website/public/blog/selfhost-tailscale/index.html


<!doctype html><html lang=en><head><meta charset=utf-8><meta content="width=device-width,initial-scale=1.0" name=viewport><meta content="light dark" name=color-scheme><title>Take control of tailscale with headscale</title><link href=/img/favicon-32x32.png rel=icon sizes=32x32 type=image/png><link href=/img/favicon-16x16.png rel=icon sizes=16x16 type=image/png><link href=/img/apple-touch-icon.png rel=apple-touch-icon sizes=180x180><link href=https://fonts.googleapis.com rel=preconnect><link crossorigin href=https://fonts.gstatic.com rel=preconnect><link href="https://fonts.googleapis.com/css2?family=Signika&display=swap" rel=stylesheet><style>*{font-family:monospace!important}body{--primary-color:#8070c6;--primary-pale-color:#8070c61c;--text-color:#151517;--text-pale-color:#454449;--bg-color:#ece5ea;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body.dark{--primary-color:#a292e8;--primary-pale-color:#a292e81c;--text-color:#ece5ea;--text-pale-color:#5c5c61;--bg-color:#151517;--highlight-mark-color:#5f75b045;--callout-note-color:#e887bb;--callout-important-color:#a292e8;--callout-warning-color:#d9d564;--callout-alert-color:#f06969;--callout-question-color:#78b9c4;--callout-tip-color:#91d65c}body{--main-font:'Signika',ui-sans-serif,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--code-font:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;--homepage-max-width:750px;--main-max-width:750px;--avatar-size:70px;--paragraph-font-size:18px;--paragraph-line-height:1.75;--aside-font-size:16px;--img-border-radius:0;--inline-code-border-radius:2px}</style><link href=/main.css rel=stylesheet><body 
class=post><script>if(localStorage.getItem('theme')=='dark'){document.body.classList.add('dark');const a=document.querySelector('link#hl');if(a)a.href='/hl-dark.css'}</script><header class=blur><div id=header-wrapper><nav><a href=/>devraza</a><button aria-label="toggle expand" class=separator id=toggler>::</button><span class="wrap left fold">{</span><a href=/blog>blog</a><span class="wrap-separator fold">,</span><a class=fold href=/projects>projects</a><span class="wrap right fold">} ;</span></nav><div id=btns><a aria-label="rss feed" href=/blog/feed.xml><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M3 17C5.20914 17 7 18.7909 7 21H3V17ZM3 10C9.07513 10 14 14.9249 14 21H12C12 16.0294 7.97056 12 3 12V10ZM3 3C12.9411 3 21 11.0589 21 21H19C19 12.1634 11.8366 5 3 5V3Z" fill=currentColor></path></svg></a><button aria-label="theme switch" data-moon-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M10 7C10 10.866 13.134 14 17 14C18.9584 14 20.729 13.1957 21.9995 11.8995C22 11.933 22 11.9665 22 12C22 17.5228 17.5228 22 12 22C6.47715 22 2 17.5228 2 12C2 6.47715 6.47715 2 12 2C12.0335 2 12.067 2 12.1005 2.00049C10.8043 3.27098 10 5.04157 10 7ZM4 12C4 16.4183 7.58172 20 12 20C15.0583 20 17.7158 18.2839 19.062 15.7621C18.3945 15.9187 17.7035 16 17 16C12.0294 16 8 11.9706 8 7C8 6.29648 8.08133 5.60547 8.2379 4.938C5.71611 6.28423 4 8.9417 4 12Z" fill="currentColor"></path></svg>' data-sun-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M12 18C8.68629 18 6 15.3137 6 12C6 8.68629 8.68629 6 12 6C15.3137 6 18 8.68629 18 12C18 15.3137 15.3137 18 12 18ZM12 16C14.2091 16 16 14.2091 16 12C16 9.79086 14.2091 8 12 8C9.79086 8 8 9.79086 8 12C8 14.2091 9.79086 16 12 16ZM11 1H13V4H11V1ZM11 20H13V23H11V20ZM3.51472 4.92893L4.92893 3.51472L7.05025 5.63604L5.63604 7.05025L3.51472 4.92893ZM16.9497 18.364L18.364 16.9497L20.4853 19.0711L19.0711 20.4853L16.9497 
18.364ZM19.0711 3.51472L20.4853 4.92893L18.364 7.05025L16.9497 5.63604L19.0711 3.51472ZM5.63604 16.9497L7.05025 18.364L4.92893 20.4853L3.51472 19.0711L5.63604 16.9497ZM23 11V13H20V11H23ZM4 11V13H1V11H4Z" fill="currentColor"></path></svg>' id=theme-toggle><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M10 7C10 10.866 13.134 14 17 14C18.9584 14 20.729 13.1957 21.9995 11.8995C22 11.933 22 11.9665 22 12C22 17.5228 17.5228 22 12 22C6.47715 22 2 17.5228 2 12C2 6.47715 6.47715 2 12 2C12.0335 2 12.067 2 12.1005 2.00049C10.8043 3.27098 10 5.04157 10 7ZM4 12C4 16.4183 7.58172 20 12 20C15.0583 20 17.7158 18.2839 19.062 15.7621C18.3945 15.9187 17.7035 16 17 16C12.0294 16 8 11.9706 8 7C8 6.29648 8.08133 5.60547 8.2379 4.938C5.71611 6.28423 4 8.9417 4 12Z" fill=currentColor></path></svg></button><button aria-label="table of content" id=toc-toggle><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M3 4H21V6H3V4ZM3 11H15V13H3V11ZM3 18H21V20H3V18Z" fill=currentColor></path></svg></button></div></div></header><div id=wrapper><div id=blank></div><aside class=blur><nav><ul><li><a class=h2 href=#tailscale>Tailscale</a> <ul><li><a class=h3 href=#not-foss-what-do-you-mean>Not FOSS? 
What do you mean?</a></ul><li><a class=h2 href=#headscale>Headscale</a> <ul><li><a class=h3 href=#installing-on-nixos>Installing on NixOS</a></ul><li><a class=h2 href=#conclusion>Conclusion</a></ul></nav><button aria-label="back to top" id=back-to-top><svg viewbox="0 0 24 24" height=24 width=24 xmlns=http://www.w3.org/2000/svg><path d="M11.9997 10.8284L7.04996 15.7782L5.63574 14.364L11.9997 8L18.3637 14.364L16.9495 15.7782L11.9997 10.8284Z" fill=currentColor></path></svg></button></aside><main><div><div data-check-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M10.0007 15.1709L19.1931 5.97852L20.6073 7.39273L10.0007 17.9993L3.63672 11.6354L5.05093 10.2212L10.0007 15.1709Z" fill="currentColor"></path></svg>' data-copy-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="24" height="24"><path d="M6.9998 6V3C6.9998 2.44772 7.44752 2 7.9998 2H19.9998C20.5521 2 20.9998 2.44772 20.9998 3V17C20.9998 17.5523 20.5521 18 19.9998 18H16.9998V20.9991C16.9998 21.5519 16.5499 22 15.993 22H4.00666C3.45059 22 3 21.5554 3 20.9991L3.0026 7.00087C3.0027 6.44811 3.45264 6 4.00942 6H6.9998ZM5.00242 8L5.00019 20H14.9998V8H5.00242ZM8.9998 6H16.9998V16H18.9998V4H8.9998V6Z" fill="currentColor"></path></svg>' id=copy-cfg style=display:none></div><article data-backlink-icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20"><path d="M9.41421 8L18.0208 16.6066L16.6066 18.0208L8 9.41421V17H6V6H17V8H9.41421Z" fill="currentColor"></path></svg>' class=prose><h1>Take control of tailscale with headscale</h1><div id=post-info><div id=date><span id=publish>2024-01-10</span></div><div id=tags><a href=https://devraza.duckdns.org/tags/tailscale><span>#</span>tailscale</a><a href=https://devraza.duckdns.org/tags/headscale><span>#</span>headscale</a><a href=https://devraza.duckdns.org/tags/selfhosted><span>#</span>selfhosted</a><a 
href=https://devraza.duckdns.org/tags/privacy><span>#</span>privacy</a></div></div><h1 id=tailscale>Tailscale<a aria-label="Anchor link for: tailscale" class=zola-anchor href=#tailscale>#</a></h1><p><a rel="nofollow noreferrer" href=https://tailscale.com/>Tailscale</a> is a modern tunnel VPN service based on <a rel="nofollow noreferrer" href=https://www.wireguard.com/>WireGuard®</a>, which provides a 'free' and secure means of communication between devices within a <a rel="nofollow noreferrer" href=https://tailscale.com/kb/1136/tailnet>tailnet</a> - a private network which Tailscale provides to its users.<p>Essentially, it provides a private and secure way of accessing any of your devices, no matter where you are in the world - a personal WAN encompassing the entire world.<p>And on top of this, Tailscale is completely free and open-source! At least, on the surface...<h2 id=not-foss-what-do-you-mean>Not FOSS? What do you mean?<a aria-label="Anchor link for: not-foss-what-do-you-mean" class=zola-anchor href=#not-foss-what-do-you-mean>#</a></h2><p>There's a quite popular saying within the free and open-source software community, which goes along the lines of:<blockquote><p>If you aren't paying for the product, then you are the product.</blockquote><p>Which makes perfect sense. It's the <em>modern</em> era so anything significant is powered by some form of <em>modern</em> technology, data is the new oil, and so on. In exchange for offering you 'free' services, companies collect and use your data; while there supposedly are laws in place preventing the nonconsensual collection of data in most countries around the world, <em>your</em> personal data may <em>still</em> be traded unethically and without your consent.<p>I personally am of the opinion that these laws are worth absolutely nothing if people aren't educated in how their data is being used, and what specifically is being collected.
But I digress, and that's a blog post for another time.<p>I also think it's quite unfortunate that users of paid services <em>still</em> have their personal data collected in the unethical manner outlined above, despite the fact that they are <em>paying</em> for the service...<p>In the context of Tailscale: while their clients are all open-source, their control server - the thing that's managing and rerouting <em>everything</em> going through what they advertise as <em>your</em> 'secure' VPN - isn't. You've got no idea what this thing is doing with the traffic it receives.<h1 id=headscale>Headscale<a aria-label="Anchor link for: headscale" class=zola-anchor href=#headscale>#</a></h1><p>For every problem, there's probably a solution somewhere. And luckily for this one (which may or may not actually be a problem for you), we've got <a rel="nofollow noreferrer" href=https://headscale.net/>Headscale</a> as our solution. Headscale's a self-hostable, open-source alternative to the Tailscale control server, and aims to 'provide self-hosters and hobbyists with an open-source server they can use for their projects and labs'.<h2 id=installing-on-nixos>Installing on NixOS<a aria-label="Anchor link for: installing-on-nixos" class=zola-anchor href=#installing-on-nixos>#</a></h2><p>Moving on to installing and setting up Headscale on NixOS.<pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span style=color:#888># ...
</span><span>{
</span><span>  </span><span style=color:#888># ...
</span><span>  </span><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>headscale </span><span>= {
</span><span>    </span><span style=color:#ffb964>enable </span><span>= true;
</span><span>    </span><span style=color:#ffb964>address </span><span>= </span><span style=color:#99ad6a>"0.0.0.0"</span><span>;
</span><span>    </span><span style=color:#ffb964>port </span><span>= </span><span style=color:#cf6a4c>7070</span><span>;
</span><span>    </span><span style=color:#ffb964>settings </span><span>= {
</span><span>      </span><span style=color:#ffb964>logtail</span><span>.</span><span style=color:#ffb964>enabled </span><span>= false;
</span><span>      </span><span style=color:#ffb964>server_url </span><span>= </span><span style=color:#99ad6a>"https://headscale.devraza.duckdns.org"</span><span>;
</span><span>      </span><span style=color:#ffb964>dns_config</span><span>.</span><span style=color:#ffb964>base_domain </span><span>= </span><span style=color:#99ad6a>"devraza.duckdns.org"</span><span>;
</span><span>    };
</span><span>  };
</span><span>  </span><span style=color:#888># ...
</span><span>}
</span></code></pre><p>This starts up the <code>headscale</code> systemd service on our host machine at port <code>7070</code>. After that, we make Headscale available over the clearnet with an NGINX reverse proxy, per the usual:<pre class=language-nix data-lang=nix style=background:#151515;color:#e8e8d3><code class=language-nix data-lang=nix><span>{
</span><span>  </span><span style=color:#ffb964>services</span><span>.</span><span style=color:#ffb964>nginx </span><span>= {
</span><span>    </span><span style=color:#ffb964>enable </span><span>= true;
</span><span>    </span><span style=color:#ffb964>virtualHosts </span><span>= {
</span><span>      </span><span style=color:#99ad6a>"headscale" </span><span>= {
</span><span>        </span><span style=color:#ffb964>addSSL </span><span>= true;
</span><span>        </span><span style=color:#ffb964>serverName </span><span>= </span><span style=color:#99ad6a>"headscale.devraza.duckdns.org"</span><span>;
</span><span>        </span><span style=color:#ffb964>sslCertificate </span><span>= </span><span style=color:#99ad6a>./services/nginx/certs/subdomains/fullchain.pem</span><span>;
</span><span>        </span><span style=color:#ffb964>sslCertificateKey </span><span>= </span><span style=color:#99ad6a>./services/nginx/certs/subdomains/privkey.pem</span><span>;
</span><span>        </span><span style=color:#888># Headscale proxy
</span><span>        </span><span style=color:#ffb964>locations</span><span>.</span><span style=color:#99ad6a>"/" </span><span>= {
</span><span>          </span><span style=color:#ffb964>proxyPass </span><span>= </span><span style=color:#99ad6a>"http://127.0.0.1:${toString </span><span style=color:#ffb964>config</span><span style=color:#99ad6a>.</span><span style=color:#ffb964>services</span><span style=color:#99ad6a>.</span><span style=color:#ffb964>headscale</span><span style=color:#99ad6a>.</span><span style=color:#ffb964>port</span><span style=color:#99ad6a>}"</span><span>;
</span><span>          </span><span style=color:#ffb964>proxyWebsockets </span><span>= true;
</span><span>        };
</span><span>      };
</span><span>    };
</span><span>  };
</span><span>}
</span></code></pre><p>And that's it. A self-hosted, <em>truly</em> open-source WireGuard®-based VPN is now at your fingertips. Enjoy! Oh, but please read the conclusion before doing that:<h1 id=conclusion>Conclusion<a aria-label="Anchor link for: conclusion" class=zola-anchor href=#conclusion>#</a></h1><p>For those of you who wish to have access to something like Tailscale but value your privacy above all, you would genuinely be grateful for Headscale. However, I've found that some are fine with what Tailscale <em>does</em> provide with regard to FOSS, and are satisfied by the raw convenience and simplicity of a non-selfhosted Tailscale control server - exactly what it hopes to provide, as shown by their self-description on their website: 'a zero-config, no-fuss VPN [provider]'.<p>Or you could just settle with bare WireGuard®.</article><div class=giscus></div></div><footer><div class=copyright><p>© 2024 Muhammad Nauman Raza</div><div class=credits>powered by <a rel="noreferrer noopener" href=https://www.getzola.org target=_blank>zola</a> and <a rel="noreferrer noopener" href=https://github.com/isunjn/serene target=_blank>serene</a></div></footer></main></div><script src=/js/lightense.min.js></script><script src=/js/main.js></script>
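<p>Added example, not part of the original post or the author's configuration: the two NixOS snippets from the "Installing on NixOS" section merged into one module, with the changes a security review would ask for. Headscale listens only on loopback because NGINX is its sole client, <code>forceSSL</code> replaces <code>addSSL</code>, and the TLS key is referenced by a string path instead of a path literal; the <code>/var/lib/secrets/headscale</code> directory is an assumed placeholder.</p>

```nix
# Added example (assumptions: the /var/lib/secrets/headscale directory exists
# and its files are readable only by root and the nginx user).
{ config, ... }:
{
  services.headscale = {
    enable = true;
    # NGINX reaches Headscale over 127.0.0.1, so the plain-HTTP listener
    # does not need to bind every interface ("0.0.0.0").
    address = "127.0.0.1";
    port = 7070;
    settings = {
      logtail.enabled = false;
      server_url = "https://headscale.devraza.duckdns.org";
      dns_config.base_domain = "devraza.duckdns.org";
    };
  };

  services.nginx = {
    enable = true;
    # Restrict protocol versions and ciphers to the module's recommended set.
    recommendedTlsSettings = true;
    virtualHosts."headscale" = {
      # addSSL serves the site over plain HTTP as well as HTTPS;
      # forceSSL redirects every HTTP request to HTTPS instead.
      forceSSL = true;
      serverName = "headscale.devraza.duckdns.org";
      # Strings, not path literals: an unquoted ./privkey.pem is copied into
      # the world-readable /nix/store when the configuration is built.
      sslCertificate = "/var/lib/secrets/headscale/fullchain.pem";  # assumed path
      sslCertificateKey = "/var/lib/secrets/headscale/privkey.pem"; # assumed path
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
        proxyWebsockets = true;
      };
    };
  };

  # Only the reverse proxy is reachable from outside; port 7070 stays closed.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

<p>After a rebuild, <code>ss -tlnp</code> on the host should show port 7070 bound to 127.0.0.1 only, and the private key should not appear anywhere under <code>/nix/store</code>.</p>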