readme for thewarrens setup
This commit is contained in:
parent
ac7dc8b9bc
commit
a98ce97787
1 changed files with 3 additions and 59 deletions
62
README.md
62
README.md
|
|
@ -1,68 +1,12 @@
|
|||
# Tailscale
|
||||
|
||||
|
||||
This Ansible role installs and configure the [Tailscale client](https://tailscale.com/download)
|
||||
for Linux (Ubuntu) devices.
|
||||
This Ansible role installs and configure the [Tailscale client](https://tailscale.com/download) on debian machines and points it to my headscale instance.
|
||||
|
||||
This role was written based on [artis3n/ansible-role-tailscale](https://github.com/artis3n/ansible-role-tailscale).
|
||||
|
||||
|
||||
## Use Tailscale as exit node and DNS server for devices
|
||||
## Setup
|
||||
|
||||
For example, when abroad. The point then is to route *all traffic* via
|
||||
our Tailscale exit node, *including* DNS queries.
|
||||
Add a reusable key to vars/main.yml as tailscale_auth_key
|
||||
|
||||
Designate a Tailscale node as **exit node** via the web UI.
|
||||
To route the traffic from your device to that exit node,
|
||||
run`tailscale up --exit-node=<ip-exit-node>` (on Linux) or select the corresponding
|
||||
menu option on Android.
|
||||
|
||||
When you use the exit node feature, DNS traffic is automatically forwarded
|
||||
(so [no DNS leakage](https://github.com/tailscale/tailscale/issues/1713)).
|
||||
Awesome!
|
||||
|
||||
Tailscale exit nodes can then be shared with other users in our Github org,
|
||||
or with external users. Very cool!
|
||||
|
||||
Note that you need to add the Tailscale IP address of the exit node to
|
||||
the **Nameservers** setting in the Tailscale web UI. Also, it might be a good
|
||||
idea to set `override local DNS`.
|
||||
|
||||
Finally, internet connectivity from your Tailscale nodes will not work at all
|
||||
unless you set Pi-Hole's listening behaviour to **Listen on all interfaces, permit all origins**
|
||||
(default was **Listen only on eth0**).
|
||||
|
||||
|
||||
|
||||
## Use Tailscale as DNS server for Android devices?
|
||||
|
||||
The idea is to *not* route all traffic via the exit node, only the DNS traffic.
|
||||
This might be useful in certain situations (where you don't mind the ISP seeing
|
||||
your traffic, but you still want to benefit from our ad/tracker blocking).
|
||||
|
||||
I have not tested this properly yet.
|
||||
|
||||
+ https://shotor.com/blog/run-your-own-mesh-vpn-and-dns-with-tailscale-and-pihole/
|
||||
+ https://forum.tailscale.com/t/need-some-help-with-default-dns-when-using-tailscale/341
|
||||
+ https://github.com/tailscale/tailscale/issues/915
|
||||
+ https://github.com/tailscale/tailscale/issues/74
|
||||
|
||||
|
||||
## Notes on running Tailscale client inside LXC container
|
||||
|
||||
My DNS server (PiHole + unbound) runs as an LXC container.
|
||||
In the same container we also run Tailscale.
|
||||
|
||||
This works fine. For details on how the LXC profile was setup,
|
||||
see the [lxd-server role](https://codeberg.org/ansible/lxd-server).
|
||||
|
||||
|
||||
## Refs
|
||||
|
||||
+ https://github.com/artis3n/ansible-role-tailscale
|
||||
+ https://github.com/dockpack/base_tailscale
|
||||
+ https://tailscale.com/kb/1103/exit-nodes/
|
||||
+ https://tailscale.com/kb/1114/pi-hole/
|
||||
+ https://tailscale.com/kb/1130/lxc-unprivileged/
|
||||
+ https://tailscale.com/kb/1112/userspace-networking/
|
||||
+ https://tailscale.com/kb/1084/sharing/#sharing--exit-nodes
|
||||
|
|
|
|||
Loading…
Reference in a new issue