Thanks for the super video. One question. Setting up an exit node on Oracle to use as a VPN on their free service, is there a charge after so much data has been used over the VPN?
@Jims-Garage thank you for the info. I was about to try and set this up but unfortunately there is no Home region for Hong Kong. The nearest seems to be Singapore, South Korea or Japan.
@Jims-Garage I thought I would give it a go but Oracle are able to take card payments OK, but then they say my address is not correct. I have tried twice and both times they take a payment and all seems OK, then the screen changes and says the address doesn't match. The on-screen chat says I will get a refund, but I can't understand: if the address isn't matching, how can they take the money? Very odd 🤔
@Jims-Garage Sorry, I may be confused. The headscale server coordinates connecting the clients/nodes. If the headscale server on the VPS goes down, how do the clients/nodes make the connection? I was thinking that if I had two headscale servers running, that would provide redundancy, a similar concept to your high availability firewall. Thank you. Your videos are amazing. I am working my way through all of them.
I followed your guide step-by-step. I can access the Windows page on the server. But the login commands just hang: they never bring up the authentication message, never open a webpage, never display an error. Same thing on Android as well.
Please tell us more about all types of CF tunnels. There are HTTP/S, TCP, unix/unix+TLS and others; I don't understand some of them. The HTTP tunnel is easy and understandable: you can, for example, forward the web page of a server on the local network through a VirtualBox (Debian) virtual machine. But how do you use the other types of tunnels?
@Jims-Garage I'm trying to get headscale to broadcast via a Cloudflare tunnel, but there seems to be a problem with how headscale does WebSockets, which does not match how Cloudflare wants them (2023-09-10T14:40:30Z ERR noise upgrade failed error="Could not accept WebSocket connection failed to accept WebSocket connection: WebSocket protocol violation: handshake request method is not GET but \"POST\"")
Would it be possible to use a dynamic dns to route to the controller? Also, can there be multiple controllers that dynamically update each other to keep the DDNS functionality within the context of the encrypted communication?
Dynamic DNS works, I use it for my home setup. I believe you can assign a DNS name for each node, so as long as those dynamically update it should work. I haven't tested this though.
A question: how do I make all the traffic go through headscale? When I connect, my public IP does not change and my normal public IP continues to appear, but I want to make full use of the headscale internet. Is there any option?
You need to set the exit node in the app. Obviously if you're connecting over WiFi at home to a home node, the IP will be the same. Best way to test is on mobile via 5g.
@Jims-Garage Great!! :) That's it, I already did it! Incredible: after searching and analyzing on my own, and obviously thanks to the support in the videos, I managed to do it. I can now pass all the traffic through a node, and not only that, many other things. If anyone needs help, let me know; I have delved deeper into the topic heheheh
Following the instructions verbatim leads me to an issue with keys, according to the log files: Error loading config error="fatal error reading config file: While parsing config: yaml: line 80: did not find expected key". Digging into that now. Super weird.
@Jims-Garage will do. I tried a few things that some related error reports on the GitHub page for headscale mentioned, including a complete scrub and reinstall, but the same issue persists. Travelling for the holidays and will jump in the dc when I get back. Maybe someone can spot the thing I did wrong :)
Before I go and install anything, am I able to create a network only between my home server and the Oracle VPS, then point my DNS records on a domain I own to the Oracle VPS and have it route traffic from my server to the domain? I'm using Cloudflare's tunnels at the moment, but it doesn't work for TCP connections like a Minecraft server and I feel like this would be faster.
Thanks for this video :D I got it up and running in no time. I have a few questions. Is headscale safe without a reverse proxy etc.? I mean there is no WAF etc., but I reckon it must be, as there are no forms or anything on the website; it's just a blank site. Is sending the key to the phone without TLS secure? MITM attacks? Thanks again for the video :) :)
People can see the code but only a person with access to the server can use it. Behind a reverse proxy would be best for browser compatibility but it's not a deal breaker.
@Jims-Garage yes, I have been testing it for a little while now. I think it should be fine, I haven't read anything related that prohibits this. The traffic is low. I still need to configure a split horizon in my PiHole, so I don't go out to the internet when I am at home, but that is easy to achieve. Waiting to have some spare time to do it. I am also planning to try Nebula, a similar concept, but a bit more flexible on the lighthouses: you can have more than one, not just one as here. That is a powerful bonus for HA. Cheers!
Hello, excellent video. Unfortunately, I'm a simple bloke that is not IP savvy. I currently have a Proxmox server with OPNsense, Home Assistant and TrueNAS Scale as VMs. I would like to access my media remotely. How can I accomplish this? Do I install it in OPNsense, as an LXC? Do I need to add Ubuntu and Docker? Or native? Would you be so kind and make a video on this? I am sure many individuals in my shoes would benefit from this. Thank you
Check out my OPNSense video, it details how to create a wireguard VPN on the firewall. Or, you can deploy it as a Docker container if you wish (I also have a video on that).
@gRocketOne I did some web searching since my post and it seems that they give you a small value estimate but don't subsequently charge you. I suppose I will find out soon!
@Jims-Garage your prompt response gave me an idea, I used my phone on 4G instead of using my regular VM that has the Discord application installed. Through the mobile app I was able to join! Thank you for letting me use your brain through telepathy
@Jims-Garage Oh really? I wonder why, because Tailscale is user based. Each user can have multiple devices, and users can share devices with each other. Without sharing, users can only access their own devices.
@ckwcfm sorry, I misread your question. In my previous video I covered users. Yes, one user can have multiple devices, and there can be multiple users. Exactly the same as Tailscale.
32:50 This is basically what just an OpenVPN instance on the VPS would do, but now done through headscale, tailscale and many configuration steps ... ;)
@Jims-Garage Sure, if I got it right, you have access to local services running on every device within the mesh. But regarding the title "How To VPN Without Port Forwarding" you could simplify the process by titling it "... Using Free VPS and OpenVPN" ;) If it's just about having VPN while on the go without port forwarding on my home network, I'd consider running the VPN server myself somehow. I know, it's more about connecting your devices all together. Nevertheless, you're absolutely right, performance is a thing. Is the difference really that big in comparison?
Can you make a video on how to host your own Tailscale DERP server in Docker and keep it at 1st priority, and keep the official DERP server by Tailscale as backup only if our DERP server is not working? Long awaited for this.
Really nice video and that was a lot of work. Thank you.
Thanks, it sure was 😅
I ve been following you for a few months now. I find your videos very easy to follow and well explained. Thank you very much for your time!
Thanks, Robert, I appreciate the feedback.
didn't really need head/tailscale on a VPS, but watched the whole thing. You're a great teacher. Logged into youtube just to say thank you
Thanks, I really appreciate your feedback
Thank you for a great tutorial. It clarified several networking queries that I had. I have done the installation as per this video and everything seems to be working the way you have demonstrated through testing the IPs. This will be a good foundation for the home lab network that I want to build next. Thank you again.
Great, glad it worked out for you
Thanks!
Thanks, that's very kind
Thank-you for the walkthrough, I got headscale up and running. I can work through CLI for initial setup just fine but for ongoing device/user setup and control it would be great to see a headscale-ui guide to compliment this video
Thanks, I'll likely come back to this
Gotta say, this is the best guide on creating a cloud VPN from scratch without port forwarding on a free VPS. Was convinced after being able to RDP to my desktop from my phone. Need to also give credit to Oracle for offering a free tier and to the developers of Headscale/Tailscale. Had a better time with this than Netbird and it was easier using a command line interface. This was a lot more thorough and in-depth with the explanations of the technical stuff. Thanks, Jim! Subscribing after this. 👍
Really appreciate the feedback, thanks!
Very informative and detail oriented. Thank you very much for taking the time to make this most excellent video.
Glad you enjoyed it! Thanks!
This is exactly what I wanted! Thanks!
Great 👍
@Jims-Garage I've been trying to sign up for the Oracle Cloud Free Tier, but I keep encountering an error message that says, "We're unable to complete your sign up..." Have you ever come across this issue, and do you know of any solutions to fix it? I'd appreciate any advice or insights you might have.
Awesome content, I've been wanting to play with headscale after playing with netmaker, thanks!
Awesome!
Thank you for making this video Jim.
You're welcome 😁
I was planning to use GL.iNet routers for a site-to-site, but my ISP has blocked all port forwarding, so this will do it. Will try to implement it tomorrow. Thanks a lot for this amazing tutorial.
@brunoabeshi7121 you're welcome, good luck with it. Let me know how it goes.
@Jims-Garage It went well! There were a few customizations needed with Headscale v0.23.0 for the commands to enable subnet advertising, but with some help from ChatGPT, everything worked flawlessly. My guy can now access the local network remotely, whether from his mobile, office PC, or even home. He can also choose whether to use the exit node or keep each device's public IP without any issues. Even the Windows machine is working to advertise the subnet. I had to adjust some firewall rules to open Tailscale's default port, but everything's working smoothly. Thanks again for the great video and inspiration! ISP can suck it up with their overpriced "business plans" just to open a port. No port forwarding needed outside the LAN.
@brunoabeshi7121 that's awesome, good job 👍
Thank you very much!
My new ISP apparently has NAT addresses and requires adding almost 50% to the monthly payment for a dedicated IPv4 address.
This helped me significantly!
Glad it was useful
Very informative and excellently presented. Thanks!
You're welcome 😁
You are a god, sir. Thank you very much!!! Switched from cable to 5G internet (unfortunately fibre is not available and 5G is faster than the cable lol), but yeah, I wasn't able to port forward anymore and now it works perfectly! It was very disappointing to not find answers quickly until I stumbled over Tailscale.
That's awesome, I'm glad it worked for you!
Hi, Thank you, really full step by step and flawless tutorial.
You're welcome 😁
Really liked the way you explained it. Thanks for sharing this :)
You're welcome, glad you liked it
WOW. Fantastic job explaining this technology and walking through setting it up. Head scale ftw 🎉
Liked and subbed
Awesome, thank you!
Detailed guide, easy to follow. Thank you!
Thanks 👍
This is a gem, why doesn't it have more views??
Thanks, really appreciate your feedback. The algorithm gods are cruel!
Very professional. Thanks
Thanks, appreciate the feedback
This is a nice tutorial. Thanks for the hard work in putting this together. One question. Does the free Oracle VPS give a static public IP or does it change regularly? Thanks again. Great tutorial.
I'm fairly sure it's static. You could always use ddns if not.
@Jims-Garage Thanks for the tip. Perhaps an idea for your next tutorial. 😀
Informative video. 👍
Planning on showing headscale-ui? I've got it set up in conjunction with headscale in Docker and the Tailscale package in my pfSense to advertise the route to my local subnet.
Thanks! I showed that in my previous Headscale video where I deployed it on homelab infrastructure (this was more for people who cannot port forward). I might do the VPS side with a Web GUI at a later date but it would typically be a replica of the self-hosted version.
Yeah, I agree. Would in essence be duplicate content.
Out of interest: Did you run into any "CORS" issues with headscale-ui and nginx-proxymanager?
@Clarence-Homelab I use Traefik, but yes, I did. Only happens if they're on separate subdomains. There's a fix you can add to the proxy to allow cross origin, shows on their GitHub.
This is really great. My only issue is that while I can browse to my headscale server on :8080, I don't get a rejection but I get a blank page. No Windows instructions. Has anybody seen this? Thx.
I also never see a change when running ss -tulw after I make the changes in the iptables. Using Ubuntu 20.04 FWIW
Great content!
Is there like an opposite to the exit node, like an entry node you can set up in different locations around the world to use as the same kind of site-to-site VPN, preferably without client installations on the endpoints but only on those entry/exit nodes?
You can have multiple exit nodes, that would give you what you're after. You could route traffic from the UK to US and vice versa by having both as exit nodes.
Awesome video. Is the public IPv4 address static?
No, but sticky. I use DDNS to avoid issues.
@Jims-Garage thank you for the reply. Guess I'll have to figure out how to set up a DDNS with my Cloudflare domain. Any tutorial on that?
@mastermoarman depends, there's a Docker container, and options for OPNSense, pfSense and Sophos XG. I'll probably do a video
@Jims-Garage ya, I've seen tutorials for pfSense. I was wondering about setting up a DDNS for the Oracle VPS IP
@mastermoarman if running Docker use a DDNS container (there are also scripts)
Very nice, detailed video. I have a question about the firewall. Do I need to set up port forwarding? I set up the headscale on a Linux server behind my firewall router, and I would like to connect my nodes from outside the internet. I did this with my OpenVPN. But I wonder if I need to do the same with headscale.
No, that's the whole idea. It uses reverse tunnelling so no port forwarding is required (as per title). The Linux machine creates a tunnel outwards, and then other nodes use this same tunnel in reverse (a bit like reverse SSH).
@Jims-Garage Thank you. Yes, that's what I thought too. So I did open the port forwarding. Then allowed the headscale server to connect to my phone. Once I succeeded in having a tunnel/reverse-ssh connection between the two, I turned off the port forwarding. The Tailscale on the iPhone can stay continuously connected. But once I turn off the Tailscale on the phone and try to reconnect, it would not work. I have to turn the port forwarding back on again. So, similar to reverse ssh, I still need to do port forwarding. Once I have the first handshake, I can turn off the port forwarding. So the key point is to keep the connection going.
Ok, I understand what it is now. What I have been missing is the reverse proxy and a paid domain name. In that way, I don't have to poke a hole in the firewall. This cannot be done with OpenVPN because it's different traffic.
Still thanks for your video. The explanation is clear. For a somewhat novice user like me, I could still understand the concept because of your explanation. I saw video like this in the past. But when it was presented using docker, I totally lost it. Yeah docker is something I need to learn.
@salamdamai thanks, I really appreciate the feedback
Could you do a follow-up especially on DNS? I'm looking for a solution which makes my internal devices reachable while either on the local network or on the Tailscale network.
And second how to handle a mobile if it roams from 5G to local network while still being connected via tailscale.
BTW: Excellent demonstration and explanation!
Thanks. This should be simple enough - you need to set the DNS IP for the server and client (check the config on the headscale server and client - in my case I'd set it to my PiHole IP and make sure that traffic can reach it in my firewall). It's a similar process for 5G to local networks - you simply need to make sure that the routing is in place, typically it's firewall related. I will look to follow up at a later date with DNS for Headscale, but I've a few more things I want to cover first.
Excellent video with a lot of detail, yet very understandable. I have watched it a few times now and I have a question about devices on the local network that cannot have a Tailscale client installed on them (e.g. webcams or printers). How can I reach those devices from e.g. my phone? I have experimented with Big Brother Tailscale and there you can have a device configured as a subnet router. Have I missed something in your video, or is it possible at all with a headscale solution?
You advertise an internal node as an exit node. Then you can select that exit node on your phone and you should be able to access local network devices.
Tried again: Created a new Linux container and registered it with "tailscale up --login-server controller-ip-here:8080 --authkey my-key-here --advertise-exit-node". Then enabled it on the controller side. Started Tailscale on my iPhone, chose the new container as exit node, and tried to ping an IP on my local net. Still no luck, sigh! I guess I "have to stick" with my old WireGuard connection, which in itself is a good solution. My goal here was however to disable ALL ports in my home router for total security. In my case I do have access to the router and no CGNAT problems, so as mentioned I can reach my local WireGuard server from the outside world. If you ever plan to do a followup in the future, I for one would be very grateful if you could present us with a live example. Thanks again though for your videos so far!
Thanks for these videos! I am eventually going to get headscale running in my home server. Do you have any videos about Pterodactyl? I'm having issues getting it connected to its companion container 'wings' on another server in my home network.
I don't, sorry. It looks like a cool project. I'll need to research its benefits over standard Kubernetes.
Shouldn't you setup TLS on the headscale server?
You can do, but it doesn't really matter. There's nothing important on the default /windows page
If I'm running an nginx reverse proxy, and have my router configured to port forward ports 80 and 443 to my nginx reverse proxy server IP.
What port should I have in the headscale then? And what kind of port to change in the config? There are multiple ports in the config to change. So I need some help here to config my headscale server.
Thanks
I'm about 1 day into learning about Tailscale/Headscale.. But what if your "pixel-6-pro" want to access your Jellyfin (tcp/8096) on "home-pc" do the stream go trough the VPS or is it just the connection being created with the help of "VPS Headscale"?
@@emanuelpersson3168 you can either do peer to peer or via the headscale server. Depends on your firewall configuration. Both are secure but peer to peer will be faster.
@@Jims-Garage Thank you kindly! Reason for asking is simple because the VPS has limited amount of traffic if i understand this correctly. This will be my project for the day! I've just setup Docker, Portainer, Authentik, Traefik, Jellyfin with the help of you and a few others! CrowdSec will be added and a bunch more! But end game was to do it all in Kubernetes but this is a awesome start i will say! :) Would you then run the Tailscale client in pfSense or in the Docker that runs Jellyfin? I do understand it can be done both ways but reason for asking is related to you having a lot of experience with Docker and if there could be a reason for either.
@@emanuelpersson3168 the firewall is likely the best place as it's on the edge (directly connected to the internet, plus has control over the entire network, plus it's likely to be faster).
So I have a static IP at home and I'm not behind a CGNAT; I was looking to use Headscale instead of using a WireGuard server and opening a port.
When you say 'without port forwarding', do you mean because you're hosting the server on a VPS and can still access your home network by advertising routes, or can I set this up at home without exposing port 8080?
Is it possible to set it up at home, without exposing ANY ports to the public?
Great video! I may have missed this but does the Oracle free VPS have a static IP? What happens in Headscale if the IP address changes? Do you need to reconfigure all the clients? Thanks!
I believe it does. Worst case you can use dynamic DNS. Nodes should update their external IP from my understanding.
New question! The login server (Oracle Cloud) in your video uses HTTP. Is that correct? How about HTTPS?
Sure, you can add HTTPS but it doesn't matter as the data isn't sensitive.
@@Jims-Garage Oh! True, I did not think far enough ahead! Thank you once again! :)
@@emanuelpersson3168 you're welcome
Is it just me, or is anyone else seeing him in the Netflix series Dark?
😂 Jonas?
@@Jims-Garage yeah man, I hope some day you will end an episode/series saying "don't believe anything else, we are perfect for each other" ❤️
@@RajveerSingh-vf7pr hahaha 🤣
This is a great guide. I just have one question: what's stopping a user from actually going to the webpage that is public to anyone and connecting to my Headscale network? As I understand it, anyone can reach the registration page? headscale: Windows configuration
Thanks. Yes, that's the desired behaviour. What's stopping them is that you need access to the server to be able to register the code. Without it being registered, the code is useless.
yaml config files are picky. Make sure there's no space before "key: value" pairs, which can be easy to do if you uncomment a line by simply removing the # symbol and not the extra space that's usually there.
Thanks for the reminder
@@Jims-Garage I make this mistake all the time, lol.
Thanks for the super video. One question. Setting up an exit node on Oracle to use as a VPN on their free service, is there a charge after so much data has been used over the VPN?
I don't believe there is a limit on traffic volume, but the bandwidth is limited to 50Mb.
@@Jims-Garage thank you for the info. I was about to try and set this up, but unfortunately there is no home region for Hong Kong. The nearest seems to be Singapore, South Korea or Japan.
@@dhk1 that shouldn't be a problem unless latency is really important
@@Jims-Garage I thought I would give it a go, but Oracle are able to take card payments ok but then they say my address is not correct. I have tried twice and both times they take a payment and all seems ok, then the screen changes and says the address doesn't match. The on-screen chat says I will get a refund, but I can't understand how they can take the money if the address isn't matching. Very odd 🤔
@@dhk1 hmm. You could try a different free tier, on AWS for example, but it's not as feature rich as Oracle's sadly
In this setup, can the mobile phone access devices on the Windows PC subnet? E.g. a printer?
Anything is possible provided you allow it to route.
Excellent video. Thank you.
What happens if the VPS headscale is running on goes down? Is there a way to set up a second headscale server as backup?
Thank you. Yes, absolutely, just set up more nodes and advertise them.
@@Jims-Garage Sorry, I may be confused. The headscale server coordinates connecting the clients/nodes. If the headscale server on VPS goes down, how do the clients/nodes make the connection? I was thinking that if I had two headscale servers running, that would provide redundancy - similar concept to your high availability firewall. Thank you. Your videos are amazing. I am working my way through all of them.
I followed your guide step-by-step. I can access the Windows page on the server. But the login commands just hang--they never bring up the authentication message, never open a webpage, never display an error. Same thing on Android as well.
Please tell us more about all types of CF tunnels. There is http/s, TCP, unix/unix+TLS and others. I don't understand some. The http tunnel is easy and understandable; you can, for example, forward the web page of the server on the local network through the VirtualBox (Debian) virtual machine. And how do you use the other types of tunnels?
Sure, I'll put together a video on Cloudflare Tunnels - I know they're very popular.
@@Jims-Garage I'm trying to get headscale to broadcast via a Cloudflare tunnel, but there seems to be a problem with how headscale does websockets, which does not match how Cloudflare wants them (2023-09-10T14:40:30Z ERR noise upgrade failed error="Could not accept WebSocket connection failed to accept WebSocket connection: WebSocket protocol violation: handshake request method is not GET but \"POST\"")
Would it be possible to use a dynamic dns to route to the controller?
Also, can there be multiple controllers that dynamically update each other to keep the DDNS functionality within the context of the encrypted communication?
Dynamic DNS works, I use it for my home setup.
I believe you can assign a DNS name for each node, so as long as those dynamically update it should work. I haven't tested this though.
A question: how do I make it so that all the traffic goes through headscale? When I connect, my public IP does not change and my normal public IP continues to appear, but I want to make full use of the headscale internet. Is there any option?
You need to set the exit node in the app.
Obviously if you're connecting over WiFi at home to a home node, the IP will be the same. The best way to test is on mobile via 5G.
@@Jims-Garage Great!! :) That's it, I already did it! Incredible. After searching and analysing on my own, and obviously thanks to the support in the videos, I managed to do it. I can now pass all the traffic through a node, and not only that, many other things. If anyone needs help, let me know, as I have delved deeper into the topic heheheh
Following the instructions verbatim leads me to an issue with key issues, according to the log files -
Error loading config error="fatal error reading config file: While parsing config: yaml: line 80: did not find expected key"
Digging into that now. super weird.
Interesting. Hop into Discord and submit a ticket if you're still struggling.
@@Jims-Garage will do. I tried a few things some related error reports in the GitHub page for headscale mentioned, including a complete scrub and reinstall, but the same issue persists. Travelling for the holidays and will jump in the DC when I get back. Maybe someone can spot the thing I did wrong :)
Before I go and install anything, am I able to create a network only between my home server and the Oracle VPS, then point my DNS records on a domain I own to the Oracle VPS and have it route traffic from my server to the domain? I'm using Cloudflare's tunnels at the moment, but it doesn't work for TCP connections like a Minecraft server, and I feel like this would be faster.
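The stray-leading-space trap mentioned earlier (removing only the `#` when uncommenting a line) is one common way to end up with parser errors such as the "did not find expected key" message quoted above. As an added example that is not part of the video or of headscale itself, here is a small pure-Python checker that flags key lines indented where no block is open, together with a helper that uncomments a line without disturbing its column; the sample config fragment is constructed for the demo.

```python
# Added example, not from the video or the headscale project: a pure-Python YAML
# indentation checker for the stray-leading-space mistake, plus a safe uncomment.

def find_indent_errors(text: str) -> list[tuple[int, str]]:
    """Return (line_number, message) for key lines whose indentation matches no
    open block. A line may open a deeper block only if it ends with ':' (mapping),
    '|' or '>' (block scalar), or is a '- ' list item."""
    stack = [0]        # indentation columns of the blocks currently open
    opener = True      # may the next line sit deeper than stack[-1]?
    errors = []
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue   # blanks and comments do not affect structure
        indent = len(raw) - len(raw.lstrip())
        if indent > stack[-1]:
            if opener:
                stack.append(indent)
            else:
                errors.append((n, f"unexpected indent {indent}: {stripped!r}"))
        else:
            while indent < stack[-1]:
                stack.pop()  # dedent closes block(s)
            if indent != stack[-1]:
                errors.append((n, f"indent {indent} matches no block: {stripped!r}"))
        opener = stripped.endswith((":", "|", ">")) or stripped.startswith("- ")
    return errors

def uncomment(line: str) -> str:
    """Drop the '#' and exactly one space after it, keeping the indentation that
    stood before the '#', so the key lands at its original column."""
    indent = line[: len(line) - len(line.lstrip())]
    body = line.lstrip()
    if not body.startswith("#"):
        return line
    body = body[1:]
    return indent + (body[1:] if body.startswith(" ") else body)

# Constructed fragment in the style of headscale's config.yaml; line 3 carries
# the stray space left behind when only the '#' was deleted.
SAMPLE = """server_url: http://headscale.example.net:8080
listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 127.0.0.1:9090
dns:
  magic_dns: true
"""

if __name__ == "__main__":
    for n, msg in find_indent_errors(SAMPLE):
        print(f"line {n}: {msg}")
```

Running it reports line 3 of the sample; after fixing that one space the checker returns nothing, which is the quick sanity check to run before restarting headscale.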
Yes, it's possible. There will be some advanced networking needed but it should be fine.
@@Jims-Garage alright, thanks for the great video 👍
@@Jims-Garage Where would I be able to find how to do this advanced networking?
Nice video 🙌🏻! As some sort of variant to this theme, I wonder if you have also tried zero trust configurations? (Like Twingate or Open Ziti?)
Thanks, I haven't but it's on my list to try and make a video about.
Do you know the price for a different region in OCI?
I'm not sure, I think they do a free tier for multiple territories.
@@Jims-Garage thx for the reply dude.... and dang, really? I'ma have to look now! Lol
Thanks for this video :D
I got it up and running in no time
I have a few questions
Is headscale safe without a reverse proxy etc.? I mean there is no WAF etc... but I reckon it must be, as there are no forms or anything on the website... it's just a blank site
Is sending the key to the phone without TLS secure? MITM attacks?
Thanks again for the video :) :)
People can see the code but only a person with access to the server can use it. Behind a reverse proxy would be best for browser compatibility but it's not a deal breaker.
@@Jims-Garage Thanks again
If you find the time a video on google 2fa for headscale... please do make it 🙃
what about using a Cloudflare Tunnel to self host this, without opening any ports?
It's something I am currently looking into. I'm not sure if Cloudflare will block this kind of traffic. Do you have a similar solution working?
@@Jims-Garage yes, I have been testing it for a little while. I think it should be fine; I haven't read anything that prohibits this. The traffic is low. I still need to configure a split horizon in my PiHole, so I don't go out to the internet when I am at home, but that is easy to achieve. Waiting to have some spare time to do it.
I am also planning to try Nebula, similar concept, but a bit more flexible on the lighthouses, you can have more than just one as here. That is a powerful bonus for HA.
Cheers!
@@fedefede843 good to know, thanks.
Any Docker images?
Check out my other video with Docker: ua-cam.com/video/OECp6Pj2ihg/v-deo.htmlsi=xBRwOzMbWT-kdtno
Like your videos. Ty bro
Thanks!
Hello
Excellent video. Unfortunately I'm a simple bloke who is not IP savvy. I currently have a Proxmox server with OPNsense, Home Assistant and TrueNAS Scale as VMs. I would like to access my media remotely.
How can I accomplish this? Do I install it in OPNsense as an LXC? Do I need to add Ubuntu and Docker? Or native?
Would you be so kind as to make a video on this? I am sure many individuals in my shoes would benefit from it.
Thank you
Check out my OPNsense video, it details how to create a WireGuard VPN on the firewall. Or, you can deploy it as a Docker container if you wish (I also have a video on that).
I don't have iptables :( (I'm using AWS and they have netplan and other things). Should I install iptables in my Ubuntu 22.04 instance?
Nice 👍🏻
In the new Android UI, there is no option to add server.
Tried doing this but Oracle seems to want to charge $2 for the boot volume
In theory Oracle Cloud allows 2 block volumes (up to 200GB total storage) as "always free"
@@gRocketOne
I did some web searching since my post and it seems that they give you a small value estimate but don't subsequently charge you.
I suppose I will find out soon!
Great Video
Thanks!
Can this work if I have the ARM based VM (Ampere)? This video is what I was looking for, but I have the Ampere shape VM with the Ubuntu 22.04 image on OCI.
Give it a go and let me know :) I don't think that ARM is supported currently, but could be wrong.
@@Jims-Garage I didn't pursue installing it on Ampere, but I managed to get it working on the AMD E1 image. Thanks for the tutorial. It helps me a lot.
@@IamJeffrey you're welcome 😁
Is the Discord invite still valid? (I tried several times to join but Discord keeps erroring: "unable to accept invite")
The link in the description works fine for me. Hmm.
@@Jims-Garage your prompt response gave me an idea, I used my phone on 4G instead of using my regular VM that has the discord application installed. Through the mobile app I was able to join! Thank you for letting me use your brain through telepathy
@@alphenit welcome 😁
Ensure you have TUN/TAP enabled if it's an OpenVZ VPS, otherwise tailscale won't even start up in it.
Thanks, good to know.
Can we just use one user? Not a user per device?
There's no sense of users, it's device based.
@@Jims-Garage Oh really? I wonder why, because Tailscale is user based. Each user can have multiple devices, and users can share devices with each other. Without sharing, users can only access their own devices.
@@ckwcfm sorry, I misread your question. In my previous video I covered users. Yes, one user can have multiple devices, and there can be multiple users. Exactly the same as Tailscale.
Netbird is open source and looks as good as Tailscale
It's on my to-do list, I've heard good things.
32:50 This is basically what just an OpenVPN instance on the VPS would do, but now done through headscale, Tailscale and many configuration steps ... ;)
Kind of, but not really. This is a mesh network with much better control and it's more performant.
@@Jims-Garage Sure, if I got it right, you have access to local services running on every device within the mesh. But regarding the title "How To VPN Without Port Forwarding", you could simplify the process by titling it "... Using Free VPS and OpenVPN" ;) if it's just about having a VPN while on the go without port forwarding on my home network, considering the VPN server to be run by myself somehow. I know, it's more about connecting all your devices together.
Nevertheless, you're absolutely right, performance is a thing. Is the difference really that big in comparison?
This video is amazing! Thanks!
Glad you liked it!
Can you make a video on how to host your own Tailscale DERP server in Docker and keep it at 1st priority, and keep the official DERP server by Tailscale as backup only if our DERP server is not working?
Long waited for this.
Is "$sudo iptables-restore < /etc/iptables/rules.v4" persistent?
Today my connection was off and I had to run it again to establish the connections
Thanks!
Very generous, thank you!