# Tailscale

This Ansible role installs and configures the [Tailscale client](https://tailscale.com/download)
for Linux (Ubuntu) devices.

This role was written based on [artis3n/ansible-role-tailscale](https://github.com/artis3n/ansible-role-tailscale).

## Use Tailscale as exit node and DNS server for devices

This is useful, for example, when abroad. The point is then to route *all traffic* via
our Tailscale exit node, *including* DNS queries.

Designate a Tailscale node as **exit node** via the web UI.
To route the traffic from your device to that exit node,
run `tailscale up --exit-node=<ip-exit-node>` (on Linux) or select the corresponding
menu option on Android.

When you use the exit node feature, DNS traffic is automatically forwarded
(so [no DNS leakage](https://github.com/tailscale/tailscale/issues/1713)).
Awesome!

Tailscale exit nodes can then be shared with other users in our Github org,
or with external users. Very cool!

Note that you need to add the Tailscale IP address of the exit node to
the **Nameservers** setting in the Tailscale web UI. Also, it might be a good
idea to set `override local DNS`.

Finally, internet connectivity from your Tailscale nodes will not work at all
unless you set Pi-Hole's listening behaviour to **Listen on all interfaces, permit all origins**
(default was **Listen only on eth0**).
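As an added example (not part of this role or of Tailscale itself), a small Python check that cross-references the output of `tailscale status --json` with the address you entered under **Nameservers**: it confirms that an exit node is selected and online, and that the configured nameserver is that node's Tailscale IP, so DNS really ends up on the Pi-hole exit node rather than leaking elsewhere. The status document below is a constructed sample, and the field names it relies on (`Peer`, `ExitNode`, `ExitNodeOption`, `TailscaleIPs`, `Online`) are assumed to match the CLI's JSON layout.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample of `tailscale status --json`, trimmed to the fields this
# check reads (the field names are an assumption about the CLI's JSON layout).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.101.1.2"], "Online": True},
    "Peer": {
        "nodekey:aaa": {"HostName": "pihole", "Online": True, "ExitNodeOption": True,
                        "ExitNode": True, "TailscaleIPs": ["100.101.1.10", "fd7a:115c:a1e0::a"]},
        "nodekey:bbb": {"HostName": "nas", "Online": True, "ExitNodeOption": False,
                        "ExitNode": False, "TailscaleIPs": ["100.101.1.20"]},
    },
})

TAILNET_V4 = ip_network("100.64.0.0/10")  # CGNAT range Tailscale uses for node IPv4 addresses


def check_exit_node_dns(status_json: str, configured_nameserver: str) -> dict:
    """Cross-check the selected exit node against the nameserver configured in the
    Tailscale admin UI. 'ok' is True only when all traffic, DNS included, will land
    on the same online Pi-hole exit node."""
    peers = list((json.loads(status_json).get("Peer") or {}).values())
    active = [p for p in peers if p.get("ExitNode")]  # the node currently selected as exit node
    report = {
        "ok": False, "active_exit_node": None, "exit_node_ips": [],
        "candidates": [p["HostName"] for p in peers if p.get("ExitNodeOption")],
        "nameserver_on_exit_node": False, "problems": [],
    }
    if not active:
        report["problems"].append("no exit node selected; run `tailscale up --exit-node=...`")
        return report
    node = active[0]
    ips = node.get("TailscaleIPs", [])
    report["active_exit_node"] = node.get("HostName")
    report["exit_node_ips"] = ips
    if not node.get("Online"):
        report["problems"].append("selected exit node is offline, nothing will route")
    ns = ip_address(configured_nameserver)
    if ns not in TAILNET_V4:  # a public resolver here means DNS bypasses the tailnet
        report["problems"].append(f"nameserver {ns} is not a tailnet address")
    report["nameserver_on_exit_node"] = any(ip_address(i) == ns for i in ips)
    if not report["nameserver_on_exit_node"]:
        report["problems"].append(f"nameserver {ns} is not the exit node's IP ({', '.join(ips)})")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    print(check_exit_node_dns(SAMPLE_STATUS, "100.101.1.10"))
```

On a real node, feed it `subprocess.run(["tailscale", "status", "--json"], capture_output=True, text=True).stdout` instead of the sample.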
## Use Tailscale as DNS server for Android devices?

The idea is to *not* route all traffic via the exit node, only the DNS traffic.
This might be useful in certain situations (where you don't mind the ISP seeing
your traffic, but you still want to benefit from our ad/tracker blocking).

I have not tested this properly yet.

+ https://shotor.com/blog/run-your-own-mesh-vpn-and-dns-with-tailscale-and-pihole/
+ https://forum.tailscale.com/t/need-some-help-with-default-dns-when-using-tailscale/341
+ https://github.com/tailscale/tailscale/issues/915
+ https://github.com/tailscale/tailscale/issues/74

## Notes on running Tailscale client inside LXC container

My DNS server (PiHole + unbound) runs as an LXC container.
In the same container we also run Tailscale.

This works fine. For details on how the LXC profile was set up,
see the [lxd-server role](https://codeberg.org/ansible/lxd-server).

## Refs

+ https://github.com/artis3n/ansible-role-tailscale
+ https://github.com/dockpack/base_tailscale
+ https://tailscale.com/kb/1103/exit-nodes/
+ https://tailscale.com/kb/1114/pi-hole/
+ https://tailscale.com/kb/1130/lxc-unprivileged/
+ https://tailscale.com/kb/1112/userspace-networking/
+ https://tailscale.com/kb/1084/sharing/#sharing--exit-nodes