Tailscale Part 3 - How I run my Home Network
I've written quite a bit about Tailscale and its features. In this post, I'll be covering how I've used the technology in my home setup to give me a simple configuration with minimal exposure to the internet.
What was I trying to achieve?
When working on this solution for my home network there were a few things I was looking to make happen; however, the primary driver was simplicity.
Simple things are easier to troubleshoot and break less often.
However, I was also looking to make sure a few other things were in place as well:
Be able to access all my home services from the internet while travelling.
Keep the number of additional routers, networks and routes to a minimum.
Be able to access services on the internet through my own home network.
Be able to print at home.
It was important to me that while in the car on 4G, or in an AirBnB, I had the full ability to connect to any of the above servers or interfaces, or anything else on my network, quickly and simply.
What does Tailscale do in my setup?
I have two locations with services I might want to access: my home and DigitalOcean (DO). This could be accessing a web interface, SSH or something on a TCP port.
If I wanted to take a traditional route to join these two networks I'd be looking at creating some static routing (probably on pfSense) or a VPN tunnel between the two sites, rather than accessing things like SSH over the public IP address of the DO server.
This can become quite complex, and there are plenty of forums full of people using or trying to use different ways of doing the above.
When I create a Tailscale account I create a tailnet, which is effectively a virtual network to which I can connect devices.
I connect devices to my tailnet by installing the Tailscale client.
By installing the Tailscale client on the servers at home and the servers at DO, I have connected all the devices to the same network (the same bit of string), and by doing so I've removed the need for any additional equipment.
Every device on the tailnet can talk to every other device on the tailnet as well.
The "virtual" network which has been set up provides each device running the Tailscale client with an IP on the 188.8.131.52/8 subnet. These are DHCP addresses with very long leases.
Each IP address you are provided on the 184.108.40.206 network by Tailscale is locked to your tailnet, so you can't communicate with devices on other people's tailnets. The addresses are, however, assigned randomly rather than from a contiguous block.
Part of the reason the IP address can't talk to clients off the tailnet is that each Tailscale client also has PKI set up on it: a public and private keypair linked to my tailnet. Any communication attempted with other IPs would fail based on Tailscale's routing and the PKI security on the endpoints.
There is another system which makes use of public and private keys, SSH, and in a more traditional solution I'd need to set up a keypair and distribute it across all my servers to provide access to them.
Tailscale, using the command
tailscale up --ssh
sets up SSH using the existing Tailscale SSL keys on all the devices with the Tailscale client installed on them.
I can also centrally control SSH access using the Tailscale admin portal, within the SSH section, and determine which machines must, for example, always authenticate their login and which can operate with passwordless access for certain local accounts.
This is useful for SSH admin access with higher privileges and SSH Ansible access, for example.
In the diagram above the server named dev.net is also configured as a subnet router.
What does this do for the setup?
Let's take a scenario where I'm travelling in the US and I'm connected to a hotel network.
With Tailscale enabled on my laptop, I'm able to connect to the tailnet and connect via SSH to the three servers running Tailscale in the UK.
I also connect to the hotel internet in the US with a public, US-geolocated IP address.
While Tailscale's client joins the servers it's installed on to the tailnet, there will always be devices on a network which I can't install Tailscale on.
NAS boxes, routers, strange black boxes which do random things...
Setting up a node on the home network which runs Tailscale and is also a subnet router means that node can speak to BOTH the tailnet AND my home network, so it's able to see traffic on the local hotel network in the US and the US internet, and 192.168.20.0/24 on the UK network.
This node will also let all the other nodes on the tailnet know that if they need to speak to the 192.168.20.0 network they should send that traffic to it, and it will deal with it.
From a usability point of view, this means again that every machine has the ability to speak to my home network, even from the DO network (remember the tailnet is a flat network).
In this example, I could via Tailscale open https://192.168.20.1:8443, which could be the web frontend of my router, or print to my printer on 192.168.20.222.
Following this example, I'm sitting in my hotel room and, to borrow the darling advertiser example of the YouTube people, I'm looking to carry on watching a show I want on Netflix, or I need to transfer some money from my bank.
Netflix doesn't have the show, or my bank says for security reasons I can't access my account from a US IP address.
This is where the exit node is added.
I can add exit node functionality to any of the systems on my tailnet. On my laptop in the US I let the Tailscale client know I need to use an exit node.
I select my exit node, and at that point my public IP is 220.127.116.11 in the UK.
My Netflix account is able to see that show, as it thinks I'm accessing the internet from the UK, and my bank is happy.
This is also useful if you're using the laptop on public wifi, like in a coffee shop.
💡 In my situation I have Tailscale enabled as an always-on VPN on my phone, connected to an exit node at home. So all my internet traffic is routed via home while I'm on 4/5G. (More on that later.)
Logically, with exit nodes it's possible to have multiple exit nodes running across the tailnet in different global locations (or for failover).
Tailscale setup recap
Set up Tailscale in multiple locations.
Tailscale provides a separate virtual IP network which spans these locations.
The traffic over the tailnet is fully encrypted.
Add a subnet router to gain access to devices on the local LAN which cannot run Tailscale.
Add an exit node to push traffic out of a specific network for security or geolocation.
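The subnet router and exit node steps above, as an added example that is not from the original post: it prepares a Linux node on the home LAN and then points a travelling laptop at it. It assumes the post's 192.168.20.0/24 home subnet; the exit node hostname "dev-net" is a hypothetical value, and the script prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post: prepare a Linux node on the home
# LAN as a Tailscale subnet router and exit node, then point a travelling laptop
# at it. Assumes the post's home subnet 192.168.20.0/24; the exit node's
# tailnet hostname "dev-net" is a hypothetical value.
set -eu

HOME_LAN="192.168.20.0/24"
EXIT_NODE="dev-net"        # hypothetical tailnet hostname of the home node
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands instead of executing them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a dotted-quad IPv4 CIDR before it reaches tailscale.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Home side: the kernel must forward packets between tailscale0 and the LAN,
# otherwise the route is advertised but nothing behind it is reachable.
setup_subnet_router() {
    valid_cidr "$1" || { echo "refusing to advertise invalid CIDR: $1" >&2; return 1; }
    run sudo sysctl -w net.ipv4.ip_forward=1
    run sudo sysctl -w net.ipv6.conf.all.forwarding=1
    # Advertise the LAN, offer exit-node service and enable Tailscale SSH in one call.
    run sudo tailscale up --advertise-routes="$1" --advertise-exit-node --ssh
}

# Travelling side: accept the advertised 192.168.20.0/24 route and send all
# internet traffic out through the home node; --exit-node-allow-lan-access keeps
# the hotel's own LAN (its printer, the Chromecast) reachable at the same time.
use_home_exit_node() {
    run sudo tailscale up --accept-routes --exit-node="$1" --exit-node-allow-lan-access
}

setup_subnet_router "$HOME_LAN"
use_home_exit_node "$EXIT_NODE"
```

Advertised routes and exit nodes still have to be approved in the Tailscale admin console before other nodes will use them; run with DRY_RUN=0 on the real node to execute the commands.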
What else do I use Tailscale for?
There are a few other areas where, having Tailscale in place, I can then make use of it to make my life easier.
How does NextDNS help?
NextDNS is basically a SaaS version of a Pi-hole server (it's more than that; this is a high-level explanation) which integrates as a global DNS server for the tailnet.
When I connect to Tailscale, Tailscale will start using NextDNS as its DNS server, so within NextDNS I can set up local DNS entries (rewrites) for all of the servers/services I'm running across my tailnet (and the subnets behind subnet routers).
Coupled with the additional internet safeguards for spoofing etc., this provides another level of security while I'm attached to the Tailscale network.
No Public services
As I'm able to access the servers across my multi-location tailnet, and I've got my DNS set up pointing DNS names to the Tailscale IPs, for those services I might have wanted to access from the internet I can forgo the need for a reverse proxy and have my method of access to the servers be via Tailscale:
Connect to the tailscale network
I'm provided with tailscale access
As I have always-on VPN enabled on my phone and ChromeOS devices, these services feel like I'm accessing them over the internet; however, only people with access to my Tailscale network can see them.
Also, services running in Docker containers don't need Tailscale running in Docker, as I've used subnet router access to connect to them.
Historically I've used JumpCloud to provide SSH access to my servers via service and user accounts. I have a central Ansible box running a whole bunch of jobs out of GitLab pipelines.
Now I have an Ansible script which sets up each new server I spin up and creates a user called davidfield and a service account called davidservice.
💡 Not my real ssh logins
Within the access control list for Tailscale, I have set up davidfield, the more general account, to require Tailscale authentication when I SSH in, and davidservice not to, as it's a locked-down account.
Both of these accounts use the local Tailscale PKI files to have passwordless access.
💡 I guess I could still use JumpCloud to provide central management for the users.
Why the backup VPN?
You may have noticed the WireGuard VPN, which acts as a break-glass option. It's also there because, although my travel router supports Tailscale, it's not fully working at the time of writing, so I have a locked-down WireGuard setup to allow access only to my travel router so I can run my Chromecast devices in AirBnBs.
Is this secure?
On its own, it's a layer of security: a consistent, simple setup with few breakable moving parts. Added as one of many layers (firewalls, user management etc.) it all helps to improve your security.
I love three things about this product
I stumbled across it and have grown with it; in the early days I had people who worked there reach out, and there is a great, active Reddit community of people who actually want to help.
Compared to traditional networking, especially across sites, Tailscale is low maintenance: it's simple to set up and keep running, with no need to spin up and maintain any additional servers in an infrastructure.
Features are continually being added to the product and tested, including recently revisiting the licensing model to help home network enthusiasts add more devices. Smart move, as many of us work in tech too.
This has made travelling easier and given me more options, and I'm happy to be paying for it. It's one of the few products where I find people actively asking how they can throw some money at Tailscale to keep the product alive.
I've put together a post building on this post, which explains how I'm now doing Certificate management within my Tailnet to provide https:// endpoints.