LemonSec/docs/TAILSCALE.md

# Tailscale Integration
Tailscale provides secure, zero-config VPN access to your internal network without exposing ports.
## Setup
### 1. Install Tailscale on Server
```bash
# On Proxmox (Debian/Ubuntu)
curl -fsSL https://tailscale.com/install.sh | sh
# Start Tailscale
sudo tailscale up
# Get your Tailscale IP
sudo tailscale ip -4
```
### 2. Configure DNS in Tailscale Admin
1. Go to [Tailscale Admin Console](https://login.tailscale.com/admin/dns)
2. Add **Nameservers**:
   - Your Raspberry Pi Tailscale IP (for AdGuard)
   - Or: `100.100.100.100` (Tailscale's MagicDNS)
3. Enable **Override local DNS** (optional)
4. Add **Search domain**: `local.lemonlink.eu`
### 3. DNS Split Horizon
Configure AdGuard to handle `local.lemonlink.eu`:
```
# In AdGuard Home (dns.local.lemonlink.eu)
# Filters → DNS rewrites
*.local.lemonlink.eu → YOUR_TAILSCALE_IP
```
### 4. Traefik Internal Entrypoint
The internal entrypoint (port 8443) is configured to only listen on Tailscale:
```yaml
# In docker-compose.yml, under traefik service:
ports:
  - "${TAILSCALE_IP}:8443:8443" # Only accessible via Tailscale
```
Update `.env`:
```
TAILSCALE_IP=100.x.x.x # Your server's Tailscale IP
```
### 5. ACLs (Access Control Lists)
For extra security, configure Tailscale ACLs:
```json
// In Tailscale Admin → Access Controls
{
  // "group:family" must be defined before it can be used as a src.
  // Placeholder address: replace with the Tailscale logins of your users.
  "groups": {
    "group:family": ["user@example.com"]
  },
  "acls": [
    // Allow family members to reach the public and internal entrypoints
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["100.x.x.x:443,8443"] // Your server
    }
    // Everything not matched by an "accept" rule is denied: Tailscale ACLs are
    // default-deny and "accept" is the only supported action, so an explicit
    // "deny" rule is neither needed nor accepted by the policy validator.
  ]
}
```
## Testing
```bash
# From your phone/computer with Tailscale
# Test internal DNS
ping traefik.local.lemonlink.eu
# Access internal services
curl https://traefik.local.lemonlink.eu:8443
# Verify you're going through Tailscale
# Should show 100.x.x.x IPs, not public IPs
traceroute traefik.local.lemonlink.eu
```
## Raspberry Pi 5 Setup
Your Raspberry Pi can run additional monitoring services:
```yaml
# On Raspberry Pi - docker-compose.yml
version: "3.8"
services:
  adguard:
    image: adguard/adguardhome:v0.107.52
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000" # Initial setup only
    volumes:
      - ./adguard-work:/opt/adguardhome/work
      - ./adguard-conf:/opt/adguardhome/conf
    restart: unless-stopped
```
Configure AdGuard:
1. Bootstrap DNS: `1.1.1.1`, `8.8.8.8`
2. Upstream DNS: `https://dns.cloudflare.com/dns-query`
3. DNS rewrites for local domains
## Security Best Practices
1. **Disable key expiry** for servers. This is done per machine in the Admin Console (Machines → machine menu → *Disable key expiry*); there is no CLI flag for it. The command below does not change expiry, it only lets your user drive the CLI without sudo:
```bash
# --operator lets $USER run tailscale commands without sudo (it does not affect key expiry).
# --reset clears any other `tailscale up` settings, so repeat flags you rely on (e.g. --advertise-routes).
sudo tailscale up --reset --operator=$USER
```
2. **Enable device approval** for new devices
3. **Use ACLs** to limit access between devices
4. **Enable HTTPS** (Beta feature): turn on *HTTPS Certificates* (requires MagicDNS) under DNS in the Admin Console, then request a certificate for the machine's tailnet name:
```bash
# tailscale cert only issues certificates for the machine's MagicDNS name
# (<machine>.<tailnet>.ts.net), not for custom domains such as local.lemonlink.eu.
# "your-host" and "your-tailnet" are placeholders.
sudo tailscale cert your-host.your-tailnet.ts.net
```
5. **Disable subnet routing** if not needed:
```bash
# Stop accepting subnet routes advertised by other nodes (already the default on Linux)
sudo tailscale up --accept-routes=false
# If this host itself advertises subnets, withdraw them with an empty list
sudo tailscale up --advertise-routes=
```
## Troubleshooting
### Can't resolve local.lemonlink.eu
- Check AdGuard is running on Raspberry Pi
- Verify Tailscale DNS settings
- Test: `dig @100.x.x.x traefik.local.lemonlink.eu` (where `100.x.x.x` is the Raspberry Pi's Tailscale IP)
### Connection refused on :8443
- Verify Traefik is bound to Tailscale IP
- Check firewall: `sudo ufw allow from 100.64.0.0/10 to any port 8443`
- Test locally: `curl -k https://localhost:8443`
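The "Verify Traefik is bound to Tailscale IP" check above, as an added shell audit (example code, not part of LemonSec): it parses `ss -ltnH` output and flags any listener on the internal port that is not on a 100.64.0.0/10 address, which is exactly the state in which the "internal" entrypoint is reachable from outside the tailnet. The sample `ss` lines are constructed and the Tailscale IP in them is a placeholder.

```bash
#!/bin/sh
# Added audit helper, not part of LemonSec: verifies that every socket listening on
# the internal entrypoint port is bound to a Tailscale address (100.64.0.0/10).
# A listener on 0.0.0.0, *, [::] or a public IP means the port is not tailnet-only.

# in_tailscale_range IP  ->  exit 0 if IP lies in 100.64.0.0/10 (100.64.x.x - 100.127.x.x)
in_tailscale_range() {
  ip=$1
  o1=${ip%%.*}
  rest=${ip#*.}
  o2=${rest%%.*}
  [ "$o1" = 100 ] || return 1
  case "$o2" in
    ''|*[!0-9]*) return 1 ;;   # not numeric, e.g. "*" or "[::]"
  esac
  [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# audit_listeners PORT  (reads `ss -ltnH` output on stdin)
# Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
# Prints one line per listener on PORT; returns 1 if any is not Tailscale-bound.
audit_listeners() {
  port=$1
  rc=0
  while read -r _state _rq _sq laddr _peer _rest; do
    lport=${laddr##*:}
    addr=${laddr%:*}
    [ "$lport" = "$port" ] || continue
    if in_tailscale_range "$addr"; then
      echo "OK       $laddr (tailnet only)"
    else
      echo "EXPOSED  $laddr (reachable outside the tailnet)"
      rc=1
    fi
  done
  return $rc
}

# Live use on the server:  ss -ltnH | audit_listeners 8443
# Constructed sample so the helper runs offline; 100.101.102.103 is a placeholder.
sample_ss_output() {
  printf '%s\n' \
    'LISTEN 0 4096 100.101.102.103:8443 0.0.0.0:*' \
    'LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*' \
    'LISTEN 0 4096 *:8443 *:*'
}
```

The sample output deliberately contains a wildcard `*:8443` listener, so `sample_ss_output | audit_listeners 8443` reports it as EXPOSED and exits non-zero; the public `:443` entrypoint is ignored because only the requested port is audited.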
### Slow performance
- Enable NAT optimization:
```bash
# IP forwarding is what this host needs when it acts as a subnet router or exit node
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
- Use `--netfilter-mode=off` if issues persist (Tailscale then stops managing its own netfilter rules, so any firewall rules you need must be maintained by hand)
## Comparison: External vs Internal Access
| Service | External URL | Internal URL | Auth |
|---------|-------------|--------------|------|
| Nextcloud | cloud.lemonlink.eu | cloud.local.lemonlink.eu:8443 | Authelia 2FA |
| Vaultwarden | vault.lemonlink.eu | vault.local.lemonlink.eu:8443 | Authelia 2FA |
| Portainer | - | docker.local.lemonlink.eu:8443 | Authelia 1FA |
| Traefik Dashboard | - | traefik.local.lemonlink.eu:8443 | Authelia 1FA |
| AdGuard | - | dns.local.lemonlink.eu:8443 | Authelia 1FA |
*1FA = Username/Password, 2FA = + TOTP/WebAuthn*