Just wanted to say how good of a tutorial this is. It breaks down everything into simple understandable parts and you give examples for everything. Well done sir.
It took me 2 days of sweating and cursing to get this working on pfSense a couple of weeks ago, I really applaud this video; it would have saved me a ton of time, this tutorial really hits the points that many similar vids have missed. Thankyou.
If I'd watched this vid explaining exactly how routes are advertised and approved, I'd have sorted it in an hour. I'm a monkey-see, monkey-do learner :) Vids like these should really help with adoption of the self hosted server stuff; keep up the good work.
The god-badger of homelab! Thanks for the awesome content (and exclusive) Alex. Your have less than 10 videos and they are more polished than most of the big youtubers (in the niche). Well done and thanks for SHS too.
Been so confused by this whole process after reading so many tutorials, this video totally cleared it up for me. Easy to follow and thoroughly explained, thanks so much!
Wow, thank you a lot for this video! I was struggling to understand the DNS settings in Tailscale but you made it really clear. My goal was to be able to use the same local urls on my tailscale network as I’m using on my local network (setup in pihole local DNS). By the looks of it, it shouldn’t be that difficult after watching this. You just got a new sub, I really like the format and you deserve way more subscribers mate! ⭐️ ⭐️ ⭐️ ⭐️ ⭐️
Been a while since I seen someone use vi. Glad I’m not the only one, forced myself to learn it many years ago and now wouldn’t use anything else 😂 Long time Network Security Engineer here, really enjoying your content
You can generally tell how well versed someone is, and how good they are at what they do by how simply they explain it. Dude is low key a networking guru. The concepts that he is able to simplify, while retaining focus on all important points to it, is testament to that.
Great overview, very clear and informative. Tailscale has been a gateway for a new interest in networking and self-hosting, and I think this video has sold me on running more infrastructure at home
Wow, loving this. Hope its the start of a series that focuses on those remote family and friends hookups and support we all do or want to do, but didn't have a good place to start. Can't wait to you get to the remote data backup but everything is helpful. I'm in the has not started, still dreaming quadrant on most everything. Saved to a purpose created playlist ... We been watching this video a few dozen more times and I will certainly let the ads play to support.
Crystal clear explanation. Tailscale does make it very easy to do. Compared to messing around with OpenVPN and crap this is a breath of fresh air. I'm making the company pay for some licenses...
You have a very pleasant way of explaining things and it's just the missing piece in my headscale/tailscale setup that I was looking for, thank you kindly Sir!!!
Quality content as usual. From what you do on the JB podcasts, to now your YT Channel, truly amazed and grateful for all you feedback to the community. On this subject of Tailscale atop OPNSense, my only wish was it was supported in the GUI and appeared as an interface one could both monitor and apply policy ules to. It's for this reason that I tend to prefer the ZeroTier method of treating every link as a pseudo L2 connection into a cloud acting as a ethernet switch. I guess I'm old school...but having a transparent connection into my home network (even when it's only allowing devices on my Tailnet Access) without a firewall in the middle just disturbs me.
In the video your internal services were using HTTPS. Do you have any information on how you set this up without exposing ports to the internet? You mentioned you are using Caddy. Are you using self signed certificates with a local CA? I've used SWAG from linux server previously, but want to move away from having an exposed ports. Thanks for the great video!
Thank you so much, I've been trying so hard for the past week and turns out it was much easier than I thought. At first it didn't worked but after 15-30 minutes everything would resolve. Probably some propagation or I don't know.
question : how's your computer dns is configured to use tailscale dns, normaly all computers are configured to use public dns like google cloudflare ...etc, but in your case i don't understand the way your computer request dns from tailsclae you need to show use the dns configuration for client computers side ???
Yeah I run 2 piholes in sync with gravity and as Alex said point router dhcp to use them for dns. Then have them both set as primary and secondary in Tailscale
Split-horizon DNS answers the way bind9 views work-where a source IP subnet determines the content of the record returned-is a challenge with pihole because dnsmasq has no such feature. It's necessary to run multiple dnsmasq instances or use bind9 views. All-tailscale situations don't need this, however source-IP-based split horizon is a cool way to bypass tailscale within a site. I have not gotten around to integrating this into my setup but I hope to at some point.
