Build Your Own VPN with Headscale & Tailscale

Captions
Hey everybody, welcome back to Jim's Garage. In this video we're going to be revisiting Headscale, that's the open source, self-hosted variant of Tailscale. The good news is you can use all of the native Tailscale apps to connect to your own Headscale instance. The reason I'm doing this is because in the next video I'm going to be showing you how to create a remote cloud NAS. What's that? Well, effectively I have some NASes that were sent to me by UGREEN, but this is applicable to any old hardware you have lying around, or even new hardware if you want, and you want to escape things like a cloud service fee, or you want to keep things owned by yourself. So I'll be using Headscale to create a remote connection to my NAS that I could have anywhere: a friend's house, a relative, or even a colocation. That would enable me to have a secure connection to that device, and now, because I've got fast internet, I could treat that as though it's basically on my LAN.

So before we do that we're going to go down the Headscale route. Now, I've done this before in a previous video, so I'm going to quickly go over some of the theory, but if you want to hear more about that theory and how it works, and how it's a mesh VPN, all those sorts of things, go and check out that video, and also check out the documentation, because a few things have changed since I've done that; that was about 9 months ago. In this video I'm going to show you the UI, though. In the last video I was more into the command line interface, which I do recommend you go and learn, because you should know how this thing works. Now the UI is not perfect. I'll be showing you two different UIs for this video: one which is called headscale-ui (good name), one which is called headscale-admin. Now the admin has more features, but the features are broken; hopefully that will be fixed soon. The headscale-ui has fewer features, but it does work; hopefully that will be expanded in the future. Anyway, by the end of this video you'll have Headscale up and running. I'll show you how to connect things like an Android device and another Linux box. We'll have a quick look at routes, so we can make sure that we can route traffic between our different nodes, and we'll also have a look at setting the exit nodes. So yeah, that's right, we could treat each of our devices as an exit node, a bit like a traditional VPN. So for example, if you did put this at a different region, even a different country, or even in somewhere like a colocation, you could route different traffic from different nodes and use that one as an exit node. Really powerful tool.

For this demonstration we're going to be deploying this in Docker, but there's no reason you couldn't deploy this on an LXC, a VM, or even bare metal if you wanted to. So let's now hop into VS Code, let's have a look at the Docker Compose file, and then we'll get into deploying it and configuring it. Now, to get this up and running it's pretty straightforward, but there are a few things you need to be comfortable with depending on how you set this up. So off the bat, all we really need to do is set up the Docker Compose file, which you can see on screen here, and there's also a configuration file, config.yaml, that we also need to set up. So let's run through the Compose file first and then we'll have a look at the config.yaml.

So in this deployment I have two containers. I actually have three, but two of those are just different UIs, so you can pick and choose which one you want, or remove the UI if you simply want to go down the CLI route. So I'm using version 0.23 alpha2. Now, that's because there hasn't been a major release of Headscale for about a year now, but between that last major release and now there's been 12 alphas. Now, from reading the GitHub it looks like a new major release, or at least a major beta, will be coming out soon, so that's really good to see. But from my testing and usability, the fact that it's been an alpha version, I haven't noticed any issues. The only issues I have noticed are through the UI, and that's probably because the alphas keep changing things like the APIs which the UIs rely on.

So the container name, headscale, pretty straightforward; restart unless-stopped, and I've set the time zone to be Europe/London. Now this requires two volumes. Now, for this instance I've just used ./config, which means it's going to create this folder in this folder here. So don't worry about why I've called it headscale and headscale2; that's just for my old video, my original Headscale. I've just called this one headscale2. So in there it's just got the config file. Obviously, if you don't want it in this location you can put it somewhere else. And it also uses a Docker volume, headscale-data, which you'll create again. If you don't want to use a Docker volume you can obviously use a bind mount and just specify a folder location that you want on your machine. Now the entrypoint: it's going to do headscale serve, so it's going to basically spin this up and serve as a Tailscale implementation, and it's going to be on my network of proxy. That's because I want to run this through a reverse proxy. You don't have to do that, but I recommend you do so that you get nice certificates. So then we get on to your standard Traefik labels, more or less. Having a look down, you'll see that we put it on the proxy network, which is the name of the network I have my Traefik reverse proxy on. It's served on port 880, it's got a URL which I use here, it redirects to HTTPS, I've specified the cert resolver, and I've created the service headscale. I'm deliberately going over these quickly because I've covered these many times before, but do check out my Traefik video if you're struggling for some of these concepts.

Now the bit that's really important here, especially if you're going to be running both the Tailscale (or Headscale in this instance) and the UI on different subdomains, you need to be aware of CORS. That's for cross-origin. If you don't set this up properly you'll get an error with the UI, because Tailscale, or Headscale, sorry, it's getting a bit confusing; it's just because I call this implementation tailscale and I use the other one headscale down here. If you don't do that, Headscale is going to say "no, you're not coming from the right subdomain", and this is a security feature to stop redirects and unknown-origin traffic. So the only bit really here you need to make sure of is, if we have a look on the right-hand side, the allow origins list here. So you need to put in here, this needs to be the URL of whatever you put down below in the UI section. So scrolling down on here you can see that I've set up, here's the first UI, which I'm not going to use, and here's the second UI. You can see that for the headscale-ui here, this container here, you can see that the URL it's going to be on in Traefik is headscale. So whatever that is, you simply need to put it into this cross-origin just here, unless you're going to be using the same subdomain for both. I didn't want to do that; I wanted to break these things up. That's how you need to do it. After that we just set up the load balancer support, so this is going to be set up for UDP traffic for DERP: 41641 and 3478. That's it; that should be enough to get you up and running with Headscale.

So as I mentioned here there are two UIs. This is headscale-admin, which is a separate project that's been spun up, and if you uncomment all of this here, this will work and you'll be able to access that. Like I said in my introduction, this one doesn't seem to be working as well with the new API, which is what I suspect is happening here. But for actual features and what's available on the website, this actually has more features, so on this you can do things like adding routes and entry points and all those sorts of things. On the headscale-ui you can't do that and you need to dive back into the CLI. So hopefully this will get fixed in the future, and hopefully it will reintroduce all of that functionality again. Now the one that is more stable and works for all the features it says it does is the headscale-ui. Now this again is pulling the latest image, it's going to sit on that proxy network, and then it's going to sit on headscale.jimsgarage.co.uk, and that's all we need to do to get this to work. Down here we specified that the proxy is external because it was created elsewhere; it was created when I set up my Traefik. And there's that volume for that headscale-data again; you don't need that if you're going to use a bind mount.

Once you've got that all set up and configured you need to get onto the config.yaml. So the config.yaml, this is just the default one taken from their website. I'm not going to go through this exhaustively, I've done that before, but effectively you want to set your server URL to the URL that you specified in your Docker Compose for the Headscale server. I've just called this one tailscale. The listen address, it tells you here, for production you basically want it to listen to any address that's incoming; same for the metrics. And then for the gRPC, this is for remote controlling it, I've also set that to any, and I've said that it can't be insecure, because you wouldn't want that to be insecure, because it's going to control your instance. And then all of the rest of the things in here I've just left as they are. I do recommend checking out my previous video, and I do recommend highly that you read through the documentation for any additional options that you want. There are things in here that, if you change from the default, could introduce some security risks, but there might be reasons, or there might be times, when you do actually want to change some stuff in here: you know what you're doing, you have different layers of security in place that might make you okay to change some of this stuff. By default this is going to use a SQLite database. Now, as I've mentioned in other videos before, SQLite is fine at small scale, but it becomes problematic; it's not performant, it doesn't scale well when you have lots of data, lots of users, entry points, etc. Now, as I'm only going to have a handful of people ever on my Headscale, this should be fine for me, and I've not had any problems in the past, but if you're going to be doing this at scale you probably want to introduce a different type of database. You can also do TLS setup within the configuration file. I don't have to do this because I'm letting my proxy take care of all this, and I recommend you do something similar, but if you were going to do this and you weren't going to put it behind a reverse proxy, you would need to get some certificates, and thankfully there is built-in Let's Encrypt support within this, and you could set this up similar to how I've done it with Traefik in the past. You can set some DNS here if you just want to use DNS by default, but you can also override DNS when you actually go into the respective Tailscale apps. Outside of that there are a ton more options, but I don't think they're going to be relevant for most people's configurations, albeit I do recommend you go and have a look through all of this and understand exactly what is available to you.

So now that we have all of the configuration files understood, let's get into the deployment. Like I said, I'll be deploying both of these UIs so that I can show you the difference between the two, and then we'll get on to configuring Tailscale and getting some clients on there. Sorry, I keep saying Tailscale; I mean Headscale. Okay, so heading over into the terminal, let's get this thing up and running. So I'm going to navigate to that folder and I'm then going to do a sudo docker compose up -d, and it's going to pull those containers. Like I say, this is actually going to pull both of those UIs; you only need to use one, but this is just for demonstration purposes. It should be pretty quick because it's actually quite lightweight. Now those have all pulled and those have all started, that's excellent, and we can also see that on here. You can also manage Docker through VS Code, which is pretty awesome, but I'm going to hop over now into Portainer just because I love their friendly interface.

Okay, so over in Portainer you can see that I've got headscale here, and then I've got headscale-admin and headscale-ui, the two respective different UIs. If we have a look in the logs for headscale, everything seems to be fine. It's saying that a new version of Headscale has been found, alpha 9 versus alpha 12; that's obviously an error, 12 is later than 9. And it has created a new private key for the noise, because we didn't specify one in the config file; you can obviously create your own if you wanted to. It's using the SQLite database, and then it's listening on all of the ports and the interfaces that we specified, which is awesome. In the headscale-admin log you can see here that everything's created. It's only listening on HTTP; that's fine because we're using it behind Traefik with SSL, and there were no errors when creating this container. If we have a look in the UI, that's a similar story: "may be vulnerable to abuse because TLS is enabled but no protections are in place", but we've got this again behind our reverse proxy. Everything looks fine here, so fingers crossed we're in a position to access these URLs and access the UIs. Now obviously you're going to need to add those URLs to your DNS server, so I've added those to my Pi-hole. Whatever you're using, just make sure you add those DNS entries.

So now I've fired up a browser in Incognito, just because I've done a lot of testing and sometimes the caching in Chrome doesn't clear very well. But if we go to headscale now, hopefully we're going to reach those URLs, and so here you can see headscale and headscale2. I just gave these different URLs; this one is the admin one and this one is the headscale-ui. Obviously you can choose which one you want. The first thing you're going to need to do before any of this will work is to generate some API keys. As you see, "API didn't succeed", and that's the same message in here, but it just defaults to putting these details in. So on this one we want to go to settings and put in your key, and the same on here. Now how do we get our key? Well, we need to hop into the CLI to do that, so let's go and do that right now. So to do that we need to run the following command. So in my instance, sudo, depending on whether you've got your user in the docker group or not, we need to execute, and then this here needs to be the name of your container; in my instance this is headscale. Now you can't actually console into this container because it's a very minimalist image, for security and footprint reasons, so we actually have to run and pipe the commands into it. So this is basically connecting into the container, and then this second part here is the command it's going to run inside that container. So we connect to it and then we're going to run headscale apikeys create. So let's hit return, and you can see here that we've got the API key that we require. So we need to select that and we need to copy it, and now we can head back into our browser and we can paste this value in. So on the first machine let's paste that in, and we can see that that's right there, and in here we need to put the address that our server is running on. So for me that was https://tailscale.jimsgarage.co.uk. Now hopefully when I click save I get a green tick. Bingo, yes I do. So we can also roll over that API key if we wanted to, and clear those and test a different server, whatever; I'm not going to do that. That's all up and running, so now I can go on users and device views, and that actually works because it's querying the server using those API credentials. So over on the other server let's do the same thing: let's paste that in there, and then again I'll put in my tailscale URL. On this one I'm going to click save, and yeah, that's connected; expiration is 3 months from now. Perfect.

So a quick overview of the two different UIs. You can see in this one all you get control of is the users and the devices. On the other one, but unfortunately this one isn't working at the moment, I guess due to API changes, this one allows you to do users, nodes, deployments and set the routes. Now unfortunately, even when I create the routes later in this video through the CLI, those don't get reflected here, again because those API calls are likely broken. We're on an alpha version, and I suspect that the alpha version is moving too quickly ahead of this UI. I imagine this will catch up soon, and you can obviously contribute yourself if you want to, to help out this project. So from now on we're going to stick to using this UI, but when we get onto things like the routes we're going to have to go back into the CLI. So back into VS Code, exec into the container and then run the commands that we need to connect to our various devices. So for starters, though, we can use the user view here, so I can click a new user. So I'll do something like "pixel" for my phone, and I'll click tick. Now this is exactly the same as using the CLI; it's simply making those calls in the background using the API. And so to prove that, if I go back now into my terminal and I run the command sudo docker exec back into headscale, and I then do headscale users create ubuntu. If I run this, I'm not going to press return just yet. If we have a look back in here, we've only got this one user here. If I now run this command, that's created: "user created". Now if we go back into the UI, if I just click off and then come back in, we now see ubuntu. So that's exactly the same thing using this UI as it is in the command line interface.

Similarly, in here we have some additional options. We can generate some pre-authorization keys. Now this is handy because we can create this user and create a key assigned with it, and then on any device in the future we can use the connect command, so we can connect to the server and we can specify that pre-authorization key, and then it will automatically log that device in as this user we've created, which makes the whole process more seamless. You can also delete a user as well in the UI, and again that's calling the same sorts of things as that headscale delete user, etc. So now that we've got two users set up, I'm going to show you now how to connect a mobile device and also how to connect an Ubuntu machine. You can also connect things like iOS devices (I don't have one) and things like Windows 11.

So to get this working on Android you simply need to download the Tailscale official app from the Play Store, or iOS. Once you've loaded the app you want to hit "get started". It's then going to give you a warning saying that this can then control VPN access on your device, which is what you want, so hit okay. Now when you do click okay it's going to try and default login using the Tailscale domain. Now we don't want to do that, so how do we fix that? Well, on this Android instance we want to hit the X in the top right, which will take us back to the app. Now in the top right we want to hit the cog, and then we want to go to the accounts, and in the top right we want to hit the dots, and we want to use an alternate server. Now this alternate server, you guessed it, you're going to put in here your tailscale server. So once you have that entered you want to click "add account". Now when you do that you can see it's automatically opened up a browser, and if I zoom in it says you need to run the following command: headscale nodes register, username, and then it gives you a key. So this key is what you now need to add within your Headscale server. So I'm going to hop now back onto my machine and we're going to get this added. So as I said, that gave us a URL to register with. Now I've gone into the logs on my headscale container, and thankfully you can see the exact same thing that we just saw on that device. So here you can see this mkey here, let me just stop the logs a second, you can see this mkey. So that is the key that this device is sending to register. Now that by itself isn't a security risk, because only the person who has access to this server, i.e. you, and that Headscale where you exec into the container, only you have access to that, so don't worry too much about that. Let's make sure we've grabbed this code here and we now need to get on to adding this. So because we've got the UI we can actually go into the UI and we can actually do this through that. So for example if we go on to here we can click on the device view and we can add a new device. So I've clicked on that, I can now paste in that device key, which is there, and I'll say that this is my pixel user, and then I can click tick. So now that user has been added. Now it's called it localhost; that's just, unfortunately, I think a bug in the Headscale deployment at the moment, there's an issue on GitHub for that, but you can rename that as well. But if we have a look on there you can see the IP address of my mobile phone, when it joined, etc., all of those things. Now we don't have any routes set up, so nothing much can happen at the moment, but we'll sort that soon.

Let's dive now quickly back onto the mobile app and let's check what's happened now that we've added the device to our Headscale server, i.e. it's now a registered device. So now you'll see that we've got a notification that's come up, and this is just to help you manage this connection, so you'll get notifications when it joins, when it disconnects, etc. So I'm going to hit continue, and now you want to allow or not allow; obviously allow. And here you can see that this device is now connected, so in the top left, connected. I've also got the little key symbol on my notification bar in Android. You can see that this is pixel and it's just at example.com, and you can see I've got the IP address of this device. Now you can do some options, like you see this drop-down bar; you can click on exit node and then you can tell this machine to be an exit node, this mobile phone. Now what that will do is allow other nodes on this network, this mesh network, to be able to use this as a gateway device, a bit like your home firewall router or a VPN service. So you can get this onto your mobile network and then you could route local traffic out through this, and obviously you can extrapolate that across all your devices. If you had a friend in a different country in part of your mesh network, or you had a VPS in a data center somewhere, you could use that device as an exit node, which could be really handy for getting round geo-blocking and all of those sorts of things.

So now that we have this running, I'm going to set this up now on a different machine, and then we should be able to see all three devices on our mesh network, and then we should be able to create some routes so that we can get this working. So on the screen now you can see a new virtual machine; I've just called this one "tailscale demo" at the top, and I'm going to connect this one now to our Headscale network, and conveniently I've called this user ubuntu. So now that we have this up and running we can make use of the pre-authorization key. So in the background we can click on this user here, we can click a pre-auth key; let's keep this one as always existing, it's going to expire on the 8th, so it's going to give us a day on this one. You can make it ephemeral or reusable if you want to. So let's create that key. So that's been created. I'm going to select this and copy it, and now we need to run the following command on our machine, our virtual machine that I've just showed you, to get this up and running. We will obviously need to install Tailscale first, so this is the command to install it, just taken from their official website. That will now go off, pull that and install it. Once that's completed we should be able to now run the command. Now that's installed we can do the sudo tailscale up, so that's going to spin this up. We specify --login-server and we set that to the URL of our Headscale server; we then use the authkey, which is this one in the background. So hopefully when we hit return that will now have connected, and if we go back in here now, yeah, we've got device view, we've got tailscale demo, which is that machine I just created. So excellent.

Lastly we can set this up in Windows if we want. So let's create a user, let's create a new one, we're going to call this one "windows", let's hit the tick. So over on my Windows VM let's go to the Tailscale website, go to download, let's download it for Windows. Now that that's downloaded it should just be a simple case of going through the installation wizard, so let's install that. Yep, by default again it's going to want us to connect to the official site. So to click down here, it needs to log in, but we're not going to be able to do that. Now, to get this running in Windows we can't use the default login here, but if we visit tailscale.jimsgarage.co.uk/windows it gives us the instructions for how we can get this working. Because we're running the recent version of Tailscale, version 1.34 and higher, we can actually run this command here; otherwise we have to do some funky stuff with the registry, which is a little bit old and clunky. So let's copy this command. So if we now hop into PowerShell and if we paste this command in, let's hit return, you can see that "Tailscale authentication is needed, click the Tailscale icon to log in". So if we click the icon down here it actually says here that we need to click on this link to authenticate, visit here. So if we actually click on this link, control and click in PowerShell, "run the command below in the Headscale server to add this machine to your network". So we can copy and paste this command, and now if we head back over to our VS Code we can now do the sudo docker exec and then headscale, and then we can run headscale nodes register --user, we can give it a username, and then we paste in that key. So hopefully I can change this to be something useful; I think I used windows. So let's hit return, and "node win11 is now registered". So if we go back to headscale and if we go back to users we've got windows here, and we've now got this device here, win11, and there we've got the assigned user and the device name windows. So now we have all three devices that are being shown. If we go into the other one as well you can actually see all three of those are here as well, and unfortunately the nodes and the deploys and the routes don't work at the moment, or at least there's something that I'm not doing right.

So now if we hop over onto our VS Code, let's do some interesting commands to get this working. So if we do sudo docker exec headscale headscale, and then if we do a routes list, this should be blank because we don't actually have any routes. So if I now head over to my mobile device and I say run this as an exit node, I can now rerun that command, and there you go. Remember my phone is still called localhost, confusingly; I should change that to make it more obvious, but now you can see that I've got a route available here. Now if I go back into my virtual machine I can now right-click, and you can see down here, sorry it's quite small, that I'm now windows on here, and you can see that the other network devices are there, so I've got the pixel and ubuntu. Now I can also say that I want to run this as an exit node: "are you sure? Running an exit node means other devices in your tailnet can send their traffic to this computer". You don't have to do this; remember Tailscale is completely flexible and you can choose how you want traffic to be routed. You might not want certain devices to have access to others, and you might not want certain devices to be able to squirrel out through you as an exit node. Now if we go back into VS Code and now we run that, we should now have the Windows 11 exit node. And now what's cool is, if I go into the bottom right here and let's have a look at some of those network devices, so here's my phone and that ubuntu machine. If I click on here it's going to copy that IP address, and so we should in theory be able to ping this device. Yep, there we go, so this virtual machine is now pinging my mobile phone. These are actually on different subnets within my home network that are actually blocked by the firewall, but because they're now on this Headscale network they're effectively on that mesh VPN, which my firewall doesn't see, so it's not blocking. So this is a separate network abstraction from that. And just to double-check, why don't we have a look at the other device, so that'll be the ubuntu machine; we can do a similar activity there and we can ping that, and again we've got access to that device. So the final piece of the puzzle, let's get my ubuntu machine, so we can do a sudo tailscale set --advertise-exit-node. That's now being done, and then in the background hopefully, if I run the routes list again, yeah, we've now got all three of those.

The critical thing here is that it's not enabled, so all these routes exist but they haven't been configured to be usable, and again this is really cool because this is where you get complete configuration granularity over your rules. So you could only enable some of these routes on certain devices, or you could enable them on all. I'm going to enable them on all just for this demonstration, but obviously tailor this to your requirements. So the syntax for that is, again, we exec into the container and then we run headscale routes enable -r for the route, and then we specify one of the IDs that are over here. So -r 1 should enable route one. So now if we do the routes list you can see that this node one is now true. So if I enable it for two, well actually no, that would be three, won't it, and then I also do it for five. Now if I rerun that command all of those should be enabled. Yeah, great, so every single one is enabled. Now what that allows me to do is, if I hop back onto my virtual machine, now in the bottom right, and again sorry it's small, now if I right-click that and go to exit nodes, you'll now see that I have these other ones here. So for example I could now say the pixel, my phone, is the exit node, so now all of my traffic is going to be routed. So we know that it can reach it from up here, but now all of my traffic on this machine will be routed out through my mobile phone, which is pretty awesome, and this is how it's going to work when I set up that colocation for my NAS.

So now we have three devices that are all joined to the same Headscale network. They're all using the Tailscale client, and all of this is hosted internally within our own network; nothing else has visibility of our traffic. Also then we can route traffic wherever we want within that network, which is especially great if you want to share this with other people; you've got total control. So hopefully now you've got everything you need to be able to set up Headscale across all of your devices using the official Tailscale app. This gives you a great setup whereby you can create granular rules for all of your devices, and also other people or other devices that you don't own. This is going to form the backbone for what I'm setting up in the next video, where I'm going to be creating a NAS which I'm going to be storing outside of my LAN, so effectively this is my own private cloud for my storage that could be basically located anywhere. Now there's obviously going to be some port forwarding that you'll need for this to work, i.e. you'll need to expose the right ports on your firewall, make sure that that URL is reachable. I've shown before in previous videos how to do port forwarding, and it's going to depend on what your firewall is, but basically the process is pretty straightforward and the same. So once you do have that set up, the beauty of this as well is that it's always going to be phoning home. So basically I'll set up my NAS, I'll get Tailscale up and running first, and then when I put it out in the field, as long as I've got my port forward correct, it should be able to then connect back into my network and I'll always have a constant VPN connection. The beauty of that is it's kind of two-way: if I set up my routes it will connect into my network and I'll also be able to connect out to it, which will be great for remote administration, and it also means that I don't need to set up port forwarding on wherever I decide to put this. If you put it at your parents' house, for example, you don't need to worry about port forwarding; this will all be taken care of, a bit like how we've used Tailscale to get around CGNAT before.

Anyway, I hope you like this demonstration, and you saw a bit more this time about how to get the web UI up. Now I don't know whether I'm being a noob or whether it's just because of the different API versions that are constantly changing; hopefully those apps will get updated and you'll be able to use the UI for all of it. But again, I've only just scratched the surface on Tailscale; there's a ton of documentation, a ton of commands we didn't even look at, but this should give you the basics to get it up and running and give you some basic, rudimentary controls around where your traffic can be routed. Let me know if this is something that you're going to be using, and why and how. I am also going to be touching on other competitors; I know I've done things in the past, but things like ZeroTier and NetBird, those are things you're asking me to look at, so I will be taking a look at that. Anyway, thanks for watching guys. If you found this useful hit the like, hit the subscribe, and I'll see you on the next one. Take care everybody. [Music]
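The Compose and config.yaml walkthrough above is only described verbally, so here is a worked example of the deployment it sketches: Headscale behind a Traefik reverse proxy on a shared `proxy` network, the headscale-ui container on a separate subdomain, the CORS allow-origin list that the video says is the piece people get wrong, and the handful of config.yaml keys the video changes (server_url, listen_addr, metrics_listen_addr, grpc_listen_addr, grpc_allow_insecure). This is an added example, not the video's own files. Hostnames (`tailscale.example.com`, `headscale.example.com`), the cert resolver name `letsencrypt`, the entrypoint name `websecure`, the image tags and the headscale-ui container port are assumptions; check them against your Traefik setup and the two projects' READMEs.

```yaml
# docker-compose.yaml (added example; hostnames, tags and resolver are assumptions)
services:
  headscale:
    image: headscale/headscale:0.23.0-alpha2      # the video runs 0.23 alpha2; tag assumed
    container_name: headscale
    restart: unless-stopped
    environment:
      - TZ=Europe/London
    volumes:
      - ./config:/etc/headscale                   # holds config.yaml (bind mount)
      - headscale-data:/var/lib/headscale         # database and noise private key
    command: headscale serve
    networks:
      - proxy
    ports:
      - "3478:3478/udp"                           # STUN for the embedded DERP server
    labels:
      - traefik.enable=true
      - traefik.http.routers.headscale.rule=Host(`tailscale.example.com`)
      - traefik.http.routers.headscale.entrypoints=websecure
      - traefik.http.routers.headscale.tls.certresolver=letsencrypt
      - traefik.http.routers.headscale.middlewares=headscale-cors
      - traefik.http.services.headscale.loadbalancer.server.port=8080
      # CORS: the UI lives on a different subdomain, so the browser sends cross-origin
      # requests to the Headscale API. Allow ONLY the UI's origin; do not use "*".
      - traefik.http.middlewares.headscale-cors.headers.accesscontrolalloworiginlist=https://headscale.example.com
      - traefik.http.middlewares.headscale-cors.headers.accesscontrolallowmethods=GET,POST,PUT,PATCH,DELETE,OPTIONS
      - traefik.http.middlewares.headscale-cors.headers.accesscontrolallowheaders=*
      - traefik.http.middlewares.headscale-cors.headers.accesscontrolmaxage=100
      - traefik.http.middlewares.headscale-cors.headers.addvaryheader=true

  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    restart: unless-stopped
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.headscale-ui.rule=Host(`headscale.example.com`)
      - traefik.http.routers.headscale-ui.entrypoints=websecure
      - traefik.http.routers.headscale-ui.tls.certresolver=letsencrypt
      - traefik.http.services.headscale-ui.loadbalancer.server.port=80   # assumed UI port

networks:
  proxy:
    external: true        # created earlier by the Traefik stack

volumes:
  headscale-data:

# ./config/config.yaml (excerpt; every other key is left at the documented default)
# server_url: https://tailscale.example.com   # must match the Headscale router above
# listen_addr: 0.0.0.0:8080                   # "any address" for production
# metrics_listen_addr: 0.0.0.0:9090
# grpc_listen_addr: 0.0.0.0:50443             # remote control of the server
# grpc_allow_insecure: false                  # keep false: gRPC controls the whole instance
# noise:
#   private_key_path: /var/lib/headscale/noise_private.key
```

After `sudo docker compose up -d`, the CLI steps the video performs run through the minimal image's entrypoint, for example `sudo docker exec headscale headscale apikeys create` for the UI key, `sudo docker exec headscale headscale users create ubuntu`, `sudo docker exec headscale headscale nodes register --user pixel --key <mkey from the client>`, and later `headscale routes list` followed by `headscale routes enable -r <id>`. Two points from a security angle: the API key you paste into the UI is a full-control credential with a default 90-day expiry, so treat it like an admin password and rotate it; and advertised routes and exit nodes stay disabled until you enable each one explicitly, which is the granularity the video relies on.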
Info
Channel: Jim's Garage
Views: 14,376
Keywords: tailscale, tailscale setup, tailscale how to, headscale, headscale set up, guide, linux, wireguard, proxmox, docker, android, vpn, vpn how to, vpn guide, how to setup a vpn, create a vpn, what is a vpn, tailscale ios, tailscale windows, VPN, private vpn, personal vpn, how to use a vpn, connect to a vpn, android vpn
Id: ofVyohBLuPg
Length: 37min 6sec (2226 seconds)
Published: Mon Jul 08 2024