Self Host Tailscale with Headscale - How To Setup

Captions
Hey guys, and welcome back. Today we're talking about Headscale, but before we get into that I'm going to talk to you about its bigger brother, Tailscale. I'm going to tell you about how the two are intrinsically linked, I'm going to tell you how it includes WireGuard, which we've touched on in previous videos, we're going to talk a little bit about what's actually going on with Headscale and why you might want to use it, and then I'm going to get into the config and we're going to go ahead and deploy this on our own home lab.

So you're all probably familiar with Tailscale now. Tailscale allows you to set up a VPN and create a mesh VPN network. Now this is different to your traditional hub and spoke model like we did in my previous WireGuard video, where we set up a WireGuard server on our home lab and that allowed us to connect individual clients to that server and have access locally. Now Headscale and Tailscale (and I'll get onto that link in a moment) allow you to effectively create multiple VPN breakout points on your network, so every device you add into the Headscale mesh can actually also be a breakout. So let's say you have two people, a friend in their house: if you want to share their network and your network together you can do that in Headscale. They may have services that they want you to have access to, and vice versa, that will allow them to access your services, and that'll all be routed through WireGuard over a VPN.

So just rewinding: what's Headscale, what's Tailscale? Well, Headscale is simply an open source implementation of Tailscale. Now Tailscale is great, lots of people use it, but there's one fundamental issue potentially with being able to fully trust it, and that is that the traffic is routed through Tailscale's network. Now Headscale fixes that by actually deploying the server, i.e. the bit that is hosted by Tailscale, on your own infrastructure, so you don't have any dependency on Tailscale. They are not seeing any of the traffic that's routed to your network, and the great thing is, because it's using the same protocol, we can actually use the Tailscale app that's on many different distributions of operating systems and mobile phones, and we can access our home server using it. This makes it not only secure and private but also familiar to use, with readily available tooling.

Now this video has taken a while to set up because some of the documentation is a bit lacking in areas, but I've persevered and I've got the config files for you, and hopefully this will work on your end as well.

So in a high level overview, without getting into too many of the technicalities and trying to use some analogies that make it simple to understand, there's a few key processes that we need to do in order to set up and get working with Headscale. The first is we need that server, so that's the bit that traditionally would be hosted on Tailscale's end, and that's what we're looking to deploy here so we can remove that dependency on a third party. Now we're going to be deploying this in Docker, but there are binaries available for both Windows and Linux, so you can choose an operating system that suits your needs. Now this server is basically the brains of the operation and it's where all of your clients (again, those can be a mobile device, those can be a laptop, a computer, whatever you want) connect; those connect to this server and are then registered on the server. So what you need to do is configure the server, and it will be routed over HTTPS. You can then connect to that server with a client and it's going to give you a registration number. Now you need to have access to your server to be able to register that device. Now that's obviously good, because you only want to give access to people that need it. Once you've registered the device it's then recognized by the server, and you can complete this process for all of your devices or all of the people that you want to give access to. Once those are established there's a further step, so you can add these to namespaces, which group those devices into handy groups, and so you can set explicit rules based upon groups. And as I've just alluded to, you then set up routes within Headscale, so you can specify which routes you want active, i.e. which of the nodes, and as I mentioned earlier, each of the nodes within this mesh can be used as an exit point. So some of those devices you might want to allow other devices to have access to their local networks, or you might not want to do that; maybe it's a device on a secure network and you don't want to share that access. Oh, and whilst we're going to be doing all of this through the command line interface, there is also a handy UI that's been developed, and you might want to start off going down that route, so I'm going to include those configs as well.

So for this video I'm going to show you how to set up the Headscale server, I'm going to show you how to connect a mobile Android client (it should be the same for iOS), and finally I'm going to show you how to deploy another client within Docker, and that will give us access between both the external mobile phone and the internal Docker client, and both of those should be able to access their respective networks.

So if we head over to my GitHub page, I've included the configs that you're going to need to spin this up, and these are tailored to some of the setups that I've been doing in my video series, but it should only require some minor tweaks to get it up on your system. Plus I'm going to reference the official documentation down in the description below. So looking on GitHub we've got the Tailscale client; we're going to need that later on when we try and connect one of our Linux machines to our server. We've got the Docker Compose file that sits behind a reverse proxy so that you can use HTTPS with a valid certificate, and I've got the Docker Compose file here just for sort of a debug setup where we're going to make sure that we have everything deployed, but it won't be using a valid certificate.

So jumping into the basic one first, we can see that it's quite straightforward to set up. We need to give it a couple of volumes: the first one is where we're going to store the config file, and the config file we'll be obtaining from the official GitHub repo; the second one is where it's going to store the keys but also its own database, and we'll create that database in a moment. Now before you get too scared, it's easy, we're just creating a SQLite file, which is a single command; we don't need to deploy any more containers. We're going to specify some ports, so 8080 is the default port that it's going to listen on and 1990 is used for metrics. Now make sure you change those in case you've got any port conflicts. The other important part here is the command; now this needs to be here to make sure that the Headscale container is set up to serve as a server. The final container here is the web UI. Now I'm not going to go into detail on that in this video, but it should be pretty straightforward to get that up and running, and I've included the details in the description below, so go ahead and look at that. As I said, this video we're going to focus purely on the command line interface, because it's important to understand exactly what the commands are and how this works, because after all this is a hole into your network.

If we quickly look at the Traefik configuration, that's basically the same, just with those Traefik labels. Now when you're setting this up, one of the key things to bear in mind is that you may get CORS issues. Now these are cross-origin issues, so when you're trying to access one domain from another domain it throws a security message, so when you deploy this you want to make sure that both are using the same subdomain, otherwise you're going to have to put some CORS headers in your Traefik file. I don't have time to get into that in this video, but I'll leave a link in the description below. So let's go and jump into deployment now.

OK, so I've gone and created my Docker Compose folders, I put the respective compose files into those folders, and now we need to create a few folders where we're going to mount this container before we deploy it. So to do that let's have a quick look at the official instructions and see what we need to do first. So we need to create a couple of folders and we also need to create a blank database file, so let's go ahead and do that following the structure that's outlined on the instructions. So I've now created the two folders that we need; you can do that through the command line or just use WinSCP. Next we need to create our blank database file. Now as I said, that's really straightforward: we simply need to type touch db.sqlite, and that will create a blank file with that name. So we can run that command and then validate it within WinSCP, and we can see that the file is there. The last thing we need to do before we can run this is to actually clone the config file and tweak it for our setup. Now I simply headed over to the GitHub page and copy and pasted these, but you can run a wget command if you want. Thankfully, within the config file there isn't too much that we need to change, because, as I'm doing, I put this behind a reverse proxy, so all of the TLS settings I can just leave blank, which is the default. If you're wanting to expose this directly there are separate instructions for how to create certificates within this application itself; you can find those in the official documentation, but it's pretty straightforward, especially if you've seen my Traefik video before. So for my setup I simply need to change the server URL and the listen address. So I've just changed my server URL address to be my domain with a headscale subdomain; now it doesn't need a port, it's going to run on 443, which is great. And the other change I've made is that the listen address I've changed it to 0.0.0.0; that means, because it's in a Docker container, it's going to listen on all interfaces, and that should be all you need to change to run this behind an external proxy.

So to fire this up we're simply going to deploy it as we have all of our other containers: let's navigate to where the docker compose file is and do a sudo docker compose up -d. So now that that's deployed we can go and validate that using Portainer or just executing the logs, whichever you find easier. I like Portainer, it makes life simple. So looking in Portainer the containers are up and running, that's good news. Let's hop into the logs to see what's happening in Headscale. You can see that the first time I've run this there weren't any private keys, so it's gone and generated them, and those are the keys that it will use to encrypt that traffic on your Headscale mesh network. You can see that it's listening on the ports that I specified and there aren't any error messages, other than the TLS message, but we don't need to worry about that because my proxy is going to be terminating those SSL connections. So if everything's working we should be able to hit the URL you specified for Headscale with /windows at the end. Now if you just hit the default URL, i.e. headscale.jimsgarage.co.uk, it won't display anything, and that's expected behavior; it's not designed to show anything on that page, it's just designed to be reachable. If you actually go to your URL /windows it's going to give you some instructions to show you how to connect a Windows client. Now that might not be useful, but at least it shows that it's up and running. So if I go to the URL that I specified in the config file and do the /windows and hit return, you can see that we're greeted with that page that I mentioned, which gives you all the instructions you need to then go and connect a client. You can also see that I've set up the Headscale UI, and we could go in there and configure Headscale through here if we wanted. I'm not going to do that, I'm going back into the CLI.

So if we jump into the command line on the Headscale container, let's just check a few things. What we're going to check is what routes are available and what nodes are available, so they should be zero because we haven't configured any. Now that's as simple as doing headscale nodes list; there aren't any nodes. And we can do headscale routes list, and again that should be blank, because we don't have any nodes, therefore we don't have any routes. So let's go and solve that. The first thing we're going to do is deploy this on our mobile phone, because I imagine most of you want to do that, but the same process applies for desktops, laptops, VMs, whatever you're running. So head on over to the Android app store or iOS and download the Tailscale client. Now when you fire up the app you're going to make a few changes. So typically it's going to ask you to sign in with Google or another; now we don't need to do that, obviously, because we're not using Tailscale's infrastructure. Instead you need to tap the three dots three times, and when you do that, on the fourth tap it's going to ask you to change server. Now this is the bit where you can specify the URL that you put in your config file, so for me it's https://headscale.jimsgarage.co.uk. Now if this goes well it should come up with a message and a code, and once you've hit "sign in with other" you're going to be presented with a machine registration page. Now we need to get this code and register it within our machine, so take a copy of this and head on back over to your Docker container. So one thing you want to do first is to create a user. So this is the user for my phone, so I've just called that android; I've gone ahead and created it. Now we can paste in the key in the command that was given to us in the Tailscale Android app. So here you can see I've specified the user as being android and I've pasted that key, so let's go and hit return. Now it's saying machine Pixel 6 Pro has been registered, excellent. Let's hop back to the phone and just validate that.

So now back on my phone we should be able to exit out of this page, and then we can see in the app we now have my Pixel 6 Pro and it's saying that it's active, so that's great, it's showing that it's working. So if we actually touch the three dots we can run this as an exit node, so that means that other devices on the network can access this machine and can actually exit and connect to things on this network. Now as this is a mobile phone that's not really going to work, but if it was another machine, for example on a different network, it would give you access to all of those services around that computer. So let's go ahead now and deploy the Tailscale Docker container, which will allow us to add another node to our network. This will then allow our Pixel 6 Pro to connect to that machine, and because that's in my home lab I can then access services on my network, like my Pi-hole for example, and it's going to behave exactly like the WireGuard VPN we set up in a previous video.

So to begin to deploy our Docker container running Tailscale and add this as another client, we need to add the user first; I've just called this one docker. Now we've got that user created, we can generate an authorization key, and we'll pass this authorization key to our Docker Compose file, and when that spins up it will do the automatic registration, much like we just did with the Android app, although it's going to be automated. So this command here is going to create a pre-authorization key for my user docker we've just created, and it's going to set an expiration for one hour; that means you've got an hour to spin up your container. So there's the key. We want to take this key, copy it, and then we're going to put this inside our Docker Compose file for our Tailscale. I showed this earlier, so in this part here just paste that key. We'll just have a quick look at what this is actually doing first, because there's some extra arguments in there that are important, but they're pretty straightforward. We want to specify the server; again, this is the same one that we just used for our Android app. We want to advertise this as an exit node, so that means other devices on the mesh network can exit and access items, access networks within that network. We want to advertise this route, so i.e. yes, it can use this as an exit node, but it can only use these IP addresses. Now that's most of my home network, or at least the critical services I run, and it's going to accept DNS. So let's go ahead and run this.

So great, that container started. Let's hop back into Portainer and just double check what's going on in there, and in the Tailscale logs that looks good. Let's head over to the Headscale ones; ignore those failed authentications, I made a typo before I made this video, but as you can see here now "client sent endpoint update", we're OK. Let's go and validate that now in the command line interface. So now we can see that we've got two nodes: we've got my mobile phone and we've got the Docker machine we've just registered, brilliant. We can also now see the routes, so we can see that both of those have routes available, but none of them are enabled yet, so that means whilst they can see it, it can't send traffic over it. So let's go ahead and enable that with the following command. So now if we check again we can see that on my mobile phone those routes are enabled, so other devices can now reach and go out through my mobile phone. Let's do the same for the Docker container. And if we head back to my mobile phone we can see the container that we just added; it's docker.docker.example.com on here, but you can call it whatever you want. Now the key thing is we can click on that, you can copy its address etc. We can also hit the menu on the phone and we can say where we want to exit from, so we could say we want to allow LAN access, we could say none, or I could choose to now route out from that Docker container, which is great if I want to change my IP address, i.e. my internet IP address, so I could route out from my home network and have the protection of my firewall and all the other features that I've got on there, as well as using all my services like Pi-hole, like Plex, things like that.

So I've gone ahead and selected to use the docker as my exit node. This should now let me use my internal services, so let's go and validate that. So if I open up a new tab and I go to Pi-hole, and there we go, I have access to my Pi-hole, which isn't available externally to the internet, so we know that it's working. That's great, and there we go, it's working as intended. We now have Headscale set up and configured with multiple clients; we're able to define specific rules, we're able to specify which exit node we want, and so you can go and add as many clients as you want, share these with your friends, family etc., or if you're in the enterprise space then it's pretty clear how cool this technology is: if you had multiple sites you could use this to route those sites, define what access controls you want them to have, as well as lots of other possibilities. So now, instead of just having your single hub and spoke model like we did in the previous WireGuard video, you now are able to set up groups, route traffic where you want, and arguably you're able to share this more easily. I know for a fact I'm probably going to be using this for remote IT support with my family; I'll probably get a Raspberry Pi or something like that, stick it in their network, and it's going to give me access to their machines pretty easily. So thanks for watching. This video took a long time to figure out, thanks to some of the documentation. Hope you enjoyed it, please like, subscribe and put a comment down below. Take care.
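The two containers the transcript walks through, written out as an added Docker Compose example; this is not a file from the Jim's Garage GitHub repo, the domain headscale.example.com, the 192.168.1.0/24 subnet and the pre-auth key are placeholders, and the headscale CLI lines in the trailing comments follow the registration order described above (flag names are version-dependent and assumed from the video era).

```yaml
# Added example: Headscale control server plus one Tailscale client node,
# mirroring the debug (no reverse proxy) layout described in the video.
# Placeholders: headscale.example.com, 192.168.1.0/24, REPLACE_WITH_PREAUTH_KEY.
services:
  headscale:
    image: headscale/headscale:latest
    container_name: headscale
    restart: unless-stopped
    volumes:
      - ./config:/etc/headscale     # config.yaml from the official repo; only
                                    # server_url and listen_addr (0.0.0.0:8080) changed
      - ./data:/var/lib/headscale   # generated keys plus the empty db.sqlite you touched
    ports:
      - "8080:8080"   # control-plane listener; terminate HTTPS in a proxy in front of it
      - "9090:9090"   # metrics listener (Headscale's default is 9090); change on conflicts
    command: headscale serve   # without this the container does not act as a server

  # Client node registered with a pre-auth key; also advertises itself as an exit node.
  tailscale-docker:
    image: tailscale/tailscale:latest
    container_name: tailscale-docker
    hostname: docker            # becomes the node name, e.g. docker.docker.example.com
    restart: unless-stopped
    environment:
      - TS_AUTHKEY=REPLACE_WITH_PREAUTH_KEY   # one-hour key created on the server below
      - TS_STATE_DIR=/var/lib/tailscale
      # Same flags the transcript lists: control server URL, exit node,
      # a restricted subnet to advertise, and accept the mesh DNS settings.
      - TS_EXTRA_ARGS=--login-server=https://headscale.example.com --advertise-exit-node --advertise-routes=192.168.1.0/24 --accept-dns=true
    volumes:
      - ./tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1   # needed so the container can forward traffic as an exit node

# Registration steps run inside the headscale container, in the order used in the video:
#   docker exec headscale headscale nodes list                      # empty before any client
#   docker exec headscale headscale users create android
#   docker exec headscale headscale nodes register --user android --key <key shown by the phone app>
#   docker exec headscale headscale users create docker
#   docker exec headscale headscale preauthkeys create --user docker --expiration 1h
#   docker exec headscale headscale routes list                     # advertised but not yet enabled
#   docker exec headscale headscale routes enable -r <route id>     # enable each route explicitly
```

Routes stay disabled until enabled per node, so a client advertising a subnet or exit node gets no traffic through it until the server operator approves that specific route.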
Info
Channel: Jim's Garage
Views: 23,641
Keywords: tailscale, tailscale setup, tailscale how to, headscale, headscale set up, guide, linux, wireguard, proxmox, docker, android, vpn, vpn how to, vpn guide, how to setup a vpn, create a vpn, what is a vpn
Id: OECp6Pj2ihg
Length: 21min 50sec (1310 seconds)
Published: Sun Jul 16 2023