Tailscale VPN
Skill for Tailscale VPN — auto-generated from documentation
by skynet, v1.0.0
Compatible Agents
claude-code, codex, gemini
Instruction
---
name: Tailscale VPN
description: Use this skill when you need to set up secure mesh networking, connect devices across networks, manage zero-trust access, or troubleshoot Tailscale VPN connectivity issues.
metadata:
  author: skynet
  version: 1.0.0
  category: infrastructure
---
# Tailscale VPN
Tailscale creates secure mesh networks using WireGuard, enabling direct device-to-device connections through NAT traversal.
## Installation
### Linux (Debian/Ubuntu)
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
### macOS
```bash
brew install tailscale
sudo tailscale up
```
### Windows
```powershell
# Download from tailscale.com/download or via Chocolatey
choco install tailscale
```
## Basic Setup
### Initial Authentication
```bash
# Start Tailscale and authenticate
sudo tailscale up
# Login with specific flags
sudo tailscale up --accept-routes --accept-dns=false
# Let the current user run tailscale commands without sudo
sudo tailscale up --operator="$USER"
```
### Check Status
```bash
# View connection status
tailscale status
# Include peers in the status output (this is the default)
tailscale status --peers
# Check IP address
tailscale ip -4
```
## Common Workflows
### Secure File Sharing
```bash
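# Proxy a local service on port 8080 to the tailnet over HTTPS
tailscale serve 8080
# Funnel publishes the directory to the public internet, not just the tailnet
tailscale funnel --bg --https=443 /path/to/files
# Temporary file sharing, bound to the Tailscale address only
python3 -m http.server 8000 --bind "$(tailscale ip -4)"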
```
### SSH Access Configuration
```bash
# Enable SSH server through Tailscale
sudo tailscale up --ssh
# Connect to remote machine
ssh user@100.x.x.x # Use Tailscale IP
# SSH with Tailscale hostname
ssh user@machine-name.tail-scale.ts.net
```
### Exit Node Setup
```bash
# Configure machine as exit node
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo tailscale up --advertise-exit-node
# Use exit node on client
sudo tailscale up --exit-node=100.x.x.x
# Stop using exit node
sudo tailscale up --exit-node=
```
## Decision Tree: Network Configuration
```
Need to connect devices?
├─ Same organization
│  ├─ Basic connection → tailscale up
│  └─ Need subnet access → tailscale up --accept-routes
└─ Different organizations
   ├─ Temporary access → Share machine via admin console
   └─ Permanent access → Set up shared nodes
```
## Advanced Configuration
### Subnet Routing
```bash
# Advertise subnet routes
sudo tailscale up --advertise-routes=192.168.1.0/24,10.0.0.0/16
# Accept subnet routes from other nodes
sudo tailscale up --accept-routes
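# Check advertised routes (AdvertiseRoutes in this node's preferences);
# peers can use them only once the routes are approved for the tailnet
tailscale debug prefs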
```
### ACL and Security
```bash
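# View current ACL policy: the tailscale CLI has no acl subcommand, so use the
# admin console or the API (TS_API_KEY is an API access token you export yourself)
curl -s -u "${TS_API_KEY}:" https://api.tailscale.com/api/v2/tailnet/-/acl
# Test ACL changes: add an entry to the "tests" section of the policy file,
# e.g. src user@domain.com must be accepted to tag:server:22 over tcp
# Tailnet Lock: require new nodes to be signed by trusted signing nodes
# (init takes the tlpub: keys to trust; see `tailscale lock init --help`)
sudo tailscale lock init
sudo tailscale lock status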
```
### DNS Configuration
```bash
# Use Tailscale DNS
sudo tailscale up --accept-dns
# Disable Tailscale DNS
sudo tailscale up --accept-dns=false
# Custom nameservers are set on the DNS page of the admin console;
# `tailscale up` has no nameserver flag
```
## Monitoring and Logs
### Connection Debugging
```bash
# Print this node's preferences
tailscale debug prefs
# Print the current network map (peers, addresses, DNS config)
tailscale debug netmap
# Check connectivity to specific peer
tailscale ping 100.x.x.x
# Stream state-change notifications from tailscaled
sudo tailscale debug watch-ipn
```
### Log Collection
```bash
# Generate bug report
tailscale bugreport
# View logs (systemd systems)
sudo journalctl -u tailscaled -f
# Debug connectivity issues (NAT type, UDP reachability, DERP latency)
tailscale netcheck
```
## Troubleshooting
### Error: "tailscaled socket not found"
```bash
# Check if service is running
sudo systemctl status tailscaled
# Start service if stopped
sudo systemctl start tailscaled
sudo systemctl enable tailscaled
# Alternative: run tailscaled manually
sudo tailscaled --state=/var/lib/tailscale/tailscaled.state
```
### Error: "connection refused" or timeouts
```bash
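# Allow inbound traffic on the Tailscale interface (ufw);
# what peers can reach is then governed by the tailnet ACLs
sudo ufw allow in on tailscale0
# firewalld equivalent (runtime only; add --permanent to persist)
sudo firewall-cmd --zone=trusted --add-interface=tailscale0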
# Verify Tailscale interface
ip addr show tailscale0
# Reset connection
sudo tailscale down
sudo tailscale up
```
### Error: "authentication required"
```bash
# Re-authenticate
tailscale logout
sudo tailscale up
# Authenticate with an auth key (for automated setup)
sudo tailscale up --authkey=tskey-auth-xxx
```
### Performance Issues
```bash
# Check MTU settings
ip link show tailscale0
# Adjust MTU if needed
sudo ip link set dev tailscale0 mtu 1280
# Test bandwidth between nodes
iperf3 -s # On server
iperf3 -c 100.x.x.x # On client
```
### Split DNS Not Working
```bash
# Check current DNS settings
tailscale dns status
resolvectl status
# Force DNS refresh
sudo systemctl restart systemd-resolved
# Manual DNS configuration (systemd-resolved): point tailscale0 at the MagicDNS resolver
sudo resolvectl dns tailscale0 100.100.100.100
```
## Best Practices
### Security Hardening
```bash
# Regular key rotation
tailscale logout
sudo tailscale up # Forces re-auth
# Use ACLs for access control
# Set up device approval requirements
# Enable audit logs in admin console
```
### Production Deployment
```bash
# Automated provisioning with auth keys
sudo tailscale up --authkey=tskey-auth-xxx --hostname=prod-server-01
# Service management
sudo systemctl enable tailscaled
sudo systemctl daemon-reload
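# Monitoring integration: the LocalAPI listens on tailscaled's unix socket
# (41641 is the WireGuard UDP port, not an HTTP endpoint)
sudo curl -s --unix-socket /var/run/tailscale/tailscaled.sock http://local-tailscaled.sock/localapi/v0/status | jq .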
```
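The provisioning command above puts the auth key on the command line, where it ends up in shell history and process listings. The following added example (not part of the original skill or of Tailscale's own tooling) checks a key file's permissions and hands it to `tailscale up` through the `file:` prefix that `--auth-key` accepts; the function names, key path and hostname are illustrative assumptions.

```bash
#!/bin/sh
# Added example: provision a node from an auth key stored in a file.
# file_mode, authkey_file_ok and provision_node are hypothetical helper names.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the key file is safe to use: a regular file that is not a
# symlink, with no group/other permission bits, holding a tskey-auth- key.
authkey_file_ok() {
  local f mode
  f=$1
  [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
  mode=$(file_mode "$f") || return 1
  case "$mode" in
    0|*00) ;;   # owner-only, e.g. 600 or 400
    *) echo "mode $mode on $f is too open; run chmod 600" >&2; return 1 ;;
  esac
  grep -q '^tskey-auth-' "$f" || { echo "no tskey-auth- key in $f" >&2; return 1; }
}

# Bring the node up with the key read from the file, so the secret never
# appears in argv (ps output) or in shell history.
provision_node() {
  local keyfile hostname
  keyfile=$1
  hostname=$2
  authkey_file_ok "$keyfile" || return 1
  sudo tailscale up --auth-key="file:$keyfile" --hostname="$hostname"
}

# Usage (assumed path and hostname):
#   ./provision.sh /etc/tailscale/authkey prod-server-01
if [ "$#" -eq 2 ]; then
  provision_node "$1" "$2"
fi
```

Remove the key file after enrollment if the key is single-use, and prefer short-lived, tagged keys for automated setups.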
Install
curl -s https://skills.skynet.ceo/api/skills/tailscale/skill.md