path: root/src/tailscale.thrust

---
title: Tailscale
date: 2020-04-08
diagram source: |
	graph {
		rankdir="LR";

		subgraph cluster_0 {
			label = "Tailscale VPN";
			phone   [ label="phone"  ];
			relay   [ label="relay"  ];
			server  [ label="server" ];

			phone -- relay   [ style="dashed" ];
			phone -- server  [ style="dashed" ];
			relay -- server  [ style="dashed" ];
		}

		subgraph cluster_1 {
			label = "LAN";
			bulb      [ label="bulb"     ];
			internet  [ label="internet" ];
			router    [ label="router"   ];

			relay  -- bulb     [ style="dashed" ];
			relay  -- router   [ style="dashed" ];
			router -- internet;
		}
	}
---
{% extends 'templates/base.html' %}
{% block body %}
	<nav>
		<a href='/projects'>&gt; projects</a>
	</nav>

	<header>
		<h1>{{ title }}</h1>
	</header>

	<article>
	{% markdown %}
	[Tailscale](https://tailscale.com) is a Virtual Private Network (VPN) product for creating simple low-configuration VPNs between Linux, Mac, and Windows computers, as well as iOS devices.

	Rather than a "hub and spoke" model, where all devices dial in to the same VPN server, it builds a peer-to-peer network of [WireGuard](https://www.wireguard.com/) connections between your machines, with Tailscale itself authenticating and arranging those connections.

	I have been using its free tier for a few weeks, and below are some of my notes.

	<details markdown='1'>
	<summary>contents…</summary>
	<div markdown='block'>

	[TOC]

	</div>
	</details>

	## Bridging a LAN to the VPN

	One nice feature of Tailscale is the ability to bridge existing networks with the VPN.
	This is very useful for devices in the home that cannot run Tailscale themselves, such as IoT devices.

	Here I will show how I have bridged Tailscale with my LAN.
	This is an adaptation of the [guide from Tailscale themselves](https://tailscale.com/kb/1019/install-subnets).

	First, some definitions:

	- The **relay node** is the computer on my LAN doing the bridging.
	- The LAN-facing network interface on my relay node is **`enp2s0`**, but yours may differ.
	- The subnet for my LAN is **`192.168.16.0/24`**, but yours may differ.
	
	This example will be using [nftables](https://en.wikipedia.org/wiki/Nftables), but can also be done with [iptables](https://en.wikipedia.org/wiki/Iptables).

	### In abstract

	<svg xmlns='http://www.w3.org/2000/svg'
	     viewBox='0.00 0.00 404.65 254.00'
	     width='405pt' height='254pt'
	     style='font-family: "Times New Roman", Times, serif; font-size: 12pt; font-weight: lighter;'>
		<g transform='scale(1 1) rotate(0) translate(4 250)'>
			<polygon points='8,-144 8,-238 278.42,-238 278.42,-144 8,-144' />
			<text text-anchor='middle' x='143.21' y='-222.8'>Tailscale VPN</text>
			<polygon points='199.49,-8 199.49,-136 388.65,-136 388.65,-8 199.49,-8' />
			<text text-anchor='middle' x='294.07' y='-120.8'>LAN</text>
			<ellipse cx='47.72' cy='-180' rx='31.94' ry='18' />
			<text text-anchor='middle' x='47.72' y='-175.8'>phone</text>
			<ellipse cx='143.22' cy='-170' rx='27.56' ry='18' />
			<text text-anchor='middle' x='143.22' y='-165.8'>relay</text>
			<path stroke-dasharray='5,2' d='M79.08,-176.75C90.81,-175.5 104.11,-174.08 115.48,-172.86' />
			<ellipse cx='238.71' cy='-180' rx='31.92' ry='18' />
			<text text-anchor='middle' x='238.71' y='-175.8'>server</text>
			<path stroke-dasharray='5,2' d='M75.69,-188.5C87.72,-191.87 102.15,-195.33 115.44,-197 139.94,-200.07 146.5,-200.07 171,-197 184.28,-195.33 198.71,-191.87 210.74,-188.5' />
			<path stroke-dasharray='5,2' d='M170.76,-172.84C182.2,-174.06 195.65,-175.5 207.48,-176.77' />
			<ellipse cx='238.71' cy='-88' rx='27' ry='18' />
			<text text-anchor='middle' x='238.71' y='-83.8'>bulb</text>
			<path stroke-dasharray='5,2' d='M160.5,-155.72C177.66,-140.67 204.52,-117.11 221.61,-102.12' />
			<ellipse cx='238.71' cy='-34' rx='31.45' ry='18' />
			<text text-anchor='middle' x='238.71' y='-29.8'>router</text>
			<path stroke-dasharray='5,2' d='M150.17,-152.21C158.49,-129.25 175.35,-88.94 199.49,-61 204.16,-55.59 210.14,-50.71 215.97,-46.63' />
			<ellipse cx='343.54' cy='-34' rx='37.23' ry='18' />
			<text text-anchor='middle' x='343.54' y='-29.8'>internet</text>
			<path d='M270,-34C281.38,-34 294.42,-34 306.28,-34' />
		</g>
	</svg>

	1. Set up Tailscale to route traffic from the VPN into the LAN.
	2. Enable packet forwarding inside the Linux kernel on the relay node.
	   This allows the relay node itself to route traffic from the VPN into the LAN.
	3. Enable _IP masquerading_ on the relay node.
	   This a form of Network Address Translation (NAT) to make traffic from the VPN to the LAN appear to come from the relay node.

	### Setting it up
	
	<ol>
		<li>
			<p>On the relay node, run:</p>
			<pre><code>$ sudo tailscale up -advertise-routes=192.168.16.0/24</code></pre>
		</li>

		<li>
			<p>Go to the <a href='https://login.tailscale.com/admin/machines'>Tailscale admin console</a> and authorize subnet routes for the relay node.</p>
		</li>

		<li>
			<p>Back on the relay node, enable IP forwarding:</p>
			<pre><code>$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward</code></pre>
		</li>

		<li>
			<p>Enable IP masquerading for the _LAN-facing_ interfaces:</p>
			<pre><code>$ sudo nft add rule ip nat POSTROUTING oifname "enp2s0" counter masquerade</code></pre>
			<p>Alternatively, for iptables:</p>
			<pre><code>$ sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp2s0</code></pre>
		</li>

		<li>
			<p>Confirm it works by pinging a machine on your LAN from a machine that's not, for example pinging <code>192.168.16.1</code> from a phone with the Tailscale VPN on mobile data.</p>
		</li>
	</ol>

	### Making it persistent

	To make enable IP forwarding on boot:

	```sh
	$ cat /etc/sysctl.d/50-forwarding.conf
	net.ipv4.ip_forward=1
	```

	To enable NAT on boot with nftables, add the following to `/etc/nftables.conf`:

	```
	table ip tailscale_nat {
		chain postrouting {
			type nat hook postrouting priority 100; policy accept;
			oifname "enp2s0" masquerade
		}
	}
	```

	Reboot the relay node and confirm that it all still works.
	{% endmarkdown %}
	</article>
{% endblock %}