Tailscale Compatibility

Is the adam one stack compatible with Tailscale? Is it possible to run a DNS server on the Tailscale network together with the mytools server?

In theory it seems it is. When I add the interface tailscale0 and the listeners in the .CONF file, I can reach the mytools page by IP address, but not by host name. I think I have set up all of the correct options to force the DNS to the gateway. I’m using the gw as an exit node, but I lose Internet access. I still have access to the advertised routes, but no Internet. Has anybody ever tried this?

Hey @nckrwlmn
So Tailscale by default enables their MagicDNS feature, which basically runs a local stub resolver on the machine with a search domain of <youraccount>.ts.net. This allows your tailnet hosts to be resolved; by default, your device’s local DNS nameserver is then used to resolve non-tailnet hosts.
This means that it works perfectly well with adam:ONE and DTTS.

@nckrwlmn When you visit the mytools.management/whoami are you getting the correct device IP?

At the moment we are trying to test Tailscale along side our adam:ONE deployment as well.
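To make the resolution order described above concrete, here is a small added model of it (example code, not from this thread and not Tailscale or adam:ONE code). A bare host name gets the tailnet search domain appended; names under that domain are answered from the local peer table without ever reaching the gateway; everything else is forwarded to the device’s configured nameserver, which in this deployment is the adam:ONE gateway. The tailnet name, the peer table, the upstream answers and the helper names are all constructed for the example.

```python
"""Added example: a toy split resolver modelling MagicDNS ordering.

Constructed sample data throughout; nothing here talks to a real network.
"""
import ipaddress

# Assumed tailnet search domain (placeholder account name).
TAILNET_SUFFIX = "example-account.ts.net"

# Constructed sample tailnet peers: MagicDNS host label -> Tailscale address.
TAILNET_PEERS = {
    "gateway": "100.64.0.1",
    "laptop": "100.64.0.2",
}

# Constructed sample answers from the device's normal nameserver
# (the adam:ONE gateway).  None stands for NXDOMAIN.
UPSTREAM_ANSWERS = {
    "mytools.management": "172.16.1.1",
    "example.com": "93.184.216.34",
    "blocked.example": None,
}

# Tailscale hands out addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def upstream_lookup(name):
    """Stand-in for a query to the device's configured DNS server."""
    return UPSTREAM_ANSWERS.get(name)


def is_tailnet_address(addr):
    """True if addr falls inside the range Tailscale assigns to nodes."""
    return ipaddress.ip_address(addr) in TAILSCALE_RANGE


class SplitResolver:
    """Answers tailnet names locally, forwards everything else upstream.

    `trace` records (path, qualified_name, answer) for every query so a
    defender can see which resolver actually handled a given name.
    """

    def __init__(self, suffix, peers, upstream):
        self.suffix = suffix.lower().rstrip(".")
        self.peers = {label.lower(): ip for label, ip in peers.items()}
        self.upstream = upstream
        self.trace = []

    def resolve(self, name):
        q = name.lower().rstrip(".")
        # 1. A single-label name gets the tailnet search domain appended.
        if "." not in q:
            q = f"{q}.{self.suffix}"
        # 2. Names under the tailnet suffix never leave the stub resolver.
        if q == self.suffix or q.endswith("." + self.suffix):
            label = "" if q == self.suffix else q[: -(len(self.suffix) + 1)]
            addr = self.peers.get(label)
            self.trace.append(("tailnet", q, addr))
            return addr
        # 3. Anything else goes to the device's normal nameserver.
        addr = self.upstream(q)
        self.trace.append(("upstream", q, addr))
        return addr


if __name__ == "__main__":
    r = SplitResolver(TAILNET_SUFFIX, TAILNET_PEERS, upstream_lookup)
    for n in ("gateway", "laptop.example-account.ts.net.",
              "mytools.management", "blocked.example", "nohost"):
        r.resolve(n)
    for path, qname, answer in r.trace:
        print(f"{path:8} {qname:40} {answer}")
```

The trace is the useful part for troubleshooting a setup like the one in the question: if a name you expected the gateway to filter shows up on the `tailnet` path, it was answered by the stub resolver and the gateway never saw the query.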

No Chris, I’m not getting a mytools page at all.

I guess my question was @atw, can I use a gateway as an exit node, and have DNS answered by that exit node? Through MagicDNS maybe?

OK I see. So I haven’t tested using an adam:ONE gateway as an exit node. Will have to mess around with that one day.

Indeed you can. See the images below.

On pfSense:

Create a floating rule:


** For the alias, I used the following domains: tailscale.com, login.tailscale.com, controlplane.tailscale.com, pkgs.tailscale.com, derp5d.tailscale.com, derp6.tailscale.com, derp.tailscale.com, derp12d.tailscale.com – your mileage may vary

On Tailscale.com:

On dashboard.adamnet.works:

**be sure to add this to your policy using DNSHarmony, and also to adjust for NXDOMAIN/your block page IPs

We can verify with ping first with tailscale enabled and then disabled:

and with the logs (I had to view them by the firewall’s HTTP IP, in my case http://172.16.1.1):

You’ll see all traffic seems to be coming from the router (exit node)!


[Edit (26 Jun 2023)]:
I forgot to mention, and I think it matters, adam will need to be listening on localhost, so that would mean something like the below, which is a slight deviation from the defaults.

# adamone-setup configure
  ...
  Available Interface Addresses:

  1 - WAN (68.35.118.117)
  2 - *LAN (172.16.1.1)
  3 - *Localhost (127.0.0.1)
  4 - Localhost (::1)

 Select the addresses you would like adam:ONE to listen on separated by a 
 comma, press <ENTER> to skip [2,3]: 2,3,4
 

Further, I cannot say whether this does or does not work with DTTS.

How secure is Tailscale as compared to OpenVPN, Wireguard and such?

It depends on the aspect you’re asking about. Tailscale is using WireGuard under the hood, so the protocol security aspect would be the same. The main difference is the orchestration aspect of it. When you run your own VPN server, you are responsible for transferring keys, provisioning new keys, etc. But with Tailscale you are using their cloud-based system to do all of this for you.
So the security may be better, or worse, depending on how it compares to your own security practices for managing the keys.

The aspect that gives a solution such as Tailscale an advantage is the mesh feature: instead of giving users access to an entire network, you can grant access, per user, to specific hosts and even ports. So there’s a lot more control than with a traditional router-based VPN.