It's been a long time since I've been so impressed with software. I love this software almost as much as I love Node-red. I wanted the ability to have different machines in different locations all connected so that I could simply and easily navigate them without needing a degree in IPSEC or Cisco Advanced Networking to configure them. yesterday i stumbledtail scaleπ§π· TL:DR It's a game changer!
In this post, I'll go through a quick tutorial on how to set it up on your devices. I will mainly focus on Unraid, Windows and Linux. When we've done that, you'll master it. I also installed it on my iPad and Android phone literally in seconds. If that's not enough to get you excited, in the second half of the post, I'm going to show you some tricks that literally blew my mind. Let's go after him!
Yesterday I was watching a Youtube video of Ibracorp (link below). If she uses Unraid, I suggest she stick with it. She's up there with Spaceinvader One. She was showing how to set up Tailscale. She hadn't even heard of Tailscale before this point, but in about an hour, he had the network set up he could only have dreamed of! Tailscale is what is known as Zero config vpn. It's built on top of Wireguard, so it's fast and relatively lightweight, but it doesn't require a single port forwarding. Yes, you read that right:
NOT A DOOR AHEAD!
I have wireguard and openvpn set up on my main workstations and servers as a backup, but compared to that they seem basic and difficult to configure. Previously, I played around with Zerotier (a similar concept, ie zero configuration), but got mixed results. The administrative side of things was not good and I was never able to get Unraid to connect properly. I watched the video and decided to try Tailscale. I'll quickly skip through the steps I've followed here for those who measure attention span in terms of Instagram posts π
not attacked
Consider my current setup. My remote network is in another country and is on the 192.168.1.0/24 subnet. My local network is 192.168.2.0/24. What we want to do is connect these networks quickly and efficiently so that we can effectively navigate them as if they were on the network. Let's start with Unraid.
Go to the community apps tab and find and install Tailscale. Then we go to the model and add the Tailscale container (not the client).
Add this argument in the UP_FLAGS field:--advertise-routes=192.168.1.0/24
Change the subnet to whatever remote network you want to access. In simple terms, we are asking Unraid to set up a final scale server for direct access, but also to allow routes to other machines on the 192.168.1.0 network.
Now click apply and that's it. You will need to check the container logs and you should see a URL where you will need to access and authenticate.
I chose to authenticate using github, but you have options here. Copy and paste the link and authenticate yourself. This will effectively create a specific scale account for you. All Tailscale administration will be performedhereπ§π· After a moment you should see your unattacked machine appear and hopefully if you followed these steps it will appear connected.
windows
Now that we have Unraid connected to Tailscale, we need to test it. Download and install the tailscale installer fromhereπ§π· Alternatively, you can use Chocolatey to download it, using a simple PowerShell command (as administrator):
Choco install tailscale -y
If you're not using chocolate milk, you should! In addition to being easy to install or uninstall applications, it allows for easy automated updating. You can read more about it.hereπ§π· Once installed, you will need to re-authenticate with the same account you previously used for Unraid (github in my case). Once authenticated, you should see your Windows PC in your list of machines. Again, we expect it to show connected. At this point, you should be able to use the IP address that Tailscale assigned next to your Unraid machine to connect directly.
At this point, you're done! Is that. No port forwarding. No scanning QR codes or trying to figure out public and private keys. No mass, no sha, no need to look at number 2048! How cool is that? An advert. You will need to be connected to the Tailscale network in order to simply use IP addresses. Therefore, if you close the Tailscale daemon from the taskbar, the address will not be sent. Also for servers, it's probably a good idea to remove the expiration of authentication keys. You can do this by clicking on the three dots at the end of the line.
linux
Now that we have the network up and running, let's add an Ubuntu server to the mix. Mine is running 21.04 and hosts my full local docker stack. SSH into the server normally and run the following commands:
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | sudo apt-key add
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt-get update
sudo apt-get install tailscale
You should then see the Tailscale authentication link appear on the screen. As before, copy it to the browser and authenticate again. Once authenticated, you just need to run one more command:
sudo tail scale up
You should now see your Ubuntu Server appear on your machine.Listπ§π· Again, assuming there is a small green icon and it shows connected, you should be able to SSH into the server with your normal credentials, only this time you don't have to use the local IP address. You can use the queue scale assigned to you. i.e. ssh[email protected]
Tablets and Smartphones
Now for them, installing Tailscale is as simple as downloading and installing the app. I will not take you through this. You download, authenticate, and then hit the toggle button on the apps (same for Android and iOS). Once authenticated in the app, you will see them in the list of machines. You turn it on or off to connect to the network. On my OnePlus 9 pro, I switched the connection to On and was able to instantly browse my Unraid server and access my Ubuntu server using the IP addresses generated in Tailscale.
The above literally took me about 30 minutes to run and I was completely hooked. Now, here's how to take it a step further.
tips and tricks
Let's start with Unraid. Once you have your Tailscale container up and running, open the console in Unraid and paste in the following:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
This essentially enables port forwarding. Remember that we already included ββadvertise-routes=192.168.1.0/24β in our original container configuration. If for some reason you want to revert or reset this, just change =1 to =0 above, ie echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf would become echo 'net.ipv4.ip_forward = 0' | sudo tee -a /etc/sysctl.conf
Now click on the three dots after your unhacked machine in the Tailscale managerconsole.
