From b1e6491f77421ae4623391a7f53af7f3e6c13f34 Mon Sep 17 00:00:00 2001
From: Ethel Morgan
Date: Mon, 6 Jul 2020 18:23:10 +0100
Subject: import website from previous repo
---
 src/tailscale.thrust | 164 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)
 create mode 100644 src/tailscale.thrust
(limited to 'src/tailscale.thrust')
diff --git a/src/tailscale.thrust b/src/tailscale.thrust
new file mode 100644
index 0000000..0019dd2
--- /dev/null
+++ b/src/tailscale.thrust
@@ -0,0 +1,164 @@
+---
+title: Tailscale
+date: 2020-04-08
+diagram source: |
+ graph {
+ rankdir="LR";
+
+ subgraph cluster_0 {
+ label = "Tailscale VPN";
+ phone [ label="phone" ];
+ relay [ label="relay" ];
+ server [ label="server" ];
+
+ phone -- relay [ style="dashed" ];
+ phone -- server [ style="dashed" ];
+ relay -- server [ style="dashed" ];
+ }
+
+ subgraph cluster_1 {
+ label = "LAN";
+ bulb [ label="bulb" ];
+ internet [ label="internet" ];
+ router [ label="router" ];
+
+ relay -- bulb [ style="dashed" ];
+ relay -- router [ style="dashed" ];
+ router -- internet;
+ }
+ }
+---
+{% extends 'templates/base.html' %}
+{% block body %}
+
+
+

{{ title }}

+
+ +
+ {% markdown %} + [Tailscale](https://tailscale.com) is a Virtual Private Network (VPN) product for creating simple low-configuration VPNs between Linux, Mac, and Windows computers, as well as iOS devices. + + Rather than a "hub and spoke" model, where all devices dial in to the same VPN server, it builds a peer-to-peer network of [WireGuard](https://www.wireguard.com/) connections between your machines, with Tailscale itself authenticating and arranging those connections. + + I have been using its free tier for a few weeks, and below are some of my notes. + +
+ contents… +
+ + [TOC] + +
+
+ + ## Bridging a LAN to the VPN + + One nice feature of Tailscale is the ability to bridge existing networks with the VPN. + This is very useful for devices in the home that cannot run Tailscale themselves, such as IoT devices. + + Here I will show how I have bridged Tailscale with my LAN. + This is an adaptation of the [guide from Tailscale themselves](https://tailscale.com/kb/1019/install-subnets). + + First, some definitions: + + - The **relay node** is the computer on my LAN doing the bridging. + - The LAN-facing network interface on my relay node is **`enp2s0`**, but yours may differ. + - The subnet for my LAN is **`192.168.16.0/24`**, but yours may differ. + + This example will be using [nftables](https://en.wikipedia.org/wiki/Nftables), but can also be done with [iptables](https://en.wikipedia.org/wiki/Iptables). + + ### In abstract + + + + + Tailscale VPN + + LAN + + phone + + relay + + + server + + + + bulb + + + router + + + internet + + + + + 1. Set up Tailscale to route traffic from the VPN into the LAN. + 2. Enable packet forwarding inside the Linux kernel on the relay node. + This allows the relay node itself to route traffic from the VPN into the LAN. + 3. Enable _IP masquerading_ on the relay node. + This a form of Network Address Translation (NAT) to make traffic from the VPN to the LAN appear to come from the relay node. + + ### Setting it up + +
    +
  1. +

    On the relay node, run:

    +
    $ sudo tailscale up -advertise-routes=192.168.16.0/24
    +
  2. + +
  3. +

    Go to the Tailscale admin console and authorize subnet routes for the relay node.

    +
  4. + +
  5. +

    Back on the relay node, enable IP forwarding:

    +
    $ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    +
  6. + +
  7. +

    Enable IP masquerading for the _LAN-facing_ interfaces:

    +
    $ sudo nft add rule ip nat POSTROUTING oifname "enp2s0" counter masquerade
    +

    Alternatively, for iptables:

    +
    $ sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp2s0
    +
  8. + +
  9. +

    Confirm it works by pinging a machine on your LAN from a machine that's not, for example pinging 192.168.16.1 from a phone with the Tailscale VPN on mobile data.

    +
  10. +
+ + ### Making it persistent + + To make enable IP forwarding on boot: + + ```sh + $ cat /etc/sysctl.d/50-forwarding.conf + net.ipv4.ip_forward=1 + ``` + + To enable NAT on boot with nftables, add the following to `/etc/nftables.conf`: + + ``` + table ip tailscale_nat { + chain postrouting { + type nat hook postrouting priority 100; policy accept; + oifname "enp2s0" masquerade + } + } + ``` + + Reboot the relay node and confirm that it all still works. + {% endmarkdown %} +
+{% endblock %} -- cgit v1.2.3
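Review bot: The persistent nftables snippet near the end of the hunk (`oifname "enp2s0" masquerade` in a `policy accept` chain) together with the `ip_forward=1` sysctl turns the relay into an unconditional router: assuming no other filter rules on the host, any packet that reaches it and is routed out `enp2s0` is forwarded and NATed whichever interface it arrived on, because nothing limits forwarding to traffic arriving from Tailscale. Restricting the masquerade to VPN-originated traffic is a one-line change, `iifname "tailscale0" oifname "enp2s0" masquerade`, and a `type filter hook forward` chain that accepts only `iifname "tailscale0"` toward the LAN plus established/related replies would be the fuller fix; `tailscale0` is Tailscale's default Linux interface name, so confirm it on the relay. It is also worth stating in the text that `-advertise-routes=192.168.16.0/24` makes the whole LAN reachable from every device in the tailnet unless Tailscale ACLs restrict it. Separately, the ad-hoc command `nft add rule ip nat POSTROUTING ...` in the "Setting it up" steps assumes a table `ip nat` with a chain `POSTROUTING` already exists (nft rejects the rule otherwise), while the persistent config creates `tailscale_nat`/`postrouting`; using one consistent table and chain name in both places would avoid a failing step.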