Beginner Networking Question: How to best Implement Tailscale?

RealEngineer

Jun 25, 2022
Hello all,

I am looking at using tailscale for my home server, specifications below:
Xeon X3450
16GB RAM (First thing to upgrade when I have money to spare)
Obviously running proxmox.
I am considering using tailscale to set up out of network access for some of my applications, including:
- Jellyfin server
- Pihole
- Samba Server
- A handful of videogame servers
- Offsite backup for other home-server friends
and whatever else I decide I want to try out in the future. I'm unfortunately not super knowledgeable about networking.

I want to be able to share some services and not others with people that I may or may not be able to convince to use their own tailscale VPN. For example, games, jellyfin, but not my file-server.

There are multiple ways to implement tailscale, and I would like to know which would be best for me, and more importantly why.
Tailscale can be installed on the host, on VMs, or on an LXC.
As such, I have the options of:
- Installing tailscale on the host
- Installing tailscale on one VM/LXC and letting it access other things over my LAN (IDK if this one works super well, I am in an apartment with others and don't have access to router settings, nor can I ensure others on my network don't get hacked)
- Installing Tailscale on multiple (possibly not all) VMs and LXCs, so that they show up as separate devices, easier to share individually.

What are the upsides and downsides of these methods, and why? I am interested in learning what I can to more effectively and securely host services for myself and others.
 
Hi,

I'm also interested in this setting.
I think installing apps on the host is not the best idea.
Tailscale runs fine in an LXC I think: https://tailscale.com/kb/1133/proxmox/
My personal choice would be a VM, so I can mount only the needed folder with SMB.
As I read, Tailscale runs a different network, so I hope it only has access to the VM and its mounted partition.
 
Sorry for the necrobumping but this is the most relevant thread I've found.

I think installing apps on the host is not the best idea.

Why?

I'm having a hard time finding convincing arguments about this. Why is it a problem to install Tailscale on the host?

So far the only "conflict" I have found, is that if you want to use the host as an exit node/subnet router you need to enable IP forwarding, which can have consequences on your network configuration (mostly the need to force router advertisement forwarding for IPv6 autoconfig if I am not mistaken).

So, apart from this, why not install Tailscale on the host? I've just done both, on the host and in an LXC with exit node and subnet routing to access the host webUI through port forwarding, but... Why bother?

Thanks
 
@RealEngineer Have you found an effective and secure solution? If so, would you share it as well as your experiences with it?
I'm looking for a similar setup. ;-)
Thx
 
tailscale has powerful ACLs, so I'd install tailscale on every single host I need access to. hosts where this is not possible are connected through subnet routers. then you have a kind of global SDN with tailscale. that's the idea afais :)

take a look at headscale, if you want it DIY / autonomous
 
@roxy Behold I returneth from my long absence.

I was concerned about some sort of networking or resource limitations of running tailscale multiple times on what is technically one computer. Now I run tailscale on the host, tailscale on multiple guest VMs, and a tailscale instance inside each container inside one particular guest VM. Overall, I think around 7-8 tailscale instances, one hypervisor. This makes it simpler to control access to various services running in the homelab. I have not noticed a performance penalty to running tailscale multiple times on one machine. I'm using old Xeons, can't comment on what will happen if you try that with something really anemic like an atom cpu. For anything you can't run tailscale on, use a subnet router. Have fun.
 
Tailscale on the proxmox host is kind of supported, by tailscale, not proxmox to my knowledge. I've used the solution below without complications for at least a year or so.
https://tailscale.com/kb/1133/proxmox#enable-https-access-to-the-proxmox-web-ui
Why in general you would not install apps on the host: (IDK if you are already knowledgeable about this, so pardon me if I am telling you what you already know. I see your question was specifically about tailscale)
Keeping the applications on the host to a minimum helps ensure that you don't have to worry about how the apps will interact with the host OS or other apps, especially since they are all (hopefully) regularly being updated. I once had nvidia drivers suddenly break the host's ability to update after months. This is the point of a hypervisor (or containerization). Proxmox is Debian based, you can probably get just about anything that runs on Debian working if you have enough knowledge. It's just up to you to know how to fix whatever problems may occur, and know that you are dealing with a setup that forfeits the advantages of a hypervisor for any uncontainerized, un VM'd applications.

In general though, one or two apps may need to be installed on the host, such as for VPN access or for additional hardware monitoring. Your call.
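
Added example, not part of any post in this thread and not Tailscale's or Proxmox's own configuration: a Tailscale policy file (HuJSON) for the one-instance-per-service layout the thread settles on, sharing Jellyfin and game servers with friends while leaving the file server unreachable to them. The tag names, group members and the game port are assumptions; 8096 is Jellyfin's default HTTP port and 445 is SMB.

```json
{
  // Constructed example. Replace the placeholder addresses with real tailnet users.
  "groups": {
    "group:friends": ["alice@example.com", "bob@example.com"]
  },

  // Each VM/LXC running its own Tailscale instance is given one of these tags
  // (hypothetical names), so rules target the service rather than a person's device.
  "tagOwners": {
    "tag:media": ["autogroup:admin"],
    "tag:games": ["autogroup:admin"],
    "tag:files": ["autogroup:admin"]
  },

  // Access is deny-by-default: anything not matched below is dropped.
  // The allow-all rule that new tailnets start with (src "*", dst "*:*")
  // must be removed, otherwise none of the restrictions below take effect.
  "acls": [
    // Tailnet admins reach every node, including the Proxmox host.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},

    // Friends inside the tailnet, plus users who accepted a node-sharing
    // invite from their own tailnet, get Jellyfin only.
    {"action": "accept", "src": ["group:friends", "autogroup:shared"], "dst": ["tag:media:8096"]},

    // Game servers. 25565 is a placeholder; list the ports actually in use.
    {"action": "accept", "src": ["group:friends", "autogroup:shared"], "dst": ["tag:games:25565"]}

    // Deliberately no rule with tag:files as a destination for friends.
  ],

  // Policy tests are evaluated when the file is saved; a failing test rejects
  // the change, which catches a later edit that accidentally exposes Samba.
  "tests": [
    {
      "src": "alice@example.com",
      "accept": ["tag:media:8096", "tag:games:25565"],
      "deny": ["tag:files:445"]
    }
  ]
}
```

With a single Tailscale instance on the host or one shared VM, all services sit behind one node and rules can only be separated by port; a subnet router additionally exposes whatever LAN range it advertises, so its ACL destinations need to be narrowed to specific IPs and ports.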
 
