10.1 Tailscale
Tailscale is a modern VPN service that allows you to create a secure, encrypted connection between your devices using a simple and user-friendly interface. It is especially useful for remote server access, such as connecting to your node from anywhere in the world without exposing public ports or relying on complicated firewall configurations.
Further details about SSH and VPN protocols can be found on the SSH and VPN Tunnel page in the 🧠 Theory section.
The following steps are performed on your 📟 node server.
1. Software Installation
Visit the Tailscale Webpage and register for the service. It is free for a limited number of users and devices. After logging in with your favorite identity provider, you will be prompted to connect your first two devices. Click on Linux to connect your node.
sudo apt-get update
sudo apt-get install tailscale
You can also enable auto-updates for Tailscale.
tailscale set --auto-update
After the installation, activate Tailscale.
tailscale up
You will receive a link that you must copy and paste to the terminal of your node in order to connect the device with your account.
Continue with the second device, like your personal computer or smartphone. The Guide on the Tailscale webpage will give you a selection of possible installations. After activating Tailscale on both, your devices will be able to communicate.
2. Configure Auto Startup
Tailscale comes with its own CLI tool called tailscaled. By default, it registers itself as a system service for easy maintenance. You can retrieve the service's status directly from the system control, or stop, restart, or disable autostart in a similar way.
systemctl status tailscaled
The output should be something similar to the following:
● tailscaled.service - Tailscale node agent
Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-05-19 20:01:42 UTC; 3h 19min ago
Docs: https://tailscale.com/kb/
Main PID: 1005 (tailscaled)
Status: "Connected; [EMAIL-ACCOUNT]; [TAILSCALE-IP] [MAC-ADDRESS]"
Tasks: 17 (limit: 38043)
Memory: 40.6M
CPU: 1min 29.134s
CGroup: /system.slice/tailscaled.service
└─1005 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailsc>
[DATE] [TIME] [USER] tailscaled[4974]: control: NetInfo: NetInfo{varies=false hairpin=false ipv6=true ipv>...
The service should already be configured to start and connect during boot or failure. Verify it once again.
sudo systemctl enable tailscaled
If it was not set already, the command creates a symlink and prints out the filenames.
The following steps are performed on your 💻 personal computer.
3. Update SSH Config
As Tailscale uses internal static IP addresses on both ends of the tunnel, you must also update the SSH configuration to connect to the new IP once outside of your home network. On your personal computer, open up the SSH file using your preferred text editor.
- Vim
vim ~/.ssh/config
- Nano
nano ~/.ssh/config
If you want to connect to your node via Tailscale, you must use the new Tailscale IP instead. You will find this static and internal IP on the Tailscale Device Dashboard. You can copy it over to a text file. Then duplicate the node's Host entry, replace the HostName with the new IP, and give the Host property a new alias. The final entries should look like this:
Host <ssh-device-alias-for-home-environment>
  User <node-username>
  HostName <node-ip>
  Port <ssh-port>
  IdentityFile ~/.ssh/<my-chosen-keyname>

Host <ssh-device-alias-for-tailscale-environment>
  User <node-username>
  HostName <tailscale-node-ip>
  Port <ssh-port>
  IdentityFile ~/.ssh/<my-chosen-keyname>
Save the file and exit. Then try to connect to your node while Tailscale is active.
ssh <ssh-device-alias-for-tailscale-environment>
Replace <ssh-device-alias-for-tailscale-environment> with the actual SSH device name.
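To confirm that the new alias really points at a Tailscale address and the home alias does not, the following added example (not part of the original guide) lists every Host entry of an SSH client config and classifies its HostName. It assumes the "Keyword value" layout shown in this step; the aliases and IPs in the sample are constructed, and the 100.64.0.0/10 range is the address block Tailscale assigns IPv4 device addresses from.

```shell
#!/bin/sh
# Added example (not from the original guide): list each Host alias in an SSH
# client config and say whether its HostName is a Tailscale IPv4 address.

# Succeeds if $1 is an IPv4 literal inside 100.64.0.0/10, the CGNAT block
# Tailscale assigns device addresses from (100.64.0.0 - 100.127.255.255).
is_tailscale_ip() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # not a dotted decimal literal
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Prints "<alias> <hostname> tailscale|other" for every Host block in file $1.
# Assumes the "Keyword value" layout used in this guide, one alias per Host.
audit_ssh_config() {
    awk '
        { key = tolower($1) }                      # ssh keywords ignore case
        key == "host" { alias = $2; next }
        key == "hostname" && alias != "" { print alias, $2; alias = "" }
    ' "$1" |
    while read -r alias host; do
        if is_tailscale_ip "$host"; then kind=tailscale; else kind=other; fi
        echo "$alias $host $kind"
    done
}

# Constructed sample mirroring the two entries above (aliases and IPs made up).
sample_config() {
    cat <<'EOF'
Host node-home
    User nodeuser
    HostName 192.168.1.50
    Port 22
Host node-tailscale
    User nodeuser
    HostName 100.101.102.103
    Port 22
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_ssh_config "$tmp"    # on a real machine: audit_ssh_config ~/.ssh/config
rm -f "$tmp"
```

An entry whose HostName is a hostname or an IPv6 address is reported as other, because only IPv4 literals are classified.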
4. Update Grafana Dashboard
If you want to visit your Grafana Dashboard outside your home network using Tailscale, you will need to adjust the IP once again. As with SSH, having two different browser bookmarks is recommended: one for your home environment and one for the static Tailscale IP. While your VPN is active, you can reach Grafana in your browser at the following address:
http://<tailscale-node-ip>:3000/login
Replace <tailscale-node-ip> with the actual IP address found in the Tailscale Device Dashboard.
5. Disable Key Expiry
By default, Tailscale session keys from devices expire after 180 days of being unused, meaning you won't be able to reconnect to your node without maintenance. If you want to raise the limit or turn key expiry off for your main devices, you can do so in the Tailscale Device Dashboard once logged in to their web service. On your node device, click on the three-dot menu behind the static Tailscale IP and select either Disable Expiry Date or Specify Expiry Period.
Expiry settings are device-specific and can be adjusted anytime within the Tailscale Device Dashboard.