forwarding and allowed me to close ports on both routers, as well as on my Ubuntu machine (UFW). It’s also allowed me to get around CG NAT locally, which was hindering me big time.

If you’re interested in sharing your own solutions, tips and tricks with like-minded people, perhaps you’d consider joining our Facebook group. The aim of this group will hopefully be more show and tell rather than support, but that’s not to say we can’t lend a helping hand!

https://www.facebook.com/groups/386238285944105

Also if you’re interested in supporting the blog, feel free to check out my Smarthome Book available in all good book stores. If you’re thinking of doing a renovation, maybe this will save you some heartache!

Considering a Renovation? Maybe this will save you money!

Comments

  1. Would you be open to sharing some explanation in layman’s terms for what in the world you’re using Tailscale to do, why it’s an improvement, etc.? You sound excited by it but I don’t really get the original problem you had or solution this addresses. Who is this good for and why? I did get that it’s a ton of steps to install and reconfigure stuff so it would be cool to know why I’d want all those headaches. Thanks!

    1. Ok so this has helped me on so many levels… I’ll list the main ways it’s helped me:

      1) I can now access my local home-assistant installation remotely wherever I am using a simple IP address provided by tailscale (no need to pay for nabu casa, don’t need to manually connect to a VPN).

      2) I am behind CG NAT – that is carrier-grade NAT. My public IP address is shared, so I couldn’t use OpenVPN (for example) to reverse into my LAN. Now I can access it remotely.

      3) I can browse the remote subnet (different country) as if it were my own. Locally I am 192.168.2.0/24, remote I am 192.168.1.0/24. I can browse any docker container, device, router etc. without any additional steps. Even something like a smartplug which is relatively dumb, I can turn on remotely if I want to.

      4) I have an unraid server which I use for backup on the remote LAN. As the subnets are fully browsable, I can just map the share to my main workstation as if it were on my LAN. No need for a manual VPN connection or port forwarding, no need to use FileZilla for example and having to connect. I can literally just use Windows Explorer.

      5) I can set up pi-hole once, and use it for every single device on either network. My phones/tablets/laptops are permanently connected to tailscale (it’s super lightweight/low latency) and so I have ad and malware blocking no matter where I am in the world, on 4G or wifi it doesn’t matter.

      6) I can run a second home-assistant app on android and link it to the remote instance in the other country. I now have remote monitoring and control without any additional grief. I can just enter the 192.168.1.0/24 address and login to the 2nd app.

      All of the above was configured in under an hour with no port forwarding, no funky iptables or messing with masquerade.

      As far as it taking time and lots of install steps it’s really not.
      1) Phones and tablets: you download from the store and log in with GitHub – < 1 minute each
      2) Windows machines: download using choco, log in using GitHub – 1-2 mins each
      3) Linux machines: run 4-5 lines of code and log in using GitHub, run one last line of code – < 2 mins
      4) Unraid: probably the hardest because you needed to run some cmd line codes, so let's say that's 20 minutes.
      And it's quick... I don't notice it's on.

  2. Interesting article. I have gone through a similar curve with VPNs, zerotier and now am running tailscale in a very similar setting with home assistant and other services. I would also suggest to use duckdns for your tailscale IPs (at least on HASS) just in case you need to request new end-point IP. Thanks for the great writeup.

    1. Thanks for the kind words. Can I ask how exactly you’re using DuckDNS for the IPs? I assume you mean in case tailscale changes the IPs down the line you won’t need to amend your configurations? If I understood that correctly, how are you keeping the domain name and the tailscale IP in sync?