Hi Alex, thanks for this very nice video! I used many different dns-overlay-network-solutions like tailscale, zerotier, twingate, cloudflare tunnel, netmaker, netbird and so on... Actualy I use zerotier, because itcan be integrated to opnsense through web-gui, with separate interface and so with dedicated firewal-rules. A year ago I tried tailscale, but the performance was really bad (my case: I wanted to weekly backup a 4 GB file from my public mailserver to my internal backup-server) and I had interrupts and it took hours, though I have enough bandwicht up and down. I think it was because nat-traversal - it´s descriped in the tailscale documentation, but espesially for the opnsense the documetation doesn´t show a proper way to solve this issue. Ho did you solve this in your opnsense?
Hi this video was great I was struggling with tailscale so I can't wait to try this out. It's the first time I have seen the advertise marker will this only work on a router or could I set this up on a machine that is running tailscale?
Great video defo going to use my internal dns more thanks to this video. How do you add dns entries to Pi-hole wen they have a different port at the end like 8006 plz? Pi-hole only seems to accept an ip and not the :8006 port part after?
Great video, I've stolen your dns naming scheme. Q: If you have multiple sites (fam members homes) all joined to the same tailnet, doesn't that create its own security issues with lateral movement? Also is this solution dependent on each site having OpnSense and pihole locally? That seems like a havy maintenance overhead. I have 4 fam homes but each home in their own tailnet to keep them separated and tailscale on each users device. The subnet router option looks like a better solution and i guess gives me access to devices that can't install tail-scale right?
@ktzsystems - I can't figure out how to get a valid ssl cert using this setup. Caddy won't issue a real cert if the full domain doesn't resolve in the public internet. Can you share your caddyfile or otherwise point me in the right direction?
I have set this up meticulously and I am still pulling my hair out getting this to work from my windows 10 machine. I have setup the pihole on my raspberry pi and all seems good but the windows machine only resolves the fully qualified names and not any local DNS names defined on my PiHole even though the piholes is added as a custom nameserver in the split DNS set up. It seems as if my windows machine only uses quad 100 as its DNS and ignores the custom name server pihole instance if a short name used. Is this a "windows 10" feature? Am I missing something?
I'm having an odd issue that nobody else seems to have. I'm only getting Internet access when connected to my exit node. If I'm not connected to my exit node, I can't load any games on my phone, watch UA-cam or get new emails. Soon as I connect to my exit node everything starts working. I am however, able to access all my subnets regardless of being connected to my exit node. Any ideas what could be the problem?
What am I doing wrong. I have an Ubuntu server vm running in promox and I followed these instructions to the T but when I go to insatll the fetch file nothing happens.
But it seems to me that this only works by advertising a subnet. If I have tailscale installed in all my nodes (one one of those is my bind9 dns server) the best I can do is set up a search domain and use that.
hi brilliant video. I'm very confused. i have a home environment made as follows server running proxmox 8 home assistant , opnsense truenas all running as vms. i also have jellyfin (managing my media) running in a truenas jail. I would like to accsess my media from a remote site. where do i install tailscale? proxmox opnsense truenas home assistant or on ass of them? thank you
How can i setup caddy for this? I am using my own domain to implement the idea in the video. Currently I setup split dns and subnet router to point caddy so that it can serve as reverse proxy. From remote client I can ping both caddy and other docker services using their internal ip. But i cannot access them with subdomain. I assume something ls wrong with my caddy setup. However this setup work properly if I set up normally. (Without tailscale but using A and AAAA records)
You should niche publish bespoke setups for home game servers like this as a side hustle. Or have Tailscale finance them. I have a database of 5,000 people I've played hundreds of games with MMO flavor and I would pay for a video series documenting any MMOs like this (hostable at home). We have 5GBit fiber in San Diego now and plenty of parents would like kids to play MMOs with participants they trust. I setup a Conan Exiles server for this very purpose. I have plans to use Tailscale for a small business network but I would love to offer this setup as a service to sell locally for families, promoting Tailscale and paying whatever commercial fee I would need to use for installations. In a world where retiring Boomers need a hobby and income, here's a promotion tool your company may have the basic data already researched and ready to publish.
