import website from previous repo

1 files changed, 164 insertions, 0 deletions

diff --git a/src/tailscale.thrust b/src/tailscale.thrust
new file mode 100644
index 0000000..0019dd2
--- /dev/null
+++ b/src/tailscale.thrust
@@ -0,0 +1,164 @@
+---
+title: Tailscale
+date: 2020-04-08
+diagram source: |
+	graph {
+		rankdir="LR";
+
+		subgraph cluster_0 {
+			label = "Tailscale VPN";
+			phone   [ label="phone"  ];
+			relay   [ label="relay"  ];
+			server  [ label="server" ];
+
+			phone -- relay   [ style="dashed" ];
+			phone -- server  [ style="dashed" ];
+			relay -- server  [ style="dashed" ];
+		}
+
+		subgraph cluster_1 {
+			label = "LAN";
+			bulb      [ label="bulb"     ];
+			internet  [ label="internet" ];
+			router    [ label="router"   ];
+
+			relay  -- bulb     [ style="dashed" ];
+			relay  -- router   [ style="dashed" ];
+			router -- internet;
+		}
+	}
+---
+{% extends 'templates/base.html' %}
+{% block body %}
+	<nav>
+		<a href='/projects'>&gt; projects</a>
+	</nav>
+
+	<header>
+		<h1>{{ title }}</h1>
+	</header>
+
+	<article>
+	{% markdown %}
+	[Tailscale](https://tailscale.com) is a Virtual Private Network (VPN) product for creating simple low-configuration VPNs between Linux, Mac, and Windows computers, as well as iOS devices.
+
+	Rather than a "hub and spoke" model, where all devices dial in to the same VPN server, it builds a peer-to-peer network of [WireGuard](https://www.wireguard.com/) connections between your machines, with Tailscale itself authenticating and arranging those connections.
+
+	I have been using its free tier for a few weeks, and below are some of my notes.
+
+	<details markdown='1'>
+	<summary>contents…</summary>
+	<div markdown='block'>
+
+	[TOC]
+
+	</div>
+	</details>
+
+	## Bridging a LAN to the VPN
+
+	One nice feature of Tailscale is the ability to bridge existing networks with the VPN.
+	This is very useful for devices in the home that cannot run Tailscale themselves, such as IoT devices.
+
+	Here I will show how I have bridged Tailscale with my LAN.
+	This is an adaptation of the [guide from Tailscale themselves](https://tailscale.com/kb/1019/install-subnets).
+
+	First, some definitions:
+
+	- The **relay node** is the computer on my LAN doing the bridging.
+	- The LAN-facing network interface on my relay node is **`enp2s0`**, but yours may differ.
+	- The subnet for my LAN is **`192.168.16.0/24`**, but yours may differ.
+	
+	This example will be using [nftables](https://en.wikipedia.org/wiki/Nftables), but can also be done with [iptables](https://en.wikipedia.org/wiki/Iptables).
