In this post, I'll talk about three features of Tailscale: the ability to connect securely to devices on my home network, automatic DNS entry creation, and free TLS certificates for devices on my private network.
Tailscale is a mesh VPN product, meaning that devices on the network connect to each other directly rather than through a central hub as with OpenVPN. To use Tailscale, you install a client, which establishes an overlay network on top of your existing network.
Tailscale is (as of this writing) free for up to 3 users and 100 devices. In my case, I want to expose my home Linux server to my MacBook, which may be on the road with me. This lets me run heavier workloads without draining my laptop's battery (2013 was peak MacBook). Without additional configuration, this won't touch any of my regular internet traffic, and it won't expose my home Linux server to the public internet; it will only be visible from other devices connected to Tailscale on my account.
Note that we're not talking about using the VPN to browse the web anonymously. You can see here that my default route is unaffected, and only two CIDR blocks get routed through the tunnel.
Each machine is given an IP on the private network, as well as a human-friendly DNS entry based on the machine's hostname. For example, bowser.tail966571.ts.net resolves to the private IP of the linux machine on my home network, 100.102.249.68.
Setup is a two-part process.
On Linux, a shell script sets up the tailscaled daemon and puts the tailscale command on your $PATH.
On desktop systems, Tailscale runs from the system tray.
Tailscale will issue free TLS certificates for your hosts through its own tailscale command-line app. You'll need to enable the HTTPS beta in your Tailscale settings at https://login.tailscale.com/admin/dns. With that done, getting TLS certificates for your node is as easy as running sudo tailscale cert.
This isn't quite as whizzy as certbot, but it's good enough for development, and easier than some of the other methods of getting certificates for a private network, such as email verification or managing your own CA. Certificates are generated for <hostname>.<your-tailscale-domain>.ts.net.
I have Kubernetes workloads running on my Linux machine, so I can import the certificates and create an ingress that uses them.
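Here is the certificate step and the Kubernetes import step above put together as one script. This is an added example, not code from the original post or from Tailscale. It assumes the tailscale and kubectl CLIs are installed, that the backend Service name and port (myapp, 8080) and the ingress class (nginx) are placeholders you replace, and that in the output of tailscale status --json the Self object precedes Peer, so the first DNSName is this node's own. One detail worth knowing: tailscale cert takes the node's full DNS name as an argument, so the script reads that name from tailscale status instead of hard-coding it.

```shell
#!/bin/sh
# Added example (not from the original post): fetch this node's Tailscale-issued
# TLS certificate and expose a Kubernetes Service behind an Ingress that uses it.
# Assumes the tailscale and kubectl CLIs are installed; the Service name/port and
# ingress class below are placeholders.
set -eu

# Read `tailscale status --json` on stdin and print this node's MagicDNS name.
# The "Self" object comes before "Peer" in the output, so the first DNSName is
# our own; it carries a trailing dot, which is stripped. Splitting on commas
# first keeps the extraction correct even when the JSON is on a single line.
ts_self_dns_name() {
  tr ',' '\n' \
    | sed -n 's/.*"DNSName":[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1 \
    | sed 's/\.$//'
}

# Derive a Kubernetes secret name from the host label:
# bowser.tail966571.ts.net -> bowser-tls
tls_secret_name() {
  printf '%s-tls\n' "${1%%.*}"
}

# Print an Ingress manifest that terminates TLS with the given secret and routes
# the host to a backend Service. Args: host secret service port [ingress-class]
ingress_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${1%%.*}
spec:
  ingressClassName: ${5:-nginx}
  tls:
  - hosts:
    - $1
    secretName: $2
  rules:
  - host: $1
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $3
            port:
              number: $4
EOF
}

# Fetch the certificate, then apply the TLS secret and the Ingress to the cluster.
main() {
  command -v tailscale >/dev/null || { echo "tailscale CLI not found" >&2; exit 1; }
  host=$(tailscale status --json | ts_self_dns_name)
  [ -n "$host" ] || { echo "could not determine this node's DNS name" >&2; exit 1; }

  # Talking to tailscaled needs root (or the tailscale operator user), and the
  # HTTPS certificates feature must be enabled for the tailnet in the admin console.
  sudo tailscale cert --cert-file "$host.crt" --key-file "$host.key" "$host"
  # Hand the files to the invoking user so kubectl can read them; keep the key private.
  sudo chown "$(id -u):$(id -g)" "$host.crt" "$host.key"
  chmod 600 "$host.key"

  secret=$(tls_secret_name "$host")
  # create --dry-run=client | apply makes re-runs (e.g. after renewal) idempotent.
  kubectl create secret tls "$secret" --cert="$host.crt" --key="$host.key" \
    --dry-run=client -o yaml | kubectl apply -f -
  ingress_manifest "$host" "$secret" "${APP_SERVICE:-myapp}" "${APP_PORT:-8080}" \
    "${INGRESS_CLASS:-nginx}" | kubectl apply -f -
  echo "https://$host/ now serves ${APP_SERVICE:-myapp} with a Tailscale-issued certificate"
}

# Only touch the network and the cluster when explicitly asked:
#   APP_SERVICE=myapp APP_PORT=8080 sh ts-cert-ingress.sh apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Because the helpers are plain functions that read stdin or arguments, you can source the file and check ts_self_dns_name against saved tailscale status output before letting the apply path near a cluster. Certificates from tailscale cert are short-lived like any ACME certificate, so re-running the apply step on a schedule (the secret update is idempotent) keeps the ingress from serving an expired certificate.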
Et voilà: I can develop remotely and securely, with no more untrusted-certificate browser warnings!
You can, of course, configure something like an nginx reverse proxy to use your Tailscale-generated TLS certificates. Either way, we like the ease with which Tailscale lets us establish a private network with simple DNS entries and TLS certificates, all at little or no cost.
Tom is a Software Developer residing in The Good Life (we have nachos). You can find him on GitHub or LinkedIn.