# Tailscale Integration
Tailscale provides secure, zero-config VPN access to your internal network without exposing ports.
## Setup

### 1. Install Tailscale on Server

```bash
# On Proxmox (Debian/Ubuntu)
curl -fsSL https://tailscale.com/install.sh | sh

# Start Tailscale
sudo tailscale up

# Get your Tailscale IP
sudo tailscale ip -4
```
### 2. Configure DNS in Tailscale Admin

- Go to the Tailscale Admin Console
- Add Nameservers:
  - Your Raspberry Pi's Tailscale IP (for AdGuard)
  - Or: `100.100.100.100` (Tailscale's MagicDNS)
- Enable "Override local DNS" (optional)
- Add Search domain: `local.lemonlink.eu`
### 3. DNS Split Horizon

Configure AdGuard to answer for `local.lemonlink.eu` with the Tailscale address:

```text
# In AdGuard Home (dns.local.lemonlink.eu)
# Filters → DNS rewrites
*.local.lemonlink.eu → YOUR_TAILSCALE_IP
```
### 4. Traefik Internal Entrypoint

The internal entrypoint (port 8443) is configured to listen only on the server's Tailscale IP, so it is never published on a public interface:

```yaml
# In docker-compose.yml, under the traefik service:
ports:
  - "${TAILSCALE_IP}:8443:8443"   # Only accessible via Tailscale
```

Update `.env`:

```bash
TAILSCALE_IP=100.x.x.x   # Your server's Tailscale IP
```
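A quick way to confirm that the 8443 binding really landed on the Tailscale IP and not on `0.0.0.0` (the same check the "Connection refused on :8443" troubleshooting step asks for). This is an added example, not part of the project; it parses `ss -ltn` output, and the sample output embedded below is constructed.

```python
"""Verify a port is bound only to the Tailscale IP (added example, not
project code). Parses `ss -ltn` output; the sample below is constructed."""
import ipaddress

TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")  # Tailscale CGNAT range

# Constructed `ss -ltn` sample: a correct binding on the Tailscale IP,
# a Docker binding on all interfaces, an IPv6 wildcard and loopback DNS.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096    100.101.102.103:8443  0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8443          0.0.0.0:*
LISTEN  0       4096    [::]:443              [::]:*
LISTEN  0       128     127.0.0.1:53          0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row; '[::]:443' becomes ('::', 443)."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)

def exposed_listeners(ss_output, port):
    """Return local addresses on `port` reachable from outside the tailnet.

    Wildcards (0.0.0.0, ::, *) and any address outside 100.64.0.0/10 count
    as exposed; loopback is ignored since it is not reachable over the network.
    """
    exposed = []
    for addr, p in parse_listeners(ss_output):
        if p != port:
            continue
        if addr in ("0.0.0.0", "::", "*"):
            exposed.append(addr)
            continue
        ip = ipaddress.ip_address(addr)
        if not ip.is_loopback and (ip.version != 4 or ip not in TAILSCALE_RANGE):
            exposed.append(addr)
    return exposed

if __name__ == "__main__":
    # On the real host: ss -ltn | python3 check_bind.py  (reads stdin)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    print("exposed on 8443:", exposed_listeners(data, 8443) or "none")
```

Any address reported for 8443 other than the Tailscale IP means the Compose port mapping did not pick up `TAILSCALE_IP`.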
### 5. ACLs (Access Control Lists)

For extra security, restrict which tailnet users can reach the server with Tailscale ACLs:

```json
// In Tailscale Admin → Access Controls (HuJSON, so comments are allowed)
{
  "acls": [
    // Allow members of group:family to reach only the two Traefik entrypoints.
    // group:family must be defined in the policy's "groups" section.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["100.x.x.x:443,8443"] // Your server's Tailscale IP
    }
    // No explicit deny rule is needed, and "action": "deny" is not accepted
    // by the policy editor: Tailscale ACLs are default-deny, so any traffic
    // not matched by an accept rule is dropped.
  ]
}
```
## Testing

```bash
# From your phone/computer with Tailscale

# Test internal DNS
ping traefik.local.lemonlink.eu

# Access internal services
curl https://traefik.local.lemonlink.eu:8443

# Verify you're going through Tailscale
# Should show 100.x.x.x IPs, not public IPs
traceroute traefik.local.lemonlink.eu
```
## Raspberry Pi 5 Setup

Your Raspberry Pi can run additional services such as AdGuard:

```yaml
# On Raspberry Pi - docker-compose.yml
version: "3.8"
services:
  adguard:
    image: adguard/adguardhome:v0.107.52
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000"   # Initial setup only
    volumes:
      - ./adguard-work:/opt/adguardhome/work
      - ./adguard-conf:/opt/adguardhome/conf
    restart: unless-stopped
```
Configure AdGuard:

- Bootstrap DNS: `1.1.1.1,8.8.8.8`
- Upstream DNS: `https://dns.cloudflare.com/dns-query`
- DNS rewrites for local domains
## Security Best Practices

- Disable key expiry for servers:

  ```bash
  # Key expiry itself is toggled per machine in the Admin Console
  # (Machines → ... → Disable key expiry); this command re-applies the node
  # settings and lets $USER manage tailscaled without sudo
  sudo tailscale up --reset --operator=$USER
  ```

- Enable device approval for new devices
- Use ACLs to limit access between devices
- Enable HTTPS (Beta feature):

  ```bash
  # HTTPS certificates must first be enabled in the Admin Console (DNS → HTTPS Certificates).
  # `tailscale cert` only issues certificates for the node's MagicDNS name
  # (<host>.<tailnet-name>.ts.net), not for a custom domain like local.lemonlink.eu.
  sudo tailscale up --accept-routes
  sudo tailscale cert your-host.<tailnet-name>.ts.net   # placeholder: your node's ts.net name
  ```

- Disable subnet routing if not needed:

  ```bash
  # Stops this node from accepting subnet routes advertised by other nodes
  sudo tailscale up --accept-routes=false
  ```
## Troubleshooting

### Can't resolve local.lemonlink.eu

- Check AdGuard is running on the Raspberry Pi
- Verify Tailscale DNS settings
- Test (100.x.x.x is the Raspberry Pi's Tailscale IP):

  ```bash
  dig @100.x.x.x traefik.local.lemonlink.eu
  ```

### Connection refused on :8443

- Verify Traefik is bound to the Tailscale IP
- Check firewall:

  ```bash
  sudo ufw allow from 100.64.0.0/10 to any port 8443
  ```

- Test locally:

  ```bash
  curl -k https://localhost:8443
  # If the port is bound only to the Tailscale IP (section 4), localhost is
  # refused by design; test against that IP instead
  curl -k "https://$(tailscale ip -4):8443"
  ```

### Slow performance

- Enable NAT optimization:

  ```bash
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p
  ```

- Use `--netfilter-mode=off` if issues persist (this stops tailscaled from managing its own iptables/nftables rules, so the firewall rules for Tailscale traffic then have to be maintained by hand)
## Comparison: External vs Internal Access

| Service | External URL | Internal URL | Auth |
|---|---|---|---|
| Nextcloud | cloud.lemonlink.eu | cloud.local.lemonlink.eu:8443 | Authelia 2FA |
| Vaultwarden | vault.lemonlink.eu | vault.local.lemonlink.eu:8443 | Authelia 2FA |
| Portainer | - | docker.local.lemonlink.eu:8443 | Authelia 1FA |
| Traefik Dashboard | - | traefik.local.lemonlink.eu:8443 | Authelia 1FA |
| AdGuard | - | dns.local.lemonlink.eu:8443 | Authelia 1FA |

1FA = Username/Password, 2FA = + TOTP/WebAuthn