I was using Wireguard before but I didn’t have a good experience with it. I recently discovered Tailscale, and it seems to be something really useful for me. I’m wondering how easy it is to configure my whole Yunohost server to only be accessible via Tailscale, or have certain domains only be available by Tailscale.
I saw it was talked about before but nobody gave an answer on how to do it.
I’ve been thinking about this too, and here is the state of my thoughts.
TL;DR: I would say it's possible today, accepting some drawbacks and doing it manually, and I plan on trying soon.
What do I try to solve by using Tailscale?
No need to open ports on my router/ISP box if I host yunohost at home
Hardened security - my 443 port is not open on the internet
Allows hosting several yunohost servers at home, behind the same router/ISP box
What drawbacks it implies
Mail won’t work, as well as XMPP and similar communication tools (maybe outbound, but I’m not sure and I haven’t searched it properly)
Sharing yunohost with other people will require an extra step (use of tailscale by the other users - but it can also be seen as an advantage on the security side)
HTTPS certificates by Let’s Encrypt as existing in the current Yunohost won’t work
Hypothetical solutions to the drawbacks
Tailscale offers a beta version of the SSL certificates with their DNS - Enabling HTTPS · Tailscale
So, running Yunohost behind tailscale is possible, but for a certain kind of usage given the drawbacks (that I am considering - for backing up pictures and documents in particular). The recent HTTPS feature of Tailscale makes me think that it’s now possible.
How to implement it
manually - install tailscale on your yunohost, choose the local domain feature during the post-installation, and manually add the domain + certificate based on tailscale’s DNS features. You might have to manually renew the SSL certificate (I haven’t looked too much into it yet) (this is the approach I’ll test as soon as I take the time to do it)
via an app that would do the manual steps (this doesn’t exist)
via an additional feature of Yunohost when you create a domain, to be able to mark it as a Tailscale domain (this doesn’t exist)
For the certificates with the Tailscale ynh, once again take what I say with a pinch of salt as I haven’t tried yet, but I would symlink the cert and key created by tailscale to the place where the self signed ones created at first install are.
In order to use the URL of your public vps to access the tailscale one, you could, if the public vps has tailscale installed too, use a redirect app on the public one pointing to the tailscale one. I suspect you might have some side effects in some cases, and it might be slower as the traffic would always go through the public vps, but it should work (this I have tried and it worked).
And thanks, I'm now a bit more excited about this and I should try this sooner than I thought. I'll post what I find here.
I've just managed to install yunohost with the tailscale certificates.
I’ve tested from a fresh install (meaning that my tailscale domain is the first domain I set up at the postinstall), but I don’t see what wouldn’t work if you were to add a domain to an existing installation.
enable DNS and HTTPS in the Tailscale admin console: Tailscale
have tailscale installed, set up and running on the yunohost server
The first step is to get the tailscale domain of your machine. In the admin console, you can retrieve it simply by clicking on its name in the list of machines: Tailscale. It should be in the format [NAME OF THE MACHINE].[YOUR OWN TAILNET NAME].ts.net
Then, create a domain in yunohost using the above-mentioned domain - saying that you already have a domain name.
Alternatively, run as root
yunohost domain add [YOUR TAILSCALE DOMAIN NAME]
Then run the following commands as root on your yunohost server:
I based this on the manual of tailscale cert and the doc page: Custom certificates | Yunohost Documentation
Basically, we move into the folder where the certificates are stored, we move the self-signed certificates of the domain into a dedicated folder, we call tailscale cert with the proper names for the certificate and the key, we set the proper permissions and reload nginx!
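The steps that post describes, written out as an added example script. This is my own illustration, not the poster's commands and not part of Yunohost or Tailscale. It assumes that Yunohost keeps the live certificate for a domain as crt.pem and key.pem under /etc/yunohost/certs/DOMAIN/ (the layout the Custom certificates documentation page describes), that the MagicDNS name has the [MACHINE].[TAILNET].ts.net shape given above, and that root:ssl-cert ownership with mode 640 is the permission set Yunohost expects (my reading of that doc page; check it against your version). The function names (`is_tailscale_domain`, `cert_dir_for`, `install_tailscale_cert`) are mine.

```shell
#!/bin/sh
# Added example: install the certificate issued by `tailscale cert` for a
# tailnet hostname where Yunohost expects a custom certificate.
# Assumptions (not from the original post): certificate directory layout
# /etc/yunohost/certs/DOMAIN/{crt.pem,key.pem}, ownership root:ssl-cert,
# mode 640, and nginx reloaded via systemctl.
set -eu

# Return 0 when DOMAIN has the MagicDNS shape host.tailnet.ts.net,
# so we refuse to overwrite the certificate of an unrelated domain.
is_tailscale_domain() {
    case "$1" in
        *.*.ts.net) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the directory Yunohost uses for DOMAIN's certificate.
cert_dir_for() {
    printf '/etc/yunohost/certs/%s\n' "$1"
}

# Fetch the certificate from the local tailscaled and put it in place.
# Re-running this later refreshes the files, so it can sit in a cron job
# to cover renewal (the poster's open question above).
install_tailscale_cert() {
    domain="$1"
    if ! is_tailscale_domain "$domain"; then
        echo "refusing: $domain is not a *.ts.net name" >&2
        return 1
    fi
    dir=$(cert_dir_for "$domain")
    cd "$dir"

    # Keep the self-signed pair Yunohost generated when the domain was added,
    # in a dedicated folder, instead of deleting it.
    mkdir -p self-signed
    if [ -e crt.pem ]; then
        mv crt.pem key.pem self-signed/
    fi

    # Ask tailscaled for the Let's Encrypt certificate of this tailnet name
    # and write it under the file names Yunohost/nginx read.
    tailscale cert --cert-file crt.pem --key-file key.pem "$domain"

    # Private key must not be world-readable; nginx reads it via ssl-cert.
    chown root:ssl-cert crt.pem key.pem
    chmod 640 crt.pem key.pem

    systemctl reload nginx
}

# Usage: sh install-tailscale-cert.sh machine.tailnet.ts.net
if [ "$#" -gt 0 ]; then
    install_tailscale_cert "$1"
fi
```

Run it as root on the Yunohost server after the domain has been added with `yunohost domain add`; without an argument it only defines the functions, which makes the domain check easy to test on its own.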