I was using Wireguard before but I didn’t have a good experience with it. I recently discovered Tailscale, and it seems to be something really useful for me. I’m wondering how easy it is to configure my whole Yunohost server to only be accessible via Tailscale, or have certain domains only be available by Tailscale.
I saw it was talked about before but nobody gave an answer how to do it.
I’ve been thinking about this too, and here is the state of my thoughts.
TL;DR: I would say it’s possible today, accepting some drawbacks and doing it manually, and I plan on trying soon.
What do I try to solve by using Tailscale?
- No need to open ports on my router/ISP box if I host yunohost at home
- Hardened security: my 443 port is not open on the internet
- Allows hosting several yunohost servers at home, behind the same router/ISP box
What drawbacks it implies
- Mail won’t work, nor will XMPP and similar communication tools (maybe outbound will, but I’m not sure and I haven’t searched it properly)
- Sharing yunohost with other people will require an extra step (use of tailscale by the other users, but it can also be seen as an advantage on the security side)
- HTTPS certificates by Let’s Encrypt as they exist in the current Yunohost won’t work
Hypothetical solutions to the drawbacks
- Tailscale offers a beta version of the SSL certificates with their DNS: Enabling HTTPS · Tailscale
So, running Yunohost behind tailscale is possible, but for a certain kind of usage given the drawbacks (that I am considering - for backing up pictures and documents in particular). The recent HTTPS feature of Tailscale makes me think that it’s now possible.
How to implement it
- manually: install tailscale on your yunohost, choose the local domain feature during the post-installation, and manually add the domain + certificate based on tailscale’s DNS features. You might have to manually renew the SSL certificate (I haven’t looked too much into it yet) (this is the approach I’ll test as soon as I take the time to do it)
- via an app that would do the manual steps (this doesn’t exist)
- via an additional feature of Yunohost when you create a domain, to be able to mark it as a Tailscale domain (this doesn’t exist)
For the certificates with the Tailscale ynh, once again take what I say with a pinch of salt as I haven’t tried yet, but I would symlink the cert and key created by tailscale to the place where the self-signed ones created at first install are.
In order to use the URL of your public vps to access the tailscale one, you could, if the public vps has tailscale installed too, use a redirect app on the public one pointing to the tailscale one. I suspect you might have some side effects in some cases, and it might be slower as the traffic would always go through the public vps, but it should work (this I have tried and it worked).
And thanks, I’m now a bit more excited about this and I should try this sooner than I thought, I’ll post what I find here.
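The two posts above describe the manual approach (install Tailscale on the YunoHost box, obtain the certificate from Tailscale's HTTPS feature, put it where YunoHost expects the self-signed one, and renew it by hand). The script below is an added example written for this thread; it is not code from either poster, nor from the YunoHost or Tailscale projects. It assumes that YunoHost reads a domain's certificate from `/etc/yunohost/certs/<domain>/crt.pem` and `key.pem` (an assumption, overridable with `CERT_ROOT`), that HTTPS is already enabled on the tailnet, that the host is Debian-based (GNU `date`), and that `myserver.tail1234.ts.net` is a placeholder MagicDNS name. Instead of symlinking, it writes the files `tailscale cert` produces straight into that directory, checks the remaining validity first so it can run unattended from cron, and only reloads nginx after a successful fetch.

```shell
#!/bin/sh
# Added example for the YunoHost + Tailscale thread (not the project's own tooling).
# Assumption: YunoHost serves /etc/yunohost/certs/<domain>/{crt.pem,key.pem} for <domain>.
set -eu

CERT_ROOT="${CERT_ROOT:-/etc/yunohost/certs}"   # assumed YunoHost cert directory
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"    # renew when fewer days than this remain

# Tailscale only issues certificates for a node's own MagicDNS name (*.ts.net),
# so refuse anything else before touching the filesystem.
is_tailnet_name() {
    case "$1" in
        *.ts.net) return 0 ;;
        *)        return 1 ;;
    esac
}

cert_path() { printf '%s/%s/crt.pem' "$CERT_ROOT" "$1"; }
key_path()  { printf '%s/%s/key.pem' "$CERT_ROOT" "$1"; }

# Print the number of days until the certificate file $1 expires,
# or -1 when the file is missing or unreadable (forces a first-time fetch).
days_until_expiry() {
    cert="$1"
    if [ ! -r "$cert" ]; then
        printf '%s\n' -1
        return 0
    fi
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -d "$end" +%s)   # GNU date, as on Debian/YunoHost
    now=$(date +%s)
    printf '%s\n' $(( (end_epoch - now) / 86400 ))
}

# $1 = days left; true when a renewal should be attempted.
needs_renewal() {
    [ "$1" -lt "$RENEW_BEFORE_DAYS" ]
}

# Fetch a fresh cert and key through the local tailscaled (no public port 443 needed),
# restrict the key's permissions, then reload nginx so YunoHost serves the new cert.
renew() {
    domain="$1"
    if ! is_tailnet_name "$domain"; then
        echo "refusing: $domain is not a tailnet (*.ts.net) name" >&2
        return 1
    fi
    mkdir -p "$(dirname "$(cert_path "$domain")")"
    tailscale cert --cert-file "$(cert_path "$domain")" \
                   --key-file  "$(key_path  "$domain")" "$domain"
    chmod 600 "$(key_path "$domain")"
    systemctl reload nginx
}

main() {
    domain="${1:?usage: $0 <machine>.<tailnet>.ts.net}"
    left=$(days_until_expiry "$(cert_path "$domain")")
    if needs_renewal "$left"; then
        renew "$domain"
    else
        echo "$domain: $left days of validity left, nothing to do"
    fi
}

# Run only when a domain is given on the command line, e.g. from cron:
#   tailscale-cert-renew.sh myserver.tail1234.ts.net   (placeholder name)
[ $# -eq 0 ] || main "$@"
```

Run it once by hand after adding the domain in YunoHost, then schedule it daily; since Let's Encrypt cannot reach a node that has no public port 443 (the drawback noted above), leave YunoHost's own certificate renewal alone for that domain so the two mechanisms do not overwrite each other.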
Don’t hesitate to share your thoughts in their dedicated threads, I am eager to know more about use cases and how the YunoHost apps can support them.
Personally, I have tried a manual installation of Headscale for packaging purposes (not really advanced though); I could make it run with no issue within my YunoHost.