Hi, Do you have and idea of it is possible to join two networks together? Like my parents and my network have like one DHCP server ideally over tailscale?
Technically it is possible. Practically speaking, horrible idea. If Tailscale goes down or the internet goes out all devices on that orphaned network are unable to get an IP.
hey KTZ, I have usb router i want to use it as a mini NAS with attaching external HDD. My ISP blocked all the ports and i dont have static Ip i have dynamic ip so, can't port forwarding. I am also tried with DDNS (noip) but not worked. Is there anyway to access router usb from outside network. Note- i don''t want to build a raspberry pi or budget pc for this(NAS)
pkg install tailscale "No packages available to install matching 'tailscale' have been found, this is a clean install opensense pkg update was successful. odd eh?
Could someone achieve the split DNS concept with just pi-hole? That would be extremely useful for the deployment of 3CX ver20 on premises, since it has a lot of requirements. Im trying to accomplish that, but I have set the have part of split dns since by using only the Local DNS tab of PI-Hole, I m setting up only the internal part and not the external.
there are so much part I don't even understand. Better video would be something that takes in a already setup connection, explaining that and then converting that into the tailscale system. Tried to setup tailscale for about a week, but couldn't
I want to ask, brother, yesterday I played a cloud game and coincidentally the cloud game requires this tailscale to run, I activated the connection and I unknowingly entered paypal and saw my password and paypal information, I forgot to turn off the connection, bro, and I haven't closed the cloud application window, can the owner of the cloud see the information on the cellphone screen because it's like a remote from a distance, or can he not see my information because maybe he can only see his monitor because I play his monitor from a distance (cloud) or can he also see my cellphone screen when I'm in the tailscale or cloud application?, bro, please answer this, I'm very confused and scared
Today I learned what a Split DNS is. Thanks!
Just wanted to say how good of a tutorial this is. It breaks down everything into simple understandable parts and you give examples for everything. Well done sir.
There is a lot of videos explaining the same, but no-one explaining it as easy to follow as you, thanks for this!!
Totally concur, new subscription attained ❤
It took me 2 days of sweating and cursing to get this working on pfSense a couple of weeks ago, I really applaud this video; it would have saved me a ton of time, this tutorial really hits the points that many similar vids have missed. Thankyou.
The mimugmail repo for opnsense makes everything so easy! Glad this helped.
Hopefully you’ve recovered from your experience!
If I'd watched this vid explaining exactly how routes are advertised and approved, I'd have sorted it in an hour. I'm a monkey-see, monkey-do learner :)
Vids like these should really help with adoption of the self hosted server stuff; keep up the good work.
Pfsense keeps dropping tailscale connection even I bought edge device still. But opnsense just works
From non-it person from the villages of africa
The god-badger of homelab! Thanks for the awesome content (and exclusive) Alex.
Your have less than 10 videos and they are more polished than most of the big youtubers (in the niche). Well done and thanks for SHS too.
The only way is up! And down. And probably also sideways.
This is awesome. Would love to see/read more on the reverse proxy part of this!
Been so confused by this whole process after reading so many tutorials, this video totally cleared it up for me. Easy to follow and thoroughly explained, thanks so much!
Best and most straight forward video on this I've seen yet. Thank you!
Wow, thank you a lot for this video! I was struggling to understand the DNS settings in Tailscale but you made it really clear. My goal was to be able to use the same local urls on my tailscale network as I’m using on my local network (setup in pihole local DNS). By the looks of it, it shouldn’t be that difficult after watching this. You just got a new sub, I really like the format and you deserve way more subscribers mate! ⭐️ ⭐️ ⭐️ ⭐️ ⭐️
Been a while since I seen someone use vi. Glad I’m not the only one, forced myself to learn it many years ago and now wouldn’t use anything else 😂
Long time Network Security Engineer here, really enjoying your content
You can generally tell how well versed someone is, and how good they are at what they do by how simply they explain it. Dude is low key a networking guru. The concepts that he is able to simplify, while retaining focus on all important points to it, is testament to that.
your blog guides got my devops career started! Excited you're making youtube videos now too :)
Wow this is so beautiful to hear and motivational!
