Retired Techie

Getting Older, not Necessarily Wiser

Search

Recent

Categories

Archives

  • TailScale Subnet Router

    Introduction

    Last week, I faced a challenge when my Plex server crashed while I was away visiting family. Thankfully, I had a Tailscale Subnet Router installed, allowing me to remotely fix and restart the server without a hitch.

    Today we’ll set up a TailScale subnet router inside an LXC container on a Proxmox Virtual Environment (VE) server. This configuration enables secure access to our local area network (LAN) devices from anywhere with a reliable internet connection via TailScale.

    One thing I’ve noticed is that many TailScale tutorials often lack depth regarding the reasoning behind certain steps and what’s actually going on, which can be confusing. If you’re new to TailScale, you’re in the right place! However, if you’re seeking advanced content, this video may not meet your expectations.

    My goal is to bridge that gap by providing insight into both the procedure and the underlying principles without getting overly technical. Essentially, TailScale operates its own private, encrypted network through the Internet, known as Tailnet. With the right clients, you can access this network from various locations—whether you’re at a coffee shop, school, or your office, as long as you have a reliable internet connection. Any two devices with a TailScale client can communicate seamlessly across the Tailnet.

    We’ll focus on two main topics: setting up the TailScale client on Linux and turning that client into a subnet router. This setup will allow access to any device on your LAN, especially those that don’t have a TailScale client application.

    In the context of TailScale, a subnet router refers to a client configured as an endpoint that connects to other devices via a Local Area Network (LAN). This configuration enables devices on Tailnet to connect to the subnet router, which in turn accesses devices that are not TailScale-enabled on the LAN.

    We’ll start by examining how TailScale works, then set up an LXC container on our Proxmox VE server with a TailScale client. Finally, we’ll attempt to connect to a device on our LAN from a TailScale-enabled device on a separate network.

    How does a TailScale Subnet Router Work?

    Understanding how a TailScale subnet router works can initially seem complex. But breaking it down into basic steps clarifies the process.

    1. Setting Up a Tailscaleour Account. To use TailScale, you need an account, which is free to sign up for. Just be aware that verification isn’t as simple as entering a name and password. I use GitHub for this, but you can also sign up with Microsoft, Apple, or Google. The Personal (free) plan usually suffices for most home labs, while other plans offer more users and advanced features at a cost. Check TailScale’s homepage for the latest pricing and capabilities.
    2. Create an Encrypted Network. TailScale establishes an encrypted overlay network called Tailnet, linking your devices using addresses per IETF RFC6598, specifically in the range of 100.64.0.0/10. The default protocol is WireGuard, which ensures secure communications. When a direct connection isn’t possible, such as with Carrier Grade NAT (CGNAT) from your ISP, it uses a Designated Encrypted Relay for Packets (DERP). A TailScale subnet router is essentially a device equipped with TailScale that allows communication between Tailnet and your LAN.
    3. Install TailScale Client. For devices to connect directly, users must install the TailScale client. This client creates a secure, encrypted tunnel via Tailnet, allowing active TailScale clients under the same account to communicate. Account owners can manage client permissions through the Tailscale admin panel, enabling or disabling specific devices as needed. If your ISP uses CGNAT, the TailScale client sends periodic keep-alive UDP packets to ensure network mapping and connectivity
    4. Configuring Subnet Routing. TailScale clients function like standard computers, allowing interaction with other devices on your LAN. By enabling IP address forwarding on the client and advertising it through the admin panel, you can set it up as a subnet router. This configuration enables communication with both TailScale and local, non-TailScale devices.
    5. Data Flow Information from Tailnet is relayed through the TailScale client to your local router, which directs traffic to the appropriate computer on the LAN. Keep in mind that a TailScale subnet router can only forward IP packets from one network to another; it does not perform Network Address Translation (NAT) and isn’t a bridge.

    Accessing Tailscale from Linux

    Linux can feel like the odd child out, since there isn’t a dedicated graphical user interface (GUI) for TailScale. Instead, we rely solely on the console and web interface. It’s important to keep this in mind, especially if you’ve used TailScale on other platforms.

    First, visit the TailScale website. Feel free to explore a bit. Once you’re ready, select “Download” from the top right corner of the main page.

    Linux requires a script for the TailScale installation due to its diverse configurations. In contrast, if we look at the other unified monolithic operating systems, they have a single program for installation.

    Before proceeding, take a moment to review the TailScale pricing page, which outlines the various plans. We’ll be using the Personal (free) plan.

    Next, head to the “Get Started” page. When creating an account or logging in, remember that TailScale does not validate users directly. You’ll need to verify your account through a third-party service like Microsoft, Google, GitHub, or Apple. I recommend using GitHub, especially in light of ongoing privacy concerns with Microsoft, Apple, and Google.

    After logging in, you’ll land in the Admin panel, where you can see all your TailScale devices listed along with their status.

    Build LXC Container

    I’m using Proxmox to optimize my home lab by reducing the number of physical servers. However, Tailscale can also be installed on other hypervisors or standalone machines.

    1: Pre-Setup Requirements

    The setup requirements for this configuration are relatively lightweight, please gather the following information;

    • Hostname
    • Domain (if needed)
    • root password
    • static IP address
    • non root user
    • If on Proxmox don’t forget the container ID.

    For this setup, we will use a base LXC container image of Debian 13, which we will download through Proxmox. My container’s specifications will include:

    • 1 CPU core
    • 512 MB of memory
    • 5 GB of storage

    If you’re setting up a dedicated computer or VM, consider increasing the memory to 1 GB and the storage to 10 GB.

