Difference between revisions of "Tailscale"

From Nick's Personal Wiki
Revision as of 09:46, 4 April 2026

Installing Tailscale

Linux

Distros With a Package Manager

To download the package via the terminal, run the following:

curl -fsSL https://tailscale.com/install.sh | sh 

Once the package is installed, bring up the Tailscale client via:

sudo tailscale up

This should print some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options (Google, Microsoft, GitHub, etc.).

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Distros/Clients Without a Package Manager

MOST PEOPLE SHOULD BE USING THE ABOVE METHOD AND NOT THIS ONE

But if your distro/client does not have a package manager, or is a more obscure distribution, you can download the build for your system from here.

Extract the downloaded archive:

tar xvf tailscale_*.tgz

Start the downloaded daemon (tailscaled) via:

sudo tailscaled --state=tailscaled.state

And then to start the client and connect the machine to your tailnet:

sudo tailscale up

This should print some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options (Google, Microsoft, GitHub, etc.).

Once authenticated, the host should appear in your Machines page on the Admin console within your TailNet (Tailscale Network).


Access Controls

Access Controls (ACLs) are managed either via the GUI builder or by editing the JSON policy file directly, both from within the admin console. Tailscale's documentation for this is great, so be sure to see their examples page for reference.

Tailscale SSH is also not configured by default: it needs to be enabled on a host-by-host basis and then permitted in the ACL file from the admin console.


Examples

Tailscale is built around a least-privilege architecture, but a new tailnet ships with an allow-all permissions policy in place so that the nodes can connect to each other out of the box.

Default

This initial, permit-all ACL looks like this:

{
  "grants": [
    {
      "src": ["*"],
      "dst": ["*"],
      "ip": ["*"]
    }
  ]
}

Owners' Devices Only

To allow each user in the TailNet to access the devices they themselves own:

{
  "grants": [
    {
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "ip": ["*"]
    }
  ]
}
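As an added example (not from this wiki or from Tailscale), a small Python check that parses a grants-style policy like the two above, flags any grant that is wildcard on src, dst and ip (the permit-all default), and reports whether an "ssh" rule exists for a given src/dst pair, since Tailscale SSH must be permitted in the policy as well as enabled on the host. The two policy texts are constructed here, and the check assumes plain JSON rather than Tailscale's HuJSON with comments.

```python
import json

# Constructed sample policies modelled on the two ACL examples above (plain JSON,
# not HuJSON with comments). The second one also carries an "ssh" section so that
# Tailscale SSH, once enabled on a host, is actually permitted by the policy.
DEFAULT_POLICY = """
{
  "grants": [
    {"src": ["*"], "dst": ["*"], "ip": ["*"]}
  ]
}
"""

OWNERS_ONLY_POLICY = """
{
  "grants": [
    {"src": ["autogroup:member"], "dst": ["autogroup:self"], "ip": ["*"]}
  ],
  "ssh": [
    {"action": "check",
     "src": ["autogroup:member"],
     "dst": ["autogroup:self"],
     "users": ["autogroup:nonroot"]}
  ]
}
"""


def permit_all_grants(policy_text):
    """Return the indices of grants that are wildcard on src, dst and ip."""
    policy = json.loads(policy_text)
    hits = []
    for i, grant in enumerate(policy.get("grants", [])):
        if all("*" in grant.get(key, []) for key in ("src", "dst", "ip")):
            hits.append(i)
    return hits


def ssh_permitted(policy_text, src, dst):
    """True if some "ssh" rule lists both the given src and dst."""
    policy = json.loads(policy_text)
    for rule in policy.get("ssh", []):
        if src in rule.get("src", []) and dst in rule.get("dst", []):
            return True
    return False


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_POLICY), ("owners-only", OWNERS_ONLY_POLICY)):
        print(name, "permit-all grants:", permit_all_grants(text),
              "ssh member->self:", ssh_permitted(text, "autogroup:member", "autogroup:self"))
```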

Groups

Tags

Tailscale SSH

To enable Tailscale SSH on the host you're currently logged into:

sudo tailscale set --ssh

This should be reflected in the Admin console almost immediately as well.


Disable Logging

PLEASE READ THIS CAREFULLY BEFORE RUNNING THE COMMANDS BELOW: PERFORMING THESE ACTIONS MAY IMPACT YOUR ABILITY TO RECEIVE SUPPORT (IF NEEDED) FROM TAILSCALE

Tailscale is configured by default to send logs and diagnostic data about connectivity to Tailscale's servers (not your servers, their servers) to assist in troubleshooting issues. You may disable this functionality, at the cost of potentially being unable to receive support from Tailscale.

To do so, add:

TS_NO_LOGS_NO_SUPPORT=true

To the file located here:

/etc/default/tailscaled

Or using the command:

sudo tailscale set --no-logs-no-support


Additional Resources

Tailscale Documentation