#tailnet — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #tailnet, aggregated by home.social.
-
Pretty pleased with myself over the last few days:
⁃ Intel #MacMini (IMM) brought back from retirement
⁃ IMM repurposed as the main #Plex server
⁃ IMM #Docker installed and a custom #PiHole container installed
⁃ IMM PiHole now used to provide #DNS for my #Tailscale #Tailnet **
⁃ So I’m fully DNS’ed and de-advertised on all my Tailnet devices
The #Synology NAS has never had CPU and memory loads so low since taking Plex off it.
The only issue I have is that only one client address shows in PiHole, but I think that is a side effect of using Tailscale.
** - Means my good lady, who doesn’t trust the technology (no Tailscale), can use her devices how she wishes
Pretty darned chuffed!
-
Once I'm comfortable with the basics of using tailscale, I'll probably try the netbird thing maybe in future.
Next thing I'm gonna try is the serve and funnel features. So maybe at the end, I want a funnel connection to caddy (using podman) in my PC and act as a reverse proxy to a simple hello world program running in multiple nodes in my tailnet😄
Let's see how it goes. Thanks to wireguard ❤️
Feel free to guide me
#tailscale #tailnet #funnel #server #caddy #reverseproxy #network #wireguard
-
Tailscale is way too easy to set up. I'm not a network expert, so this really helps me a lot in setting up a secure connection between my devices. Love the free tier - 100 devices and 3 users (really great). Connection between my devices is really seamless. Had to fiddle with some tailscale options in nixos to avoid doing sudo, pretty simple too. Joined another tailnet (also mine) and shared the machines to my network. Super easy and fun.
-
#HomeLab. The moment of enlightenment.
Every #docker container on the Tailnet member has access to your Tailnet.
For example, Uptime Kuma can send requests to any of your #Tailscale devices. Any service with server-side processing is a potential hole into your #Tailnet when it is public or someone other than you has access to it.
Be careful. ACL rules are a must in such cases.
-
Going in all directions today 😅🤪
How are you guys feeling with using #tailscale versus sticking to "plain vanilla" #wireguard for your #VPN between domestic systems (phone, tablet, home PC, #VPS, ...)?
I do see the value of #tailscale to avoid manually generating many keys when a new device joins the network, a central view of your #tailnet, ...
But it's not #foss (at least not the coordination server), and its impact on battery (at least on iPhone) is quite significant.
Staying a "purist" or accepting the facility of a service running on top of a great protocol? 😅
-
I did a thing - a simple docker container for getting a quick shell within your #tailscale #tailnet.
https://github.com/markallanson/tailnet-shell
Low effort, high impact (at least for me, being able to get a shell running inside my tailnet from anywhere with very little work)
-
After a few nights and weekends of mashing keys, I have figured out the right order to bring up a #nixos instance built for #proxmox, provision it with #colmena, shove secrets on it with #sops, bring up a docker container, and get it on my @tailscale #tailnet. I don’t know how many times I nearly gave up, but it paid off, and I’m thrilled.
Now to do it again.
-
Seamlessly access local services on LAN and Tailnet
As I am passionate about self-hosting, I have been setting up various services in my homelab, in addition to those on my cloud servers. I have also been using Tailscale to access my devices and services while not at home. So I have wanted to have a seamless way to access the services, irrespective of whether I am on my home local area network (LAN) or connected to it via Tailscale. Below are my requirements for such a setup.
- All the devices/services should be accessible using a fully-qualified domain name (FQDN), under a domain that I own and control. This rules out the auto-generated Tailscale subdomains.
- I have a LinuxServer.io SWAG reverse proxy in front of all the services in my homelab, and it provides TLS termination. So I would like to access the existing services using TLS at all times.
- While I could set up a Tailscale subnet router that allows access to my LAN, I do not want to allow the devices on my Tailnet full access to my LAN. And I do not want to redo my home LAN setup to isolate things to be able to do this.
- The FQDNs of the exposed services should resolve to a LAN IP address when I am in my home LAN and to a Tailnet-specific address when I am not at home and connected to my Tailnet.
- It should be possible to expose more services using this setup in the future, even if they are not behind the SWAG reverse proxy.
- The base domain that I want to use for this should not have any publicly accessible DNS records pointing to private IP addresses for this setup to work.
- The resulting setup should integrate into my existing `docker-compose` configuration.
The Tailscale docker documentation illustrates a way to expose LAN services on a Tailnet, but the example on that page causes the service(s) to be accessible only over the Tailnet. So it doesn’t work for me.
To start, I added a Tailscale docker container to my `compose.yaml` file using a configuration like
```yaml
services:
  tailscale:
    image: tailscale/tailscale
    container_name: tailscale
    hostname: <tailnet device name>
    environment:
      - TS_ACCEPT_DNS=true
      - TS_AUTHKEY=<authkey or OAuth2 client secret>
      - TS_EXTRA_ARGS=--advertise-tags=tag:docker
      - TS_ROUTES=172.21.0.0/24
    volumes:
      - ./config/tailscale/state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    networks:
      tailnet-subnet:
        ipv4_address: 172.21.0.11
    restart: unless-stopped

networks:
  tailnet-subnet:
    ipam:
      config:
        - subnet: 172.21.0.0/24
```
For this to work, I had to define a tag named `docker` and add it to my Tailscale ACLs. I also added an ACL to auto-approve the routes advertised by this container.
```json
{
  // other configuration
  "tagOwners": {
    "tag:docker": ["autogroup:admin"],
  },
  "autoApprovers": {
    "routes": {
      "172.21.0.0/24": ["tag:docker"],
    },
  },
  // other configuration
}
```
With this, all the containers that get added to the `tailnet-subnet` network and have an IP address in the `172.21.0.0/24` subnet will be accessible over my Tailnet. So I updated the configuration of the `swag` container to add it to the `tailnet-subnet` network.
```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - var1=value1
      - var2=value2
    volumes:
      - ./config/swag:/config
    ports:
      - 443:443
      - 80:80
    networks:
      tailnet-subnet:
        ipv4_address: 172.21.0.12
      default:
    restart: unless-stopped
```
In the above snippet, I added the `tailnet-subnet` network to the `networks` key and assigned it a static IP address in its subnet, `172.21.0.12`. Since the `default` network was implicitly included before and adding a different network will remove the implicit inclusion, I have also explicitly added the `default` network.
With these configuration changes, the `swag` container was accessible at the `172.21.0.12` IP address over my Tailnet. But I still needed to set up DNS to access the services by domain name.
Tailscale provides a way to add a restricted nameserver for a specific domain using split DNS. So I needed a DNS server that resolved the domains of the services hosted on the `swag` container to its Tailnet subnet IP address, `172.21.0.12`.
For this, I took inspiration from jpillora/dnsmasq and created a custom `Dockerfile` that set up a `dnsmasq` resolver.
```dockerfile
FROM alpine:latest
LABEL maintainer="[email protected]"
RUN apk update \
    && apk --no-cache add dnsmasq
RUN mkdir -p /etc/default \
    && echo -e "ENABLED=1\nIGNORE_RESOLVCONF=yes" > /etc/default/dnsmasq
COPY dnsmasq.conf /etc/dnsmasq.conf
EXPOSE 53/udp
ENTRYPOINT ["dnsmasq", "--no-daemon"]
```
Then I created a `dnsmasq.conf` configuration file that looks like the following snippet.
```
log-queries
no-resolv
address=/domain1.fqdn/172.21.0.12
address=/domain2.fqdn/172.21.0.12
```
Then I added the following snippet to my `compose.yaml` file to add the `dnsmasq` container.
```yaml
services:
  dnsmasq:
    build: "./build/dnsmasq"
    container_name: dnsmasq
    restart: unless-stopped
    volumes:
      - ./config/dnsmasq/dnsmasq.conf:/etc/dnsmasq.conf
    networks:
      tailnet-subnet:
        ipv4_address: 172.21.0.3
```
Then I ran `docker compose build` to build the container, and `docker compose up -d dnsmasq` to start it. With that, I had a DNS resolver to resolve my domain names in the Tailnet.
You might notice error messages in the `dnsmasq` container’s logs that look like `dnsmasq: config error is REFUSED (EDE: not ready)`. This happens because we have not defined any upstream servers that `dnsmasq` can use. But since we want this `dnsmasq` instance to resolve only our domain names, this is okay and the error can be ignored.
Then on my Tailscale admin dashboard, I added a custom nameserver for my domain name and configured `172.21.0.3`, the IP address of the `dnsmasq` container, as the address of the server to use. Now, all the devices on my Tailnet could access the services on my `swag` container by domain name.
I have an existing DNS setup on my home LAN that resolves the same domain names to the LAN IP addresses. So now, with this setup for Tailscale, my devices can seamlessly access the private services on my LAN and Tailnet.
If I want to add a new service to this setup, it is as easy as adding the `tailnet-subnet` network to it, and adding the DNS records to the `dnsmasq` docker container’s configuration file and the resolver in my home LAN.
-
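Added editor's example, not from any post on this page: a Tailscale policy file that follows up on the #HomeLab post's point that containers behind a Tailnet node can reach the Tailnet unless ACLs say otherwise, applied to the tag:docker subnet router and the 172.21.0.12 / 172.21.0.3 addresses from the split-DNS post above. It assumes the policy otherwise has no catch-all accept rule; the port numbers are the ones those two containers serve.

```json
{
  // Tag owners and auto-approvers as in the split-DNS post above.
  "tagOwners": {
    "tag:docker": ["autogroup:admin"],
  },
  "autoApprovers": {
    "routes": {
      "172.21.0.0/24": ["tag:docker"],
    },
  },
  // Tailscale denies any flow that no rule accepts, so the default
  // {"src": ["*"], "dst": ["*:*"]} rule must be removed for this to matter.
  "acls": [
    // Tailnet users may reach the reverse proxy over HTTPS and the
    // split-DNS resolver over DNS, both routed via the Docker subnet router.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["172.21.0.12:443"]},
    {"action": "accept", "src": ["autogroup:member"], "dst": ["172.21.0.3:53"]},
    // Users keep full access to their own devices, but nothing else
    // in the 172.21.0.0/24 route is reachable from the Tailnet.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
  ],
  // Deliberately no rule with "src": ["tag:docker"]: the Tailscale container,
  // and anything that rides on its subnet, cannot initiate connections to
  // other Tailnet devices even though it is a member of the Tailnet.
}
```

Adding a new service to the subnet then also means adding a matching accept rule for its address and port, which keeps the exposed surface explicit.
-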
Currently, I have my #devenv set up on its own #Tailscale network. It is nice how easy it is to separate these networks. The wint14-devsys is actually WSL2 running my container image. This way I don't have to share machines into my personal #tailnet, but I could. There is a mix of #gitpod and #csb used. #codespace is in my opinion a little too slow for my region.
-
Been experiencing some strange #tailscale behaviour recently. Both my and my partner's phones and iPads, when connected to 5G or an external (not home) network, are just not able to connect to anything on our #Tailnet. Haven’t had any chance to troubleshoot yet, but I’m not sure if it’ll be the iOS end or my LXC that’s acting as a router 🤔
-
Ok, in 5 mins with @tailscale I'm able to expose services from my #kubernetes cluster to my tailnet with nice DNS names and all. All entirely private to my #tailnet
This is soooo nice 🙇
-
I’ve been working on a tool called tailproxy for the last few weeks. It’s a small Go-based server that proxies any other server into your @tailscale #tailnet. It’s optimized for working in containers, so you can publish a containerized service on its own hostname instead of having to access it on a port. It’s also got support for Funnel if you dare expose your code to the public Internet, and optional TLS termination. Check it out here: https://github.com/j-f1/tailproxy
-
nice to see @tailscale on #Mastodon, I’ve a huge amount of respect for them as a service, business and collective of people.