This repository has been archived on 2024-06-01. You can view files and clone it, but cannot push or open issues or pull requests.
warehouse/blog/selfhost-tailscale.typ

#set quote(block: true)
#show link: underline
#set text(
font: "ETBembo",
size: 10pt)
#set page(
paper: "a4",
margin: (x: 1cm, y: 1cm),
)
#set par(
justify: true,
leading: 0.52em,
)
#align(center, text(20pt)[
*Take control of tailscale with headscale*
])
= Tailscale
#link("https://tailscale.com/")[Tailscale] is a modern tunnel VPN
service based on #link("https://www.wireguard.com/")[WireGuard®] which
provides a 'free' and secure means of communication between devices
within a #link("https://tailscale.com/kb/1136/tailnet")[tailnet] - the
private network which Tailscale provides to each of its users.
Essentially, it gives you a private and secure way of reaching any of
your devices, no matter where you are in the world - a personal WAN
spanning the entire globe.
And on top of this, Tailscale is completely free and open-source! At
least, on the surface…
== Not FOSS? What do you mean?
There's a quite popular saying within the free and open-source software
community, which goes along the lines of:
#quote(block: true)[
If you aren't paying for the product, then you are the product.
]
Which makes perfect sense. It's the #emph[modern] era, so anything
significant is powered by some form of #emph[modern] technology, data is
the new oil, and so on. In exchange for offering you 'free' services,
companies collect and use your data; while most countries around the
world supposedly have laws in place against collecting data without
consent, #emph[your] personal data may #emph[still] be traded
unethically and without your consent.
I personally am of the opinion that these laws are worth absolutely
nothing if people aren't educated in how their data is being used, and
what specifically is being collected. But I digress, and that's a blog
post for another time.
I also think it's quite unfortunate that users of paid services
#emph[still] have their personal data collected in the unethical manner
outlined above, despite the fact that they are #emph[paying] for the
service…
In the context of Tailscale: while their clients are all open-source,
their control server - the thing that's managing and rerouting
#emph[everything] going through what they advertise as #emph[your]
'secure' VPN - isn't. You've got no idea what this thing is doing with
the traffic it receives.
= Headscale
For every problem, there's probably a solution somewhere. And luckily
for this one \(which may or may not actually be a problem for you),
we've got #link("https://headscale.net/")[Headscale] as our solution.
Headscale is a self-hostable, open-source alternative to the Tailscale
control server, and aims to 'provide self-hosters and hobbyists with an
open-source server they can use for their projects and labs'.
== Installing on NixOS
On NixOS, Headscale is installed and configured through the
`services.headscale` module:
```nix
# ...
{
  # ...
  services.headscale = {
    enable = true;
    # Listens on every interface, so make sure the host firewall does not
    # expose port 7070 directly; only the nginx proxy below should reach it.
    address = "0.0.0.0";
    port = 7070;
    settings = {
      # Do not let the control server tell clients to ship logs to Tailscale's logtail.
      logtail.enabled = false;
      server_url = "https://headscale.devraza.duckdns.org";
      dns_config.base_domain = "devraza.duckdns.org";
    };
  };
  # ...
}
```
This starts up the `headscale` systemd service on our host machine,
listening on port `7070`. After that, we make Headscale available over
the clearnet with an NGINX reverse proxy, per the usual:
```nix
# The module needs `config` in scope to read the headscale port below.
{ config, ... }:
{
  services.nginx = {
    enable = true;
    virtualHosts = {
      "headscale" = {
        addSSL = true;
        serverName = "headscale.devraza.duckdns.org";
        # Path literals like these are copied into the world-readable
        # /nix/store, so the private key is better referenced as a string
        # path to a file that lives outside the store.
        sslCertificate = ./services/nginx/certs/subdomains/fullchain.pem;
        sslCertificateKey = ./services/nginx/certs/subdomains/privkey.pem;
        # Headscale proxy; the WebSocket upgrade is required by the
        # Tailscale control protocol
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
          proxyWebsockets = true;
        };
      };
    };
  };
}
```
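The two snippets have to agree with each other: the `server_url` clients dial must be the host nginx serves with TLS, `proxyPass` must hit the loopback port headscale binds, and WebSockets must be on. The following audit script is an added example for this post, not part of the original or of Headscale's tooling. The two dicts are a hand transcription of the Nix values above, and the `/var/lib/acme/headscale/key.pem` path used by `hardened()` is an assumed example of a key kept outside the Nix store.

```python
"""Cross-check the headscale and nginx NixOS settings before deploying."""
import copy
from urllib.parse import urlsplit

# Constructed sample input: the Nix attribute sets from this post, transcribed
# into dicts whose keys mirror the NixOS option names.
HEADSCALE = {
    "address": "0.0.0.0",
    "port": 7070,
    "settings": {
        "logtail": {"enabled": False},
        "server_url": "https://headscale.devraza.duckdns.org",
        "dns_config": {"base_domain": "devraza.duckdns.org"},
    },
}

NGINX_VHOST = {
    "addSSL": True,
    "serverName": "headscale.devraza.duckdns.org",
    "sslCertificate": "./services/nginx/certs/subdomains/fullchain.pem",
    "sslCertificateKey": "./services/nginx/certs/subdomains/privkey.pem",
    "locations": {
        "/": {"proxyPass": "http://127.0.0.1:7070", "proxyWebsockets": True},
    },
}

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def audit(headscale: dict, vhost: dict) -> list[str]:
    """Return human-readable findings; an empty list means the pair is coherent."""
    findings = []
    settings = headscale["settings"]
    server_url = urlsplit(settings["server_url"])

    # 1. Clients must reach the control server over TLS, via the proxy hostname.
    if server_url.scheme != "https":
        findings.append("server_url must use https so the proxy terminates TLS")
    if server_url.hostname != vhost["serverName"]:
        findings.append("server_url host does not match nginx serverName")
    if not (vhost.get("addSSL") or vhost.get("forceSSL")):
        findings.append("vhost has no TLS (addSSL/forceSSL) but server_url is https")

    # 2. The proxy must hand requests to the loopback port headscale listens on.
    loc = vhost["locations"]["/"]
    upstream = urlsplit(loc["proxyPass"])
    if upstream.hostname not in LOOPBACK:
        findings.append("proxyPass should point at loopback, not a remote host")
    if upstream.port != headscale["port"]:
        findings.append(f"proxyPass port {upstream.port} != headscale port {headscale['port']}")
    # Tailscale clients upgrade the control connection to a WebSocket.
    if not loc.get("proxyWebsockets"):
        findings.append("proxyWebsockets must be true for the Tailscale control protocol")

    # 3. Privacy and exposure caveats.
    if settings["logtail"]["enabled"]:
        findings.append("logtail.enabled should be false on a self-hosted control server")
    if headscale["address"] not in LOOPBACK:
        findings.append("headscale listens on all interfaces; plain-HTTP port is reachable if the firewall opens it")
    # A Nix path literal is copied into the world-readable /nix/store.
    if vhost["sslCertificateKey"].startswith(("./", "../")):
        findings.append("sslCertificateKey is a Nix path literal; the private key would be copied into /nix/store")
    return findings


def hardened(headscale: dict, vhost: dict) -> tuple[dict, dict]:
    """Return copies with the two exposure findings above fixed."""
    h, v = copy.deepcopy(headscale), copy.deepcopy(vhost)
    h["address"] = "127.0.0.1"  # only the local nginx proxy can reach headscale
    # Assumed absolute string path outside the store (e.g. the NixOS ACME layout).
    v["sslCertificateKey"] = "/var/lib/acme/headscale/key.pem"
    return h, v


if __name__ == "__main__":
    for label, pair in (("as posted", (HEADSCALE, NGINX_VHOST)),
                        ("hardened", hardened(HEADSCALE, NGINX_VHOST))):
        print(f"{label}: {audit(*pair) or ['ok']}")
```

Run as-is it reports two findings against the post's own values (the all-interfaces bind and the key path literal) and none against the hardened pair; swapping the `proxyPass` port or turning `proxyWebsockets` off makes the cross-check fail loudly instead of leaving you with clients that cannot log in.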
And that's it. A self-hosted, #emph[truly] open-source WireGuard®-based
VPN is now at your fingertips. Enjoy! Oh, but please read the conclusion
before doing that:
= Conclusion
For those of you who wish to have access to something like Tailscale but
value your privacy above all, you will genuinely be grateful for
Headscale. However, I've found that some are fine with what Tailscale
#emph[does] provide in regards to FOSS, and are satisfied by the raw
convenience and simplicity of a non-selfhosted Tailscale control server -
exactly what it hopes to provide, as shown by their self-description on
their website: 'a zero-config, no-fuss VPN \[provider\]'.
Or you could just settle with bare WireGuard®.