    After Setup we will want to log in as root and;

    • FQDN (consistency on my network)
    • unprivileged user (not root)
    • Install openssh-server and sudo for remote access with unprivileged user
    • Install Curl for downloading and installing Tail scale.

    2: Downloading the Image

    We begin the build process by downloading the Debian 13 LXC container image via Proxmox. If you’re using a VM or standalone computer, you may need to prepare an ISO instead.

    Start the Proxmox Container Creation Wizard and fill in the parameters based on the information you’ve gathered. Since this is a container and not a full OS, it relies on the host OS for certain functionalities, making containers lighter on resources than traditional VMs.

    Do not start the LXC container yet, as we need to make adjustments.

    3: Adjusting Container Configuration

    As I’m running an unprivileged container, I need to modify the container configuration file for proper network access. This minor change, recommended by the Tailscale website, will not grant the container root access to the host. If you run into any issues, using a VM is always a viable alternative.

    On the host system, with root privileges, open and edit the container configuration file. For my setup, with the container numbered 601, and using nano as the text editor, the command will be:

        nano /etc/pve/lxc/601.conf

    Add the following two lines:

        lxc.cgroup2.devices.allow: c 10:200 rwm
        lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file

    4: Starting the Container

    Once the configuration file adjustments are made, I will start the container.

    Before doing anything else I want to verify the network by pining a known site (I used 8.8.8.8 which is a Goggle DNS resolver).

    It’s crucial to update the OS, especially with a container. Since containers use images, you may not know when the image was last created; therefore, it’s doubly important to perform updates.

    Run the following commands:

        sudo apt update
        sudo apt upgrade

    5: Setup SSH Access

    Because there can be display issues in the Proxmox terminal (especially with larger fonts), I will set up SSH access. Additionally, I’ll add an unprivileged user with sudo access and install curl for Tailscale installation. For this, install the necessary packages:

        sudo apt install sudo openssh-server curl

    Next, when creating a user, substitute your information for mine in the below commands:

        useradd -m -c ‘Retired Techie’ -s /bin/bash rt
        passwd rt
        usermod -aG sudo rt

    6: Final Steps

    Finally, I’ll restart the container, log in via SSH.

    Following these steps will ensure your LXC container is set up correctly and ready for Tailscale installation!

    Installing TailScale Client

    To get started with Tailscale, ensure your computer is up and running (whether virtualized or not).

    Open your terminal and download the Tailscale installation script without running it. Use wget to download the file, and less to review the file.

        wget https://tailscale.sh
        less tailscale.sh

    The script checks various system parameters to identify your Linux distribution and environment, ensuring the installation is compatible. You might need root permissions to proceed.

    If the script looks good, we can delete the downloaded copy then proceed to run the installer using curl and piping to bash.

        curl -fsSL https://tailscale.com/install.sh | bash

    The options used in the curl command are; “f” – Fail on HTTP 400 or higher, “s” – Silent Mode, “S” – Show Error messages, “L” – Location, follow Link from server.

    Once the installation is complete, and you will receive an IP address to finalize the activation. Make sure to write it down.

    To allow the Tailscale client to function as a subnet router, enable IP forwarding by creating a configuration file in the /etc/sysctl.d directory.

        sudo nano /etc/sysctl.d/99-tailscale.conf

    Add the lines:

        net.ipv4_forward =1
        net.ipv6.conf.all.forwarding = 1

    Next, apply the changes to the kernel runtime parameters:

        sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

    After applying the settings, reboot the system.

    Now, we can activate the Tailscale client and configure it to advertise our LAN and function as an exit node:

        tailscale up --advertise-routes=172.20.30.0/24 –advertise-exit-node

    Next, navigate to the network address provided at the end of the installation. You did remember to write it down?

    You will be directed to the Tailscale login page. Use the authentication method you set up when creating your account (e.g., GitHub in my case). After logging in, you will need to authorize Tailscale access and connect the new device. Once activated, you will be redirected to the Tailscale admin page.

    Your new device should appear and show as connected. Below your device name, you will see two small blue boxes labeled “Subnets” and “Exit Node,” both showing exclamation points, indicating they are inactive.

    To enable these options, click the three dots on the right, next to your device name and select “Edit Route Settings.” In the window that pops up, check the boxes for your IP address and the “Exit Node.” After saving, both options will be activated.

    It’s important to note that Tailscale uses encryption, and the access key does expire. If you right-click the three dots again and select “Disable Key Expiry,” this will prevent the key from expiring. While this might be acceptable for home lab use, I would not recommend doing this for professional settings due to security concerns.

    Testing the TailScale SubNet Router

    This is teh easy part. Get outside your local network, open a browser and try to reach a site within your local network. if everything went correctly you should be able to easly do this.

    Conclusion

    That is it. If everything went correctly you should now be able to access your network from outside using a Tailscale client. And all local devices should be visible by their native IP address. Pretty cool, right?

    While TailScale looks complex initially, we can easily make sense of it by breaking down the individual steps.

    I am hoping I provided enough detail to help everyone understand the steps and the reasons behind them.

    I will admit I could have gone into a bit more detail about LXC configuration, but I try to limit my videos to half an hour, and it is not something we will be using on a daily basis, so thought it was better to leave it out.

    Retired Techie

This site is governed by the terms and conditions set forth in the below links. To use this site, you must read and agree to abide by them. By clinging the "Accept" button below, you are stating that you have read the content form the links, understand the content, and agree to abide by them while using this site.

Terms of Service

Privacy Policy

License and Copyright

Agree Disagree