From 44920ae2e9b6b3bb33d2ccac78f8abfb8371d2a3 Mon Sep 17 00:00:00 2001 From: Andy Pack Date: Wed, 3 Jul 2024 09:04:18 +0100 Subject: [PATCH 1/3] adding template post --- content/posts/tailscale/index.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 content/posts/tailscale/index.md diff --git a/content/posts/tailscale/index.md b/content/posts/tailscale/index.md new file mode 100644 index 0000000..b6d253a --- /dev/null +++ b/content/posts/tailscale/index.md @@ -0,0 +1,19 @@ +--- +title: "Going all in on Tailscale" +date: 2024-07-02T08:26:40+00:00 +--- + +I've been fiddling with Tailscale for a while. It has always seemed like a really interesting piece of tech but there have been a few things that have held me back from going all in. + +For context, Tailscale is a VPN platform built on top of Wireguard that builds a flat, programmable network. It has some helpful features to help keep clients connected in ways that Wireguard wont, by default. This helps with clients that are behind complex NATs. + +I've been running my own Wireguard tunnels for home access since before Tailscale came out and was always pretty impressed with what Wireguard represents over the alternatives. I ran an OpenVPN tunnel a long time ago and, to be honest, it was comparatively crap. Wireguard being just a key pair is so simple and the performance is basically native. + +This meant that my remote access solution was heavily centered on my Pfsense router for both Wireguard tunnel hosting and all of the routing rules. + +# Sharing + +# Containers + +# CI/CD + From 223ac1acbf5e5ae5020f5f1cc7d6c261a0147ebd Mon Sep 17 00:00:00 2001 From: Andy Pack Date: Mon, 8 Jul 2024 22:30:03 +0100 Subject: [PATCH 2/3] first draft --- content/posts/tailscale/index.md | 64 ++++++++++++++++++++++++++++++-- 1 file changed, 61 insertions(+), 3 deletions(-) diff --git a/content/posts/tailscale/index.md b/content/posts/tailscale/index.md index b6d253a..ff4f0b3 100644 --- a/content/posts/tailscale/index.md +++ b/content/posts/tailscale/index.md @@ -3,17 +3,75 @@ title: "Going all in on Tailscale" date: 2024-07-02T08:26:40+00:00 --- -I've been fiddling with Tailscale for a while. It has always seemed like a really interesting piece of tech but there have been a few things that have held me back from going all in. +I've been fiddling with Tailscale for a while. It has always seemed like a really cool piece of tech but there have been a few things that have held me back from going all in. -For context, Tailscale is a VPN platform built on top of Wireguard that builds a flat, programmable network. It has some helpful features to help keep clients connected in ways that Wireguard wont, by default. This helps with clients that are behind complex NATs. +For context, Tailscale is a VPN platform built on top of Wireguard that builds a flat, programmable network. It has some helpful features to help keep clients connected in ways Wireguard won't, by default. This helps with clients that are behind complex NATs. I've been running my own Wireguard tunnels for home access since before Tailscale came out and was always pretty impressed with what Wireguard represents over the alternatives. I ran an OpenVPN tunnel a long time ago and, to be honest, it was comparatively crap. Wireguard being just a key pair is so simple and the performance is basically native. -This meant that my remote access solution was heavily centered on my Pfsense router for both Wireguard tunnel hosting and all of the routing rules. +This meant that my remote access solution was heavily centred on my Pfsense router for both Wireguard tunnel hosting and all of the routing rules. These routing rules allowed me to build my reverse VPN solution and include any forward VPN connections. + +_Here, I am using reverse and forward in the way that it is used when talking about Proxies, which isn't a way I have heard VPNs described before but should make describing it easier. Here, a **reverse** VPN is for accessing protected resources, in the way that an enterprise VPN functions. A **forward** VPN is for protecting outgoing traffic using a commercial service like Nord/Proton VPN._ # Sharing +The ability to share resources is a powerful addition to the overlay network that allows exporting and importing components from other people. Previously, if I have wanted to share resources and services with friends and family they would either need to be publically accessible or people would need to be onboarded to the self-hosted Wireguard which is a bit onerrous. With Tailscale, it's super simple just invite them to access a specific node with a link or an email. + +You can then control what they can access further with ACL rules. + # Containers +While this is all very powerful, one of the things which finally got me to take another look was the ability to combine Tailscale and its Serve + Funnel features with individual Docker Containers. [Alex Kretzschmar did a video for Tailscale](https://tailscale.com/kb/1282/docker) where he lays out how this works. Essentially, instead of just adding a machine to Tailscale, you can add a single container. + +This works by standing up a Tailscale container alongside the target and making the target use