How To VPN Without Port Forwarding Using Headscale & Tailscale - Complete Tutorial

Captions
Hey everybody, welcome back. Today I've got an awesome video: I'm going to show you how to access your network without the need to port forward. That's right, we don't need to be able to expose it, and this will be great for all of you guys who do not have access to a router or are behind something like CGNAT (carrier-grade NAT), where you don't have a public IP address. To do all of this we're going to be using Headscale. That's the open source implementation of Tailscale, so you get to self-host Tailscale, maintain your privacy and have pretty much all of the functionality that natively is given to you by Tailscale.

So how is this useful and why might you need to use it? Well, in my previous video we deployed Headscale on our own infrastructure, which is a great option because it means everything is self-hosted. However, some unfortunate folk don't have that luxury: either your ISP doesn't allow you to port forward, or maybe you're in a multi-tenancy setup and you don't have access to the router itself. So what can you do? Well, in that last video we hosted the controller on our infrastructure, which means to access that you're going to have to port forward. Now, as I said, some people can't port forward, so what do we do? Well, we simply mix up that infrastructure and we accomplish a VPN by deploying the controller on a VPS, a virtual private server. So this is just a computer in the cloud somewhere else. In this video I'm going to show you how to do that using Oracle's free tier, but you could use any cloud provider you wish, and it doesn't have to be a free tier; you could already have a VPS and you could add this to it. It's really up to you. By the end of this video you'll be able to remote into your network and you'll also be able to remote out of your network. Yeah, that's right, you can basically use this as your own VPS server, so you could spin up clients anywhere around the world using any cloud region and you could route out of that node to get around geoblocking. This really is a powerful tool.

So without further ado, let's get into setting this up. I'm going to show you how to set up a VPS within Oracle Cloud, but as I said, you can use any cloud provider that you want. We'll then look to install Headscale, and in this video I'm not going to be using Docker; I'm going to be using bare metal, for three reasons: one, because we did Docker last time, so let's try something different; two, because Docker is going to use more resources; and three, because we're using a VPS, and in this case it's only got one core and one gig of RAM, so I need to keep this lean. Once we have this set up and configured, I'll show you how to set up the routes and how you can actually then connect to each device and exit from each device. It's quite complicated to work all this stuff out, so I'm going to put this as simply as possible for you guys. Let's get into it.

Okay, so the first thing that I'm going to do is sign up to the Oracle free tier. To do that we just need to head over to their website and create an account. It's pretty straightforward. You will need to have a credit card available to do this, so just bear in mind there may be other providers that don't need that, and as I said, you don't have to use Oracle; you could use whoever you want. Amazon also do a free tier. Once you've made your account you're going to be presented with the dashboard, and the first thing we're going to want to do is to create a new instance. To do that we can click on Instances under Compute. If this isn't here and pinned (I've used this previously), just have a look in the services at the top and you can search for it there. Clicking on Instances, we want to create a new one, and this is the free tier, so we want to make sure that we create a free VPS. To do that we click Create an Instance, and you can give it whatever name you want; I'm just going to leave it as the default here. The bit that's really important is that you click and edit the shape. Now the shape is the bit that determines the image that is given. In this case it's using Oracle's own version of Linux, but you could change this to something like Ubuntu if you wanted to. You do that just by clicking Change Image and then choosing what you want; just make sure that it's Always Free eligible. When you click on one of these it's going to come up with a suggested machine type. So if I click on this and then I click Select the Image, we want to then go down to the shape. So the shape is the size of the machine. We've specified the image, and this is a bit like Proxmox: now we want to specify basically what the virtual machine is. So this is an Always Free tier; again, it's using an older AMD EPYC CPU. Now it's only got one core and one gig of RAM. It's pretty anaemic, but it's more than good enough for what we're going to need it for, and I've tested six clients on this and it's been absolutely fine. But if you did want to change the shape it's as simple as clicking the button and then choosing which chip you want to use and how big you want it to be, i.e. things like core count, RAM count. So I'm going to leave it on this one, which is the free one, and it's going to be an AMD single core with one gig of RAM.

Let's have a look down here. We haven't created a vNIC yet, a virtual network interface card. We can do that in a moment, and we probably want to do this at the same time, which is to save the SSH keys. Now this is what's obviously going to allow you to log in with your client. If you don't have this then you're either going to need to use no SSH keys and fall back to a password, which is never a good idea, or generate them later. So let's click Save Private Key and that will download it now in the background. So before we can deploy this we need to go and set up the virtual NIC, so let's do that. I can either select the existing one that I've been using already or I can create a new one. For this video let me create a new one, so I'll create a new virtual cloud network. I've already created this compartment because I've been using this for a while, but just create your compartment; I've just used Jim's Garage as my root. The subnet I've just left as default, but obviously you can change this if you want to, and I've selected that I want this to have an IPv4 address and a public IPv4 address, because we want to be able to access this; otherwise you're going to be in the same position that you were in and why you're watching this video: you won't be able to route to it. So once you've done that you should be able to create now, so let's hit Create. In the background this is going to be spinning up that new virtual machine, and it should now take us back to the dashboard where it's creating it. So as you can see here it's provisioning that new machine, and shortly this will be up and running. And over here on the right-hand side, yep, we've now got an IP address.

So with the IP address and the SSH keys we downloaded, we should now be able to connect to this through something like PuTTY. Let's go ahead and do it. Unfortunately you're going to actually need to migrate this key first before you can use it in PuTTY, so to do that you need to fire up PuTTYgen. If you've installed PuTTY this comes shipped with it. So fire up PuTTYgen; I can load the file we just downloaded. Select the file we just downloaded, which is the SSH key here, click Open, and as you can see it's successfully imported the key, and it's in an old format. To use this with PuTTY simply click OK, and then we want to save the private key. I recommend you add a key phrase here, so this is a key to encrypt your key. I'm not going to do that for this video just because I want to make my life easier, but I do recommend you go and encrypt this key. So click Yes, and I need to give it a name. I'm going to call this one Oracle 2, just because I already have an Oracle key anyway for my existing server. Hit Save. We can close down PuTTYgen now, and then back in PuTTY we click Browse. I'm going to use Oracle 2, and I'm going to go back to the session, I'm going to give this a name, I'm going to call it Oracle 2, and I'm going to save that just so this stays within PuTTY and I don't have to put these details in every time. Now when I click Oracle 2, I click Load and then I can click Open, and it's going to come up and say this is the first time that it's seen this, do you want to trust this key? I'm going to click Accept because I know I've just created it. When I click that I'm then presented with the login, so on this one I'm going to type in ubuntu, which you can see in the background here, so ubuntu, and voilà, I'm in to that VPS we just created. That was pretty simple, right?

So now we've got the VPS set up and we're logged in, we're ready to begin deploying Headscale. Let's head over to the documentation and start that process. Now, to deploy Headscale it's pretty straightforward: we do a wget (a web get) to get the file that we want to install, we then install it, we then enable it within the system, we edit the config and then we actually start the Headscale server. So let's pick the version that we want. I'm going to use the latest version, and because I'm running Ubuntu I'm going to choose the Debian one, and I'm going to choose the amd64 because that's the instruction set. So I'm going to right-click and copy that, and we'll amend this command here with the link that we just copied. Now when we run this it's going to go away and it's going to download that file. As we can see, it downloads really quick, 61.3 megs per second, so you can see the throughput you're going to be able to get on this; I think it states it's 0.5 gigabit per second on the website. Next we're going to want to actually install it, now we've downloaded that file, so let's copy this command. That's going to go ahead and install in the background, as you can see, really quick. So we want to enable Headscale now, so let's copy the following command. Now that it's enabled we need to go ahead and configure Headscale, so let's jump into the config file and I'll walk you through a couple of the steps that you need to change.

So do a nano into /etc/headscale/config.yaml, and if you get the message on here that I got, it's because I'm using a minimal Ubuntu image, so it doesn't come shipped with nano. So let's get nano for you quickly. We need to run an update, so it's going to go through and check all the libraries within Ubuntu. Once it's done all of that it should find nano and we should now be able to install it. So now when we run this again it's just going to install nano, so hopefully we should be able to press up to our previous command and we should be able to edit the config file. Make sure that this is using sudo, because it's owned by root currently. So now we're into the config file, and if you cast your memory back to my previous video, it's basically the server URL and the listen address that we need to change. The rest of it for this video I'm not going to tweak. Do go and check the documentation though, because there's a number of things that you might wish to add to this. For instance, I'm not going to be putting a reverse proxy in front of this, because there's not really any need to protect that web page, and besides, it's only doing SSL encryption; there's nothing important on there that we need to encrypt. So for the server URL I'm going to change it to the IP address of my VPS, which we can get here. I'm going to copy that, I'm going to go back to the config and I'm going to paste it in on this part here. With the IP address now pasted, let's focus our attention down below, and it says for production we want to listen on all interfaces, so I'm going to uncomment the one it recommends and comment the one it was currently using. Once you've done that you want to Ctrl+O to save it. So now that's written and we're ready to go on to the next step. The next step, now that we've configured it, is to start the service, so sudo systemctl start headscale. That's done, and then the next one is to check that it's actually running. With any luck we should get some green text saying this is running. Yep, active (running), excellent. So Ctrl+C will quit out of that, and now we're pretty much ready to go.

But with Oracle there's a few quirks. One of the first things we need to do is actually open up the firewall, and that's not just the firewall (iptables in this case) on the Ubuntu server; this is actually the firewall that's on at the VPC level, the virtual private cloud within which our virtual private server sits. That might be complex; let me walk you through it. Head back over to Oracle and we want to go back to Oracle Cloud and we want to click on Virtual Cloud Networks. In Virtual Cloud Networks I'm going to click the top one here; ignore the bottom one, that's the one I've created previously for testing. So click on this one, and the key bit here is to go down to the network security groups, and we want to create a network security group. Now the network security group is basically a software-defined firewall. I'm just going to give this the name "default". I'm going to hit Next, and this is where you probably see the more familiar firewall rules, so we can specify both ingress and egress, so that's inbound and outbound traffic. Now for us the crucial part here is the ingress: we need this to be publicly available on the ports that Headscale is running on, so in this case it's port 8080. For the source type I'm going to use a CIDR rule, so that's classless inter-domain routing, and for the source CIDR I'm going to say anything, so 0.0.0.0; that means any, so anyone in the world can query this on port 8080. If for instance you want to restrict that, you could obviously geo-restrict it to your territory. So for the destination port we need to set 8080, and you can only do that if you select off "all" and you want to specify something. In this case it uses TCP, so I'm going to select TCP, I'm going to put in 8080. When I've done that I'll click Create, and now that means that basically anyone in the world can reach my server on port 8080.

So with that completed we're now allowing port 8080 through the Oracle VPC, which means when you try and reach this, Oracle is going to allow it through and it's going to pass it to the VPS, so a bit like your firewall sending the traffic through to your proxy. So now that we've enabled port 8080 in our VPC, I've tried to connect to this machine in the background, because as we know from the last video you can connect and do the /windows and it'll give you the instructions for how to connect to the server. So I've pasted in my IP, I've told it I want port 8080 and I've done the /windows, but it hasn't connected. Now that's because Ubuntu is blocking us. So the traffic's being passed through the Oracle VPC, it's being routed to our virtual machine, but the virtual machine is not listening because its firewall rules are blocking it. We can test that by looking into the VM itself; we can run the following command, and here we can see we've confirmed that it doesn't accept traffic on port 8080. So let's go and fix that now, and we can do that quite simply by editing the iptables. So that's sudo and then our good old friend nano again into the following file, /etc/iptables, and then the rules. When we hit return we should see all of the rules above in there, and we do. So we need to add a new rule in here, and you can probably tell what it's going to look like, because we already have a rule in there for port 22 which is allowing me to SSH into it. So we basically need to copy and paste this rule here and just add 8080 instead of 22. So let's copy this and we'll navigate down, we'll put return for a new line, we'll right-click and paste and we'll just change this to 8080. We'll save that with a Ctrl+O, we'll exit with a Ctrl+X, and now we need to make sure that this is updated. To do that we run the following command: we want to do iptables-restore and then write the new rules to it. Now that we've added that rule, just make sure you go back to your instance on Oracle and ensure that you have a network security group added to your VPS. If you don't, the rules won't apply. But fingers crossed everything is up and running now: we've added the rule within the VPC and we've added the rule to Ubuntu, so this looks promising. We can now see that the Windows page is available, so that means that traffic is getting to Headscale on port 8080. Excellent.

We're now at the stage where we can create our users and start connecting people. So now that we have the instructions on screen for how to connect a Windows machine, why don't we go and connect a Windows machine to start with? That's dead straightforward: we simply need to download the Tailscale client. Now you'll see "tailscale login" here, and that's because we need to use the Tailscale client to log into our Headscale. Remember that these two are basically the same thing; Headscale is just an open source implementation of the Tailscale server. So head over to the Tailscale website, download the Windows client, or whichever operating system you're on, go through the installation process and then we're good to go. So I've downloaded the Windows client and I'm going to show you now how to connect your Windows machine to your Headscale server. You want to fire up the command prompt and run as administrator. When that opens up, you'll see that we've got the actual command we need here, so let's copy and paste this command. It's saying tailscale login and then we're providing the IP address of the server that we've just configured. When we paste this into our command line we should get a token, yeah, and it says to authenticate we need to visit this website, which has just opened up in the background, and we need to copy this into our server. So this is a command that we need to run on our VPS. If we go back to PuTTY now you'll see here that it says username. Now we haven't actually created a username, so let's go and create a username first. We need to do sudo headscale user create, and I'm going to call this one "desktop". We'll see now that the user's been created, and now we can get this command here; we can copy it, go back to our terminal, stick a sudo in front and paste. Now don't hit return; press the back key until you get to the username. We want to delete the username and we want to put "desktop". Now when we run this, the machine "home PC" has been registered. That's the name of my PC; even though we created a username of desktop, the actual PC is called home PC. You simply want to repeat this process for basically anything that uses the Tailscale client and is able to access the web GUI.

Another way to do this is to create what's called a pre-auth key. Now you would typically use this for something like a Linux deployment on a server, so let's go and do that now. The reason I'm doing this is because, think about what we've just done: we've created the control plane, the controller, the Headscale controller, and it's hosted on a VPS. Now I've just added my local machine that is on my local network, and it's now able to connect out to our Headscale server. But the Headscale server just controls the connections and the users and the keys etc.; it doesn't actually function as an exit node. So what does that mean? It means that we can't connect from the machine we just registered, the desktop machine, and route out, because there isn't a client installed; all we've installed is the server. So what I'm now going to do is to show you how to register a Linux client, and I'm actually going to register the server itself as an exit node, as a client. Once I've done that I'll show you both nodes are up and running and we can then start to route traffic through one another.

So heading back to our VPS, we obviously need to download the Tailscale client, so let's go and download that for Linux. We're going to head back to the Tailscale website, and this time we're going to click Linux, and we're going to copy this script here, so this will be a script installation. Back into your command line, we want to paste this and hit return. Now that that's completed, we can do the same login process as before, and as is detailed in the documentation, but I'm going to show you how to do it using a pre-authenticated key, just in case you need to do that. So we're going to register a user. Let's head back to our VPS, and we're going to do a sudo headscale users create, and then I'm going to say "linux". This time we're going to create an auth key for that user, so it's headscale --user, and we called it linux, we want to do preauthkeys create, and I'm going to not use reusable, because I want this to be single use for security, and I'm going to specify an expiration of 60 minutes. So I've got one hour to use this key, otherwise it expires. This might be quite handy if you're setting something up remotely or sharing it with somebody. So now you can see that I've got this long code here, so let's copy this, and you'll see at the bottom we can now log in using this auth key. Because we've just installed Tailscale, make sure you do the tailscale command and not headscale, so sudo tailscale up, and then the login server is going to be the IP address of this server. If we go back to our Instances tab we can copy the IP address. I think we need to put http:// and specify port 8080, and then we need to do --authkey and then we'll copy this authorization key that we created a moment ago, so that's here. Now if we paste that and hit return, that looks successful. So why don't we validate what's happened here? Let me just clear everything. If we now do a sudo headscale nodes list (now a node is everything that we just added, so the two clients), what do we get? We've got number one, which is my home PC which I added, that's my Windows machine, and we've got number two, which is our Linux machine, which just happens to be the same as our controller, so the VPS.

Now that we've got those we probably want to add one more, and in this example I'm going to add my mobile phone to this as well, so I'll walk you through that process now. Head on over to the app store and download Tailscale. Once that's downloaded you're going to want to click Open, allow notifications just so it can keep you up to date with what's going on, and the trick here, once you're presented with the opening screen, is to tap the three dots in the top right three times. When you do that, the Change Server option becomes available. Now you simply want to enter your IP address, similar to what we've done in the previous setup; remember to put the port 8080 on the end, and then you'll be presented with the login page, where you want to click Sign in with Other. That's going to give you the same page as we've seen before, where we need to copy this command and use it on our VPS. So get the code that was presented on your phone and head back into your VPS, and we're going to create a user, so sudo headscale users create, and I'm going to call this one "pixel 6 Pro". So that's created, and now I can copy in the command, which was node register, and again change that username; I'm going to change this again to pixel 6 Pro, and when I hit return it's going to add this user. So now when I do sudo headscale nodes list we can see that I've got all three devices. Now it's saying it's offline; that's just because I haven't activated it on the mobile app. In the mobile app there's a slider in the top left corner, or at least there is on Android, and you need to activate this, so I'll go and activate that now on my phone. And now let me refresh. Now that I've done that, everything's online, so I've got all three nodes online.

And now you might be thinking, great, we're off to the races, we're all up and running. No, and that's for good reason, because you wouldn't just want to be able to add things and then connect to them; you'd like to be able to control what you can do, i.e. what routing is available. So let's have a look at what routes are available. We'd run sudo headscale routes list, and there aren't any routes available. So how do we fix that? Well, for each of these clients we basically need to advertise it. What does that mean? Well, it says to all of the other clients on there, "hey, I'm available and you can route traffic through me and/or you can view some of my local resources." So I'm probably seeing some happy faces right now, because yeah, you can access services that are local to that client. Let's think of an example here. If you're currently unable to port forward directly into your network, what you can now start to do, and I'll use the example on screen: I could be on my mobile phone, and my local PC is also connected to this Headscale server. Because both devices are connected, the home PC is tunnelling out and the Pixel 6 Pro is connected to the same server where this is also connected. We can see some IP addresses here, so rather than using the IP address that would normally be on its local network, once we set up these routes (we'll get on to that in a minute) we can just use this IP address here and access that machine. And if on this machine we configure it such that local resources are available, i.e. local routing, we can basically connect to this machine through an RDP session and then we can access its network resources from that machine as though nothing was any different. Plus you could go further and set this as your exit node (we'll get on to that in a minute), so that all traffic from my phone is routed through this device and it would be able to access services that are internal only. So for example, on my network my Pi-hole is internal only, but if my Pixel 6 Pro uses my desktop computer as its exit node it can resolve piehole.jimsgarage.co.uk and access it as though it was on the local network, which is amazing. You can access services remotely without having to port forward.

Now there are two ways that you can do exit nodes: you could either specify it as an exit node when we created the first login, or if it's an existing client you can then set it to become an exit node. So in our instance we're going to use this command here, because we already have our client set up. So the most important one first, or at least the one that you might be interested in the most, is the VPS. Back into here, let me clear this for you. Let's run this command; we're saying to set this client to be an exit node. So that ran. Now if we go to the routes list you'll see that this machine (it's not a very friendly name, but it's the name of this VPS), we can see that these routes are now available, but they're not enabled yet. So I'm going to go back onto my mobile phone now, I'm going to hit the three dots, I'm going to say Run as an Exit Node, which is the same thing as here, and hopefully if we refresh this we should see my mobile phone, and voilà, we do, Pixel 6 Pro. Now back on my Windows machine, I'm going to go to the system tray, and you'll see that there's a Tailscale app there in the drop. So I'm going to right-click that and I'm going to say Exit Node, I'm going to say Run an Exit Node. It's going to give you a warning, but you can just click Yes, and now if I re-run the same command you'll see that we have all three machines up and running and available, but not yet enabled. So you might not wish to have some of your clients routable as exit nodes for security reasons; there may be ones that you just don't want to be able to route out of. But just for this example I'm doing it for all of them. So now what we need to do is change that false to a true. How do we do that? Well, thankfully all of these nodes have an ID, one to six, so it's as simple as doing sudo headscale routes enable -r (for route) and then the ID number. So the first one I'm going to do is number one, and that's going to allow me on my desktop machine and my mobile phone to use this VPS as an exit node. That's basically now become a VPN, something like NordVPN, where I can get my mobile phone or my desktop computer and I can route all traffic out of that node. So let's have a look at the routes now. We can see that this has changed to true. I'm going to do exactly the same thing for my mobile phone, so in this case it's number three, and then let's check that again. We can see that now my mobile phone is, and I don't want to do that normally for my PC, because I don't want things routing out this side, but I'm going to do it anyway just for this demonstration, so I change that to number five, and now all of those routes should be enabled.

So what does that mean? If I go down to the bottom right, I right-click and I choose an exit node, you'll see that because we've enabled these I now have three options. So I'm going to choose the exit node which is the VPS, so let me click that. That was easy, and now if I go to Google and I type "my IP", let's see what happens. However, there's always a catch with Linux, and we need to do one final thing to the routing before this will work, and that's to allow forwarding; otherwise it's going to get blocked and we're not going to be able to use it as an exit node. Handily, the commands are available on the Tailscale website and you'll find them here in this block, so I'm going to copy and paste these commands one by one into the terminal. Once that's done we should be able to select this as an exit node from our Windows machine or our mobile phone and be routed out through this VPS, thus when we go to Google and say "what's my IP" it should show the IP of the VPS. So now that's configured, let's go back to Tailscale and we'll choose a different exit node. This time let me use this VPS from my Windows machine as the exit node, and then I'll look at what my IP is. So that's now selected; let's go to Google and type in "my IP" and let's see what it says. Well, bingo, there we go: 143.47.248.169, and if we go back to our Oracle instance, bingo, we've got it; it's right there.

So let's just test that everything's working. Now I've got the ability to route my internal traffic out through Headscale on the VPS server, and remember I could have multiple clients all over the world and I could route out over any of them. Let me just check that my mobile phone is working. Remember we've now got an IP address of this which is shown here, so if I want to change it to be my mobile phone now, just remember when you're doing this on your mobile phone you need to hit the three dots and you need to say Use this as an Exit Node, and do make sure you knock yourself off the Wi-Fi, otherwise you're going to get your home network address, and we just want to test that this is picking up different external IPs. So I'm back onto 5G, and now if I click Pixel 6 Pro, just going to tweak that, and if I do a refresh we should see a new IP address, and we do, 171.8. So now you can see just how seamless and how powerful Headscale is: I can dynamically change to different clients, provided we've got the routes in place, and just connect to them.

So the last piece of the puzzle, and the bit that you're probably all here for, is how do I connect to my home PC from my mobile phone? Now traditionally you wouldn't be able to port forward, so you wouldn't be able to WireGuard in and connect, or (not that you should ever do this) you can't RDP from the web to that machine. But the answer has been staring you in the face: if you look here on this nodes list you will see the IP address that's given to my machine; it's 164.01. So given that all of these machines are on my Headscale controller, my Pixel 6 Pro can simply fire up the remote desktop application on my phone, or if this was your laptop you could simply open up Remote Desktop, and just put in this IP address here, and it would behave as though it was just on the normal local network. So let me demonstrate that on my phone, just so you can see that I'm connected to 5G, I'm connected to the Headscale server and I'm routing through the Headscale controller to my home PC, and at no point has there been a port forward involved. So opening up RDP on my Android phone, you can see I've already connected on the top, so there's the IP address that you just saw. Now if I click on that it's going to ask me to authenticate, because this is the first time I've connected from this IP and those credentials aren't saved. So put in your username and password like you normally would, hit Continue, and hopefully this will work. This looks positive, so let's accept and connect, and voilà, who's that ugly beast? And there you have it: you saw my lovely face waving at you, which demonstrates that I was connected to my machine through RDP through Headscale. There was not a port forward in sight.

So thanks for staying with me on this video; there was a ton of preparation to get through it, so please do like, comment and subscribe. Now obviously I've only just scratched the surface of what Headscale can do, and there's a ton more fancy routing etc. that you can do to implement more security, more granular rules, and create things like an access control list that will mean that you can prescriptively allow certain users to do certain things. But hopefully with this video you'll be able to connect all the clients that you care about, and you'll be able to quite simply use them as exit nodes or access others on your network as though they're on your LAN. So hopefully now you've got no problems with accessing your local network whilst you're out and about, and this is all open source, self-hosted on your own VPS, and it won't cost you a penny. Let me know how you get on. Thanks for watching, I'll catch you on the next one. Take care everybody.
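The two config.yaml edits the video makes by hand in nano (server_url pointed at the VPS's public IP on port 8080, listen_addr moved from loopback to all interfaces), as an added POSIX shell example that is not the video's or the Headscale project's own code. The config excerpt inside is constructed to mirror only the server_url, listen_addr and metrics_listen_addr keys of the stock file; the address 203.0.113.10 is a documentation placeholder, not the video's VPS. The check function fails while listen_addr is still 127.0.0.1:8080, the default that only accepts connections from the VM itself, and also confirms the metrics listener was left on loopback, so that a sed pattern that matched too broadly would be caught.

```sh
#!/bin/sh
# Added example (not the video's or Headscale's own code): apply the two
# config.yaml edits from the tutorial with sed and verify them.
set -eu

# Constructed excerpt of /etc/headscale/config.yaml. The key names and the
# "For production" comment mirror the stock file; everything else is trimmed.
SAMPLE_CONFIG='# The url clients will connect to.
server_url: http://127.0.0.1:8080

# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: 127.0.0.1:8080

# Address to listen to /metrics (left alone: keep it local)
metrics_listen_addr: 127.0.0.1:9090
'

# configure_headscale FILE PUBLIC_IP
#   server_url  -> http://PUBLIC_IP:8080  (what every Tailscale client is pointed at)
#   listen_addr -> 0.0.0.0:8080           (all interfaces, as the file's own comment says)
configure_headscale() {
  file=$1
  ip=$2
  # sed -i differs between GNU and BSD sed, so go through a temp file instead.
  sed -e "s|^server_url: .*|server_url: http://$ip:8080|" \
      -e "s|^listen_addr: .*|listen_addr: 0.0.0.0:8080|" \
      "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# check_headscale_config FILE PUBLIC_IP
#   Returns 0 only when server_url names the public IP, listen_addr is on all
#   interfaces, and the metrics listener is still loopback-only.
check_headscale_config() {
  file=$1
  ip=$2
  grep -q "^server_url: http://$ip:8080\$" "$file" || return 1
  grep -q '^listen_addr: 0\.0\.0\.0:8080$' "$file" || return 1
  grep -q '^metrics_listen_addr: 127\.0\.0\.1:9090$' "$file" || return 1
  return 0
}

# Stand-alone demo on a temporary copy:  sh headscale-config.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_CONFIG" > "$tmp"
  check_headscale_config "$tmp" 203.0.113.10 && echo "before: unexpectedly OK" || echo "before: not yet configured"
  configure_headscale "$tmp" 203.0.113.10
  check_headscale_config "$tmp" 203.0.113.10 && echo "after: config OK"
  grep -E '^(server_url|listen_addr):' "$tmp"
  rm -f "$tmp"
fi
```

On the real VPS the same two functions would be run with sudo against /etc/headscale/config.yaml (the path the video opens) before `sudo systemctl start headscale`; the check is cheap enough to keep as a post-edit sanity step.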
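The Ubuntu-side steps from the video (the iptables rule cloned from the port-22 one so Headscale is reachable on 8080, and the forwarding sysctls that Tailscale's exit-node instructions supply) as an added shell example that is not the video's own code. Its functions take a file path, so they can be tried on a scratch copy and checked before being applied to the real files; the paths /etc/iptables/rules.v4 and /etc/sysctl.d/99-tailscale.conf are assumptions (the video only shows "/etc/iptables ... the rules"). The sample rules file is constructed to resemble the one edited on screen, and the point the functions enforce is the one a hand edit can get wrong: the new ACCEPT has to land above the INPUT chain's catch-all REJECT, otherwise it is never evaluated and the Windows page still fails to load.

```sh
#!/bin/sh
# Added example (not from the video): the Ubuntu-side firewall and forwarding
# edits as idempotent functions that take a file path, so they can be tried on
# a scratch copy before touching the real files.
set -eu

# Constructed rules file resembling the one the video edits (assumed path on
# the VPS: /etc/iptables/rules.v4). The INPUT chain ends in a catch-all REJECT,
# which is why the position of the new rule matters.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'

# port_allowed FILE PORT: 0 if an ACCEPT for tcp/PORT appears in INPUT before
# the catch-all REJECT; anything after that line is never reached.
port_allowed() {
  awk -v p="$2" '
    /^-A INPUT / && /-j REJECT/ { reject = 1 }
    !reject && /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i + 1) == p) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# allow_port FILE PORT: add a rule shaped like the port-22 one, placed directly
# after it (or, if there is no SSH rule, just above the REJECT / COMMIT line).
allow_port() {
  file=$1
  port=$2
  port_allowed "$file" "$port" && return 0          # already effective: no duplicate
  rule="-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT"
  awk -v r="$rule" '
    !done && /^-A INPUT / && /-j REJECT/ { print r; done = 1 }
    !done && /^COMMIT/                   { print r; done = 1 }
    { print }
    !done && /^-A INPUT / && /--dport 22 / && /-j ACCEPT/ { print r; done = 1 }
  ' "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# enable_forwarding DIR: the two sysctls from Tailscale's exit-node docs,
# written once each to DIR/99-tailscale.conf (assumed DIR on the VPS: /etc/sysctl.d).
enable_forwarding() {
  conf="$1/99-tailscale.conf"
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    grep -qs "^$key = 1\$" "$conf" || echo "$key = 1" >> "$conf"
  done
}

# forwarding_enabled DIR: 0 when both forwarding keys are present.
forwarding_enabled() {
  conf="$1/99-tailscale.conf"
  grep -qs '^net.ipv4.ip_forward = 1$' "$conf" &&
    grep -qs '^net.ipv6.conf.all.forwarding = 1$' "$conf"
}

# apply_on_vps: load the edited files into the running kernel (root, real host only;
# this is the iptables-restore step the video runs after saving in nano).
apply_on_vps() {
  iptables-restore < /etc/iptables/rules.v4
  sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Stand-alone demo on a scratch directory:  sh vps-firewall.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf '%s' "$SAMPLE_RULES" > "$d/rules.v4"
  allow_port "$d/rules.v4" 8080
  enable_forwarding "$d"
  cat "$d/rules.v4" "$d/99-tailscale.conf"
  rm -rf "$d"
fi
```

Running `allow_port` twice leaves a single 8080 rule, and `port_allowed` reports a rule that sits below the REJECT as not allowed, which is the same answer the kernel would give. The Oracle network security group still has to permit 8080 as well; these functions only cover the half of the problem that lives inside the VM.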
Info
Channel: Jim's Garage
Views: 24,176
Keywords: tailscale, tailscale setup, tailscale how to, headscale, headscale set up, guide, linux, wireguard, proxmox, docker, android, vpn, vpn how to, vpn guide, how to setup a vpn, create a vpn, what is a vpn, oracle VPS, oracle free VPS, VPN without port forwarding, port forward, CG NAT, NAT, oracle free tier, tailscale without port forward, RDP, remote desktop VPN, create VPN without port forward, headscale tutorial, headscale guide, tailscale guide
Id: u_6Zd7Bo6J4
Length: 37min 10sec (2230 seconds)
Published: Thu Sep 07 2023