Development in the VPN space has been quite static for a long time. Cisco VPN and Openvpn are two of the most popular options. I want to introduce an alternative today.
I have been using Tailscale for years now, first for my personal network, and then at work. I know the Tailscale folks have trouble framing their product. If I had to define it, I'd say it is a security, networking, and connectivity tool that helps you create secure and performant mesh networks. I don't think there is any definition that can communicate how powerful this software is.
Tailscale is mostly open source but the control server is proprietary. If that does not work for you, consider using Headscale, an open source version of the Tailscale control plane.
I wanted to explore how Tailscale behaves when operating VPN mode and see if it could be an alternative for our traditional VPN solution.
The setup is quite simple. Build a couple of machines with the proper hardware and connect them to your physical network and then to your Tailnet.
Users will be able to connect directly (assuming they have the right permissions) to other nodes in the tailnet via Wireguard connections (the ideal scenario). For other devices that are not part of the tailnet, you can use the subnet routers. Nodes flagged to work as subnet routers will route traffic from the Wireguard interface to other interfaces as necessary. Again, you can control who can access what via the access controls that Tailscale provides.
With this setup, your users will only send traffic over Tailscale when they are reaching resources in your network instead of routing all the traffic. They can do so if they want to via exit nodes.
Additionally, subnet routers will work in HA mode. You just need to expose the same hosts or subnets with multiple devices that are connected to you tailnet.
We are now ready to make some hardware decisions.
I want to configure a couple of machines to act as subnet routers. Here are the features and characteristics I want for the hardware:
We don't need too many computational resources, just a bit of CPU power and a good NIC to route traffic. Tailscale provides HA for us but I still want to have robust hardware that last a long time.
1G will probably be enough here but since we have access to 10G switches we want to take advantage of that.
I want to be able to remote control the machine as necessary, that means reinstalling the OS remotely and/or power cycling the machine.
Here is what I ended up selecting:
We could have wired the ATX jumpers from the motherboard to the PiKVM to be able to power cycle the machine directly from the PiKVM. Unfortunately I couldn't access those so that is why we have the extra pi4 and the iot relay.
The NUC 9 is very powerful (overkill for this) and it is very well made. It is affordable because it is an older version but it is more than capable for the task.
The Pi-KVM gives us full KVM capabilities. This means I can remote control the NUC. The Pi-KVM has ATX capabilities which you can use to power cycle the machine you want to remote control. Unfortunately, I wasn't able to access the necessary pins to wire that's why we have the extra pi4 and the Iot relay. The raspberry pi controls the relay and allows you to power cycle the NUC as necessary.
And that is all we need. All these can be around 1000 dollars.
All the components of our Tailscale VPN solution
First, flash the pi with Raspbian OS. You probably want to use the lite version. After flashing it, install Tailscale. You may want to disable key expiration and tag the machine to control access from your policy file. At this point you want to exit the ssh session and ssh again to the box using the Tailscale's ip address or hostname. We will only allow traffic on the Tailscale interface to do so run:
sudo apt install ufw
sudo ufw allow in on Tailscale0
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
You also want to wire the GPIO pins to the relay and test that you can open and close the relay. To do so run:
# Here I am using GPI26
cat /sys/kernel/debug/gpio | grep GPIO26
gpio-538 (GPIO26 )
p=538
cd /sys/class/gpio
echo $p > export
cd gpio$p
echo out > direction
# power cycle
echo 1 > value ; sleep 1; echo 0 > value
Now we can work on the PiKVM. Flash the SD card and follow the first steps instructions. Most notably, remember to change the root ssh password and UI password. You may also want to allow traffic on the Tailscale interface only:
rw
pacman -S ufw
systemctl start ufw.service
systemctl enable ufw.service
sudo ufw allow in on Tailscale0
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
ro
At this point you want to plug your PC (hdmi and usb) to the PiKVM and make sure you can remote control it. Checks you can access the BIOS remotely. Also, update the BIOS to make sure the computer starts after a power failure.
Install your OS of choice in the NUC and the installation is completed.
If you plan to install this on a rack, consider getting a
Once the two machines are up and running and part of your tailnet you may want to install node_exporter to capture metrics to see how the routers are performing. I will write a separate post about this.
A follow up post is necessary to determine how well Tailscale is performing with this setup, but I don't expect issues. When you think about it, we just have a Linux machine acting as a router. That's Linux bread and butter. And I know the Tailscale software is high quality and performant. Nonetheless, I will report in the future.
drio out.