¶ Using Tailscale service from tailscale.com
¶ Register an account
You need an account on tailscale. You must have a already registered provider account on Google/Microsoft/GitHub/Apple or any OIDC provider.
(Free account until 100 registered devices)
¶ Create ACLs
Copy the following content into ACLs tab:
{
"tagOwners": {
"tag:follower": ["autogroup:admin"],
"tag:gw": ["autogroup:admin"],
},
"acls": [
{
"action": "accept",
"src": ["autogroup:admin"],
"dst": ["tag:gw:*", "tag:follower:*"],
},
{"action": "accept", "src": ["tag:follower"], "dst": ["tag:gw:*"]},
],
}
These ACLs rules:
- Create a tag named “gw” and "follower"
- restrict gw access (gw can only be accessed and NEVER access a computer)
- restrict follower access to gw (to setup a Small Private Network for example …)
¶ Create auth key
For more information, refers to tailscale documentation about authkey
Under Settings, click on Keys, then Generate auth key.
- You can create a reusable key, if you plan to use this key for more than once gateway.
- Under Tags add automatically device registered with this key to tag:gw.
- Save your generated key in a safe place, and copy it for next step.
¶ Gateway side
¶ Upgrade your gateway
sudo apt update && sudo apt upgrade
¶ Install tailscale client
sudo apt install tailscale
¶ Register your gateway
sudo tailscale up --authkey tskey-abcdef1432341818
Replace tskey-abcdef1432341818 by your generated key.
Once connected, you can check the tailscale status:
admin@klk-wifc-0304af:~# sudo systemctl status tailscaled.service
● tailscaled.service - Tailscale node agent
Loaded: loaded (/usr/lib/systemd/system/tailscaled.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-07-02 13:26:16 UTC; 17min ago
Docs: https://tailscale.com/kb/
Process: 29877 ExecStartPre=/usr/sbin/tailscaled --cleanup (code=exited, status=0/SUCCESS)
Main PID: 29906 (tailscaled)
Status: "Connected; xxxx@xxxx.com; 100.65.8.51 fd7a:115c:a1e0::xx:xx"
IP: 856.3K in, 420.7K out
Tasks: 12 (limit: 489)
Memory: 35.3M
CPU: 15.389s
CGroup: /system.slice/tailscaled.service
└─29906 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled…
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: LinkChange: major, rebind…ue}
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: dns: Set: {DefaultResolve…:1}
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: dns: Resolvercfg: {Routes…pa}
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: dns: OScfg: {Nameservers:…] }
Jul 02 13:43:42 klk-wifc-0304af systemd[1]: tailscaled.service: Got notifica…906
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: restarted resolved after …7ms
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: wgengine: set DNS config …nge
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: Rebind; defIf="wlan0", ip…64]
Jul 02 13:43:42 klk-wifc-0304af tailscaled[29906]: magicsock: 1 active derp …26s
Jul 02 13:43:43 klk-wifc-0304af tailscaled[29906]: post-rebind ping of DERP …kay
Hint: Some lines were ellipsized, use -l to show in full.
On tailscale account, you should also see your gateway connected
¶ Usage
After tailscale installation on your computer/smartphone, gateway services (SSH, WebUI, ...) are finally easily accessible.