Last month, I got a Dell R730xd, and spent a lot of time fighting with China Telecom. In the end, I lost that war. But fortunately, Tailscale can (maybe) effectively address my issue.

I used Tailscale in the past, but stopped because of the Chinese 'Premium' network: the high latency and packet loss drove me crazy.

And 'they' provide the service, just like Google. Haha, actually, I'm not sensitive to this at all. I'm not a privacy-paranoid person.

"Why not self-host it?", a real man (a character I made up) said. So I host it on a server on the CN2 (AS4809) network.

Got to admit, Tailscale's Hole Punching works seamlessly without any configuration needed – it's fantastic!

So, I logged into NixOS first. Finished configuring in about 10 minutes.

headscale = {
  enable = true;
  # Specify listening on all available interfaces with 0.0.0.0
  address = "0.0.0.0";
  port = 443; # Any port you like
  settings = {
    # use "http://weed.ocfox.me" if you don't need tls
    server_url = "https://weed.ocfox.me";
    # Don't forget forwarding if you use another port
    tls_letsencrypt_hostname = "weed.ocfox.me";
    tls_letsencrypt_challenge_type = "TLS-ALPN-01";
    # Any base_domain you like; in this case
    # your nodes will be named `<nodename>.<user>.sex.allnight`
    dns_config.base_domain = "sex.allnight";
    # Add this to avoid noisy warning
    ip_prefixes = [
      "fd7a:115c:a1e0::/48"
      "100.64.0.0/10"
    ];
  };
};
Copy this without comments:
headscale = {
  enable = true;
  address = "0.0.0.0";
  port = 443;
  settings = {
    server_url = "https://weed.ocfox.me";
    tls_letsencrypt_hostname = "weed.ocfox.me";
    tls_letsencrypt_challenge_type = "TLS-ALPN-01";
    dns_config.base_domain = "sex.allnight";
    ip_prefixes = [
      "fd7a:115c:a1e0::/48"
      "100.64.0.0/10"
    ];
  };
};

"Why is it headscale instead of services.headscale?" -- I use haumea, a filesystem-based module system for Nix.

Log into the headscale server to create a user:

headscale namespaces create ocfox
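The thing that bit me when I first tried this: NixOS turns its firewall on by default, so the port headscale listens on is closed until you open it. The module below is an added example, not the post's own config; it repeats the headscale settings from above (hostname and base_domain reused as-is) and adds the firewall rule. TLS-ALPN-01 means the ACME server connects to TCP 443 on the hostname, so 443 is always opened here alongside whatever `port` is set to; if `port` is not 443, you still have to forward 443 to it, which is what the "Don't forget forwarding" comment above means.

```nix
{ config, lib, ... }:
{
  services.headscale = {
    enable = true;
    address = "0.0.0.0";
    port = 443;
    settings = {
      server_url = "https://weed.ocfox.me";
      tls_letsencrypt_hostname = "weed.ocfox.me";
      tls_letsencrypt_challenge_type = "TLS-ALPN-01";
      dns_config.base_domain = "sex.allnight";
      ip_prefixes = [ "fd7a:115c:a1e0::/48" "100.64.0.0/10" ];
    };
  };

  # The NixOS firewall is enabled by default; open headscale's listening port.
  # TLS-ALPN-01 validation arrives on TCP 443, so keep 443 open too when
  # `port` is something else (lib.unique avoids listing 443 twice).
  networking.firewall.allowedTCPPorts =
    lib.unique [ 443 config.services.headscale.port ];
}
```

Only the control-plane port needs opening on the server: tailnet traffic itself never transits headscale, it goes peer to peer (or through DERP relays), so nothing else has to be exposed for this to work.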

Now enable tailscale on the nodes in one line.

services.tailscale.enable = true;

After rebuild, log into headscale.

[ocfox@bed]$ sudo tailscale up --login-server https://weed.ocfox.me
To authenticate, visit:

        https://weed.ocfox.me/register/nodekey:pleasefuckmefrommorningtothemidnight

Visiting this site is useless; the page has not been implemented yet. But the node can be authorized on the headscale server.

[root@headserver:~]# headscale nodes register -k nodekey:pleasefuckmefrommorningtothemidnight -u ocfox
[ocfox@bed]$ tailscale status
100.64.0.1 bed ocfox linux -

Then I registered sofa the same way. Both machines can now communicate behind NAT (I think it should work). If not, at least the nodes connect to headscale fast.
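For more than two nodes, the copy-the-nodekey-then-register dance gets old. The module below is an added example (not from the post) that goes one step further than the one-liner above: it lets a node log in to the self-hosted server on its own using a pre-auth key, and opens the firewall so hole punching has a chance. It assumes a NixOS new enough to have `services.tailscale.authKeyFile` and `services.tailscale.extraUpFlags` (23.05 or later), a key created on the server with `headscale preauthkeys create --user ocfox --reusable` (older headscale says `--namespace` instead of `--user`), and `/run/secrets/headscale-authkey` is a placeholder path for wherever you drop that key.

```nix
{ config, ... }:
{
  services.tailscale = {
    enable = true;
    # Placeholder path to a file holding the headscale pre-auth key.
    # Keep it out of the Nix store (the store is world-readable); deliver it
    # with a secrets tool or copy it by hand as root with mode 0400.
    authKeyFile = "/run/secrets/headscale-authkey";
    # Extra flags the autoconnect service passes to `tailscale up`, so the
    # node registers against the self-hosted control server by itself.
    extraUpFlags = [ "--login-server=https://weed.ocfox.me" ];
  };

  networking.firewall = {
    # Let tailscaled's UDP port through so direct (hole-punched) connections
    # can be set up instead of everything falling back to DERP relays.
    allowedUDPPorts = [ config.services.tailscale.port ];
    # The tailscale interface trips the strict reverse-path filter once the
    # node routes traffic (exit node / subnet router); loose is safe here.
    checkReversePath = "loose";
    # Optional: treat every tailnet peer as trusted. Drop this and open
    # specific ports instead if the NixOS firewall should still apply to
    # traffic coming in over the tailnet.
    trustedInterfaces = [ config.services.tailscale.interfaceName ];
  };
}
```

A reusable key lets any host that holds it join the tailnet as that user, so treat it like a password: prefer a short `--expiration`, and revoke it with `headscale preauthkeys expire` once the nodes are enrolled. After `nixos-rebuild switch`, `tailscale status` should show the node without the manual `headscale nodes register` step.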

On darwin (macOS) I fell into a well. To specify the login server with the Tailscale app (installed from the App Store):

$ /Applications/Tailscale.app/Contents/MacOS/Tailscale up --login-server https://^_^

And check the nodekey in another terminal:

$ tailscale status
  ...
    https://weed.ocfox.me/register/nodekey:pleasefuckmefrommorningtothemidnight

Of course, MagicDNS is needed. But living in China with a proxy, MagicDNS causes issues -- it forces all DNS through services.headscale.settings.dns_config.nameservers. There's no good solution yet; I ended up using a system proxy instead of TUN.

At last, why must I use a proxy to see this world? -- "Maybe I fucked a dog in my past life."