it as its network using `network_mode`. Under the hood, this makes the two containers share a network namespace and effectively share a `localhost`. + +Combining this with the sharing capabilities, you no longer need to share a whole machine with someone else, instead you can share just one container. + +## Serve + Funnel + +I use a lot of NGINX, it's great. My Ansible setup templates my NGINX configs for me and it integrates with it really well. I'm also a big fan of Caddy, I tend to use this on my internet-facing services because the auto-provisioning and renewal of LetsEncrypt certificates really make life easy. What I'm saying is I like reverse proxies, they make me happy and they make life livable with a heavily containerised homelab. + +Tailscale Serve and Tailscale Funnel are ways to reverse proxy natively in Tailscale and really supercharge Tailscale-connected containers. In short, Tailscale Serve reverse proxies ports to your tailnet while Funnel extends that to make that port publically accessible, *with a LetsEncrypt certificate by default*. This is super cool. + +To be fair, directly connecting a container to the public internet without some sort of reverse proxy would probably be more pain than it's worth, few containers expose port 80 let alone 80 and 443 - *and this is a good thing, that's what reverse proxies are for*. but Serve + Funnel makes the whole thing work. + + # CI/CD +This is a bit of a rabbit hole, it's something I've done fairly recently and I'm not sure if I like it. It still sort of gives me weird vibes but it is undeniably powerful. You can create OAuth clients for Tailscale, allowing you to programmatically manage the network. You can use this to allow Github Actions runners to authenticate and gain access to your Tailnet. + +Combine this with Tailscale SSH which allows you to replace the SSH keys auth layer with the ACLs of Tailscale and you have a way to let your CI/CD pipelines SSH into your Tailnet machines and deploy code that isn't cloud-hosted. + +I really like how this closes the loop and helps implement full-throated CD. It also sort of scares me that Github can SSH into my infrastructure. Let's call it an experiment, we'll see if I stick with it. Don't get me wrong, it's ACL-ed to the eyeballs, but it still feels odd. + +# Dopamine + +A few things that I have managed to do with Tailscale that made me happy to wrap up. + +## Itty bitty containers of DNS + +You can set the DNS servers used by nodes on your Tailnet, you can also do split DNS where requests for specific domains are routed to specific servers. This was a bit of an itch for me, I use my own domain on my homelab and I wanted to be able to keep doing split DNS for my domain when on Tailscale. + +To achieve this I deployed containers for Bind DNS server that are only available on my Tailnet. Ansible renders the Zone files so that when you are requesting from a Tailscale IP it returns the Tailscale IP for the machine instead of the `192.168.x.x` IP. The config looks a bit like this: + +``` +acl "ts-subnet" { 100.64.0.0/10; }; + +view "tailscale" { + match-clients { "ts-subnet"; }; + + +}; + +view "native" { + match-clients { any; }; + + +}; +``` + +I also run three Bind containers, one at home, one in Linode and one in Oracle cloud. This not only adds redundancy but should also help with resolution speed when I'm not at home. + +## Shhh, what SSH + +There have been a few SSH scares recently, first the whole social engineering System D thing, [then the RCE](https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh). SSH is very secure and it's _proooobably_ fine to have it open on the internet, but with Tailscale you don't have to so I don't. That just makes me a bit happy. \ No newline at end of file From 86f1216ef1c39c007b868a05a866b49ee48c5353 Mon Sep 17 00:00:00 2001 From: Andy Pack Date: Mon, 8 Jul 2024 22:32:39 +0100 Subject: [PATCH 3/3] conclusion --- content/posts/tailscale/index.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/content/posts/tailscale/index.md b/content/posts/tailscale/index.md index ff4f0b3..740a9ff 100644 --- a/content/posts/tailscale/index.md +++ b/content/posts/tailscale/index.md @@ -74,4 +74,7 @@ I also run three Bind containers, one at home, one in Linode and one in Oracle c ## Shhh, what SSH -There have been a few SSH scares recently, first the whole social engineering System D thing, [then the RCE](https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh). SSH is very secure and it's _proooobably_ fine to have it open on the internet, but with Tailscale you don't have to so I don't. That just makes me a bit happy. \ No newline at end of file +There have been a few SSH scares recently, first the whole social engineering System D thing, [then the RCE](https://www.wiz.io/blog/cve-2024-6387-critical-rce-openssh). SSH is very secure and it's _proooobably_ fine to have it open on the internet, but with Tailscale you don't have to so I don't. That just makes me a bit happy. + + +So, for now, I'm using Tailscale as my VPN solution. It's still got some drawbacks, but I'm having fun playing with it, and it has some real strengths over rolling your own Wireguard solution. \ No newline at end of file