Thank you so much for making this. I love the Self-Hosted podcast and you are just proving here how Tailscale is such a great sponser to have!
Great overview, very clear and informative. Tailscale has been a gateway for a new interest in networking and self-hosting, and I think this video has sold me on running more infrastructure at home
Amazing stuff! Tailscale truly is a game changer!
Wow, loving this. Hope its the start of a series that focuses on those remote family and friends hookups and support we all do or want to do, but didn't have a good place to start.
Can't wait to you get to the remote data backup but everything is helpful. I'm in the has not started, still dreaming quadrant on most everything.
Saved to a purpose created playlist ... We been watching this video a few dozen more times and I will certainly let the ads play to support.
I need about another 48 hours in the day to make all the content I have lined up. Glad you're enjoying this one so much and thanks for the kind words.
I normally don't bother leaving comments on UA-cam, but this is excellent stuff. Thank you, sir.
Crystal clear explanation. Tailscale does make it very easy to do. Compared to messing around with OpenVPN and crap this is a breath of fresh air. I'm making the company pay for some licenses...
You have a very pleasant way of explaining things and it's just the missing piece in my headscale/tailscale setup that I was looking for, thank you kindly Sir!!!
Your channel is fantastic. Thanks so much for this tutorial.
What an incredible video! I really like how you explain things, it really hits :-)
Quality content as usual. From what you do on the JB podcasts, to now your YT Channel, truly amazed and grateful for all you feedback to the community. On this subject of Tailscale atop OPNSense, my only wish was it was supported in the GUI and appeared as an interface one could both monitor and apply policy
ules to. It's for this reason that I tend to prefer the ZeroTier method of treating every link as a pseudo L2 connection into a cloud acting as a ethernet switch. I guess I'm old school...but having a transparent connection into my home network (even when it's only allowing devices on my Tailnet Access) without a firewall in the middle just disturbs me.
You mentioned you're running Caddy. Are you running that as a plugin in OPNsense? I'm interested in seeing how the Reverse Proxy was configured.
Thanks Alex,
The bit I was missing was adding the local dns server for a specific site or domain. Cheers!
Is a small but super important detail
In the video your internal services were using HTTPS. Do you have any information on how you set this up without exposing ports to the internet? You mentioned you are using Caddy. Are you using self signed certificates with a local CA? I've used SWAG from linux server previously, but want to move away from having an exposed ports. Thanks for the great video!
it would be nice to get the local ssl details, great video by the way
@@IstvanKovacs Did you ever figure out how to do the local ssl?
Did you ever figure out how to do the local ssl?
@@tfeagans yes, I did but it doesn’t depend on tailscale. I use Caddy
Beautifully explained. Worked like a charm. Awesome Vid.
Can this be integrated with Headscale?
Thank you so much, I've been trying so hard for the past week and turns out it was much easier than I thought. At first it didn't worked but after 15-30 minutes everything would resolve. Probably some propagation or I don't know.
Great video, would love to see a follow up on how you setup OPNSense with your home network.
Your Video help me out alot i am useing talscale and bind9
Well done; thank you for the info.
tailscale is goated. it really allows my to use my stuff the way I really want. I just usually have to find out how
Fantastic content, thanks very much!
question : how's your computer dns is configured to use tailscale dns, normaly all computers are configured to use public dns like google cloudflare ...etc, but in your case i don't understand the way your computer request dns from tailsclae you need to show use the dns configuration for client computers side ???
Stop making too much sense with the DNS scheme, your making me change everything. After I JUST CHANGED everything.
Shan’t.
@@ktzsystems Here's I'm trying to figure out how cheap I can go with 10gb after watching a backup restoration take 17 hours.
UniFi agg. A couple connect x3 cards and a couple transceivers… simple.
Hit me up on discord if you want me to work out the details with you.
@@ktzsystemsShart
Amazing Tutorial 👍🏻
Very helpful. Thank you!
Great content. Very helpful. Thank you!
can you add Pi hole as the main DNS server, so you can have ad blocking in every device?
Yep, you would configure that in your DHCP settings to point to PiHole.