Click review route settings. Hopefully, you'll see your subnet appear at the top. Click to enable. Wait a few moments and then you will see the subnet appear below the generated IP address in the final scale.
You should now be able to browse the remote LAN. In my case, everything on 192.168.1.0/24 became available to me. Even for the Unraid machine itself, this meant that I could use its default 192.168.1.X address or the 100.X.X.X address that Tailscale was giving me. This means that if you have a device that can't connect to Tailscale, you'll still be able to access it. That remote IP camera or smart plug, no problem! That's optimal. This is not everything. It also means that on Windows I can now map an unhacked server share as a plain network drive. You literally add the location in Windows Explorer with your Unraid login credentials and you're done. No need for complicated file managers or FTP clients, I can just drag and drop right from the desktop!
Already impressed? No, well, there's more.
home assistant
This blog is mainly focused on smarthome, so let's dig a little deeper. I am a keen user ofhome assistantmired knotπ§π· At one point I was paying for Nabu Casa because I liked the idea of ββhaving remote access to the house when I was away. Unfortunately, I was struggling to stay connected to Nabu Casa and ended up giving up. Instead, I was relying on an OpenVPN connection to access it. I would activate the VPN connection and use the mobile app normally. So I had a problem where I changed my home and ISP and now I'm under CG NAT (carrier level NAT). That is, I can't use internal VPN connections, although there are third-party solutions likeSaletc. With Tailscale, this is no longer necessary. I found out that someone had written a Tailscale integration for Home-Assistant!
If you are running Hassio (or supervised), go to supervisor panel -> plugin store and click on the dots in the top right corner.
Add the following repository:
https://github.com/tsujamin/hass-addons
Then go to the plugins section, scroll down until you see Tailscale.
Install it and click documentation. As you can see, you will need to obtain a key fromhere:
Take the key, paste it into the auth_key section in Settings in the plugin, and give yourself a hostname. Save and start the plugin. You will see it in the list of machines and it should show up as connected. The best thing about this is that you will get a 100.x.x.x IP address. Now go to the Home-Assistant mobile app and paste that IP address as the external URL (remember to add the port and slash at the end). Turn off your wi-fi and (as long as you're connected via Tailscale) you now have external access to Home-Assistant for free. Again, no port forwarding required!
Now you won't get any of the good stuff that Nabu Casa also offers via alexa/google integration etc, but not everyone needs that, though I suggest it's worth the price just to help out developers.
Heimdall
Another small element that I configured yesterday was the home page of my browser. I am a keen user ofHeimdallon my main machine. I like that I can use the API to display additional information about some of the docker containers I'm running. allows me to useduck duck to winAs a search engine, but also with the click of a tile, I can now access my servers, my router, my various applications, quickly and easily. I have Heimdall running via portainer on my linux server. Since this is permanently connected to Tailscale now, there's no reason I can't make my Heimdall page my default home page for all my devices, no matter where I am in the world.
pi-hole
I haveholerunning on my Unraid server. Thanks to Tailscale, I can now have all my devices use the same Pi-hole as their DNS (centralized ad blocking) server. Although I recommend adding a secondary DNS server in case you forget to connect to Tailscale to avoid loss of service.
output nodes
Last but not least, I didn't touch the exit nodes. In addition to joining all the devices in a network, Tailscale also allows you to designate some of the devices as an exit node, that is, you can route your Internet traffic through them. You may or may not want this, depending on your needs. For example, if I want my Unraid server in country B to be an exit node, all I need to do is add an additional UP_FLAGS parameter to the container template:
--advertise-exit-node
(You can paste this directly after announcing the subnet.) Then power on the exit node where we enabled subnet routes. Since we already added port forwarding in Unraid above (via the console), this should work out of the box. I tried this and my local internet traffic went through the Unraid server (verified by checking the IP address).
A lot more can be done with Tailscale, and I'm only scratching the surface, but considering that I set this all up in a few hours and it works flawlessly, I'm pretty impressed. I've wanted a setup like this for years, but my eyes would cloud over every time someone mentioned Masquerade or IP tables etc.
References and Acknowledgments
I want to say thank you where it's due. The initial video I watched on YouTube can be found here:
They also have some great writing to go along with the video that can be foundhereπ§π· There is much more information on exit node configuration and more on MagicDNS.
Ibracorp has a fantastic discord server where people are really helpful and take the time to advise and work with you. I highly recommend you check it out.https://discord.gg/VWAG7rZ
Many thanks@Hawksmi@DiscPatothere for literally holding my hand yesterday and helping me solve the subnetting crossover. It's not the first time these guys have helped me!
In sum
I'm absolutely glad I was able to get this set up and working as above. It will make my life so much easier and as long as I still keepOpenVPNas a backup, it means I removed both Wireguard and Zerotier from my installation. This saved me some port forwarding and allowed me to close ports on both routers as well as my Ubuntu (UFW) machine. It also allowed me to bypass the CG NAT locally, which was really bugging me.
If you are interested in sharing your own solutions, tips and tricks with like-minded people, you may want to consider joining our Facebook group. We hope this group is more about show and tell than support, but that doesn't mean we can't help!
https://www.facebook.com/groups/386238285944105
Also, if you're interested in supporting the blog, feel free to check out my Smarthome Book available at all good bookstores. If you're thinking of renovating, maybe this will save you some headaches!
