Thank you for taking the time to make this video. It was a a very good walk through.
I look forward to seeing what is next.
Very nice indeed! I lost you a couple of times but not because you haven't explained everything in an excellent mode... well done !!!!
thanks for the demo and info, have a great day
This is exactly what I'm searching for. Thank you!
Can you make a video about cloudflare and dns at home through a tunnel connection with a long-term certificate?
Hi, thanks for the beautiful guide. I am wondering, have you managed to set up a UI for Headscale instead of using the command line? I am unable to get either headscale-ui or headscale-webui on the same Docker stack to work using this method; I am not sure what to edit in the tunnel peer services. It would be much appreciated if you could give a guide on attaching a UI.
Personally I've not found a need for a UI for Headscale, as I'm happy managing clients via the command line. That said, there are several out there that you could try, such as github.com/gurucomputing/headscale-ui; they do have examples on how to edit your docker-compose.yml to connect them.
+1 sub. Keep up the good work
Awesome video
This is awesome, I was looking into a way to replace WireGuard with Firewall holes and like you mentioned, CloudFlare Tunnel wasn't an option.
You got me lost when you showed the Cloudflare portal, I got lost big time haha
I run Pi-hole + Unbound recursive DNS and I want to be able to use it on the go as I do now with WireGuard.
Thanks for sharing, I really like the idea. I did some testing and got weird results within ntopng: the traffic (around 2GB) from the advertised host is going directly to the Tailscale DERP servers (not through WireGuard).
I'm not sure if it's related to this setup or a bug in the Headscale/Tailscale software.
Yes, that's how I believe it works. Headscale is a Tailscale control/coordinator server that sets up a connection between clients. In my testing I was able to connect 2 clients on different networks via Headscale, then I was able to shut down Headscale and the WireGuard tunnel and both clients were still connected and able to communicate (since the connection was set up via Tailscale).
I believe if they can't create a direct connection between clients then a secure relay may be used: tailscale.com/blog/how-tailscale-works/
Indeed you were correct. After multiple tests it seems that clients behind a firewall advertising routes will go through relays with a TCP connection (might need some NAT allowance), while if used on pfSense directly there will be a direct UDP connection.
I have to look for a way to force a direct connection without relaying on the firewall
@@DigitallyRefined
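As an added example, not part of this thread, the video, Headscale or Tailscale: the relay-versus-direct question raised above can be answered per peer from `tailscale status --json`. In that output `CurAddr` holds the direct endpoint when one exists and is empty when the path is relayed, while `Relay` is only the peer's home DERP region and is set even for direct peers, so it must not be used on its own. The script below runs the real CLI when it is installed and otherwise falls back to a constructed sample status; the host names, IPs and byte counts in that sample are invented.

```python
"""Added example: tell direct WireGuard paths from DERP-relayed ones
using the per-peer fields of `tailscale status --json`.
Not code from the video, Headscale or Tailscale; SAMPLE_STATUS is constructed."""
import json
import shutil
import subprocess

# Constructed sample of the subset of `tailscale status --json` fields used here.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "pfsense", "TailscaleIPs": ["100.64.0.2"],
            "Online": True, "Relay": "lhr",
            "CurAddr": "203.0.113.10:41641",  # direct UDP endpoint in use
            "RxBytes": 1048576, "TxBytes": 2048,
        },
        "nodekey:bbbb": {
            "HostName": "nas", "TailscaleIPs": ["100.64.0.3"],
            "Online": True, "Relay": "lhr",
            "CurAddr": "",  # no direct path: everything rides the DERP relay
            "RxBytes": 2147483648, "TxBytes": 4096,
        },
        "nodekey:cccc": {
            "HostName": "phone", "TailscaleIPs": ["100.64.0.4"],
            "Online": False, "Relay": "fra",
            "CurAddr": "", "RxBytes": 0, "TxBytes": 0,
        },
    },
})


def classify_peers(status_json):
    """Return one record per peer describing the path currently in use."""
    status = json.loads(status_json)
    peers = []
    for peer in status.get("Peer", {}).values():
        if not peer.get("Online", False):
            path = "offline"
        elif peer.get("CurAddr"):
            path = "direct"          # CurAddr set: WireGuard UDP peer-to-peer
        else:
            # Online with no direct endpoint: traffic goes via the DERP region.
            path = "relay (%s)" % (peer.get("Relay") or "unknown")
        peers.append({
            "host": peer.get("HostName", "?"),
            "ip": (peer.get("TailscaleIPs") or ["?"])[0],
            "path": path,
            "endpoint": peer.get("CurAddr") or "",
            "bytes": int(peer.get("RxBytes", 0)) + int(peer.get("TxBytes", 0)),
        })
    return sorted(peers, key=lambda p: p["host"])


def relayed_bytes(peers):
    """Total bytes exchanged with peers that are relayed rather than direct."""
    return sum(p["bytes"] for p in peers if p["path"].startswith("relay"))


def report(peers):
    """Human-readable lines; relayed peers are the ones worth investigating."""
    lines = []
    for p in peers:
        extra = " via %s" % p["endpoint"] if p["endpoint"] else ""
        lines.append("%-10s %-12s %-16s %8.1f MiB%s" % (
            p["host"], p["ip"], p["path"], p["bytes"] / 1048576, extra))
    lines.append("relayed total: %.1f MiB" % (relayed_bytes(peers) / 1048576))
    return lines


def load_status():
    """Use the real CLI when present, otherwise the constructed sample."""
    if shutil.which("tailscale"):
        out = subprocess.run(["tailscale", "status", "--json"],
                             capture_output=True, text=True, check=True)
        return out.stdout
    return SAMPLE_STATUS


if __name__ == "__main__":
    print("\n".join(report(classify_peers(load_status()))))
```

`tailscale ping <tailscale-ip>` gives the same answer for a single peer, reporting whether replies arrive direct or through DERP. A peer that stays relayed usually cannot receive inbound UDP on its WireGuard port from the other side; allowing that port on the firewall in front of the subnet router, or letting it obtain a port mapping, is what lets the path upgrade to direct.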
Hi, thank you for this tutorial. It was nice and easy to set this up with your instructions.
I was wondering how is Fly.io any different from the Tailscale web controller?
Glad it was helpful. Fly.io is used as a way to expose your Headscale container to the internet via a tunnel, for example if you don't have a public IP address. If you do have a publicly accessible IP address you could remove Fly.io and set up your own DNS, or use a service like DuckDNS, and then open/forward ports 80 & 443 to your Headscale container.
The differences between the Headscale and Tailscale coordinators are that you're in control of your infrastructure by self-hosting it, so for example you don't need to register for a Tailscale account, you also don't have any device or account limits, and it's also better for security as the only way devices can join your network is via the Headscale command line.
@@DigitallyRefined Thank you for clarifying that. I have a Cloudflare domain that is registered; I was thinking of using it, but you mentioned that Cloudflare does not support it and Fly.io has no way to see my traffic, so I will stick to that for now. Until Fly.io starts charging for giving out IPs 😅
Cloudflare does support Fly.io; it's Cloudflare Tunnels that don't support Headscale. You create a subdomain in Cloudflare and use the IP address from `fly ips list` 👍
Hi, great job!! I want to ask about your WireGuard Docker tunnel on the peer side: do you just need 1 peer for a number of containers on the same host?
Yes, that's correct. If the ports are available to the container (i.e. it's on the same Docker network), then you can add any number of additional ports to the comma-separated SERVICES list (check the docker-wireguard-tunnel repo for more info). So you only need to run one peer per host. Alternatively, you could expose only the required ports for Headscale and then use Tailscale to connect back to the peer (which is what I do).
@@DigitallyRefined Wow, it works on the first try. IMHO, this is so far the easiest WG tunnel I've ever deployed. Now I'm trying to make it work with Nginx Proxy Manager.
Thank you, I have a problem: I don't want to give my credit card to Fly.
Is there a workaround?
Fly.io no longer offers free dedicated IPv4 addresses, as they will start charging for them from 2024, which is why they require a credit card. You could try a service that gives you temporary online credit cards if you wanted to try it out, but your account may be suspended if you don't pay any outstanding charges 😥
Thanks, I prefer to use another "way" :)
@@DigitallyRefined
I guess I'm going to have to switch to this, but the problem is having access to files on devices that I can't install Tailscale on, and giving public access to some files.
Why not install Tailscale on a device that can serve as a jump box and access the devices that way?
If I'm not wrong, I will have to pay $2 a month for the IPv4 address, right? Also, thanks for the tutorial. Very easy to set up.
Good spot! A Fly.io staff member does say on their community forum that they will start charging for dedicated IPv4 addresses in the future (which are required for UDP apps like WireGuard), however they haven't enabled billing for them yet. Fly.io also offers free dedicated anycast IPv6 addresses, which should also be fine for WireGuard, but I may need to update the setup guide for IPv6.
Correct me if I am wrong, by default we are using shared IPs, right? I have had this setup for quite some time and have had no issues.
When setting up I selected "Yes" to a dedicated IPv4 address, which may become paid-for in the future. If that does happen then in theory IPv6 should work and would remain free to use.
@@DigitallyRefined Hello again, they will start billing in January. While I have no problem paying the $2 a month if I have to, I was trying to use the app without the dedicated IPv4 address and it doesn't seem to work. Any advice? Should I be changing something in the fly.toml?
Great video, I have been using Headscale for about 7 months now! Now that they are actually billing, did you set it up with IPv6 and does it work? And is there an easy way to switch? @@DigitallyRefined
Super nice, but how do you approve exit nodes the same way you approved routes?
After enabling a client to be an exit node, you'll need to find the ID and enable it. On the machine that's running Headscale you should be able to run `docker exec headscale headscale routes list` to find the ID, then run `docker exec headscale headscale routes enable -r `. There's more info in their docs at headscale.net/exit-node/#on-the-control-server
@@DigitallyRefined I found it already, thx