Yeah I run 2 piholes in sync with gravity and as Alex said point router dhcp to use them for dns. Then have them both set as primary and secondary in Tailscale
Island hopping vs lateral movement; compare and contrast. Or synonymous?
Hi. Great video. One question. Why do you use pihole and not unbound in OPNSense?
I couldn’t automate things easily with unbound.
needless to say its the best so far.
Split-horizon DNS answers the way bind9 views work-where a source IP subnet determines the content of the record returned-is a challenge with pihole because dnsmasq has no such feature. It's necessary to run multiple dnsmasq instances or use bind9 views. All-tailscale situations don't need this, however source-IP-based split horizon is a cool way to bypass tailscale within a site. I have not gotten around to integrating this into my setup but I hope to at some point.
Hi Alex, thanks for this very nice video! I used many different dns-overlay-network-solutions like tailscale, zerotier, twingate, cloudflare tunnel, netmaker, netbird and so on... Actualy I use zerotier, because itcan be integrated to opnsense through web-gui, with separate interface and so with dedicated firewal-rules. A year ago I tried tailscale, but the performance was really bad (my case: I wanted to weekly backup a 4 GB file from my public mailserver to my internal backup-server) and I had interrupts and it took hours, though I have enough bandwicht up and down. I think it was because nat-traversal - it´s descriped in the tailscale documentation, but espesially for the opnsense the documetation doesn´t show a proper way to solve this issue. Ho did you solve this in your opnsense?
Awesome video.
What is the new limit on subnet router with the new pricing structure? I couldn't find that information
Hi this video was great I was struggling with tailscale so I can't wait to try this out. It's the first time I have seen the advertise marker will this only work on a router or could I set this up on a machine that is running tailscale?
In my home lab I just setup tailscale and used Duckdns with nginx so if I connect to tailscale then I just use Duckdns api to switch ip
If there was a page deidcated to making sense of tech stuff
I think this should go to the tailscale page. This is the holly grill of self hosting.
I was struggling with reverse proxy and ddns for so long. This video have nie clear info how to achieve what I neeed. Thanks
Good work, thnx for sharing.
I came to say that i got lost on the first minute of explanation but my tailscale is still running like a charm on all my devices 😂
Great video defo going to use my internal dns more thanks to this video. How do you add dns entries to Pi-hole wen they have a different port at the end like 8006 plz? Pi-hole only seems to accept an ip and not the :8006 port part after?
Q: You are using mkcert for the local SSL certificates or you are using the Tailscale HTTPS?
likely using the acme built in to whatever load balancer i hit via dns
Great video! Any reason you can't just use opnsense as the DNS server (using host overrides) and achieve similar results?
No reason really. Opnsense by default ships unbound as it’s DNS server. I just have a ton of Ansible automation around my pihole dnsmasq setup.
What if your subnets do overlap? How do you change one?
Great video, I've stolen your dns naming scheme.
Q: If you have multiple sites (fam members homes) all joined to the same tailnet, doesn't that create its own security issues with lateral movement? Also is this solution dependent on each site having OpnSense and pihole locally? That seems like a havy maintenance overhead.
I have 4 fam homes but each home in their own tailnet to keep them separated and tailscale on each users device. The subnet router option looks like a better solution and i guess gives me access to devices that can't install tail-scale right?
cool. can we just use Cloudflare to manage the local DNS?
Technically yes but no but.
@ktzsystems - I can't figure out how to get a valid ssl cert using this setup. Caddy won't issue a real cert if the full domain doesn't resolve in the public internet. Can you share your caddyfile or otherwise point me in the right direction?
How did you get TLS working?
I have set this up meticulously and I am still pulling my hair out getting this to work from my windows 10 machine. I have setup the pihole on my raspberry pi and all seems good but the windows machine only resolves the fully qualified names and not any local DNS names defined on my PiHole even though the piholes is added as a custom nameserver in the split DNS set up. It seems as if my windows machine only uses quad 100 as its DNS and ignores the custom name server pihole instance if a short name used. Is this a "windows 10" feature? Am I missing something?