+
+	### In abstract
+
+	<svg xmlns='http://www.w3.org/2000/svg'
+	     viewBox='0.00 0.00 404.65 254.00'
+	     width='405pt' height='254pt'
+	     style='font-family: "Times New Roman", Times, serif; font-size: 12pt; font-weight: lighter;'>
+		<g transform='scale(1 1) rotate(0) translate(4 250)'>
+			<polygon points='8,-144 8,-238 278.42,-238 278.42,-144 8,-144' />
+			<text text-anchor='middle' x='143.21' y='-222.8'>Tailscale VPN</text>
+			<polygon points='199.49,-8 199.49,-136 388.65,-136 388.65,-8 199.49,-8' />
+			<text text-anchor='middle' x='294.07' y='-120.8'>LAN</text>
+			<ellipse cx='47.72' cy='-180' rx='31.94' ry='18' />
+			<text text-anchor='middle' x='47.72' y='-175.8'>phone</text>
+			<ellipse cx='143.22' cy='-170' rx='27.56' ry='18' />
+			<text text-anchor='middle' x='143.22' y='-165.8'>relay</text>
+			<path stroke-dasharray='5,2' d='M79.08,-176.75C90.81,-175.5 104.11,-174.08 115.48,-172.86' />
+			<ellipse cx='238.71' cy='-180' rx='31.92' ry='18' />
+			<text text-anchor='middle' x='238.71' y='-175.8'>server</text>
+			<path stroke-dasharray='5,2' d='M75.69,-188.5C87.72,-191.87 102.15,-195.33 115.44,-197 139.94,-200.07 146.5,-200.07 171,-197 184.28,-195.33 198.71,-191.87 210.74,-188.5' />
+			<path stroke-dasharray='5,2' d='M170.76,-172.84C182.2,-174.06 195.65,-175.5 207.48,-176.77' />
+			<ellipse cx='238.71' cy='-88' rx='27' ry='18' />
+			<text text-anchor='middle' x='238.71' y='-83.8'>bulb</text>
+			<path stroke-dasharray='5,2' d='M160.5,-155.72C177.66,-140.67 204.52,-117.11 221.61,-102.12' />
+			<ellipse cx='238.71' cy='-34' rx='31.45' ry='18' />
+			<text text-anchor='middle' x='238.71' y='-29.8'>router</text>
+			<path stroke-dasharray='5,2' d='M150.17,-152.21C158.49,-129.25 175.35,-88.94 199.49,-61 204.16,-55.59 210.14,-50.71 215.97,-46.63' />
+			<ellipse cx='343.54' cy='-34' rx='37.23' ry='18' />
+			<text text-anchor='middle' x='343.54' y='-29.8'>internet</text>
+			<path d='M270,-34C281.38,-34 294.42,-34 306.28,-34' />
+		</g>
+	</svg>
+
+	1. Set up Tailscale to route traffic from the VPN into the LAN.
+	2. Enable packet forwarding inside the Linux kernel on the relay node.
+	   This allows the relay node itself to route traffic from the VPN into the LAN.
+	3. Enable _IP masquerading_ on the relay node.
+	   This a form of Network Address Translation (NAT) to make traffic from the VPN to the LAN appear to come from the relay node.
+
+	### Setting it up
+	
+	<ol>
+		<li>
+			<p>On the relay node, run:</p>
+			<pre><code>$ sudo tailscale up -advertise-routes=192.168.16.0/24</code></pre>
+		</li>
+
+		<li>
+			<p>Go to the <a href='https://login.tailscale.com/admin/machines'>Tailscale admin console</a> and authorize subnet routes for the relay node.</p>
+		</li>
+
+		<li>
+			<p>Back on the relay node, enable IP forwarding:</p>
+			<pre><code>$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward</code></pre>
+		</li>
+
+		<li>
+			<p>Enable IP masquerading for the _LAN-facing_ interfaces:</p>
+			<pre><code>$ sudo nft add rule ip nat POSTROUTING oifname "enp2s0" counter masquerade</code></pre>
+			<p>Alternatively, for iptables:</p>
+			<pre><code>$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp2s0</code></pre>
+		</li>
+
+		<li>
+			<p>Confirm it works by pinging a machine on your LAN from a machine that's not, for example pinging <code>192.168.16.1</code> from a phone with the Tailscale VPN on mobile data.</p>
+		</li>
+	</ol>
+
+	### Making it persistent
+
+	To make enable IP forwarding on boot:
+
+	```sh
+	$ cat /etc/sysctl.d/50-forwarding.conf
+	net.ipv4.ip_forward=1
+	```
+
+	To enable NAT on boot with nftables, add the following to `/etc/nftables.conf`:
+
+	```
+	table ip tailscale_nat {
+		chain postrouting {
+			type nat hook postrouting priority 100; policy accept;
+			oifname "enp2s0" masquerade
+		}
+	}
+	```
+
+	Reboot the relay node and confirm that it all still works.
+	{% endmarkdown %}
+	</article>
+{% endblock %}