Tailscale & Headscale - Setting up your own self hosted remote access

  • Published 29 Oct 2024

COMMENTS • 35

  • @jasonperry6046 1 year ago +4

    Thank you for taking the time to make this video. It was a very good walk through.
    I look forward to seeing what is next.

  • @iliondocs6006 1 year ago +2

    Very nice indeed! I lost you a couple of times but not because you haven't explained everything in an excellent mode... well done!!!!

  • @chrisumali9841 1 year ago +2

    thanks for the demo and info, have a great day

  • @DanielBeszterda 1 year ago +4

    This is exactly what I am searching for. Thank you!
    Can you make a video about Cloudflare and DNS at home through a tunnel connection with a long-term certificate?

  • @hayanradwan6100 1 year ago +1

    Hi, thanks for the beautiful guide. I am wondering, have you managed to set up a UI for Headscale instead of using the command line? I am unable to get either headscale-ui or headscale-webui on the same Docker stack to work using this method; I am not sure what to edit in the tunnel peer services. It would be much appreciated if you could give a guide on attaching a UI.

    • @DigitallyRefined 1 year ago +1

      Personally I've not found a need for a UI for Headscale, as I'm happy managing clients via the command line. That said, there are several out there that you could try, such as github.com/gurucomputing/headscale-ui; they do have examples on how to edit your docker-compose.yml to connect them.

  • @l0gic23 11 months ago +1

    +1 sub. Keep up the good work

  • @dmbrv 1 year ago +2

    Awesome video

  • @hakunamatata324 1 year ago +4

    This is awesome, I was looking into a way to replace WireGuard with firewall holes and, like you mentioned, Cloudflare Tunnel wasn't an option.
    You got me lost when you showed the Cloudflare portal, I got lost big times haha
    I run Pi-Hole + Unbound Recursive DNS and I wanna be able to use it on the go as I do now with WireGuard.

  • @ICTS-e2d 1 year ago +1

    Thanks for sharing, I really like the idea. I did some testing and got weird results within ntopng: the traffic (around 2GB) from the advertised host is going directly to Tailscale DERP servers (not through WireGuard).
    I'm not sure if it's related to this setup or a bug in the Headscale / Tailscale software.

    • @DigitallyRefined 1 year ago +1

      Yes, that's how I believe it works. Headscale is a Tailscale control/coordinator server that sets up a connection between clients. In my testing I was able to connect 2 clients on different networks via Headscale, then I was able to shut down Headscale and the WireGuard tunnel and both clients were still connected and able to communicate (since the connection was set up via Tailscale).
      I believe if they can't create a direct connection between clients then a secure relay may be used: tailscale.com/blog/how-tailscale-works/

    • @ICTS-e2d 1 year ago

      Indeed you were correct; after multiple tests it seems that clients behind a firewall advertising routes will go through relays with a TCP connection (might some allow NAT needed), while if used on pfSense directly there will be a direct UDP connection.
      I have to look for a way to force a direct connection without relaying on the firewall.
      @@DigitallyRefined

  • @mesharetelohim 1 year ago +1

    Hi, thank you for this tutorial. It was nice and easy to set this up with your instructions.
    I was wondering, how is Fly.io any different from the Tailscale web controller?

    • @DigitallyRefined 1 year ago +5

      Glad it was helpful. Fly.io is used as a way to expose your Headscale container to the internet via a tunnel, for example if you don't have a public IP address. If you do have a publicly accessible IP address you could remove Fly.io and set up your own DNS or use a service like DuckDNS, and then open/forward ports 80 & 443 to your Headscale container.
      The differences with the Headscale vs. Tailscale coordinators are that you're in control of your infrastructure by self-hosting it, so for example you don't need to register for a Tailscale account, you also don't have any device or account limits, and it's also better for security as the only way devices can join your network is via the Headscale command line.

    • @mesharetelohim 1 year ago +1

      @@DigitallyRefined Thank you for clarifying that. I have a Cloudflare domain that is registered, I was thinking of using it, but you mentioned that Cloudflare does not support it and Fly.io has no way to see my traffic, so I will stick to that for now. Until Fly.io starts charging for giving out IPs 😅

    • @DigitallyRefined 1 year ago +3

      Cloudflare does support Fly.io, it's Cloudflare Tunnels that don't support Headscale. You create a subdomain in Cloudflare and use the IP address from: "fly ips list" 👍

  • @daledroid 1 year ago

    Hi, great job!! I want to ask about your WireGuard Docker tunnel on the peer side: do you just need 1 peer for a number of containers on the same host?

    • @DigitallyRefined 1 year ago +1

      Yes, that's correct. If the ports are available to the container (i.e. it's on the same Docker network), then you can add any number of additional ports to the comma-separated SERVICES list (check the docker-wireguard-tunnel repo for more info). So you only need to run one peer per host. Or alternatively you could expose only the required ports for Headscale and then use Tailscale to connect back to the peer (which is what I do).

    • @daledroid 1 year ago

      @@DigitallyRefined wow, it works on the first try. IMHO, this is so far the easiest WG tunnel I have ever deployed. Now I'm trying to make it work with Nginx Proxy Manager.

  • @alexzappaladra 10 months ago +1

    tnx you, I have a problem: I don't want to give my credit card to Fly.
    Are there workarounds?

    • @DigitallyRefined 10 months ago +1

      Fly.io no longer offers free dedicated IPv4 addresses, as they will start charging for them from 2024, which is why they require a credit card. You could try a service that gives you temporary online credit cards if you wanted to try it out, but your account may be suspended if you don't pay any outstanding charges 😥

    • @alexzappaladra 10 months ago

      tnx, I prefer to use another "way" :)
      @@DigitallyRefined

  • @MarthinusBosman 1 year ago +1

    I guess I'm going to have to switch to this, but the problem is having access to files on devices that I can't install Tailscale on, and giving public access to some files.

    • @killacups 1 year ago

      Why not install Tailscale on a device that can serve as a jump box and access the devices that way?

  • @mcqueen4343 1 year ago +1

    If I'm not wrong, I will have to pay 2$ a month for the IPv4 address, right? Also, thanks for the tutorial. Very easy to set up.

    • @DigitallyRefined 1 year ago +2

      Good spot! A Fly.io staff member does say on their community forum that they will start charging for dedicated IPv4 addresses in the future (which is required for UDP apps like WireGuard), however they haven't enabled billing for them yet. Fly.io does also offer free dedicated anycast IPv6 addresses which should also be fine for WireGuard, but I may need to update the setup guide for IPv6.

    • @mesharetelohim 1 year ago +1

      Correct me if I am wrong, by default we are using shared IPs, right? And I have been using this setup for quite some time and have had no issues.

    • @DigitallyRefined 1 year ago +2

      When setting up I selected "Yes" to a dedicated IPv4 IP address, which may become paid for in the future. If that does happen then in theory IPv6 should work and would remain free to use.

    • @mcqueen4343 11 months ago

      @@DigitallyRefined hello again, they will start billing in January. While I have no problem paying the 2$ a month if I have to, I was trying to use the app without the designated IPv4 address and it doesn't seem to work. Any advice? Should I be changing something in the fly.toml?

    • @EmotionlessAnthem 8 months ago

      Great video, I have been using Headscale for about 7 months now! Now that they are actually billing, did you set it up with IPv6 and does it work? And is there an easy way to switch? @@DigitallyRefined

  • @zyghom 8 months ago

    Super nice, but how do I approve exit nodes the same way you approved routes?

    • @DigitallyRefined 8 months ago +1

      After enabling a client to be an exit node, you'll need to find the ID and enable it. On the machine that's running Headscale you should be able to run `docker exec headscale headscale routes list` to find the ID then run `docker exec headscale headscale routes enable -r `. There's more info in their docs at headscale.net/exit-node/#on-the-control-server

    • @zyghom 8 months ago +1

      @@DigitallyRefined I found it already, thx
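The exit-node approval procedure in the reply above (list routes, find the ID, enable it), turned into a small helper as an added example that is not from the video, its author, or the Headscale project. It approves only the exit-node prefixes (0.0.0.0/0 and ::/0) a named client advertises, so a client that advertises a subnet route alongside its exit node does not get that subnet enabled by accident. The `headscale routes list` table below is a constructed sample and its column layout is an assumption; check it against your Headscale version before relying on the parser. `HEADSCALE_CMD` is a hypothetical variable that defaults to the `docker exec headscale headscale` invocation from the reply.

```shell
#!/bin/sh
# Added example, not from the video or the Headscale project.
# CONSTRUCTED sample of `headscale routes list` output; the column layout is an
# assumption, verify it against your version before using the parser for real.
SAMPLE='ID | Node    | Prefix         | Advertised | Enabled | Primary
1  | laptop  | 0.0.0.0/0      | true       | false   | -
2  | laptop  | ::/0           | true       | false   | -
3  | laptop  | 10.0.0.0/8     | true       | false   | -
4  | homebox | 192.168.1.0/24 | true       | true    | true'

# Hypothetical variable: how to reach the CLI. Default matches the docker exec
# command in the reply above.
HEADSCALE_CMD="${HEADSCALE_CMD:-docker exec headscale headscale}"

# Read a routes table on stdin and print the IDs of exit-node routes for node $1
# that are advertised but not yet enabled. Any other prefix (such as 10.0.0.0/8
# in the sample) is deliberately left untouched: approving an exit node must not
# silently approve subnet routes the client also happens to announce.
pending_exit_routes() {
  awk -F'|' -v node="$1" '
    NR > 1 {
      for (i = 1; i <= 5; i++) gsub(/[ \t]+/, "", $i)
      if ($2 == node && ($3 == "0.0.0.0/0" || $3 == "::/0") && $4 == "true" && $5 == "false")
        print $1
    }'
}

# Enable the pending exit-node routes for node $1 on the control server.
# Not invoked when this file runs as-is; call it as: approve_exit_node laptop
approve_exit_node() {
  ids=$($HEADSCALE_CMD routes list | pending_exit_routes "$1") || return 1
  if [ -z "$ids" ]; then
    echo "no pending exit-node routes for $1" >&2
    return 1
  fi
  for id in $ids; do
    echo "enabling route $id for $1"
    $HEADSCALE_CMD routes enable -r "$id"
  done
}

# Dry run against the constructed sample: prints 1 and 2, but not 3 or 4.
printf '%s\n' "$SAMPLE" | pending_exit_routes laptop
```

Run the file once to see the parser pick IDs 1 and 2 from the sample; on the Headscale host, source it and call `approve_exit_node <node name>` to do the real enable. Re-running `routes list` afterwards is the check that only the two exit prefixes changed state.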