Tailscale

• Tailscale Website
• GitHub
• CLient open source, original control server component not, although there's
  • Headscale
  • ionscale

Docs

• How Tailscale works
• Configuring Linux DNS
• Manage your Tailscale resources with Terraform
  • tailscale terraform provider
• Network access controls (ACLs)
• Tailscale on Kubernetes

Install

• Client in Golang, packages in a PPA
• Repology.org
• tailscale snap is outdated
• Download tailscale

Arch:

sudo pacman -S tailscale

Raspberry Pi

Install Tailscale on Rasperry Pi

sudo apt-get install apt-transport-https
curl -fsSL https://pkgs.tailscale.com/stable/raspbian/$(lsb_release  -cs).noarmor.gpg \
  | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
curl -fsSL https://pkgs.tailscale.com/stable/raspbian/$(lsb_release  -cs).tailscale-keyring.list \
  | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt-get update
sudo apt-get install tailscale

DNS

• Tailscale overrides /etc/resolv.conf, when the tunnel is up local name resolving doesn't work anymore.
  • Why is resolv.conf being overwritten?
  • Configuring Linux DNS
  • Interface-specific DNS not set if not overriding local nameserver
• Private DNS with MagicDNS

Config

• State file: /var/lib/tailscale/tailscaled.state

Show basic infos:

sudo jq -r ._profiles /var/lib/tailscale/tailscaled.state  | base64 -d | jq

Show details incl. advertised routes etc.:

current_profile=$(jq -r '."_current-profile"' /var/lib/tailscale/tailscaled.state | base64 -d)
sudo jq -r ".\"$current_profile\"" /var/lib/tailscale/tailscaled.state | base64 -d | jq

Advertise routes:

tailscale set --advertise-routes=192.168.223.20/32,192.168.223.21/32,192.168.223.28/32

Clients need to accept advertised routes:

sudo tailscale set --accept-routes

Further usage

tailscale status
tailscale ip casita

Issues

Captive portals

• Captive Wi-fi portal login didn't show up
  • Better support captive portals in Hotels, Airports, etc
• FR: Flag health errors for self-signed or otherwise invalid certificates
  • MR: control/controlclient: cache control key
• Firefox Docs: Captive portal detection

How to fix Tailscale with captive portals

• Problem: No DNS resolution works because Tailscale is the default resolver (configured for DNS Domains: ~.)
• Solution: Add ~. to the Additional search domains of the configured Wifi connection in the Network Manager UI. This will route all DNS queries directly over the wifi interface, circumventing the catch-all DNS resolution of Tailscale. Beware: This might have other side-effects !

Ansible role

see headscale.md

Tailscale on Kubernetes

• Tailscale on Kubernetes
• Helm Charts repository
  • Contains currently only the helm chart for Tailscale K8s operator
• K3s Tailscale integration

nftables

• Suppor nftables is still WIP
  • nftables support just got merged

This commit adds nftable rule injection for tailscaled. If tailscaled is started with envknob TS_DEBUG_USE_NETLINK_NFTABLES = true, the router will use nftables to manage firewall rules.

Subnet router

• Docs: Subnet routers
  • Quick guide: Configure a subnet router Setup:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf