docs: new document selfhost-tailscale.typ
This commit is contained in:
parent
0fe9834574
commit
2cd0c9db0a
130
blog/selfhost-tailscale.typ
Normal file
130
blog/selfhost-tailscale.typ
Normal file
|
|
@ -0,0 +1,130 @@
|
|||
#set quote(block: true)
|
||||
#show link: underline
|
||||
#set text(
|
||||
font: "ETBembo",
|
||||
size: 10pt)
|
||||
#set page(
|
||||
paper: "a4",
|
||||
margin: (x: 1cm, y: 1cm),
|
||||
)
|
||||
#set par(
|
||||
justify: true,
|
||||
leading: 0.52em,
|
||||
)
|
||||
|
||||
#align(center, text(20pt)[
|
||||
*Take control of tailscale with headscale*
|
||||
])
|
||||
|
||||
= Tailscale
|
||||
#link("https://tailscale.com/")[Tailscale] is a modern tunnel VPN
|
||||
service based on #link("https://www.wireguard.com/")[WireGuard®] which
|
||||
provides a 'free' and secure means of communication between devices
|
||||
within a #link("https://tailscale.com/kb/1136/tailnet")[tailnet] - a
|
||||
private network which Tailscale provides its users.
|
||||
|
||||
Essentially, it provides a private and secure way of accessing any of
|
||||
your devices, no matter where you are in the world - a personal WAN
|
||||
encompassing the entire world.
|
||||
|
||||
And on top of this, Tailscale is completely free and open-source! At
|
||||
least, on the surface…
|
||||
|
||||
== Not FOSS? What do you mean?
|
||||
There’s a quite popular saying within the free and open-source software
|
||||
community, which goes along the lines of:
|
||||
|
||||
#quote(block: true)[
|
||||
If you aren’t paying for the product, then you are the product.
|
||||
]
|
||||
|
||||
Which makes perfect sense. It’s the #emph[modern] era so anything
|
||||
significant is powered by some form of #emph[modern] technology, data is
|
||||
the new oil, and so on. In exchange for offering you 'free' services,
|
||||
companies collect and use your data; while there supposedly are laws in
|
||||
place preventing the inconcensual collection of data in most countries
|
||||
around the world, #emph[your] personal data may #emph[still] be traded
|
||||
unethically and inconsensually.
|
||||
|
||||
I personally am of the opinion that these laws are worth absolutely
|
||||
nothing if people aren’t educated in how their data is being used, and
|
||||
what specifically is being collected. But I digress, and that’s a blog
|
||||
post for another time.
|
||||
|
||||
I also think it’s quite unfortunate that users of paid services
|
||||
#emph[still] have their personal data collected in the unethical manner
|
||||
outlined above, despite the fact that they are #emph[paying] for the
|
||||
service…
|
||||
|
||||
In the context of Tailscale: while their clients are all open-source,
|
||||
their control server - the thing that’s managing and rerouting
|
||||
#emph[everything] going through what they advertise as #emph[your]
|
||||
'secure' VPN, isn’t. You’ve got no idea what this thing is doing with
|
||||
the traffic it recieves.
|
||||
|
||||
= Headscale
|
||||
For every problem, there’s probably a solution somewhere. And luckily
|
||||
for this one \(which may or may not actually be a problem for you),
|
||||
we’ve got #link("https://headscale.net/")[Headscale] as our solution.
|
||||
Headscale’s a self-hostable, open-source alternative to the Tailscale
|
||||
control server, and aims to 'provide self-hosters and hobbyists with an
|
||||
open-source server they can use for their projects and labs'.
|
||||
|
||||
== Installing on NixOS
|
||||
Moving on to installing and setting up Headscale on NixOS.
|
||||
|
||||
```nix
|
||||
# ...
|
||||
{
|
||||
# ...
|
||||
services.headscale = {
|
||||
enable = true;
|
||||
address = "0.0.0.0";
|
||||
port = 7070;
|
||||
settings = {
|
||||
logtail.enabled = false;
|
||||
server_url = "https://headscale.devraza.duckdns.org";
|
||||
dns_config.base_domain = "devraza.duckdns.org";
|
||||
};
|
||||
};
|
||||
# ...
|
||||
}
|
||||
```
|
||||
|
||||
This starts up the `headscale` systemd service on our host machine at
|
||||
port `7070`. After that, we make Headscale available over the clearnet
|
||||
with an NGINX reverse proxy, per the usual:
|
||||
|
||||
```nix
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"headscale" = {
|
||||
addSSL = true;
|
||||
serverName = "headscale.devraza.duckdns.org";
|
||||
sslCertificate = ./services/nginx/certs/subdomains/fullchain.pem;
|
||||
sslCertificateKey = ./services/nginx/certs/subdomains/privkey.pem;
|
||||
# Headscale proxy
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
And that’s it. A self-hosted, #emph[truly] open-source Wireguard®-based
|
||||
VPN is now at your fingertips. Enjoy! Oh, but please read the conclusion
|
||||
before doing that:
|
||||
|
||||
= Conclusion
|
||||
For those of you who wish to have access to something like Tailscale but
|
||||
value your privacy above all, you would genuinely be greatful for
|
||||
Headscale. However, I’ve found that some are fine with what Tailscale
|
||||
#emph[does] provide in regards to FOSS, and are satisfied by the raw
|
||||
convenience and simplicity of a non-selfhosted Tailscale control server - exactly what it hopes to provide, as shown by their self-description on their website: 'a zero-config, no-fuss VPN \[provider\]'.
|
||||
|
||||
Or you could just settle with bare Wireguard®.
|
||||
Reference in a new issue