Tailscale only Yunohost - possible? how to configure?

I was using Wireguard before but I didn’t have a good experience with it. I recently discovered Tailscale, and it seems to be something really useful for me. I’m wondering how easy it is to configure my whole Yunohost server to only be accessible via Tailscale, or have certain domains only be available by Tailscale.

I saw it was talked about before but nobody gave an answer on how to do it.

Hello!

I’ve been thinking about this too, and here is the state of my thoughts.

TL;DR: I would say it’s possible today, accepting some drawbacks and doing it manually, and I plan on trying soon.

What am I trying to solve by using Tailscale?

  • No need to open ports on my router/ISP box if I host yunohost at home
  • Hardened security - my 443 port is not open on the internet
  • Allows hosting several yunohost servers at home, behind the same router/ISP box

What drawbacks it implies

  • Mail won’t work, nor will XMPP and similar communication tools (maybe outbound, but I’m not sure and I haven’t searched it properly)
  • Sharing yunohost with other people will require an extra step (use of tailscale by the other users - but it can also be seen as an advantage on the security side)
  • HTTPS certificates by Let’s Encrypt as existing in the current Yunohost won’t work

Hypothetical solutions to the drawbacks
Tailscale offers a beta version of the SSL certificates with their DNS - Enabling HTTPS · Tailscale

So, running Yunohost behind tailscale is possible, but for a certain kind of usage given the drawbacks (that I am considering - for backing up pictures and documents in particular). The recent HTTPS feature of Tailscale makes me think that it’s now possible.

How to implement it

  • manually - install tailscale on your yunohost, choose the local domain feature during the post-installation, and manually add the domain + certificate based on tailscale’s DNS features. You might have to manually renew the SSL certificate (I haven’t looked too much into it yet). This is the approach I’ll test as soon as I take the time to do it.

  • via an app that would do the manual steps (this doesn’t exist)

  • via an additional feature of Yunohost when you create a domain, to be able to mark it as a Tailscale domain (this doesn’t exist)


Thanks for your thoughts!

If this worked, I would probably make two Yunohost servers. Public services on VPS and private on tailscale at home.

tailscale:

  • nextcloud
  • searXNG
  • photoprism
  • vaultwarden (self-hosted bitwarden)

VPS

  • simplex
  • hugo blog
  • gotosocial (mastodon)
  • wireguard or the open-source version of headscale (self-hosted tailscale)

The tricky things I think:

  • how to set up a public URL/HTTPS: mycoolsite.com for the VPS, and use the same one for tailscale.
  • certs

Great to hear you’re considering it :grin:

For the certificates with the Tailscale ynh, once again take what I say with a pinch of salt as I haven’t tried it yet, but I would symlink the cert and key created by tailscale to the place where the self-signed ones created at first install are.

In order to use the URL of your public VPS to access the tailscale one, if the public VPS has tailscale installed too, you can use a redirect app on the public one pointing to the tailscale one. I suspect you might have some side effects in some cases, and it might be slower as the traffic would always go through the public VPS, but it should work (this I have tried and it worked :wink:).

And thanks, I’m now a bit more excited about this and I should try this sooner than I thought, I’ll post what I find here :slightly_smiling_face:


Don’t hesitate to share your thoughts in their dedicated threads; I am eager to know more about use cases so that the YunoHost apps can support them. :slight_smile:


Personally, I have tried a manual installation of Headscale for packaging purposes (not really advanced though); I could make it run with no issue within my YunoHost.

Hello everyone!

I’ve just managed to install yunohost with the tailscale certificates :slight_smile:

I’ve tested from a fresh install (meaning that my tailscale domain is the first domain I set up at the postinstall), but I don’t see what wouldn’t work if you were to add a domain to an existing installation.

Prerequisites:

  • enable DNS and HTTPS in the Tailscale admin console: Tailscale
  • have tailscale installed, set up and running on the yunohost server

The first step is to get the tailscale domain of your machine. In the admin console, you can retrieve it simply by clicking on its name in the list of machines: Tailscale. It should be in the format [NAME OF THE MACHINE].[YOUR OWN TAILNET NAME].ts.net

Then, create a domain in yunohost using the above-mentioned domain - saying that you already have a domain name.
Alternatively, run as root

yunohost domain add [YOUR TAILSCALE DOMAIN NAME]

Then run the following commands as root on your yunohost server:

cd /etc/yunohost/certs/[YOUR TAILSCALE DOMAIN NAME]
mkdir self-signed
mv *.pem *.cnf self-signed/
tailscale cert --cert-file crt.pem --key-file key.pem [YOUR TAILSCALE DOMAIN NAME]
chown root:metronome crt.pem key.pem
chmod 640 crt.pem key.pem
yunohost service reload nginx

I based this on the manual of tailscale cert and the doc page: Custom certificates | Yunohost Documentation
Basically, we move into the folder where the certificates are stored, move the self-signed certificates of the domain into a dedicated folder, call tailscale cert with the proper names for the certificate and the key, set the proper permissions and reload nginx!

It works perfectly for me :slight_smile:

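The manual steps from the post above, as an added example script that is not from the thread nor from the YunoHost or Tailscale projects: it keeps the self-signed pair aside on the first run, fetches the Tailscale certificate into temporary files so a failed fetch never leaves nginx without a key pair, and on later runs only re-fetches when the current certificate is close to expiry, so it can be scheduled from cron to cover the renewal question raised earlier in the thread. The cert directory and file ownership follow the post; CERT_ROOT, CERT_GROUP and RENEW_DAYS are assumed knobs of my own.

```shell
#!/bin/sh
# Added example, not from the thread: install or renew a Tailscale-issued
# certificate for a YunoHost domain, following the manual steps of the post.
# Assumptions: tailscale and yunohost are on PATH; certs live in
# /etc/yunohost/certs/<domain>/; CERT_GROUP is the group used in the post
# (check `ls -l` on an existing domain's cert directory before relying on it).
set -eu
CERT_ROOT="${CERT_ROOT:-/etc/yunohost/certs}"
CERT_GROUP="${CERT_GROUP:-metronome}"
RENEW_DAYS="${RENEW_DAYS:-30}"   # re-fetch when fewer days than this remain

# MagicDNS name in the format described in the thread: <machine>.<tailnet>.ts.net
is_tailscale_domain() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?\.[a-z0-9-]+\.ts\.net$'
}

# Days until the certificate file $1 expires; 0 if it is missing or unreadable
cert_days_left() {
    [ -r "$1" ] || { echo 0; return; }
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | cut -d= -f2) || { echo 0; return; }
    end_s=$(date -d "$end" +%s 2>/dev/null) || { echo 0; return; }
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# $1 = days left, $2 = threshold: true when a new certificate should be fetched
needs_renewal() { [ "$1" -le "$2" ]; }

install_cert() {
    domain=$1
    is_tailscale_domain "$domain" || { echo "not a <machine>.<tailnet>.ts.net name: $domain" >&2; return 1; }
    cd "$CERT_ROOT/$domain"
    # First run only: keep YunoHost's self-signed pair aside instead of deleting it
    if [ ! -d self-signed ]; then
        mkdir self-signed
        for f in *.pem *.cnf; do if [ -e "$f" ]; then mv "$f" self-signed/; fi; done
    elif ! needs_renewal "$(cert_days_left crt.pem)" "$RENEW_DAYS"; then
        echo "$domain: certificate still valid, nothing to do"; return 0
    fi
    # Fetch into temp files, set ownership/permissions as in the post, then swap in
    tailscale cert --cert-file crt.pem.new --key-file key.pem.new "$domain"
    chown "root:$CERT_GROUP" crt.pem.new key.pem.new
    chmod 640 crt.pem.new key.pem.new
    mv crt.pem.new crt.pem && mv key.pem.new key.pem
    yunohost service reload nginx
}

# Usage: sh tailscale-cert.sh <machine>.<tailnet>.ts.net   (e.g. from a weekly cron job)
if [ "${1:-}" ]; then install_cert "$1"; fi
```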