I'm having an odd issue that nobody else seems to have. I'm only getting Internet access when connected to my exit node. If I'm not connected to my exit node, I can't load any games on my phone, watch UA-cam or get new emails. Soon as I connect to my exit node everything starts working. I am however, able to access all my subnets regardless of being connected to my exit node. Any ideas what could be the problem?
Finally found a fix....had to disable MagicDNS. Something with using mobile 4g and having MagicDNS enabled doesn't jive.
What am I doing wrong. I have an Ubuntu server vm running in promox and I followed these instructions to the T but when I go to insatll the fetch file nothing happens.
Wish tailscale would allow me to access my dell server's idrac. I get a connection refused error if I use tailscale
But it seems to me that this only works by advertising a subnet. If I have tailscale installed in all my nodes (one one of those is my bind9 dns server) the best I can do is set up a search domain and use that.
hi brilliant video. I'm very confused. i have a home environment made as follows server running proxmox 8 home assistant , opnsense truenas all running as vms. i also have jellyfin (managing my media) running in a truenas jail. I would like to accsess my media from a remote site. where do i install tailscale? proxmox opnsense truenas home assistant or on ass of them? thank you
How can i setup caddy for this?
I am using my own domain to implement the idea in the video. Currently I setup split dns and subnet router to point caddy so that it can serve as reverse proxy. From remote client I can ping both caddy and other docker services using their internal ip. But i cannot access them with subdomain. I assume something ls wrong with my caddy setup. However this setup work properly if I set up normally. (Without tailscale but using A and AAAA records)
You should niche publish bespoke setups for home game servers like this as a side hustle. Or have Tailscale finance them. I have a database of 5,000 people I've played hundreds of games with MMO flavor and I would pay for a video series documenting any MMOs like this (hostable at home). We have 5GBit fiber in San Diego now and plenty of parents would like kids to play MMOs with participants they trust. I setup a Conan Exiles server for this very purpose. I have plans to use Tailscale for a small business network but I would love to offer this setup as a service to sell locally for families, promoting Tailscale and paying whatever commercial fee I would need to use for installations. In a world where retiring Boomers need a hobby and income, here's a promotion tool your company may have the basic data already researched and ready to publish.
Hi,
Do you have and idea of it is possible to join two networks together? Like my parents and my network have like one DHCP server ideally over tailscale?
Technically it is possible. Practically speaking, horrible idea. If Tailscale goes down or the internet goes out all devices on that orphaned network are unable to get an IP.
hey KTZ, I have usb router i want to use it as a mini NAS with attaching external HDD. My ISP blocked all the ports and i dont have static Ip i have dynamic ip so, can't port forwarding. I am also tried with DDNS (noip) but not worked. Is there anyway to access router usb from outside network.
Note- i don''t want to build a raspberry pi or budget pc for this(NAS)
pkg install tailscale "No packages available to install matching 'tailscale' have been found, this is a clean install opensense pkg update was successful. odd eh?
Could someone achieve the split DNS concept with just pi-hole? That would be extremely useful for the deployment of 3CX ver20 on premises, since it has a lot of requirements. Im trying to accomplish that, but I have set the have part of split dns since by using only the Local DNS tab of PI-Hole, I m setting up only the internal part and not the external.
there are so much part I don't even understand. Better video would be something that takes in a already setup connection, explaining that and then converting that into the tailscale system.
Tried to setup tailscale for about a week, but couldn't
I want to ask, brother, yesterday I played a cloud game and coincidentally the cloud game requires this tailscale to run, I activated the connection and I unknowingly entered paypal and saw my password and paypal information, I forgot to turn off the connection, bro, and I haven't closed the cloud application window, can the owner of the cloud see the information on the cellphone screen because it's like a remote from a distance, or can he not see my information because maybe he can only see his monitor because I play his monitor from a distance (cloud) or can he also see my cellphone screen when I'm in the tailscale or cloud application?, bro, please answer this, I'm very confused and scared
You should be fine. Change your PayPal password if you are concerned.
this is not working anymore, could be nice having an upgrade
I’m relatively tech savvy and I don’t understand.
great video but plz plz hide the flashy switch in the background, sooo distracting
Blinky lights look so 1337 h4x0r though