Client DNS

If you don't want to use MagicDNS (like me): I was having issues with it, so I did this instead.

Add the following to ~/.bashrc. It lets you SSH to a peer with tailssh user hostname, where user is the login name on the remote machine and hostname is the peer's name as shown by tailscale status (literal values, not your shell's own $USER and $HOSTNAME). Running tailssh with no arguments lists all of the peers instead.

function tailssh () {
  if [[ -z "$1" ]] && [[ -z "$2" ]]; then
    # No arguments: list every peer (Tailscale IP, hostname, user, OS, state)
    tailscale status | grep -v 'filter/INPUT' | column -t
  else
    # Column 1 of `tailscale status` is the Tailscale IP, column 2 the hostname.
    # Match the hostname exactly so "pi" cannot also match "pi-backup".
    host=$(tailscale status | awk -v name="$2" '$2 == name { print $1; exit }')
    if [[ -z "$host" ]]; then
      echo "tailssh: no peer named '$2' in tailscale status" >&2
      return 1
    fi
    ssh "${1}@${host}"
  fi
}

column is not installed by default on Debian; it comes with the bsdmainutils package: apt install bsdmainutils

Now you can use it, and it works well.

Auth

Preauth nodes

headscale preauthkeys -n $NAMESPACE create

-n is the namespace the node will be registered into. Treat the key like a password: anyone holding it can join a node to that namespace, so give it a short --expiration and only add --reusable if you really need to enrol more than one node with the same key.

On the client, run the following (--exit-node= with an empty value just clears any exit-node setting):

tailscale up --login-server https://headscale.domain.com --accept-routes=true --exit-node= --accept-dns=true --authkey $KEY_FROM_ABOVE


CLI Commands

List the preauth keys that exist in a namespace (useful for checking that old keys have expired):

headscale preauthkeys -n $NAMESPACE_TO_SHARE_INTO list


Routing

Enable IP forwarding on the host that will act as the subnet router (run as root):

echo 'net.ipv4.ip_forward = 1' | tee /etc/sysctl.d/ipforwarding.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/ipforwarding.conf
sysctl -p /etc/sysctl.d/ipforwarding.conf

Advertise the route from the tailscale client on that host:

tailscale up --advertise-routes=192.168.0.0/24 --login-server=https://headscale.domain.com

List the node's routes in headscale to make sure the route is being advertised:

headscale routes list -i $NODE_ID

This returns something like this (advertised, but not yet enabled):

Route          | Enabled
192.168.0.0/24 | false

Enable the route within headscale (routes are never enabled automatically; the server admin has to approve each one):

headscale routes enable -i $NODE_ID -r 192.168.0.0/24

List the routes again to make sure it is enabled:

headscale routes list -i $NODE_ID

This returns something like this:

Route          | Enabled
192.168.0.0/24 | true

This verifies the route is enabled. Now, on each client that should be able to reach that network, you have to run:

tailscale up --accept-routes --login-server=https://headscale.domain.com
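The whole routing procedure above (forwarding, advertise, enable, verify) as one checked script. This is an added example, not code from the original notes or from headscale itself. It assumes the two-column "Route | Enabled" table that headscale routes list prints above; the node ID, the route and the login server are placeholders you pass in, and the sample table in the usage is constructed. The table parser is kept separate from the headscale call so it can be checked against a captured copy of the output without a server.

```shell
#!/bin/sh
# Added example (not from the original notes): the subnet-router steps above
# as a script that checks each step instead of assuming it worked.
# Assumes the two-column "Route | Enabled" table shown in the notes.
set -eu

# Return 0 only if ROUTE ($1) appears in a routes-list table AND its Enabled
# column is "true". The table is read from stdin, so it can be checked against
# a captured copy of `headscale routes list -i ID` without a headscale server.
route_enabled() {
  awk -v want="$1" -F'|' '
    NR > 1 {
      gsub(/[[:space:]]/, "", $1)
      gsub(/[[:space:]]/, "", $2)
      if ($1 == want) { found = 1; state = $2 }
    }
    END { if (found && state == "true") exit 0; exit 1 }
  '
}

# Write the forwarding sysctls to CONF ($1, default: the path used above).
# Overwrites rather than appends, so re-running never duplicates lines.
write_forwarding_conf() {
  conf=${1:-/etc/sysctl.d/ipforwarding.conf}
  printf '%s\n' 'net.ipv4.ip_forward = 1' \
                'net.ipv6.conf.all.forwarding = 1' > "$conf"
}

# Run on the headscale server: enable ROUTE for NODE_ID and fail loudly if the
# list output does not confirm it afterwards.
enable_subnet_route() {
  node_id=$1
  route=$2
  if headscale routes list -i "$node_id" | route_enabled "$route"; then
    echo "route $route is already enabled on node $node_id"
    return 0
  fi
  headscale routes enable -i "$node_id" -r "$route"
  if ! headscale routes list -i "$node_id" | route_enabled "$route"; then
    echo "route $route still not enabled on node $node_id (is it advertised?)" >&2
    return 1
  fi
  echo "route $route enabled on node $node_id"
}

# Usage on the router:  sh subnet-router.sh advertise 192.168.0.0/24 https://headscale.domain.com
# Usage on the server:  sh subnet-router.sh enable NODE_ID 192.168.0.0/24
case "${1:-}" in
  advertise)
    write_forwarding_conf
    sysctl -p /etc/sysctl.d/ipforwarding.conf
    tailscale up --advertise-routes="$2" --login-server="$3" ;;
  enable)
    enable_subnet_route "$2" "$3" ;;
  *) ;;   # no subcommand: only define the functions (so the file can be sourced)
esac
```

Because route_enabled matches the route exactly and only accepts "true", a typo'd prefix or a route that is advertised but still pending both fail the check, which is the state the notes show after the first list command.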

Now you can magically ping things. My mind was blown

My testing worked like this, and I was amazed it worked:

myPC -> router (Debian 11 | running tailscale) -> rPi (at moms house) -> (remote network I can access)


ACL example YAML

Users is where the connection comes from, Ports is the destination and port, and Hosts defines the aliases the rules use. Once a policy is loaded, anything not explicitly accepted is denied, so every rule you need has to be written down.

ACLs:
  # Allow HOST1 to reach SSH on the whole NET1 subnet, and nothing else
  - Action: accept
    Users:
      - "HOST1"
    Ports:
      - "NET1:22"
Hosts:
  # Networks
  NET1: 192.168.7.0/24
  # Hosts
  HOST1: 100.64.0.32/32

This is some crazy stuff