Tailscale on PVE host

[despens]

Hello all,

I am setting up a proxmox PVE within a tailscale VPN.

Accessing PVE from within the VPN works nicely (from the "outside").

But proxmox sets up its own DNS server on the host, so it cannot find other machines that are managed via tailscale's "magic DNS".

That means, for instance, that I cannot add another PVE at a different location into a cluster, nor use an OIDC service that is part of the VPN.

Tailscale says the following:

# tailscale status
[...]
# Health check:
#     - Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight

The tailscale "DNS fight" help section mentions that systemd-resolved could be installed, but I believe proxmox doesn't support that and wants to modify /etc/resolv.conf directly?

Is there a way to make tailscale and proxmox's DNS play along?

 

[gridiron]

It would probably be better to install Tailscale into a VM or LXC and access the PVE host via that guest.

 

[despens]

Thanks for the hint gridiron, that makes sense...!

I was only able to find instructions on how to install tailscale inside LXC containers to be used within these containers, but none on how to connect that to the host system. Do you maybe know about a resource that explains this?

 

[gridiron]

I don't use Tailscale myself, but it could potentially be as simple as using Tailscale to connect to the LXC guest, then accessing the PVE web UI via its usual IP and port (assuming you don't have any firewall restrictions in place).

 

[louie1961]

Actually, IMHO, tailscale is best when you put it on the edge of your network, like a firewall/router device. I have it on my pfsense, and by using advertised routes, its the only installation of Tailscale inside my home lab. I can access everything from it, as if I was at home. No need to put tailscale on individual servers, etc. Of course this works best if you have a well segmented network, then just advertise the routes (VLANs) you need to to access, instead of the entire network.

 

[gridiron]

I use WireGuard but like you host it on the router (separate box). I like to keep my networking separate in general.

 

[bl1mp]

Hi,
for setting up the name resolution in a cluster, it is very recommendable to utilize /etc/hosts or even better use the static IPs of the hosts.

I am not sure about your planned setup. Please keep in mind the clusters corosync service needs to meet the below 5ms requirement, or you will experience constant hickups.

BR, Lucas

 

[despens]

I believe my only issue right now is that proxmox doesn't use the VPN's DNS server, as both tools fight for overwriting `resolv.conf`. I wonder if it would be possible to indeed launch a proxmox container, install tailscale inside there, and have proxmox use that container for name server requests? Is it that what you meant, @gridiron?