# Tailscale Integration

Tailscale provides secure, zero-config VPN access to your internal network without exposing ports.

## Setup

### 1. Install Tailscale on Server

```bash
# On Proxmox (Debian/Ubuntu)
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale
sudo tailscale up

# Get your Tailscale IP
sudo tailscale ip -4
```

### 2. Configure DNS in Tailscale Admin

1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/dns)
2. Add **Nameservers**:
   - Your Raspberry Pi Tailscale IP (for AdGuard)
   - Or: `100.100.100.100` (Tailscale's MagicDNS)
3. Enable **Override local DNS** (optional)
4. Add **Search domain**: `local.lemonlink.eu`

### 3. DNS Split Horizon

Configure AdGuard to handle `local.lemonlink.eu`:

```
# In AdGuard Home (dns.local.lemonlink.eu)
# Filters → DNS rewrites
*.local.lemonlink.eu → YOUR_TAILSCALE_IP
```

### 4. Traefik Internal Entrypoint

The internal entrypoint (port 8443) is configured to only listen on Tailscale:

```yaml
# In docker-compose.yml, under traefik service:
ports:
  - "${TAILSCALE_IP}:8443:8443"  # Only accessible via Tailscale
```

Update `.env`:

```
TAILSCALE_IP=100.x.x.x  # Your server's Tailscale IP
```

Note: Docker can only bind to that address once the `tailscale0` interface is up, so the Traefik container must start after `tailscaled` (otherwise the bind fails with "cannot assign requested address").

### 5. ACLs (Access Control Lists)

For extra security, configure Tailscale ACLs:

```json
// In Tailscale Admin → Access Controls
{
  "acls": [
    // Allow users to access specific ports
    // (group:family must also be defined under "groups")
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["100.x.x.x:443,8443"]  // Your server
    }
    // Tailscale ACLs are default-deny and only support "action": "accept",
    // so any traffic not matched above (including other ports on the server)
    // is dropped without an explicit deny rule.
  ]
}
```

## Testing

```bash
# From your phone/computer with Tailscale

# Test internal DNS
ping traefik.local.lemonlink.eu

# Access internal services
curl https://traefik.local.lemonlink.eu:8443

# Verify you're going through Tailscale
# Should show 100.x.x.x IPs, not public IPs
traceroute traefik.local.lemonlink.eu
```

## Raspberry Pi 5 Setup

Your Raspberry Pi can run additional monitoring services:

```yaml
# On Raspberry Pi - docker-compose.yml
version: "3.8"
services:
  adguard:
    image: adguard/adguardhome:v0.107.52
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000"  # Initial setup only
    volumes:
      - ./adguard-work:/opt/adguardhome/work
      - ./adguard-conf:/opt/adguardhome/conf
    restart: unless-stopped
```

Configure AdGuard:

1. Bootstrap DNS: `1.1.1.1`, `8.8.8.8`
2. Upstream DNS: `https://dns.cloudflare.com/dns-query`
3. DNS rewrites for local domains

## Security Best Practices

1. **Disable key expiry** for servers. This is toggled per machine in the admin console (Machines → machine menu → Disable key expiry); the command below only lets your user operate `tailscale` without sudo:
   ```bash
   sudo tailscale up --reset --operator=$USER
   ```
2. **Enable device approval** for new devices
3. **Use ACLs** to limit access between devices
4. **Enable HTTPS** (Beta feature):
   ```bash
   sudo tailscale up --accept-routes
   # Note: tailscale cert only issues certificates for this node's MagicDNS name
   # (host.<tailnet>.ts.net, after HTTPS is enabled on the admin DNS page);
   # it cannot issue for local.lemonlink.eu names, which Traefik must cover itself.
   sudo tailscale cert your-host.local.lemonlink.eu
   ```
5. **Disable subnet routing** if not needed:
   ```bash
   # Stop accepting routes advertised by other nodes
   sudo tailscale up --accept-routes=false
   ```

## Troubleshooting

### Can't resolve local.lemonlink.eu

- Check AdGuard is running on Raspberry Pi
- Verify Tailscale DNS settings
- Test: `dig @100.x.x.x traefik.local.lemonlink.eu` (Raspberry Pi IP)

### Connection refused on :8443

- Verify Traefik is bound to Tailscale IP
- Check firewall: `sudo ufw allow from 100.64.0.0/10 to any port 8443`
- Test locally on the server: `curl -k https://100.x.x.x:8443` (use the server's Tailscale IP; `localhost` will be refused because the port is bound to the Tailscale address only)

### Slow performance

- Enable IP forwarding (required when this host routes traffic for others, e.g. as a subnet router or exit node):
  ```bash
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p
  ```
- Use `--netfilter-mode=off` if issues persist

## Comparison: External vs Internal Access

| Service | External URL | Internal URL | Auth |
|---------|-------------|--------------|------|
| Nextcloud | cloud.lemonlink.eu | cloud.local.lemonlink.eu:8443 | Authelia 2FA |
| Vaultwarden | vault.lemonlink.eu | vault.local.lemonlink.eu:8443 | Authelia 2FA |
| Portainer | - | docker.local.lemonlink.eu:8443 | Authelia 1FA |
| Traefik Dashboard | - | traefik.local.lemonlink.eu:8443 | Authelia 1FA |
| AdGuard | - | dns.local.lemonlink.eu:8443 | Authelia 1FA |

*1FA = Username/Password, 2FA = + TOTP/WebAuthn*
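As an added check for the Traefik internal entrypoint (step 4) and the "Connection refused on :8443" entry above, the script below (written for this page, not part of the original setup) parses `ss -Hltn` output and reports any port 8443 listener that is not bound to a Tailscale address; the sample output and the address 100.101.102.103 are constructed placeholders.

```python
"""Verify that the Traefik internal entrypoint (:8443) listens only on a Tailscale address."""
import ipaddress
import re
import subprocess

# Address ranges Tailscale assigns to nodes: the CGNAT v4 range and its v6 ULA prefix
TAILSCALE_NETS = (ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48"))
INTERNAL_PORT = 8443
# Local Address:Port column of `ss -Hltn`, e.g. "100.101.102.103:8443", "[::]:443", "*:8443"
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^\s:]+)):(?P<port>\d+)$")

# Constructed sample of `ss -Hltn` output: one correct 8443 listener plus two exposed ones
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 100.101.102.103:8443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 4096 *:8443 *:*
"""

def is_tailscale_ip(addr):
    """True when `addr` (e.g. the TAILSCALE_IP value in .env) is a Tailscale node address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # wildcards such as "*" or scoped/odd spellings
        return False
    return not ip.is_unspecified and any(ip in net for net in TAILSCALE_NETS)

def parse_listeners(ss_output):
    """Return (address, port) tuples from `ss -Hltn` style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and (m := _ADDR_RE.match(fields[3])):
            listeners.append((m.group("v6") or m.group("v4"), int(m.group("port"))))
    return listeners

def exposed_listeners(listeners, port=INTERNAL_PORT):
    """Listeners on `port` whose bind address is not a Tailscale address (wildcards included)."""
    return [(addr, p) for addr, p in listeners if p == port and not is_tailscale_ip(addr)]

def main():
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    bad = exposed_listeners(parse_listeners(out))
    for addr, port in bad:
        print(f"WARNING: port {port} bound to {addr}; expected a Tailscale address only")
    return 1 if bad else 0

if __name__ == "__main__":
    raise SystemExit(main())
```

Run it on the server after `docker compose up`; a non-zero exit means the internal entrypoint is reachable from a non-Tailscale interface.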