It’s been a minute since I last had to travel for work, but that’s coming up again. This means for remote access purposes, I need a VPN to my home network. I last accomplished this simply using the L2TP functionality built right in to my Unifi Security Gateway, but since I got rid of that I simply never fixed this again. The obvious solution is Wireguard, but why configure that by hand when I can use Tailscale to do it for me?
Why indeed, and since I’ve heard good things about their offering I decided to take a look at it. First step, let’s run it in an LXD container, so I can blow it away if I need to without polluting the rest of my network. That was fairly painless:
```
~$ lxc launch ubuntu-minimal:focal tailscale
Creating tailscale
Starting tailscale
fwaggle@ghast:~$ lxc shell tailscale
root@tailscale:~# apt update
-- SNIP --
18 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@tailscale:~# apt upgrade -y
-- SNIP --
root@tailscale:~# apt autoremove
-- SNIP --
root@tailscale:~# curl -fsSL https://tailscale.com/install.sh | sh
Installing Tailscale for ubuntu focal, using method apt
-- SNIP --
Installation complete! Log in to start using Tailscale by running:

tailscale up
root@tailscale:~# tailscale up

To authenticate, visit:

-- SNIP --
Success.
root@tailscale:~#
```
For a second device, I installed it on my phone, turned off Wifi, and whaddya know, I can ping something.
Restarting tailscale with `tailscale up --advertise-exit-node` and flipping the exit node on on my phone meant I got my home IP despite not being on the home wifi networks, so I’m counting that as a success.
Less successful was accessing the other services, and it took a bit to figure out why that is. My first port of call was checking connectivity at the container, which I did using ICMP. This didn’t work:

```
From _gateway.lxd (10.13.0.1): icmp_seq=1 Redirect Host(New nexthop: _gateway (10.255.0.1))
From _gateway (10.255.0.1) icmp_seq=1 Time to live exceeded
```
This is actually not unexpected, I suppose. Since this machine is actually three machines in a trench coat (NFS server, LXD server, and a K8s node), and runs two BGP peers on two different IPs, I figured it was something fucky with the routing: It was going up to my router, which tried to send it back down the same path, then the TTL expired.
But a service hosted on LXD should work, because LXD’s bridge network should route it sensibly. It did not, from my phone. More puzzling, actually, a `curl` of a service hosted on Kubernetes worked from the container.
I soon realized I needed to convince Tailscale to advertise these routes; it seems it won’t expose RFC1918 addresses even if it’s declared as an exit node… which is actually a very sensible default, really. So I configured it to have access to my entire LAN via the `--advertise-routes=` parameter to `tailscale up`, approved it in the control panel, and it worked. I later retracted that, opting to only allow access to the services I want.
The final piece of the puzzle (after being greeted with a 403) was to allow the IP of the tailscale container in my `lan-only` middleware in Traefik, and I’m away.
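The two steps above (narrowing the advertised routes to just the wanted services, then letting the Tailscale container through the `lan-only` middleware) can be scripted so a typo can’t quietly widen what is exposed. The script below is an added example, not from the post or from Tailscale/Traefik; the container, Home Assistant and Traefik addresses are constructed placeholders, the Traefik dynamic-config-in-YAML layout is assumed, and `lan-only` is the middleware name from the post. It also enables the kernel forwarding sysctls Tailscale documents for subnet routers, which a fresh container won’t have.

```shell
#!/bin/sh
# Added example: narrow Tailscale subnet routes to individual services and
# render the matching Traefik allowlist. Addresses below are constructed
# placeholders, not values from the original post.
TAILSCALE_CONTAINER_IP="10.13.0.50"   # assumed: container's address on the LXD bridge
HOME_ASSISTANT_IP="10.0.0.20"         # constructed placeholder
TRAEFIK_IP="10.0.0.10"                # constructed placeholder

# Build the --advertise-routes value as one /32 per service instead of the
# whole LAN. Every entry must look like an IPv4 address or CIDR; anything
# else is rejected rather than passed through to tailscale.
build_advertise_routes() {
    routes=""
    for entry in "$@"; do
        case "$entry" in
            */*) cidr="$entry" ;;
            *)   cidr="$entry/32" ;;
        esac
        echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
            echo "rejecting '$entry': not an IPv4 address or CIDR" >&2
            return 1
        }
        routes="${routes:+$routes,}$cidr"
    done
    printf '%s' "$routes"
}

# A subnet router only works if the kernel forwards packets. These are the
# sysctls Tailscale's subnet-router docs ask for.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
        > /etc/sysctl.d/99-tailscale.conf
    sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Re-run tailscale up with the narrowed list (not executed here). Note that
# tailscale up expects every non-default flag to be repeated on each run, so
# --advertise-exit-node is kept alongside the routes.
advertise_services() {
    routes="$(build_advertise_routes "$@")" || return 1
    tailscale up --advertise-exit-node --advertise-routes="$routes"
}

# Render the Traefik middleware. A subnet router source-NATs tailnet traffic
# by default, so the service sees the container's address, not the phone's;
# that is why the container IP has to join the LAN range in the allowlist.
render_lan_only_middleware() {
    lan_cidr="$1"; shift
    printf 'http:\n  middlewares:\n    lan-only:\n      ipWhiteList:\n        sourceRange:\n'
    printf '          - "%s"\n' "$lan_cidr" "$@"
}

# Example usage (writes the rendered middleware to stdout):
#   build_advertise_routes "$HOME_ASSISTANT_IP" "$TRAEFIK_IP"
#   render_lan_only_middleware 10.0.0.0/24 "$TAILSCALE_CONTAINER_IP"
```

Redirect `render_lan_only_middleware` into whatever file Traefik’s file provider watches, and approve the /32 routes in the admin console after `advertise_services` runs; until they are approved the routes are advertised but not used.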
I’m as yet undecided on whether I want to allow access to the K8s control plane via this or not, but I can do most everything else, including accessing Home Assistant.